Windows Defender Firewall with Advanced Security (WFAS) is a stateful host firewall that can filter by program, service, port, address, and, when combined with IPsec authentication, by machine or user identity. Most organizations leave it in its default state and never use outbound filtering or per-application isolation. This lesson takes you from a basic 'allow port 443' admin to someone who builds layered, identity-aware rule sets that contain a breach on the host where it starts.
Keep the default inbound action at Block for all three profiles (Domain, Private, Public). Then create allow rules only for services that must be reachable, scoped to specific remote addresses or subnets wherever possible; for example, allow RDP (TCP 3389) only from the management jump host's IP. The 'Edge traversal' setting controls whether unsolicited traffic arriving through a NAT traversal tunnel (Teredo) may reach the service, so 'Allow edge traversal' can expose a service beyond the local network; leave it at 'Block edge traversal' or 'Defer to application' unless you explicitly need Teredo connectivity.
The PowerShell rule below restricts RDP to a single management host (192.168.10.5) on the Domain and Private profiles only. The same rule can be created with netsh advfirewall firewall add rule, but New-NetFirewallRule is the better choice for scripted, repeatable deployment.

```powershell
# Allow RDP only from the bastion host, on the Domain and Private profiles;
# edge traversal is blocked so the rule can never be reached through a Teredo tunnel
New-NetFirewallRule -DisplayName "RDP Bastion" `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress 192.168.10.5 -Action Allow `
    -Profile Domain,Private -EdgeTraversalPolicy Block
```

Most hosts apply no outbound filtering at all, so malware can phone home from any process over any port. WFAS can enforce a default-deny outbound policy: set the default outbound action to Block on each profile, then add allow rules for DNS to your resolvers, HTTP/HTTPS for approved browsers and critical services, NTP, and whatever a domain member needs to reach its domain controllers (Kerberos, LDAP, SMB, RPC) and DHCP. Bind each rule to a program or, better, to a service SID (for example the Windows Update service, wuauserv) so that only the intended process can use it. A reverse shell then has to originate from an allowed binary, on an allowed port, to an allowed destination, which defeats payloads that spawn their own process or use a non-standard port.
💡 Enable logging of dropped packets (pfirewall.log, stored under %SystemRoot%\System32\LogFiles\Firewall by default) to record blocked outbound attempts. A spike in dropped outbound connections from one host to unfamiliar external addresses, especially repeated attempts to the same address and port, is a strong indicator of compromise and a good alert source for your SIEM.
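The following is an added example, not code from the original lesson: it turns on drop logging for every profile and then summarises blocked outbound connections per destination from pfirewall.log, flagging destinations that are not on a known-good list. The log lines, the known-good address and the threshold are constructed assumptions; the field layout is the one WFAS writes to pfirewall.log.

```powershell
# 1. Log dropped packets on all profiles. The default log path is
#    %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -LogBlocked True -LogMaxSizeKilobytes 32767

# 2. Parse the W3C-style log and count DROP + SEND (blocked outbound) events
#    per destination. Destinations with at least $Threshold drops that are not
#    in $KnownGood are marked Suspicious.
function Get-BlockedOutbound {
    param(
        [string[]] $LogLines,
        [string[]] $KnownGood = @(),
        [int]      $Threshold = 5
    )
    $LogLines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            # Fields: date time action protocol src-ip dst-ip src-port dst-port
            #         size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
            $f = $_ -split '\s+'
            [pscustomobject]@{
                Action   = $f[2]
                Protocol = $f[3]
                Src      = $f[4]
                Dst      = $f[5]
                DstPort  = $f[7]
                Path     = $f[-1]          # SEND = outbound, RECEIVE = inbound
            }
        } |
        Where-Object { $_.Action -eq 'DROP' -and $_.Path -eq 'SEND' } |
        Group-Object Dst |
        ForEach-Object {
            [pscustomobject]@{
                Destination = $_.Name
                Drops       = $_.Count
                Ports       = ($_.Group.DstPort | Sort-Object -Unique) -join ','
                Suspicious  = ($_.Count -ge $Threshold) -and ($KnownGood -notcontains $_.Name)
            }
        } |
        Sort-Object Drops -Descending
}

# Constructed sample in pfirewall.log format (not captured traffic); 203.0.113.0/24
# is documentation address space standing in for external hosts
$sample = @'
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-01 10:15:21 ALLOW TCP 10.0.0.15 10.0.0.53 51230 53 0 - 0 0 0 - - - SEND
2024-03-01 10:15:22 DROP TCP 10.0.0.15 203.0.113.45 51234 4444 0 - 0 0 0 - - - SEND
2024-03-01 10:15:23 DROP TCP 10.0.0.15 203.0.113.45 51235 4444 0 - 0 0 0 - - - SEND
2024-03-01 10:15:25 DROP TCP 10.0.0.15 203.0.113.45 51236 4444 0 - 0 0 0 - - - SEND
2024-03-01 10:15:30 DROP TCP 10.0.0.15 203.0.113.9 51240 443 0 - 0 0 0 - - - SEND
2024-03-01 10:15:31 DROP TCP 198.51.100.7 10.0.0.15 40000 445 0 - 0 0 0 - - - RECEIVE
'@ -split "`r?`n"

Get-BlockedOutbound -LogLines $sample -KnownGood @('10.0.0.53') -Threshold 3 |
    Format-Table -AutoSize

# Against the live log:
# Get-BlockedOutbound -LogLines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log") -KnownGood $resolvers
```

On the sample, 203.0.113.45 is reported with three drops on port 4444 and Suspicious set to True, while the single drop to 203.0.113.9 stays below the threshold; the inbound RECEIVE drop and the ALLOW line are excluded because the function only looks at blocked outbound traffic.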
| Rule Type | Purpose | Example |
|---|---|---|
| Application-based | Allow only a specific executable path (no signature check; pair with port and address scope) | C:\Program Files\Mozilla Firefox\firefox.exe |
| Service-based | Restrict a rule to one service SID, even inside a shared svchost.exe | wuauserv (Windows Update) |
| User-based | Allow only specific AD users or groups | DOMAIN\JohnDoe (requires IPsec user authentication via a connection security rule) |
| Port + IP | Classic layer 4 scope | TCP 1433 from subnet 10.0.0.0/24 |
WFAS connection security rules use IPsec to authenticate, and optionally encrypt, traffic between hosts, which is the basis of domain isolation. You can require that every connection to or from given subnets be authenticated with Kerberos (computer credentials, optionally user credentials as well), so an unmanaged or non-domain device cannot even complete a connection, which closes a common lateral-movement path. A rule set to 'Require authentication for inbound and outbound connections', combined with firewall rules that admit only authenticated remote machines or users, creates a microsegment that enforces identity rather than network location.
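An added example, not from the original lesson, of the domain isolation described above: a connection security rule that requires Kerberos authentication in both directions for a server subnet, encrypted with ESP AES-256, plus an inbound firewall rule that admits SQL traffic only from authenticated managed workstations whose logged-on user is in a DBA group (the user-based rule type from the table). The subnet 10.0.20.0/24, the groups CORP\Managed Workstations and CORP\DBA, and the rule names are assumptions.

```powershell
# Phase 1 authentication: the computer proves domain membership with Kerberos
$machineAuth = New-NetIPsecAuthProposal -Machine -Kerberos
$p1 = New-NetIPsecPhase1AuthSet -DisplayName "Computer Kerberos" -Proposal $machineAuth

# Phase 2 authentication: the logged-on user, required for -RemoteUser firewall rules
$userAuth = New-NetIPsecAuthProposal -User -Kerberos
$p2 = New-NetIPsecPhase2AuthSet -DisplayName "User Kerberos" -Proposal $userAuth

# Quick mode crypto: ESP with AES-256 so traffic is encrypted, not only integrity-protected
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
$qm = New-NetIPsecQuickModeCryptoSet -DisplayName "ESP AES256 SHA256" -Proposal $qmProposal

# Connection security rule: every connection to or from the assumed server subnet
# must be authenticated in both directions; unauthenticated peers never reach the
# firewall rules at all
New-NetIPsecRule -DisplayName "Isolate server subnet" `
    -RemoteAddress 10.0.20.0/24 `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $p1.Name -Phase2AuthSet $p2.Name `
    -QuickModeCryptoSet $qm.Name

# Helper: -RemoteMachine and -RemoteUser take an SDDL string, so resolve the group
# name (an assumed name) to its SID and wrap it in an allow ACE
function Get-AllowSddl([string] $Account) {
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    "D:(A;;CC;;;$sid)"
}

# Identity-bound firewall rule on the SQL server: port 1433 is reachable only over an
# authenticated, encrypted IPsec session from a managed workstation whose user is a DBA
New-NetFirewallRule -DisplayName "SQL from DBAs on managed workstations" `
    -Direction Inbound -Protocol TCP -LocalPort 1433 -Action Allow `
    -Authentication Required -Encryption Required `
    -RemoteMachine (Get-AllowSddl "CORP\Managed Workstations") `
    -RemoteUser    (Get-AllowSddl "CORP\DBA")
```

Deploy the connection security rule to both ends of the segment (a rule that requires authentication inbound on the server but nothing on the clients simply breaks connectivity), and stage it with -InboundSecurity Request first so you can confirm in the IPsec monitoring view that security associations form before switching to Require.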
⚠️ A single overly permissive outbound rule such as 'allow all outbound for svchost.exe' is usable by every service hosted in svchost.exe, including a malicious service DLL or code injected into a hosted service. Scope such rules to a service SID and to remote ports, and always combine plain application rules with port and address restrictions.
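The outbound default-deny baseline from the earlier section and the svchost warning above, as one added example that is not code from the original lesson. It sets the default outbound action to Block, adds service-SID and program-scoped allow rules, shows the weak svchost rule next to its hardened replacement, and ends with an audit function that lists any enabled outbound allow rule bound to svchost.exe without a service restriction. The resolver addresses, domain controller subnet and browser path are assumptions.

```powershell
# Default-deny outbound on every profile. The built-in "Core Networking" rule group
# already covers DHCP and the DNS Client service; audit those rules rather than duplicating them.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

$resolvers = @('10.0.0.53', '10.0.0.54')                       # assumed corporate DNS servers
$dcSubnet  = '10.0.1.0/24'                                     # assumed domain controller subnet
$browser   = 'C:\Program Files\Mozilla Firefox\firefox.exe'    # assumed approved browser

# DNS: only to our resolvers, only from the DNS Client service (Dnscache)
New-NetFirewallRule -DisplayName "Out: DNS UDP" -Direction Outbound -Protocol UDP `
    -RemotePort 53 -RemoteAddress $resolvers -Service Dnscache -Action Allow
New-NetFirewallRule -DisplayName "Out: DNS TCP" -Direction Outbound -Protocol TCP `
    -RemotePort 53 -RemoteAddress $resolvers -Service Dnscache -Action Allow

# NTP and Windows Update bound to their service SIDs, never to svchost.exe as a whole.
# Current builds also fetch updates through Delivery Optimization (service dosvc).
New-NetFirewallRule -DisplayName "Out: NTP (W32Time)" -Direction Outbound -Protocol UDP `
    -RemotePort 123 -Service W32Time -Action Allow
New-NetFirewallRule -DisplayName "Out: Windows Update" -Direction Outbound -Protocol TCP `
    -RemotePort 80,443 -Service wuauserv -Action Allow

# Browser: program plus ports
New-NetFirewallRule -DisplayName "Out: Browser web" -Direction Outbound -Protocol TCP `
    -RemotePort 80,443 -Program $browser -Action Allow

# Domain members must reach their DCs: Kerberos, RPC endpoint mapper, LDAP(S), SMB,
# global catalog, and the RPC dynamic range. Scoped by address because several
# system processes (lsass, hosted services) legitimately talk to DCs.
New-NetFirewallRule -DisplayName "Out: Domain controllers TCP" -Direction Outbound -Protocol TCP `
    -RemoteAddress $dcSubnet -RemotePort 88,135,389,445,636,3268,3269,49152-65535 -Action Allow
New-NetFirewallRule -DisplayName "Out: Domain controllers UDP" -Direction Outbound -Protocol UDP `
    -RemoteAddress $dcSubnet -RemotePort 88,123,389 -Action Allow

# WEAK (do not deploy): matches every service hosted in svchost.exe on any port
# New-NetFirewallRule -DisplayName "svchost any" -Direction Outbound `
#     -Program "%SystemRoot%\System32\svchost.exe" -Action Allow
# HARDENED: the same host process, limited to one service SID and its ports
New-NetFirewallRule -DisplayName "Out: BITS transfers" -Direction Outbound -Protocol TCP `
    -Program "%SystemRoot%\System32\svchost.exe" -Service BITS -RemotePort 80,443 -Action Allow

# Audit: enabled outbound allow rules for svchost.exe that carry no service restriction
function Find-BroadSvchostRules {
    Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True | ForEach-Object {
        $app  = $_ | Get-NetFirewallApplicationFilter
        $svc  = $_ | Get-NetFirewallServiceFilter
        $port = $_ | Get-NetFirewallPortFilter
        if ($app.Program -match 'svchost\.exe$' -and $svc.Service -eq 'Any') {
            [pscustomobject]@{
                Rule       = $_.DisplayName
                Program    = $app.Program
                RemotePort = $port.RemotePort
            }
        }
    }
}

Find-BroadSvchostRules | Format-Table -AutoSize
```

Run the audit before and after applying the baseline; any rule it lists should be rewritten with -Service (and a port scope) or disabled. Test the whole set on a pilot group with the drop log enabled, since a default-deny outbound policy will surface every application whose traffic nobody documented.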