πΌ Management Samenvatting
Log dropped packets in Windows Firewall Domain profile - visibility into BLOCKED traffic (attack detection: port scans, lateral movement attempts).
Aanbeveling
IMPLEMENT
Risico zonder
Medium
Risk Score
5/10
Implementatie
4u (tech: 2u)
Van toepassing op:
β Windows 10
β Windows 11
β Windows 11
Dropped packet logging = attack visibility: Firewall blocks: Port scans, lateral movement, exploit attempts, WITHOUT logging: Attacks invisible (attacker scans β firewall blocks β NO evidence), WITH logging: Attack attempts logged β SIEM (Microsoft Sentinel) β alerts, patterns, forensics. Use cases: Port scan: Attacker scans 445/SMB β firewall blocks + logs β alert: 'Port scan from 10.1.2.50', Lateral movement: Compromised workstation tries RDP to other PCs β blocked + logged β incident response.
PowerShell Modules Vereist
Primary API: Microsoft Graph API
Connection:
Required Modules: Microsoft.Graph.DeviceManagement
Connection:
Connect-MgGraphRequired Modules: Microsoft.Graph.DeviceManagement
Implementatie
Log dropped packets: Policy: Log dropped packets: Yes (Enable logging), Log location: %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log, Log format: Date, time, action (DROP), protocol, src-ip, dst-ip, src-port, dst-port, Export: To SIEM (Microsoft Sentinel) β automated alerts, correlation.
Vereisten
- Intune subscription
- Windows 10/11
- Log max size: 16MB+ (adequate retention)
- SIEM: Microsoft Sentinel (log forwarding)
Implementatie
Intune Settings Catalog: Windows Firewall β Domain Profile β Log dropped packets: Yes. Combined: Log max size 16MB, Export logs to Sentinel (Log Analytics agent). Alerts: Configure SIEM rules (port scan detection).
Compliance
CIS Windows Benchmark L1, BIO 12.04, ISO 27001 A.12.4.1.
Monitoring
Gebruik PowerShell-script enable-domain-network-firewall-enable-log-dropped-packets-is-set-to-yes-enable-logging-of-dropped-packets.ps1 (functie Invoke-Monitoring) β Controleren.
Remediatie
Gebruik PowerShell-script enable-domain-network-firewall-enable-log-dropped-packets-is-set-to-yes-enable-logging-of-dropped-packets.ps1 (functie Invoke-Remediation) β Herstellen.
Compliance & Frameworks
- CIS M365: Control Windows - Firewall logging (L1) -
- BIO: 12.04.01 -
- ISO 27001:2022: A.12.4.1 -
Automation
Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).
PowerShell
<#
.SYNOPSIS
Intune Windows Firewall: Domain Log Dropped Packets
.DESCRIPTION
CIS - Firewall moet dropped packets loggen voor security monitoring.
.NOTES
Filename: firewall-domain-log-dropped.ps1|Author: Nederlandse Baseline voor Veilige Cloud|NetSH: Domain Profile LogDroppedPackets|Expected: True
#>
#Requires -Version 5.1
#Requires -RunAsAdministrator
[CmdletBinding()]param([switch]$WhatIf, [switch]$Monitoring, [switch]$Remediation, [switch]$Revert)
$ErrorActionPreference = 'Stop'; $Profile = "Domain"; $ExpectedValue = $true
function Connect-RequiredServices { $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) }
function Test-Compliance {
$r = [PSCustomObject]@{ScriptName = "firewall-domain-log-dropped.ps1"; PolicyName = "Firewall Domain Log Dropped"; IsCompliant = $false; CurrentValue = $null; ExpectedValue = "Enabled"; Details = @() }; function Invoke-Revert { Set-NetFirewallProfile -Name $Profile -LogBlocked False }
try { $fw = Get-NetFirewallProfile -Name $Profile -ErrorAction SilentlyContinue; if ($fw) { $r.CurrentValue = $fw.LogBlocked; if ($fw.LogBlocked -eq $ExpectedValue) { $r.IsCompliant = $true; $r.Details += "Dropped packets logging enabled" }else { $r.Details += "Dropped packets logging: $($fw.LogBlocked)" } }else { $r.Details += "Profile niet gevonden" } }catch { $r.Details += "Error: $($_.Exception.Message)" }; return $r
}
function Invoke-Remediation { Set-NetFirewallProfile -Name $Profile -LogBlocked True; Write-Host "Domain dropped packets logging enabled" -ForegroundColor Green }
function Invoke-Monitoring { $r = Test-Compliance; Write-Host "`n$($r.PolicyName): $(if($r.IsCompliant){'COMPLIANT'}else{'NON-COMPLIANT'})" -ForegroundColor $(if ($r.IsCompliant) { 'Green' }else { 'Red' }); return $r }
function Invoke-Revert { Set-NetFirewallProfile -Name $Profile -LogBlocked False }
try { if (-not(Connect-RequiredServices)) { exit 1 }; if ($Monitoring) { $r = Invoke-Monitoring; exit $(if ($r.IsCompliant) { 0 }else { 1 }) }elseif ($Remediation) { if (-not $WhatIf) { Invoke-Remediation } }elseif ($Revert) { Invoke-Revert }else { $r = Test-Compliance; exit $(if ($r.IsCompliant) { 0 }else { 1 }) } }catch { Write-Error $_; exit 1 }
Risico zonder implementatie
Risico zonder implementatie
Medium: Medium: No dropped packet logging = blind to attacks (port scans, lateral movement invisible).
Management Samenvatting
Enable Windows Firewall dropped packet logging. Attack visibility (port scans, lateral movement). Export to SIEM. Implementatie: 2-4 uur.
- Implementatietijd: 4 uur
- FTE required: 0.02 FTE