Team: Huntress EDR
Product: Firewall Status
Environment: Windows Defender Firewall
Summary: Huntress reports the status of Windows Defender Firewall.
Huntress’ Firewall Status lets you view the status of Windows Defender Firewall on protected endpoints. Our system reviews the host's Windows Firewall profiles to ensure they are all enabled.
More information about Windows Firewall profiles is available here: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ics/windows-firewall-profiles
Enabling and Managing Windows Defender Firewall
Microsoft's Defender Firewall should be enabled by default. If it is not, you'll want to re-enable it. The best place to start is with these external links from Microsoft (in order of increasing complexity):
- Enable the firewall on a specific host: https://learn.microsoft.com/en-us/mem/intune/user-help/you-need-to-enable-defender-firewall-windows
- Best practices for configuring Windows Defender Firewall: https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring
- Enable the firewall via PowerShell commands: https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell#enable-windows-defender-firewall-with-advanced-security
Please note that it's generally not a good idea to run these particular commands programmatically across your entire account, as doing so could accidentally block key services or disrupt server communications. Instead, we recommend running those commands on a case-by-case basis. For reference, those PowerShell commands are:
netsh advfirewall set allprofiles state on
-=OR=-
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
You can then verify that the setting has been applied with this PowerShell command:
Get-NetFirewallProfile | Select Name, Enabled
Although Huntress is able to view the status of the firewall, our support for enabling the firewall is limited. Please reach out to Microsoft support or review the articles above if there are any issues enabling the firewall properly.
Defender Firewall Managed through GPO
When checking the host's firewall status on a host managed through GPO, we look for the active profiles to be set to enabled at the same level as the GPO. Examples of what that would look like would be shown below, but the setting must be configured for the active profiles as well as at the level the GPO is configured.
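To see, per profile, whether the effective setting comes from Group Policy or from local policy, a read-only check like the following can be run on the host. It is an added example, not Huntress' detection logic or code from the original article; the function and variable names are illustrative, and it assumes the built-in NetSecurity and NetConnection cmdlets are available.

```powershell
# Added example: read-only audit of Windows Defender Firewall profile state.
# Makes no changes to the host. Function and variable names are illustrative.

# Profiles currently in use, derived from the category of each connected network.
$categoryToProfile = @{ DomainAuthenticated = 'Domain'; Private = 'Private'; Public = 'Public' }
$activeProfiles = @(Get-NetConnectionProfile |
    ForEach-Object { $categoryToProfile[[string]$_.NetworkCategory] } |
    Sort-Object -Unique)

# Return a hashtable of profile name -> Enabled value for one policy store.
function Get-ProfileState {
    param([Parameter(Mandatory)][string]$PolicyStore)
    $state = @{}
    Get-NetFirewallProfile -PolicyStore $PolicyStore -ErrorAction SilentlyContinue |
        ForEach-Object { $state[$_.Name] = [string]$_.Enabled }
    return $state
}

$effective   = Get-ProfileState -PolicyStore ActiveStore      # what is enforced right now
$localPolicy = Get-ProfileState -PolicyStore PersistentStore  # local (non-GPO) setting
$gpoPolicy   = Get-ProfileState -PolicyStore RSOP             # sum of all applied GPOs

$report = foreach ($name in 'Domain', 'Private', 'Public') {
    # A store that could not be read is reported as NotConfigured.
    $gpoValue = if ($gpoPolicy.ContainsKey($name)) { $gpoPolicy[$name] } else { 'NotConfigured' }
    [pscustomobject]@{
        Profile   = $name
        Active    = $activeProfiles -contains $name
        Effective = $effective[$name]
        Local     = $localPolicy[$name]
        GPO       = $gpoValue
        Source    = if ($gpoValue -eq 'NotConfigured') { 'Local policy' } else { 'Group Policy' }
    }
}
$report | Format-Table -AutoSize

# Flag any profile that is in use but not enforced as enabled.
$disabledActive = @($report | Where-Object { $_.Active -and $_.Effective -ne 'True' })
if ($disabledActive) {
    foreach ($row in $disabledActive) {
        Write-Warning "$($row.Profile) profile is active but not enabled (set by: $($row.Source))."
    }
} else {
    Write-Output 'All active firewall profiles are enabled.'
}
```

When the Source column shows Group Policy, a local `Set-NetFirewallProfile` change does not alter the effective value; the setting has to be corrected in the GPO itself.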