cyberark / CYBRHardeningCheck

A utility to check CyberArk component servers hardening status
GNU General Public License v3.0

Windows Firewall hardening check with the external template files #85

Open ediulia opened 2 years ago

ediulia commented 2 years ago

User Story

Some customers, due to the multiple Vault Firewall rules, are managing the Vault firewall rules outside the DBParm.ini. Each editing, adding, or removing of a new Non-Standard Firewall rule requires a Vault restart. Setting the complicated Firewall rules in DBParm.ini can cause Vault startup failure due to human syntax errors in the parameter configuration.

The solution is to maintain the Vault Windows Firewall externally and to disable Vault warning: "ITATS319W Firewall contains external rules"

CyberArk Vault Hardening check has to support the scenario where there are no Firewall rules configured in DBParm.ini, and to be able to validate the Vault Windows Firewall configuration against the Firewall template file provided as an input parameter to the main.ps1 script.

Test Scenarios

IF (-ExternalFWConfigurationTemplatePath)
   Get all Windows Firewall rules list
   FOREACH (WindowsFWRule in Windows Firewall rules list)
      IF (ExternalFWConfigurationTemplate -notcontains WindowsFWRule)
         ADD warning to the warning list
   READ ExternalFWConfigurationTemplate
   FOREACH (WindowsFirewallTemplateRule in ExternalFWConfigurationTemplate)
      IF (Windows Firewall rules list -notcontains WindowsFirewallTemplateRule)
         ADD warning to the warning list
ELSE
   Compare the Windows Firewall configuration with the DBParm.ini (existing solution)

Implementation

Notes

Implementation Tasks

The following issues have been created to implement this user story:

AssafMiron commented 2 years ago

Hi @ediulia ,

Just to set the right expectations, this is an external hardening tool and cannot change the Vault behavior, so the warning "ITATS319W Firewall contains external rules" will still exist. Regarding the solution, I was thinking of adding a parameter to the Vault hardening XML file that will have the path of the template file, and completing it within the same FW function check.

Would you be able to share a sample template? Is this template something that you are using in order to import these settings to the Windows Firewall?

Thanks, Assaf

ediulia commented 2 years ago

Hey @AssafMiron. About the ITATS319W warning: we are aware of the Vault behavior, and this warning can be suppressed by changing the dbparm.ini parameter MonitorFWRulesInterval to -1. Adding the file template parameter to the Vault hardening XML can be great, but will require updating the hardening tool. Right now we are checking the options for which template can be the best for Firewall management. I will keep you posted once we have it. For now, the firewall is hardened by a different script and not by the CyberArk hardening utility.

Thanks Edi

AssafMiron commented 2 years ago

Thanks @ediulia. Again, just to set expectations, I am talking only about changing this tool (for checking and reporting) and not changing any CyberArk hardening tools. So I think we can assume that your firewall rules would be applied using an external script and not using any CyberArk hardening tool. You might want to use the New-NetFirewallRule command: https://docs.microsoft.com/en-us/powershell/module/netsecurity/new-netfirewallrule?view=windowsserver2019-ps

Then the input object might even be a CSV file with the relevant parameters
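The two-way comparison described in the test scenarios above, with the CSV template Assaf suggests as the input, as an added example (not code from CYBRHardeningCheck). The CSV column names, the rule attributes used as the comparison key and the template path are assumptions.

```powershell
# Added example, not part of CYBRHardeningCheck. Compares the live Windows Firewall
# rule set against an external CSV template and returns warnings for rules present
# on the host but not in the template, and for template rules missing on the host.
# Assumed template columns: DisplayName,Direction,Action,Protocol,LocalPort
# e.g.  "Vault Service (TCP-In)",Inbound,Allow,TCP,1858

function Get-LiveFirewallRuleSet {
    # Flatten each live rule plus its port filter into the same shape as a CSV row
    Get-NetFirewallRule | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            DisplayName = $_.DisplayName
            Direction   = [string]$_.Direction
            Action      = [string]$_.Action
            Protocol    = [string]$port.Protocol
            LocalPort   = ($port.LocalPort -join ',')
        }
    }
}

function Get-RuleKey($Rule) {
    # Case-insensitive composite key used for the set comparison
    ('{0}|{1}|{2}|{3}|{4}' -f $Rule.DisplayName, $Rule.Direction, $Rule.Action,
        $Rule.Protocol, $Rule.LocalPort).ToLowerInvariant()
}

function Compare-FirewallRulesToTemplate {
    param(
        [Parameter(Mandatory)] [object[]] $LiveRules,   # output of Get-LiveFirewallRuleSet
        [Parameter(Mandatory)] [string]   $TemplatePath # path to the CSV template
    )
    $liveKeys = @{};     foreach ($r in $LiveRules) { $liveKeys[(Get-RuleKey $r)] = $r }
    $templateKeys = @{}; foreach ($t in (Import-Csv -Path $TemplatePath)) { $templateKeys[(Get-RuleKey $t)] = $t }
    $warnings = New-Object System.Collections.Generic.List[string]

    # Scenario 1: a live rule that the template does not contain
    foreach ($k in $liveKeys.Keys) {
        if (-not $templateKeys.ContainsKey($k)) {
            $warnings.Add("Rule present on host but not in template: $($liveKeys[$k].DisplayName)")
        }
    }
    # Scenario 2: a template rule that is not configured on the host
    foreach ($k in $templateKeys.Keys) {
        if (-not $liveKeys.ContainsKey($k)) {
            $warnings.Add("Template rule not found on host: $($templateKeys[$k].DisplayName)")
        }
    }
    return $warnings
}

# Usage (run elevated on the Vault server; template path is an assumed placeholder):
# Compare-FirewallRulesToTemplate -LiveRules (Get-LiveFirewallRuleSet) -TemplatePath 'C:\Templates\vault-fw.csv'
```

An empty result means the host and the template agree on every rule; the existing DBParm.ini comparison would still run when no template path is supplied.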

ediulia commented 2 years ago

@AssafMiron Yes, CSV is the option. We are also checking the option of working with the Firewall-Manager PS module.

Thanks Edi