Best practices: MS Security baselines with WithSecure firewall?

We're using the MS Security Baseline GPOs, which enable the Windows Firewall, blocking all incoming connections, and allowing all outgoing connections. With these settings, the "Isolate a device" function in WithSecure doesn't work because it cannot overrule the GPO rules, which means that the outbound connections are not blocked by WithSecure.

I then tried creating a second GPO to override de Baseline GPO, which also blocks all outbound connections. Besides that, I added a rule to the WithSecure firewall profile to allow all outbound connections. This seems to work fine. Putting a test-pc in isolation indeed blocks all traffic, and I see a couple of outbound WithSecure firewall rules to allow it to communicate to it's servers.

However, after putting the host in isolation and releasing it a couple of times, it got stuck in isolation, and I was unable to release it. Even though all the same outbound rules were created, no outbound connections could be made by the client. This is a situation that I don't want to be in in production of course.

During the tests, I disabled the "allow other rules" at some point, maybe that was a bad idea.

Anyway, I am curious about the correct way to set these things up. We can't be the only company that uses these MS Security Baselines combined with the WithSecure firewall? The documentation on the WithSecure site way too limited ...

Thanks!

Answers

  • Sethu Laks
    Sethu Laks Posts: 125 Moderator

    Hi @bmaster

    Do ensure your firewall is controlled by WithSecure and not by MS Security Baseline GPO.

    When you isolate the host, the WithSecure Elements Agent has to disable all the firewall rules and only keep the ones active's that are required for the endpoint to communicate with the portal or with the WithSecure Cloud. 

    Once it's controlled by WithSecure, the isolation feature will work as expected. 

    Also, there could be chances some of the WithSecure URLs are fully not reachable and that's why there is a delay. 

    We will suggest you ensure that the below URL's are fully whitelisted in your network/firewall/router. 

    https://community.f-secure.com/common-business-en/kb/articles/5529-url-addresses-for-f-secure-update-services

  • bmaster
    bmaster Posts: 11 Observer

    Does this mean that I have to change the actual MS Security baselines (which is totally not recommended by MS)? You can't "remove" settings from one GPO from within another GPO, you can only give a new value for these settings, like what I did with the blocking of the outbound connections.

  • JamesC
    JamesC Posts: 458 Moderator

    Hi @bmaster ,

    'WithSecure Firewall' does not exist anymore. It is just a plugin that allows to manage the Windows Firewall from Portal/Policy Manager.


    There should not be two managers for one Firewall.


    Either you control it with GPO, or with WithSecure, otherwise it is bound to run into conflicts (and GPO will be prioritized every time).


    We do not see the issue with your configuration (other than that allowing all outbound connection is definitely not the same as isolation);

    • You can manage Firewall with GPO for enable/disable different connection
    • Default WithSecure rules for WithSecure backends will be added in any case
    • Custom rules can be added either by GPO or by WithSecure plugin (not both, never both)
    • and if you need to disable 'Allow other rules', we recommend to look into 'Always all these rules/group of rules' table on Elements Portal (this should be available in Policy Manager 16.00) , to ensure that you have all the necessary rules/groups enabled even if all non-WithSecure rules are being disabled (like Network discovery group of rules, or something along these lines)


    If you have some particular issue with isolating-releasing-isolating, we will need to investigate the logs.

  • bmaster
    bmaster Posts: 11 Observer

    I think you don't fully understand what I'm trying to describe, or I am overthinking this :-)

    The MS Baseline GPO's are supplied by Microsoft, and are not to be changed. If there's a setting in there that you want different, then you make a new GPO that "overwrites" this setting.

    In these baselines, the firewall is turned ON, allowing all outbound traffing and blocking inbound traffic.

    Problem 1: This means that WithSecure can't put the host completely in isolation mode, because the allowed outbound traffic set by the GPO will always have priority, as you say.

    My idea to solve this problem 1 was to make a second GPO that blocks outbound traffic, since I cannot remove the "allow outbound" from the first (baseline) GPO. But that seems to be risky: WithSecure cannot allow the necessary outbound traffic because the GPO has priority.

    Problem/question 2: you say I can add rules with GPO or by WithSecure, but when I add them by GPO (for example: I want to allow inbound SMB traffic), then WithSecure will not block inbound SMB when in isolation mode?

    So, conclusion: the only way to get around this, is to modify the MS Baseline GPOs, and set the "allow outbound" and "block inbound" settings to "not configured", so that they can be managed by WithSecure..

  • JamesC
    JamesC Posts: 458 Moderator

    Hi,

    I will check with our product team and get back to you about this.

  • bmaster
    bmaster Posts: 11 Observer

    Any news from the product team about this?

  • JamesC
    JamesC Posts: 458 Moderator

    Hi,

    In general: if you are using GPO, you should not be using our Firewall capabilities.

    Reason - Because GPO will always be prioritised & you might feel the performance impact of two conflicting managements.

