Closed FLeven closed 1 year ago
I noticed during testing that the values are sometimes different, so I am doing a double check. This may happen if the settings were changed via GUI before group policies were applied. Depending on whether local settings are taken over/merged, this could have an influence. I have not yet tested how it is under Windows 11. Better safe than sorry ;-)
OK, but we are not able to see if we are 100% compliant anymore, which is not a good thing. Maybe create a test list for yourself; the lists should never include anything else than the original baselines we are testing against.
Okay, I hear you. But that would not only affect the Windows Firewall config but also ASR (Registry and MPPreference Check) and Services (for CIS benchmarks), is this an issue as well?
I have added the checks to detect a potential discrepancy, which in my eyes offers added value to a "simple" compliance check.
For which use cases exactly do you use HardeningKitty and how did you come across the issue?
HardeningKitty is my replacement for the .... ms policy analyzer, I deploy all the important Microsoft product baselines to my domains and check with HardeningKitty if they stay in their original state.
Then, I decide if I will implement more strict policies, like BSI, CIS, DoD etc.
Extra checks are a good idea, but I would prefer them to be separated from the official ones. As this tool is for compliance/security checks, the confusion of what is in each of the lists/checks should be kept to a minimum. If the description reads "ms win11 22h1 machine", it should contain only the corresponding policy settings version 22h1 from the ms download. I also believe there are more people that need a replacement for the policy analyzer, because it might be deprecated already and has problems on non US lang OS. I also mentioned HardeningKitty on the policy analyzer forum.
Next would be to do some lists for any custom policies that have to be implemented and maybe add Citrix: https://www.citrix.com/about/legal/security-compliance/common-criteria.html
All other settings are fine, besides the one I reported in other issues. Firewall has 12 items notset/conflicting.
Don't worry, I haven't forgotten about the issue. I have a lot to do at the moment and would like to test the firewall history properly (do local settings have an effect or does the GPO always take effect). I will be back.
No hurry, I disable local FW rules entirely, then you can only set FW rules by GPs. This way, I am 100% sure my settings always win and not even local admins can add rules or overwrite anything.
I removed the local Windows Firewall settings in the Microsoft Security Baseline lists in the development repo and it will be updated here in the next update.
Why are the settings in the registry path HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile also checked? For a compliance check SOFTWARE\Policies\Microsoft\WindowsFirewall should be enough?
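Added example, not part of the thread and not HardeningKitty's own code: a PowerShell sketch that reads the two registry locations discussed above and reports them in separate columns, so the policy-only compliance result stays distinct from the extra "local value differs" check. The expected values are constructed samples rather than values from a baseline file, the helper names are hypothetical, and the value names `EnableFirewall`, `DefaultInboundAction` and `DefaultOutboundAction` are the standard Windows Firewall profile values.

```powershell
# Expected values are constructed samples, NOT taken from any baseline download.
$Expected = [ordered]@{
    EnableFirewall        = 1
    DefaultInboundAction  = 1
    DefaultOutboundAction = 0
}
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
$LocalPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist ("not set").
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Compare-FirewallProfile {
    # Hypothetical helper: the two readers are script blocks so the registry
    # can be swapped for a hashtable when testing off-box.
    param($Expected, [scriptblock]$ReadPolicy, [scriptblock]$ReadLocal)
    foreach ($name in $Expected.Keys) {
        $policy = & $ReadPolicy $name
        $local  = & $ReadLocal $name
        [pscustomobject]@{
            Setting      = $name
            Expected     = $Expected[$name]
            Policy       = $policy
            Local        = $local
            # Baseline compliance: judged on the GPO-written value only.
            Compliant    = ($null -ne $policy -and $policy -eq $Expected[$name])
            # Extra, separate signal: a local value exists and disagrees.
            LocalDiffers = ($null -ne $local -and $local -ne $Expected[$name])
        }
    }
}

Compare-FirewallProfile -Expected $Expected `
    -ReadPolicy { param($n) Get-RegValueOrNull $PolicyPath $n } `
    -ReadLocal  { param($n) Get-RegValueOrNull $LocalPath $n } |
    Format-Table -AutoSize
```

A row with `Compliant = True` and `LocalDiffers = True` is the case the double check was meant to surface: the GPO value matches, but a different value set locally is still present in the `SharedAccess` key.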