L1 BIO 13.01.02 ISO A.13.1.1 CIS Windows - Firewall default deny

Intune: Windows Firewall Domain - Default Inbound Block

πŸ“… 2025-10-30
β€’
⏱️ 3 minuten lezen
β€’
πŸ”΄ Must-Have

πŸ’Ό Management Samenvatting

Windows Firewall Domain: Default inbound action = BLOCK - whitelist approach (explicit allow rules ONLY).

Aanbeveling
IMPLEMENT
Risico zonder
High
Risk Score
9/10
Implementatie
10u (tech: 5u)
Van toepassing op:
βœ“ Windows 10
βœ“ Windows 11

Default block = least privilege network: Whitelist: ONLY explicitly allowed inbound traffic (RDP from jump server, SMB from file server), Blacklist = BROKEN: Cannot predict all attack vectors β†’ always gaps. Zero Trust: Deny by default, allow explicitly. Attack prevention: Port scan β†’ all ports blocked (except explicit allows) β†’ attacker finds nothing, Lateral movement: Compromised system tries SMB/RDP β†’ blocked (unless whitelisted source).

PowerShell Modules Vereist
Primary API: Microsoft Graph API
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.DeviceManagement

Implementatie

Default inbound block: Policy: Default inbound action: Block (deny all), Allow rules: Configured per service (RDP from 10.1.1.5/32 jump server, SMB from 10.2.1.0/24 file servers), Default outbound: Allow (can be restricted for high-security), User impact: NONE (legitimate traffic via allow rules).

Vereisten

  1. Intune subscription
  2. Windows 10/11
  3. Domain firewall enabled
  4. Network architecture: Document legitimate traffic flows (for allow rules)

Implementatie

Intune Settings Catalog: Windows Firewall β†’ Domain Profile β†’ Default Inbound Action: Block. Configure allow rules: Intune Firewall Rules β†’ Add rules for legitimate services (RDP, SMB, etc.) with source IP restrictions.

Compliance

CIS Windows Benchmark L1, Zero Trust, BIO 13.01, ISO 27001 A.13.1.1, NIST SC-7.

Monitoring

Gebruik PowerShell-script enable-domain-network-firewall-default-inbound-action-for-domain-profile-is-set-to-block.ps1 (functie Invoke-Monitoring) – Controleren.

Remediatie

Gebruik PowerShell-script enable-domain-network-firewall-default-inbound-action-for-domain-profile-is-set-to-block.ps1 (functie Invoke-Remediation) – Herstellen.

Compliance & Frameworks

Automation

Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).

PowerShell
<# .SYNOPSIS Intune Windows Firewall: Domain Profile Inbound Block .DESCRIPTION CIS - Windows Firewall Domain profile moet inbound connections blokkeren by default. .NOTES Filename: firewall-domain-inbound-block.ps1|Author: Nederlandse Baseline voor Veilige Cloud|NetSH: Domain Profile DefaultInboundAction|Expected: Block #> #Requires -Version 5.1 #Requires -RunAsAdministrator [CmdletBinding()]param([switch]$WhatIf, [switch]$Monitoring, [switch]$Remediation, [switch]$Revert) $ErrorActionPreference = 'Stop'; $Profile = "Domain"; $ExpectedAction = "Block" function Connect-RequiredServices { $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) } function Test-Compliance { $r = [PSCustomObject]@{ScriptName = "firewall-domain-inbound.ps1"; PolicyName = "Firewall Domain Inbound"; IsCompliant = $false; CurrentValue = $null; ExpectedValue = $ExpectedAction; Details = @() }; function Invoke-Revert { Set-NetFirewallProfile -Name $Profile -DefaultInboundAction Allow } try { $fw = Get-NetFirewallProfile -Name $Profile -ErrorAction SilentlyContinue; if ($fw) { $r.CurrentValue = $fw.DefaultInboundAction; if ($fw.DefaultInboundAction -eq $ExpectedAction) { $r.IsCompliant = $true; $r.Details += "Domain inbound: Block" }else { $r.Details += "Domain inbound: $($fw.DefaultInboundAction)" } }else { $r.Details += "Firewall profile niet gevonden" } }catch { $r.Details += "Error: $($_.Exception.Message)" }; return $r } function Invoke-Remediation { Set-NetFirewallProfile -Name $Profile -DefaultInboundAction Block; Write-Host "Domain profile inbound: Block" -ForegroundColor Green } function Invoke-Monitoring { $r = Test-Compliance; Write-Host "`n$($r.PolicyName): $(if($r.IsCompliant){'COMPLIANT'}else{'NON-COMPLIANT'})" -ForegroundColor $(if ($r.IsCompliant) { 'Green' }else { 'Red' }); return $r } function Invoke-Revert { Set-NetFirewallProfile -Name $Profile -DefaultInboundAction Allow } try { if (-not(Connect-RequiredServices)) { exit 1 }; if ($Monitoring) { $r = Invoke-Monitoring; exit $(if ($r.IsCompliant) { 0 }else { 1 }) }elseif ($Remediation) { if (-not $WhatIf) { Invoke-Remediation } }elseif ($Revert) { Invoke-Revert }else { $r = Test-Compliance; exit $(if ($r.IsCompliant) { 0 }else { 1 }) } }catch { Write-Error $_; exit 1 }

Risico zonder implementatie

Risico zonder implementatie
High: Hoog: Default allow = over-permissive (lateral movement, port scans succeed).

Management Samenvatting

Firewall Domain: Default inbound BLOCK. Whitelist approach. Configure allow rules for legitimate traffic. Zero Trust. Implementatie: 5-10 uur.