L1 BIO 12.04.01 ISO A.12.4.1 CIS Windows - Firewall log size

Intune: Windows Firewall Domain Log Size (16MB+)

πŸ“… 2025-10-30
β€’
⏱️ 3 minuten lezen
β€’
🟒 Should-Have

πŸ’Ό Management Samenvatting

Windows Firewall Domain log max size = 16MB+ (CIS: 16384 KB minimum) - adequate retention voor incident investigation.

Aanbeveling
IMPLEMENT
Risico zonder
Low
Risk Score
3/10
Implementatie
2u (tech: 1u)
Van toepassing op:
βœ“ Windows 10
βœ“ Windows 11

Firewall log size = retention capacity: Small log (4MB default): Busy network β†’ log rotates hourly β†’ incident evidence overwritten, Large log (16MB+): Days/weeks retention β†’ sufficient voor forensics. Investigation scenario: Security incident detected β†’ need firewall logs from 3 days ago β†’ if log = 4MB: overwritten (evidence lost), if log = 16MB: retained (investigation succeeds). CIS recommendation: 16MB minimum (balance: retention vs disk space).

PowerShell Modules Vereist
Primary API: Microsoft Graph API
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.DeviceManagement

Implementatie

Log size configuration: 16MB (16384 KB): Adequate retention (high-traffic networks), Rotation: When full β†’ oldest entries overwritten (circular buffer), Location: %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log, Export: To SIEM (Microsoft Sentinel) voor long-term retention (7 jaar).

Vereisten

  1. Intune subscription
  2. Windows 10/11
  3. Firewall logging enabled (separate setting)

Implementatie

Intune Settings Catalog: Windows Firewall β†’ Domain Profile β†’ Log Max File Size: 16384 KB. Combined: Enable logging (dropped packets + successful connections).

Compliance

CIS Windows Benchmark L1 (16MB), BIO 12.04, ISO 27001 A.12.4.1.

Monitoring

Gebruik PowerShell-script enable-domain-network-firewall-log-max-file-size-is-set-to-16-384-kb-or-greater.ps1 (functie Invoke-Monitoring) – Controleren.

Remediatie

Gebruik PowerShell-script enable-domain-network-firewall-log-max-file-size-is-set-to-16-384-kb-or-greater.ps1 (functie Invoke-Remediation) – Herstellen.

Compliance & Frameworks

Automation

Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).

PowerShell
<# .SYNOPSIS Intune Windows Firewall: Domain Log Max File Size .DESCRIPTION CIS - Firewall log max size moet 16384 KB of groter. .NOTES Filename: firewall-domain-log-size.ps1|Author: Nederlandse Baseline voor Veilige Cloud|NetSH: Domain Profile LogMaxFileSize|Expected: 16384 KB #> #Requires -Version 5.1 #Requires -RunAsAdministrator [CmdletBinding()]param([switch]$WhatIf, [switch]$Monitoring, [switch]$Remediation, [switch]$Revert) $ErrorActionPreference = 'Stop'; $Profile = "Domain"; $MinSize = 16384 function Connect-RequiredServices { $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) } function Test-Compliance { $r = [PSCustomObject]@{ScriptName = "firewall-domain-log-size.ps1"; PolicyName = "Firewall Domain Log Size"; IsCompliant = $false; CurrentValue = $null; ExpectedValue = "$MinSize KB+"; Details = @() }; function Invoke-Revert { Set-NetFirewallProfile -Name $Profile -LogMaxSizeKilobytes 4096 } try { $fw = Get-NetFirewallProfile -Name $Profile -ErrorAction SilentlyContinue; if ($fw) { $r.CurrentValue = "$($fw.LogMaxSizeKilobytes) KB"; if ($fw.LogMaxSizeKilobytes -ge $MinSize) { $r.IsCompliant = $true; $r.Details += "Log size: $($fw.LogMaxSizeKilobytes) KB" }else { $r.Details += "Log size te klein: $($fw.LogMaxSizeKilobytes) KB" } }else { $r.Details += "Profile niet gevonden" } }catch { $r.Details += "Error: $($_.Exception.Message)" }; return $r } function Invoke-Remediation { Set-NetFirewallProfile -Name $Profile -LogMaxSizeKilobytes $MinSize; Write-Host "Domain log size: $MinSize KB" -ForegroundColor Green } function Invoke-Monitoring { $r = Test-Compliance; Write-Host "`n$($r.PolicyName): $(if($r.IsCompliant){'COMPLIANT'}else{'NON-COMPLIANT'})" -ForegroundColor $(if ($r.IsCompliant) { 'Green' }else { 'Red' }); return $r } function Invoke-Revert { Set-NetFirewallProfile -Name $Profile -LogMaxSizeKilobytes 4096 } try { if (-not(Connect-RequiredServices)) { exit 1 }; if ($Monitoring) { $r = Invoke-Monitoring; exit $(if ($r.IsCompliant) { 0 }else { 1 }) }elseif ($Remediation) { if (-not $WhatIf) { Invoke-Remediation } }elseif ($Revert) { Invoke-Revert }else { $r = Test-Compliance; exit $(if ($r.IsCompliant) { 0 }else { 1 }) } }catch { Write-Error $_; exit 1 }

Risico zonder implementatie

Risico zonder implementatie
Low: Low: Small log = incident evidence overwritten (forensics impossible).

Management Samenvatting

Firewall Domain log size: 16MB+ (CIS minimum). Adequate retention. Export to SIEM. Implementatie: 1-2 uur.