L1 BIO 13.01.02 ISO A.13.1.1 CIS Windows - Firewall policy merge

Intune: Windows Firewall Public - Block Local Firewall Rule Merge

πŸ“… 2025-10-30
β€’
⏱️ 3 minuten lezen
β€’
πŸ”΄ Must-Have

πŸ’Ό Management Samenvatting

Block local firewall rule merge on Public profile - prevents local admins/malware from adding firewall exceptions (centralized control ONLY).

Aanbeveling
IMPLEMENT
Risico zonder
High
Risk Score
8/10
Implementatie
2u (tech: 1u)
Van toepassing op:
βœ“ Windows 10
βœ“ Windows 11

Local policy merge = security bypass: Merge enabled: Centralized rules (Intune) + local rules (admin-created) = BOTH apply, Attack: Local admin creates allow rule β†’ bypasses centralized policy, Malware with admin: Adds firewall exception β†’ C2 communication allowed. Public profile: STRICTEST (public WiFi = hostile), Block merge: ONLY Intune rules apply (local rules IGNORED), Defense: Tamper-proof firewall (malware cannot weaken).

PowerShell Modules Vereist
Primary API: Microsoft Graph API
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.DeviceManagement

Implementatie

Block policy merge: Policy: Allow local firewall rule merge: False, Effect: Local firewall rules IGNORED (netsh advfirewall rules NOT applied), Intune rules: ONLY source of firewall policy, Public WiFi: Maximum protection (no local weakening possible).

Vereisten

  1. Intune subscription
  2. Windows 10/11
  3. Centralized firewall management (all rules via Intune)

Implementatie

Intune Settings Catalog: Windows Firewall β†’ Public Profile β†’ Allow local policy merge: False (block local rules). Effect: Intune firewall rules ONLY.

Compliance

CIS Windows Benchmark L1, Microsoft Security Baseline, BIO 13.01, ISO 27001 A.13.1.1.

Monitoring

Gebruik PowerShell-script enable-public-network-firewall-allow-local-policy-merge-is-set-to-false.ps1 (functie Invoke-Monitoring) – Controleren.

Remediatie

Gebruik PowerShell-script enable-public-network-firewall-allow-local-policy-merge-is-set-to-false.ps1 (functie Invoke-Remediation) – Herstellen.

Compliance & Frameworks

Automation

Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).

PowerShell
<# .SYNOPSIS Intune Windows Firewall: Public Block Local Policy Merge .DESCRIPTION CIS - Public profile moet local policy merge blokkeren. .NOTES Filename: firewall-public-policy-merge.ps1|Author: Nederlandse Baseline voor Veilige Cloud|NetSH: Public AllowLocalFirewallRules|Expected: False #> #Requires -Version 5.1 #Requires -RunAsAdministrator [CmdletBinding()]param([switch]$WhatIf, [switch]$Monitoring, [switch]$Remediation, [switch]$Revert) $ErrorActionPreference = 'Stop'; $Profile = "Public"; $ExpectedValue = $false function Connect-RequiredServices { $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) } function Test-Compliance { $r = [PSCustomObject]@{ScriptName = "firewall-public-policy-merge.ps1"; PolicyName = "Firewall Public Policy Merge"; IsCompliant = $false; CurrentValue = $null; ExpectedValue = "False"; Details = @() }; function Invoke-Revert { Set-NetFirewallProfile -Name $Profile -AllowLocalFirewallRules True } try { $fw = Get-NetFirewallProfile -Name $Profile -ErrorAction SilentlyContinue; if ($fw) { $r.CurrentValue = $fw.AllowLocalFirewallRules; if ($fw.AllowLocalFirewallRules -eq $ExpectedValue) { $r.IsCompliant = $true; $r.Details += "Policy merge blocked" }else { $r.Details += "Policy merge: $($fw.AllowLocalFirewallRules)" } }else { $r.Details += "Profile niet gevonden" } }catch { $r.Details += "Error: $($_.Exception.Message)" }; return $r } function Invoke-Remediation { Set-NetFirewallProfile -Name $Profile -AllowLocalFirewallRules False; Write-Host "Public policy merge blocked" -ForegroundColor Green } function Invoke-Monitoring { $r = Test-Compliance; Write-Host "`n$($r.PolicyName): $(if($r.IsCompliant){'COMPLIANT'}else{'NON-COMPLIANT'})" -ForegroundColor $(if ($r.IsCompliant) { 'Green' }else { 'Red' }); return $r } function Invoke-Revert { Set-NetFirewallProfile -Name $Profile -AllowLocalFirewallRules True } try { if (-not(Connect-RequiredServices)) { exit 1 }; if ($Monitoring) { $r = Invoke-Monitoring; exit $(if ($r.IsCompliant) { 0 }else { 1 }) }elseif ($Remediation) { if (-not $WhatIf) { Invoke-Remediation } }elseif ($Revert) { Invoke-Revert }else { $r = Test-Compliance; exit $(if ($r.IsCompliant) { 0 }else { 1 }) } }catch { Write-Error $_; exit 1 }

Risico zonder implementatie

Risico zonder implementatie
High: Hoog: Local policy merge = admins/malware can weaken public firewall (bypass protection).

Management Samenvatting

Block local firewall rule merge (Public profile). Centralized Intune control ONLY. Malware cannot add exceptions. Implementatie: 1-2 uur.