14.x Firewall / “Ignore all Firewall rules not listed in this profile” Special

lwochos
lwochos W/ Alumni Posts: 3 Security Scout

Dear Community,
We sadly noticed that version 14.x uses the Windows Firewall. In version 13.x, in our view, the firewall worked much better.

In short, we only want to allow incoming traffic to the clients which we defined in Policy Manager. Any other incoming traffic should be blocked.
We set the option “Ignore all Firewall rules not listed in this profile” to true.
Under normal circumstances this works.

But we found a problem with Dameware (this should be seen as a placeholder for similar applications).
When we connect to the client through the allowed incoming rule with "Dameware Mini Remote Control" for the first time, DW installs an extra firewall rule on the client.

The installed firewall rule allows incoming traffic to the client from any destination to the application c:\windows\dwrcs\dwrcs.exe
This new rule is installed as a local GPO, so the option “Ignore all Firewall rules not listed in this profile” does not work, and so the new rule is active.

Have you got an idea or solution to prevent this?

Comments

  • MJ-perComp
    MJ-perComp W/ Alumni Posts: 669 Firewall Master

    Hi,

    I have not really understood what the "bad" effect is that you do not want. Maybe a screenshot of what DW creates would help.

    Since you want DW incoming connectivity, you can create such a rule in the profiles. Maybe DW does not create a rule if it already finds that the connection works without it.

    You likely cannot prevent DW from creating a local GPO that would create a firewall rule. But that would be a question for DW support.

    M.

  • lwochos
    lwochos W/ Alumni Posts: 3 Security Scout

    Hi Matthias,

    thanks for the quick reply.

     

    The problem is that we only want the defined FW rules set in PM to be active, without any locally added exceptions on the clients!

    Our simple 13.x firewall config looks like this:

    [image: fw13.PNG]

    This is active on all clients without any local exceptions!

    If there is any software installed on the client, e.g. Dameware, I can be sure that only the rule set above works. (In the rule set above there are already defined IP addresses which are allowed to connect inbound to the Dameware service on the client.)

    In 14.x the similar config looks like this:

    [image: fw14.PNG]

    Dameware added this rule when the first inbound connection was established. In the F-Secure firewall config there is already a rule where the inbound connection is allowed from defined IP addresses.

    So the new rule is not needed and is not secure, because with the new rule any IP address in the same network could connect to/exploit etc. the inbound connection to the Dameware software.

    Dameware is only a placeholder for any software where this local firewall rule generation happens.

    In my opinion we lose control over the incoming connections on the clients if we have no way to solve that problem.

    Greets

    Andre

  • Vad
    Vad W/ Alumni Posts: 1,069 Cybercrime Crusader

    Hello Andre,

    Normally, the new rule should be disabled automatically in a very short time by our Firewall plugin. I've just verified with CS 14.02 that it takes less than 5 seconds for the newly added rule to get disabled.

    If this doesn't work for you with the same CS version, please contact support. We will need diagnostic information from the affected machine for investigation.

    Best regards,

    Vad

  • MJ-perComp
    MJ-perComp W/ Alumni Posts: 669 Firewall Master

    @Vad
    Only rules that are created locally via the FW UI will get disabled.
    Anything that gets defined by GPO does not; it is technically impossible.

    So the question is: how can we trick DW into not creating its own local GPO?

    Or: is it possible for an admin to disable that rule from a global AD-based GPO?

    Either is a question I think only DW support can answer.

    Nevertheless, we need to keep that scenario in mind, as there is more software around doing the same thing.

    So please forward this case to R&D Backlog.

    M.
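The two posts above turn on where a firewall rule lives: rules created locally in the persistent store versus rules delivered through a (local or domain) GPO, which the client-side plugin is said not to touch. The following is an added example, not code from the thread, from F-Secure or from Dameware, that audits a client from the Windows side: it lists every inbound allow rule the firewall is actually enforcing together with its policy-store source, and flags rules that either come from a source other than the ones you expect or widen the remote scope of a managed program beyond the admin addresses the profile permits. It assumes an elevated PowerShell on Windows 8 / Server 2012 or later (NetSecurity module); `$ExpectedSources`, `$ManagedRemote` and `$ManagedPrograms` are placeholders you would fill from your own Policy Manager profile, and the `dwrcs.exe` path is the one named in the original post.

```powershell
# Added example (not part of the thread, not F-Secure/Dameware code):
# audit which inbound allow rules a Windows client really enforces and where each
# rule comes from, so that a rule installed outside the managed profile (such as
# the local-GPO rule for c:\windows\dwrcs\dwrcs.exe described in the thread)
# becomes visible. Run elevated; requires the NetSecurity module (Win8/2012+).

# ---- assumed placeholders: adjust to your own profile ----------------------
$ExpectedSources = @('PersistentStore')                  # assumed: where the managed rules are expected to land
$ManagedRemote   = @('192.0.2.10', '192.0.2.11')         # assumed: admin workstations allowed inbound
$ManagedPrograms = @('c:\windows\dwrcs\dwrcs.exe')       # program path taken from the thread

function Get-EffectiveInboundAllowRules {
    # ActiveStore is what the firewall service is enforcing right now: persistent
    # (locally created) rules merged with rules from the local GPO and domain GPOs.
    Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $app  = $_ | Get-NetFirewallApplicationFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                DisplayName   = $_.DisplayName
                Source        = $_.PolicyStoreSource       # e.g. 'PersistentStore' or a GPO name
                SourceType    = $_.PolicyStoreSourceType   # Local or GroupPolicy
                Program       = $app.Program               # 'Any' when the rule is not program-bound
                RemoteAddress = (@($addr.RemoteAddress) -join ',')
            }
        }
}

function Find-UnmanagedRules {
    param([object[]]$Rules)
    foreach ($r in $Rules) {
        $reasons = @()

        # 1. Rule delivered from a store the managed profile does not use
        #    (the thread's case: a local GPO written by the remote-control tool).
        if ($ExpectedSources -notcontains $r.Source) {
            $reasons += "rule comes from '$($r.Source)' ($($r.SourceType))"
        }

        # 2. Managed program reachable from addresses outside the admin list,
        #    including 'Any' - exactly the widening the original post complains about.
        if ($ManagedPrograms -contains $r.Program) {
            $outside = @($r.RemoteAddress -split ',') | Where-Object { $ManagedRemote -notcontains $_ }
            if ($outside) { $reasons += "remote scope widened to: $($outside -join ',')" }
        }

        if ($reasons) {
            $r | Add-Member -NotePropertyName Reason -NotePropertyValue ($reasons -join '; ') -PassThru
        }
    }
}

$rules = Get-EffectiveInboundAllowRules
Find-UnmanagedRules -Rules $rules |
    Format-Table DisplayName, Source, SourceType, Program, RemoteAddress, Reason -AutoSize

# The local GPO store on its own, which is where the thread says the Dameware
# rule is written; '-PolicyStore localhost' addresses the machine's local GPO.
Get-NetFirewallRule -PolicyStore localhost -Direction Inbound -Action Allow |
    Select-Object DisplayName, Enabled, Profile, Direction
```

Run it on a client immediately after the first Dameware connection and compare the output with the rule set you pushed from Policy Manager; a rule that shows up with a GroupPolicy source and a RemoteAddress of `Any` for `dwrcs.exe` is the one the thread describes, and the Source column tells you which store (local GPO or a named domain GPO) you would have to control to get rid of it.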

  • lwochos
    lwochos W/ Alumni Posts: 3 Security Scout

    Thanks for your answers.

    I have opened a new ticket for this problem.

    Greets

    Andre

This discussion has been closed.