
Comments (8)

FLeven commented on May 18, 2024

No hurry, I disable local FW rules entirely, then you can only set FW rules by GPs. This way, I am 100% sure my settings always win and not even local admins can add rules or overwrite anything.

from hardeningkitty.

0x6d69636b commented on May 18, 2024

I removed the local Windows Firewall settings in the Microsoft Security Baseline lists in the development repo and it will be updated here in the next update.


0x6d69636b commented on May 18, 2024

I noticed during testing that the values are sometimes different, so I am doing a double check. This may happen if the settings were changed via GUI before group policies were applied. Depending on whether local settings are taken over/merged, this could have an influence. I have not yet tested how it is under Windows 11. Better safe than sorry ;-)


FLeven commented on May 18, 2024

OK, but we are not able to see if we are 100% compliant anymore, which is not a good thing. Maybe create a test list for yourself; the lists should never include anything else than the original baselines we are testing against.


0x6d69636b commented on May 18, 2024

Okay, I hear you. But that would not only affect the Windows Firewall config but also ASR (Registry and MPPreference Check) and Services (for CIS benchmarks), is this an issue as well?

I have added the checks to detect a potential discrepancy which in my eyes offers added value to a "simple" compliance check.

For which use cases exactly do you use HardeningKitty and how did you come across the issue?


FLeven commented on May 18, 2024

HardeningKitty is my replacement for the .... ms policy analyzer, I deploy all the important Microsoft product baselines to my domains and check with HardeningKitty if they stay in their original state.

Then, I decide if I will implement more strict policies, like BSI, CIS, dod etc.

Extra checks are a good idea, but I would prefer them to be separated from the official ones. As this tool is for compliance/security checks, the confusion of what is in each of the lists/checks should be kept to a minimum. If the description reads "ms win11 22h1 machine", it should contain only the corresponding policy settings version 22h1 from the ms download.
I also believe there are more people that need a replacement for the policy analyzer, because it might be deprecated already and has problems on non US lang OS. I also mentioned HardeningKitty on the policy analyzer forum.

Next would be to do some lists for any custom policies that have to be implemented and maybe add Citrix:
https://www.citrix.com/about/legal/security-compliance/common-criteria.html


FLeven commented on May 18, 2024

All other settings are fine, besides the one I reported in other issues. Firewall has 12 items notset/conflicting.


0x6d69636b commented on May 18, 2024

Don't worry, I haven't forgotten about the issue. I have a lot to do at the moment and would like to test the firewall history properly (do local settings have an effect or does the GPO always take effect). I will be back.
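
The question running through this thread, whether locally configured firewall settings differ from what Group Policy enforces and whether local rules are merged at all, can be checked with the built-in NetSecurity cmdlets. The following is an added example, not part of the thread and not HardeningKitty code; the choice of settings to compare is an assumption.

```powershell
# Added example, not HardeningKitty code.
# PersistentStore = settings configured locally (GUI, netsh, local cmdlets)
# ActiveStore     = effective settings after Group Policy has been applied
$profiles = 'Domain', 'Private', 'Public'
$settings = 'Enabled', 'DefaultInboundAction', 'DefaultOutboundAction',
            'AllowLocalFirewallRules', 'AllowLocalIPsecRules',
            'NotifyOnListen', 'LogAllowed', 'LogBlocked', 'LogMaxSizeKilobytes'

$report = foreach ($name in $profiles) {
    $local     = Get-NetFirewallProfile -Name $name -PolicyStore PersistentStore
    $effective = Get-NetFirewallProfile -Name $name -PolicyStore ActiveStore
    foreach ($s in $settings) {
        [pscustomobject]@{
            Profile   = $name
            Setting   = $s
            Local     = $local.$s
            Effective = $effective.$s
            # Compared as strings so enum and numeric settings are handled alike.
            # A local value of NotConfigured is reported as a difference too.
            Differs   = "$($local.$s)" -ne "$($effective.$s)"
        }
    }
}

# Settings where the local value is not what is actually in effect.
$report | Where-Object Differs | Format-Table -AutoSize

# Enabled rules that exist only in the local store.
$localRules = @(Get-NetFirewallRule -PolicyStore PersistentStore |
    Where-Object { $_.Enabled -eq 'True' })

# Per profile: is merging of local rules allowed in the effective policy?
foreach ($name in $profiles) {
    $merge = (Get-NetFirewallProfile -Name $name -PolicyStore ActiveStore).AllowLocalFirewallRules
    [pscustomobject]@{
        Profile                 = $name
        AllowLocalFirewallRules = $merge
        EnabledLocalRules       = $localRules.Count
        Note = if ("$merge" -eq 'False') { 'local rules are not applied' }
               else { 'local rules can take effect' }
    }
}
```

A profile that reports `AllowLocalFirewallRules` as `False` while enabled local rules exist matches the setup described in the first comment, where only rules delivered by Group Policy apply.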
