When an attacker compromises a server, one of the first things they may go after is the host-based firewall. Modifying the firewall can permit them to transfer a rootkit onto the local system, or open a backdoor through which they can maintain long-term access. Both the Linux and the Windows versions of Halo have the ability to detect and alert on firewall changes. Detected changes can then be reviewed via the Halo interface. While Linux changes are relatively straightforward to read, as they are formatted one change per line, the Windows output can be a bit more difficult to follow as it is quite verbose. In this post I’ll cover how to make sense of the output when a change is detected on a Windows system’s firewall.
As the gatekeeper to system access, firewall integrity is a major concern. Far too often we have a “set it and forget it” attitude when it comes to the firewall configuration. If an attacker wishes to further expose a compromised system, the first step is going to be modifying the local firewall rules.
While Halo could simply reapply the firewall rules at regular intervals in a vain attempt to thwart the activity, this would alert the attacker that you have implemented additional security measures and would still fail to inform you that your system has been compromised. Further, it would make administration more difficult if, for some reason, you need to make a temporary firewall change outside of the Halo interface.
Windows Firewall Output
Windows has the ability to output the firewall rules in two different formats. The first is a binary format which is not human readable, but is useful if you ever need to back up your firewall rules. The second format is readable text similar to the following:
Rule Name: Netlogon Service (NP-In)
----------------------------------------------------------------------
Enabled: No
Direction: In
Profiles: Domain,Private,Public
Grouping: Netlogon Service
LocalIP: Any
RemoteIP: Any
Protocol: TCP
LocalPort: 445
RemotePort: Any
Edge traversal: No
Action: Allow
Note that the above output conveys a lot of useful information; it is just spread out over multiple lines. Here’s what each of the fields means:
This verbose output can be problematic when firewall rule changes are detected. Consider the output in Figure 1, which shows Halo reporting a firewall change on a Windows system. Remember that new rules are displayed in green while missing rules are presented in red.
Note that it appears two changes have taken place:
While this is technically correct, it would be clearer to identify the changes as:
Because of the way rules are formatted, the add/delete ends up looking like multiple changes. This means that you need to pay very close attention to the order of changes being presented in the output.
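To see why a single edited rule shows up as several line changes, and how comparing snapshots rule by rule avoids that, here is a small parser and differ for the text format above. This is an added example written for this post, not Halo’s code; the two snapshots are constructed (the Netlogon rule trimmed to a few fields, before and after it is enabled, plus a second rule that exists only in the second snapshot), and the rule key of (name, direction, protocol) is an assumption made because Windows allows several rules with the same display name.

```python
def parse_rules(text):
    """Parse `netsh advfirewall firewall show rule name=all` text into
    {(name, direction, protocol): {field: value}}; the key includes Direction
    and Protocol because several rules may share one display name."""
    blocks, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:              # blank lines, dashed separators, trailing "Ok."
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Rule Name":           # a new rule block begins here
            current = {key: value}
            blocks.append(current)
        elif current is not None:
            current[key] = value
    return {(b["Rule Name"], b.get("Direction", ""), b.get("Protocol", "")): b
            for b in blocks}

def diff_rules(old, new):
    """Rule-level diff: (added keys, removed keys, {key: {field: (old, new)}})."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {}
    for k in set(old) & set(new):
        delta = {f: (old[k].get(f), new[k].get(f))
                 for f in set(old[k]) | set(new[k])
                 if old[k].get(f) != new[k].get(f)}
        if delta:
            changed[k] = delta
    return added, removed, changed

# Constructed sample (not Halo output): one rule flipped from disabled to enabled,
# and a second rule that only exists in the AFTER snapshot.
BEFORE = """Rule Name:      Netlogon Service (NP-In)
----------------------------------------------------------------------
Enabled:        No
Direction:      In
Protocol:       TCP
"""
AFTER = BEFORE.replace("Enabled:        No", "Enabled:        Yes") + """
Rule Name:      Constructed Test Rule (TCP-In)
----------------------------------------------------------------------
Enabled:        Yes
Direction:      In
Protocol:       TCP
"""
```

A line-oriented diff of these two snapshots reports a removed “Enabled: No” line, an added “Enabled: Yes” line and a block of new lines; the rule-level diff reports one modified rule (Enabled: No to Yes) and one added rule, which is the reading the post recommends.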
Beyond that, the Halo implementation of detecting Windows firewall rule changes is identical to its Linux counterpart. You can define Special Events Policies that detect firewall changes, apply them to your groups of Windows servers and even receive real-time alerts via email.