    Regarding your question about network isolation:

    During network isolation, we disable allow rules and set 'block' to both inbound/outbound unknown connections (with some necessary exclusion like our backends to allow releasing the host from isolation in the future and some core networking components like DNS).

    Since, in your case the Firewall is managed by GPO (MS Baseline), we indeed won't be able to do so - we can't set 'block' to unknown outbound connections and can't disable the rule that are added by GPO.

    It would effectively mean that the isolation doesn't work - this is the network isolation limitation due to MS FW usage.

    If you make a GPO override with 'not configured' for the inbound/outbound connections and without your own FW rules conflicting with ours - our isolation will be working again; However, what is the reason of using MS Baseline GPO if you override it with 'Not defined' ?

  • bmaster
    bmaster Posts: 11 Observer

    The MS Baseline GPO's contain loads of settings for client pc's, the firewall settings are just a small part of it. Creating a GPO with the firewall settings as "not configured" won't change a thing, because all settings in an empty GPO are "not configured". You can only set newer values in an overriding GPO, but that means that I have to either allow or block all in/outgoing connections.

    If we want to use the WithSecure isolation mode, we must either stop using the baseline GPOs, or I have to modify the MS Baseline GPOs and remove the firewall settings (setting them to 'not configured'). MS releases new baselines for each Windows version, so every time I import new baselines, I will have to remember to remove those settings again.

    I understand that WithSecure can't do anything about this, I just wonder how other companies manage this. We can't be the only ones that use these baselines?

  • MikaArasola
    MikaArasola Posts: 63 WithSecure Product Manager

    Since outbound rules are allowed by default, do you need to separately allow them from the group policy? The current isolation functionality uses the firewall, and as such this causes a conflict. Have you tested using the same ruleset without this single entry?

    In our managed solution we have an alternative method for isolation which is not dependent on the firewall. This alternative method has some downsides since you can't use the endpoint protection profiles to configure separate rules for isolation (since it's not using the firewall). Also it does not show the end user any dialogues, or have any visibility inside the device views. We do have an ongoing track to evaluate the possibility of moving EDR isolation to use this mechanism but it's not something that could happen quickly.

    We are also looking into the possibility to allow profile assignment rules based on criteria such as open critical detections on EDR side. While this would not solve the isolation issue it would give more fine grained control over the devices settings while detections are being investigated.

  • bmaster
    bmaster Posts: 11 Observer

    I didn't choose to allow the outbound connections, it's like that in the MS Security Baseline GPOs (see screenshot, and: [https:]//learn.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)

    So, the only way for me to change this, is to change these baseline GPO's (not recommended because with every new release I need to remember to change that as well).


  • MikaArasola
    MikaArasola Posts: 63 WithSecure Product Manager

    I'm discussing this with our developers, I'll post back once I get a better picture on this and what the solution could be.

  • bmaster
    bmaster Posts: 11 Observer

    Any update on this?

  • MikaArasola
    MikaArasola Posts: 63 WithSecure Product Manager
    edited May 2

    Sorry it has taken so long to come back to this. Our developers are investigating alternative ways to perform isolation where the firewall is not used. Apart from your use case it would also solve the issue where the firewall is completely disabled preventing isolation.

    Since this is not a small change it will take time, but we are committed to getting it done. If you want to be kept up to date on progress (or at least notified when it happens) I would suggest adding an idea about this in https://ideas.withsecure.com, or alternatively there will be communications when it's completed. I do expect this will take several months though.

  • bmaster
    bmaster Posts: 11 Observer

    Thanks. I created an idea for this (and referenced to this discussion): https://ideas.withsecure.com/ideas/WSPUB-I-590

  • bmaster
    bmaster Posts: 11 Observer

    I have not (as a test) altered the Baseline GPO's so that they look like this (for domain, public and private profiles):

    Then I rebooted the test-computer to make sure it has these settings.

    After that, I enabled the WithSecure firewall (Firewall mode: Turn on WithSecure Firewall). In the firewall profile I disabled "Allow unknown outbound connections", and made sure that there are two rules to allow all outbound TCP/UDP traffic.

    After rebooting the test-computer again, it wasn't able to detect that it is running in domain mode, and after a long logon process, no outbound connections were possible at all. In the windows firewall settings, I see that all outbound connections are blocked (but not forced from GPO, so it must be WithSecure that made that setting). In the outbound rules, I see the two "allow all outbound tcp/udp traffic" rules, enabled and well, but they don't seem to work.

    Something is not working as it should, even when I try to follow the documentation and don't use GPOs to set firewall policies…

    (PS: How I fixed this… altering the WithSecure policy was no help, because the client could not get an update. So I added a new GPO that allows all outbound traffic. Running gpupdate didn't work for the same reason. But then I found a command that I could run on the commandline to allow the outbound connections… so I made a batch file that runs that command, followed by a gpupdate, and that seems to work because gpupdate ran sooner than Withsecure was able to block outbound traffic again!)