The Windows Firewall is one of the most underrated defensive tools already available to you—costing nothing but time. Here are high-impact configurations to enhance security:
- ❌ Block SMB between workstations
- 🔒 Block WMI/WinRM where not needed
- 🖥️ Only allow RDP from management VLANs or jump boxes
- ✅ Only allow remote management from approved hosts/networks
You don’t need new tools—just effective use of existing ones.
You Should Know: Practical Firewall Configurations
1. Blocking SMB Between Workstations
SMB (Server Message Block) is a common lateral-movement channel, and workstations rarely need to talk to each other over it. Block it with:
```powershell
# Inbound: stop peers connecting to this workstation's SMB service (TCP 445)
New-NetFirewallRule -DisplayName "Block SMB Workstations" -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Any
# Outbound: stop this workstation connecting to peers' SMB. An outbound rule has to
# match the remote port; the local port of an outgoing connection is ephemeral.
New-NetFirewallRule -DisplayName "Block SMB Workstations Outbound" -Direction Outbound -Protocol TCP -RemotePort 445 -Action Block -Profile Any
```
2. Restricting WMI/WinRM Access
Prevent unauthorized remote execution:
```powershell
# Block WMI (RPC endpoint mapper on 135, plus the dynamic RPC range 49152-65535)
New-NetFirewallRule -DisplayName "Block WMI" -Direction Inbound -Protocol TCP -LocalPort 135 -Action Block
# Note: the dynamic range is shared by every RPC-based service, not only WMI, so this
# rule also blocks those; scope it with -RemoteAddress if it breaks something you need.
New-NetFirewallRule -DisplayName "Block Dynamic WMI Ports" -Direction Inbound -Protocol TCP -LocalPort 49152-65535 -Action Block
# Block WinRM (HTTP 5985 / HTTPS 5986)
New-NetFirewallRule -DisplayName "Block WinRM" -Direction Inbound -Protocol TCP -LocalPort 5985,5986 -Action Block
```
3. Restricting RDP Access
Allow RDP only from trusted IPs:
```powershell
New-NetFirewallRule -DisplayName "Allow RDP from Management VLAN" -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow -RemoteAddress 192.168.1.0/24
```
4. Limiting Remote Management
Permit only approved hosts for administrative tasks:
```powershell
New-NetFirewallRule -DisplayName "Allow Remote Mgmt from Trusted Hosts" -Direction Inbound -Protocol TCP -LocalPort 135,445,5985 -Action Allow -RemoteAddress 10.0.0.5,10.0.0.10
```
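The four rule sets above interact: Windows applies Block rules ahead of Allow rules, so a block on port 445 or 135 that also covers the admin hosts would silently defeat the "Allow Remote Mgmt" rule. The following script is an added example, not code from the original post; it applies all four sections in one idempotent pass, scopes the block rules to workstation VLANs and the allow rules to management addresses so they do not collide, and prints a summary for verification. Every address, the rule group name and the helper function names are assumptions for illustration.

```powershell
# Added example (not from the original post): apply the post's four rule sets in
# one idempotent script and verify the result. All addresses are assumptions;
# replace them with your own VLANs and admin hosts.
$WorkstationNets = @('192.168.10.0/24', '192.168.11.0/24')  # assumed workstation VLANs
$MgmtNet         = '10.0.0.0/24'                            # assumed management VLAN / jump boxes
$AdminHosts      = @('10.0.0.5', '10.0.0.10')               # assumed approved admin hosts
$RuleGroup       = 'Workstation Hardening'                  # tag so the set can be listed or removed together

function Set-HardeningRule {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [ValidateSet('Inbound', 'Outbound')] [string] $Direction,
        [Parameter(Mandatory)] [string[]] $Port,
        [Parameter(Mandatory)] [ValidateSet('Allow', 'Block')] [string] $Action,
        [string[]] $RemoteAddress = 'Any'
    )
    # Inbound rules match the local listening port; outbound rules must match the
    # remote port, otherwise the rule never fires.
    $portParam = if ($Direction -eq 'Inbound') { @{ LocalPort = $Port } } else { @{ RemotePort = $Port } }

    # Remove any earlier copy so re-running the script does not stack duplicates.
    Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    New-NetFirewallRule -DisplayName $Name -Group $RuleGroup -Direction $Direction -Protocol TCP `
        -Action $Action -RemoteAddress $RemoteAddress -Profile Any @portParam | Out-Null
}

# Block rules win over Allow rules, so each block is scoped to the workstation
# VLANs and never covers the management addresses used by the allow rules.

# 1. SMB between workstations (inbound from peers, and outbound to peers)
Set-HardeningRule -Name 'Block SMB from Workstations' -Direction Inbound  -Port 445 -Action Block -RemoteAddress $WorkstationNets
Set-HardeningRule -Name 'Block SMB to Workstations'   -Direction Outbound -Port 445 -Action Block -RemoteAddress $WorkstationNets

# 2. WMI (RPC endpoint mapper) and WinRM from other workstations
Set-HardeningRule -Name 'Block RPC/WMI from Workstations' -Direction Inbound -Port 135 -Action Block -RemoteAddress $WorkstationNets
Set-HardeningRule -Name 'Block WinRM from Workstations'   -Direction Inbound -Port 5985, 5986 -Action Block -RemoteAddress $WorkstationNets

# 3. RDP only from the management VLAN
Set-HardeningRule -Name 'Allow RDP from Management VLAN' -Direction Inbound -Port 3389 -Action Allow -RemoteAddress $MgmtNet

# 4. Remote management only from approved hosts
Set-HardeningRule -Name 'Allow Remote Mgmt from Admin Hosts' -Direction Inbound -Port 135, 445, 5985, 5986 -Action Allow -RemoteAddress $AdminHosts

# With the default inbound action set to Block, anything not explicitly allowed
# above (RDP or WinRM from any other VLAN, for instance) is dropped without
# needing a block rule for every source.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# Verification: list the set with its resolved ports and remote scopes.
function Get-HardeningRuleSummary {
    Get-NetFirewallRule -Group $RuleGroup | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $_.DisplayName
            Direction     = $_.Direction
            Action        = $_.Action
            LocalPort     = ($pf.LocalPort -join ',')
            RemotePort    = ($pf.RemotePort -join ',')
            RemoteAddress = ($af.RemoteAddress -join ',')
            Enabled       = $_.Enabled
        }
    }
}
Get-HardeningRuleSummary | Format-Table -AutoSize
```

Run it from an elevated PowerShell session. The summary is the check worth keeping: if a block rule's RemoteAddress overlaps an allow rule's RemoteAddress for the same port, the allow rule will never take effect.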
What Undercode Say
Windows Firewall, when properly configured, is a powerful tool against lateral movement and unauthorized access. Key takeaways:
- Disable unnecessary services (SMB, WMI, WinRM) where possible.
- Use explicit allow rules instead of broad permissions.
- Log firewall activity for auditing:
```powershell
Set-NetFirewallProfile -Profile Domain,Public,Private -LogAllowed True -LogBlocked True -LogFileName "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"
```
- Combine with GPOs for enterprise-wide enforcement.
- For Linux admins, analogous iptables/ufw rules apply:
```bash
sudo ufw deny from 192.168.1.0/24 to any port 445
sudo ufw allow from 10.0.0.5 to any port 22
```
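Turning on logging is only useful if someone reads the log. The script below is an added example, not part of the original post: it parses the W3C-style pfirewall.log format (column names come from the file's own `#Fields:` header) and summarises dropped inbound connections per source and port, flagging the lateral-movement ports discussed above. The log lines embedded in it are constructed sample data, and the function names are assumptions.

```powershell
# Added example (not from the original post): summarise what the firewall log
# shows being dropped, so the new rules can be checked both for effect and for
# collateral damage. The sample lines below are constructed for illustration.
$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 10:15:02 DROP TCP 192.168.10.21 192.168.10.22 51234 445 52 S 100 0 65535 - - - RECEIVE
2024-05-01 10:15:03 DROP TCP 192.168.10.21 192.168.10.22 51235 445 52 S 101 0 65535 - - - RECEIVE
2024-05-01 10:15:09 DROP TCP 192.168.10.21 192.168.10.22 51240 5985 52 S 102 0 65535 - - - RECEIVE
2024-05-01 10:16:11 ALLOW TCP 10.0.0.5 192.168.10.22 60001 3389 52 S 103 0 65535 - - - RECEIVE
2024-05-01 10:17:30 DROP TCP 192.168.10.35 192.168.10.22 40022 3389 52 S 104 0 65535 - - - RECEIVE
2024-05-01 10:18:00 DROP UDP 192.168.10.40 192.168.10.22 137 137 78 - - - - - - - RECEIVE
'@

function ConvertFrom-FirewallLog {
    param([Parameter(Mandatory)] [string[]] $Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # The header names the columns; data lines are space-separated in that order.
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { continue }   # data before any header cannot be interpreted
        $values = $line -split '\s+'
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $obj[$fields[$i]] = if ($i -lt $values.Count) { $values[$i] } else { $null }
        }
        [pscustomobject]$obj
    }
}

function Get-BlockedInboundSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Entries,
        [int[]] $WatchPorts = @(135, 445, 3389, 5985, 5986)   # the ports the post's rules cover
    )
    $Entries |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object 'src-ip', 'dst-port' |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Source    = $first.'src-ip'
                Port      = [int]$first.'dst-port'
                Protocol  = $first.protocol
                Attempts  = $_.Count
                FirstSeen = "$($first.date) $($first.time)"
                # Repeated drops on a management port from one peer are the rows to review.
                Watch     = ([int]$first.'dst-port') -in $WatchPorts
            }
        } |
        Sort-Object -Property Attempts -Descending
}

$entries = ConvertFrom-FirewallLog -Lines ($SampleLog -split "`r?`n")
Get-BlockedInboundSummary -Entries $entries | Format-Table -AutoSize

# Against the live log (the path set by the post's Set-NetFirewallProfile command):
# $live = ConvertFrom-FirewallLog -Lines (Get-Content "$env:systemroot\system32\LogFiles\Firewall\pfirewall.log")
# Get-BlockedInboundSummary -Entries $live | Where-Object Watch | Format-Table -AutoSize
```

With the sample data, the top row is 192.168.10.21 hitting port 445 twice, which is exactly the workstation-to-workstation SMB traffic the rules are meant to stop; a row that turns out to be a legitimate server or admin host instead points at a rule scoped too broadly.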
Expected Output:
A hardened Windows Firewall configuration reducing attack surfaces while maintaining operational needs.
References:
Reported By: Spenceralessi The – Hackers Feeds