Comments (8)
No hurry, I disable local FW rules entirely, then you can only set FW rules by GPs. This way, I am 100% sure my settings always win and not even local admins can add rules or overwrite anything.
from hardeningkitty.
I removed the local Windows Firewall settings in the Microsoft Security Baseline lists in the development repo and it will be updated here in the next update.
from hardeningkitty.
I noticed during testing that the values are sometimes different, so I am doing a double check. This may happen if the settings were changed via GUI before group policies were applied. Depending on whether local settings are taken over/merged, this could have an influence. I have not yet tested how it is under Windows 11. Better safe than sorry ;-)
from hardeningkitty.
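An added example (not HardeningKitty's own code and not posted by anyone in this thread) of the kind of double check discussed above: it compares the firewall profile settings delivered by Group Policy with the locally stored ones, so a setting changed via the GUI shows up as a discrepancy. It assumes an elevated PowerShell session with the built-in NetSecurity module; the `Status` labels are made up for this illustration.

```powershell
# Added example: compare Windows Firewall profile settings across policy stores.
#   RSOP            = settings delivered by Group Policy
#   PersistentStore = settings configured locally (GUI, netsh, PowerShell)
#   ActiveStore     = the merged result that is currently enforced
$properties = 'Enabled', 'DefaultInboundAction', 'DefaultOutboundAction',
              'AllowLocalFirewallRules', 'AllowLocalIPsecRules',
              'NotifyOnListen', 'LogAllowed', 'LogBlocked'

$report = foreach ($profileName in 'Domain', 'Private', 'Public') {
    $gpo    = Get-NetFirewallProfile -Name $profileName -PolicyStore RSOP
    $local  = Get-NetFirewallProfile -Name $profileName -PolicyStore PersistentStore
    $active = Get-NetFirewallProfile -Name $profileName -PolicyStore ActiveStore

    foreach ($property in $properties) {
        # Stringify so that enum values such as NotConfigured compare cleanly.
        $gpoValue    = "$($gpo.$property)"
        $localValue  = "$($local.$property)"
        $activeValue = "$($active.$property)"

        # Status labels are hypothetical names chosen for this example.
        $status = if ($gpoValue -eq 'NotConfigured') {
            'LocalOnly'        # no GPO value, the local setting decides
        } elseif ($gpoValue -ne $activeValue) {
            'GpoNotEffective'  # GPO value is set but is not what is enforced
        } elseif ($gpoValue -ne $localValue) {
            'LocalDiffers'     # GPO wins, but the local store holds another value
        } else {
            'Match'
        }

        [pscustomobject]@{
            Profile  = $profileName
            Setting  = $property
            GPO      = $gpoValue
            Local    = $localValue
            Active   = $activeValue
            Status   = $status
        }
    }
}

# Show only the settings where the stores disagree or no GPO value exists.
$report | Where-Object Status -ne 'Match' | Format-Table -AutoSize
```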
OK, but we are not able to see if we are 100% compliant anymore, which is not a good thing. Maybe create a test list for yourself; the lists should never include anything other than the original baselines we are testing against.
from hardeningkitty.
Okay, I hear you. But that would not only affect the Windows Firewall config but also ASR (Registry and MPPreference Check) and Services (for CIS benchmarks), is this an issue as well?
I have added the checks to detect a potential discrepancy, which in my eyes offers added value to a "simple" compliance check.
For which use cases exactly do you use HardeningKitty and how did you come across the issue?
from hardeningkitty.
HardeningKitty is my replacement for the .... ms policy analyzer. I deploy all the important Microsoft product baselines to my domains and check with HardeningKitty if they stay in their original state.
Then, I decide if I will implement more strict policies, like BSI, CIS, dod etc.
Extra checks are a good idea, but I would prefer them to be separated from the official ones. As this tool is for compliance/security checks, the confusion of what is in each of the lists/checks should be kept to a minimum. If the description reads "ms win11 22h1 machine", it should contain only the corresponding policy settings version 22h1 from the ms download.
I also believe there are more people that need a replacement for the policy analyzer, because it might be deprecated already and has problems on non-US lang OS. I also mentioned HardeningKitty on the policy analyzer forum.
Next would be to do some lists for any custom policies that have to be implemented and maybe add Citrix:
https://www.citrix.com/about/legal/security-compliance/common-criteria.html
from hardeningkitty.
All other settings are fine, besides the one I reported in other issues. Firewall has 12 items notset/conflicting.
from hardeningkitty.
Don't worry, I haven't forgotten about the issue. I have a lot to do at the moment and would like to test the firewall history properly (do local settings have an effect or does the GPO always take effect). I will be back.
from hardeningkitty.