Best practices: MS Security baselines with WithSecure firewall?

We're using the MS Security Baseline GPOs, which enable the Windows Firewall, blocking all incoming connections, and allowing all outgoing connections. With these settings, the "Isolate a device" function in WithSecure doesn't work because it cannot overrule the GPO rules, which means that the outbound connections are not blocked by WithSecure.

I then tried creating a second GPO to override the Baseline GPO, which also blocks all outbound connections. Besides that, I added a rule to the WithSecure firewall profile to allow all outbound connections. This seems to work fine. Putting a test-pc in isolation indeed blocks all traffic, and I see a couple of outbound WithSecure firewall rules to allow it to communicate to its servers.

However, after putting the host in isolation and releasing it a couple of times, it got stuck in isolation, and I was unable to release it. Even though all the same outbound rules were created, no outbound connections could be made by the client. This is a situation that I don't want to be in in production of course.

During the tests, I disabled the "allow other rules" at some point, maybe that was a bad idea.

Anyway, I am curious about the correct way to set these things up. We can't be the only company that uses these MS Security Baselines combined with the WithSecure firewall? The documentation on the WithSecure site is way too limited ...



  • Sethu Laks
    Sethu Laks Posts: 751 Moderator

    Hi @bmaster

    Do ensure your firewall is controlled by WithSecure and not by MS Security Baseline GPO.

    When you isolate the host, the WithSecure Elements Agent has to disable all the firewall rules and only keep the ones active that are required for the endpoint to communicate with the portal or with the WithSecure Cloud.

    Once it's controlled by WithSecure, the isolation feature will work as expected. 

    Also, there could be chances some of the WithSecure URLs are fully not reachable and that's why there is a delay. 

    We will suggest you ensure that the below URL's are fully whitelisted in your network/firewall/router.

  • bmaster
    bmaster Posts: 6 New Member

    Does this mean that I have to change the actual MS Security baselines (which is totally not recommended by MS)? You can't "remove" settings from one GPO from within another GPO, you can only give a new value for these settings, like what I did with the blocking of the outbound connections.

  • James Chang
    James Chang Posts: 422 Moderator

    Hi @bmaster ,

    'WithSecure Firewall' does not exist anymore. It is just a plugin that allows you to manage the Windows Firewall from Portal/Policy Manager.

    There should not be two managers for one Firewall.

    Either you control it with GPO, or with WithSecure, otherwise it is bound to run into conflicts (and GPO will be prioritized every time).

    We do not see the issue with your configuration (other than that allowing all outbound connection is definitely not the same as isolation);

    • You can manage Firewall with GPO for enable/disable different connection
    • Default WithSecure rules for WithSecure backends will be added in any case
    • Custom rules can be added either by GPO or by WithSecure plugin (not both, never both)
    • and if you need to disable 'Allow other rules', we recommend to look into 'Always all these rules/group of rules' table on Elements Portal (this should be available in Policy Manager 16.00) , to ensure that you have all the necessary rules/groups enabled even if all non-WithSecure rules are being disabled (like Network discovery group of rules, or something along these lines)

    If you have some particular issue with isolating-releasing-isolating, we will need to investigate the logs.

  • bmaster
    bmaster Posts: 6 New Member

    I think you don't fully understand what I'm trying to describe, or I am overthinking this :-)

    The MS Baseline GPO's are supplied by Microsoft, and are not to be changed. If there's a setting in there that you want different, then you make a new GPO that "overwrites" this setting.

    In these baselines, the firewall is turned ON, allowing all outbound traffic and blocking inbound traffic.

    Problem 1: This means that WithSecure can't put the host completely in isolation mode, because the allowed outbound traffic set by the GPO will always have priority, as you say.

    My idea to solve this problem 1 was to make a second GPO that blocks outbound traffic, since I cannot remove the "allow outbound" from the first (baseline) GPO. But that seems to be risky: WithSecure cannot allow the necessary outbound traffic because the GPO has priority.

    Problem/question 2: you say I can add rules with GPO or by WithSecure, but when I add them by GPO (for example: I want to allow inbound SMB traffic), then WithSecure will not block inbound SMB when in isolation mode?

    So, conclusion: the only way to get around this, is to modify the MS Baseline GPOs, and set the "allow outbound" and "block inbound" settings to "not configured", so that they can be managed by WithSecure.

  • James Chang
    James Chang Posts: 422 Moderator


    I will check with our product team and get back to you about this.

  • bmaster
    bmaster Posts: 6 New Member

    Any news from the product team about this?

  • James Chang
    James Chang Posts: 422 Moderator


    In general: if you are using GPO, you should not be using our Firewall capabilities.

    Reason - Because GPO will always be prioritised & you might feel the performance impact of two conflicting managements.

    Regarding your question about network isolation:

    During network isolation, we disable allow rules and set 'block' to both inbound/outbound unknown connections (with some necessary exclusion like our backends to allow releasing the host from isolation in the future and some core networking components like DNS).

    Since, in your case the Firewall is managed by GPO (MS Baseline), we indeed won't be able to do so - we can't set 'block' to unknown outbound connections and can't disable the rules that are added by GPO.

    It would effectively mean that the isolation doesn't work - this is the network isolation limitation due to MS FW usage.

    If you make a GPO override with 'not configured' for the inbound/outbound connections and without your own FW rules conflicting with ours - our isolation will be working again; However, what is the reason of using MS Baseline GPO if you override it with 'Not defined' ?
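
A read-only check for the GPO-versus-agent conflict discussed in this thread, as an added example that is not part of any post and is not WithSecure or Microsoft tooling: it compares the profile defaults delivered by Group Policy (the `RSOP` store) with the values in force (`ActiveStore`) and counts active rules by origin. It assumes the built-in NetSecurity module and an elevated prompt on the client; the function names are hypothetical.

```powershell
# Added example (not from the thread). Read-only: nothing here changes firewall state.
# Assumes the built-in NetSecurity module; run from an elevated prompt on the client.

function Get-FirewallOwnership {
    # RSOP = sum of all GPOs applied to this computer; ActiveStore = what is enforced now.
    $gpoProfiles    = Get-NetFirewallProfile -PolicyStore RSOP -ErrorAction SilentlyContinue
    $activeProfiles = Get-NetFirewallProfile -PolicyStore ActiveStore

    foreach ($active in $activeProfiles) {
        $gpo = $gpoProfiles | Where-Object { $_.Name -eq $active.Name }

        # Anything other than NotConfigured in RSOP means a GPO pins that setting,
        # so a locally applied change (for example by an endpoint agent) cannot win.
        $gpoIn    = if ($gpo) { "$($gpo.DefaultInboundAction)" }    else { 'NotConfigured' }
        $gpoOut   = if ($gpo) { "$($gpo.DefaultOutboundAction)" }   else { 'NotConfigured' }
        # False here means locally stored rules are not applied on that profile.
        $gpoLocal = if ($gpo) { "$($gpo.AllowLocalFirewallRules)" } else { 'NotConfigured' }

        [pscustomobject]@{
            Profile           = $active.Name
            EffectiveInbound  = "$($active.DefaultInboundAction)"
            EffectiveOutbound = "$($active.DefaultOutboundAction)"
            GpoInbound        = $gpoIn
            GpoOutbound       = $gpoOut
            GpoLocalRules     = $gpoLocal
            DefaultsSetByGpo  = ($gpoIn -ne 'NotConfigured') -or ($gpoOut -ne 'NotConfigured')
        }
    }
}

function Get-FirewallRuleOrigin {
    # PolicyStoreSourceType shows where each active rule came from
    # (for example Local or GroupPolicy).
    Get-NetFirewallRule -PolicyStore ActiveStore |
        Where-Object { $_.Enabled -eq 'True' } |
        Group-Object PolicyStoreSourceType, Direction, Action |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-FirewallOwnership  | Format-Table -AutoSize
Get-FirewallRuleOrigin | Format-Table -AutoSize
```

Running it before isolating a host, during isolation and after release shows whether the effective defaults and the enabled rule set actually change, or whether the GPO values stay in force throughout.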

  • bmaster
    bmaster Posts: 6 New Member

    The MS Baseline GPO's contain loads of settings for client pc's, the firewall settings are just a small part of it. Creating a GPO with the firewall settings as "not configured" won't change a thing, because all settings in an empty GPO are "not configured". You can only set newer values in an overriding GPO, but that means that I have to either allow or block all in/outgoing connections.

    If we want to use the WithSecure isolation mode, we must either stop using the baseline GPOs, or I have to modify the MS Baseline GPOs and remove the firewall settings (setting them to 'not configured'). MS releases new baselines for each Windows version, so every time I import new baselines, I will have to remember to remove those settings again.

    I understand that WithSecure can't do anything about this, I just wonder how other companies manage this. We can't be the only ones that use these baselines?

  • MikaArasola
    MikaArasola Posts: 58 WithSecure Employee

    Since outbound rules are allowed by default, do you need to separately allow them from the group policy? The current isolation functionality uses the firewall, and as such this causes a conflict. Have you tested using the same ruleset without this single entry?

    In our managed solution we have an alternative method for isolation which is not dependent on the firewall. This alternative method has some downsides since you can't use the endpoint protection profiles to configure separate rules for isolation (since it's not using the firewall). Also it does not show the end user any dialogues, or have any visibility inside the device views. We do have an ongoing track to evaluate the possibility of moving EDR isolation to use this mechanism but it's not something that could happen quickly.

    We are also looking into the possibility to allow profile assignment rules based on criteria such as open critical detections on EDR side. While this would not solve the isolation issue it would give more fine grained control over the devices settings while detections are being investigated.

  • bmaster
    bmaster Posts: 6 New Member

    I didn't choose to allow the outbound connections, it's like that in the MS Security Baseline GPOs (see screenshot, and: [https:]//

    So, the only way for me to change this, is to change these baseline GPO's (not recommended because with every new release I need to remember to change that as well).

  • MikaArasola
    MikaArasola Posts: 58 WithSecure Employee

    I'm discussing this with our developers, I'll post back once I get a better picture on this and what the solution could be.