Chapter 6: Network Fundamentals for Hardening Windows – Mastering Windows Security and Hardening

In this chapter, we will cover the importance of networking for the overall security and hardening of your Windows systems. Network security has traditionally been at the heart of security for users over the years, but this has shifted recently. Network security hasn't become any less important, but with the shift to the cloud and the decentralization of users away from the traditional office, the strategy for securing our users has needed to change. Our security strategies have needed to shift from a strong focus on network perimeter security to device-level and identity-focused security. This is for the simple reason that devices are no longer sitting within your corporate office anymore; they travel everywhere and connect to any network they can find.

Even though the workforce has become more decentralized and services are moving to the cloud, there is still a need to maintain the same level of network security within your offices and on-premises data centers. In addition, you will need to implement more advanced security at the desktop level and adopt a strategy for the security of your virtual networks and cloud data center. With this comes complexity, and it's important to have the right tools and skillsets that support the strategic vision, deployment, and maintenance of your network tools and solutions.

Throughout this chapter, we will cover security fundamentals to raise awareness of the supporting network infrastructure for your Windows environment. We will then review some of the network security tools available, including the software-based Windows Defender Firewall and Advanced Security features. Finally, we will cover Azure network security solutions that protect and allow access to your Windows virtual machines. This chapter includes the following topics:

  • Network security fundamentals
  • Understanding Windows Network Security
  • Windows Defender Firewall and Advanced Security
  • Azure network security solutions for Windows VMs

Technical requirements

In order to complete the exercises in this chapter, we recommend the following requirements. For Windows Defender Exploit Guard Network Protection, the minimum requirements are as follows:

  • A Windows 2016 Active Directory domain with Group Policy
  • Domain Admin rights or equal permissions to create Group Policy objects for the scoped OU of the target systems
  • A Windows 10 Pro or Enterprise workstation domain-joined and/or Intune enrolled

To complete the Azure Security Center just-in-time exercise and Azure Bastion, you will need the following minimum requirements:

  • An Azure tenant with a virtual network, subnet, and resource group
  • An available IP range inside your virtual network that can accommodate a /27 CIDR
  • A Windows 10 or Server 1909 data center virtual machine with a public IP
  • Azure Security Center Standard (or a free 30-day trial)

Network security fundamentals

Networking can be a very challenging task for technology teams. Networks can be very sensitive and commonly take the blame for most outages, without people even knowing the true root cause of an issue. This is simply because most of our data traverses over a network, so it's critical that it performs optimally. If it doesn't, it can bring a business to its knees because of how dependent we have become on the network. In addition to the already challenging task of managing a network comes network security. Ensuring that the data we send/receive is secure, no perpetrators are accessing our network who shouldn't be, preventing traffic that isn't welcome, and ensuring confidential data is isolated are some of the challenges faced with network security.

As we mentioned previously, this shift in security is mainly due to the evolution of device access and cloud technologies that have forced us to change our strategies. Although this has shifted the core from a network security perimeter-focused strategy, network security has never been more important than it is today. Additional advanced security features are now required to secure and harden both the device and the cloud technologies used.

Before we review some of the core network security technologies, it's important that we review and cover the Open Systems Interconnection (OSI) and TCP/IP (also known as the internet protocol suite) models. These models have been built to allow an open standard/framework to be referenced. The OSI model is a framework that is used as more of a guideline that provides a standard for network communications. It provides a great reference that allows us to understand the flow of network traffic from one endpoint to the other and serves as a great troubleshooting tool for us to understand where any breakdowns or failures may be occurring. The TCP/IP model is comprised of open standard protocols for network communication and has become more adopted for use over the OSI model.

The following diagram provides a comparison of both the OSI model and TCP/IP model, along with examples of what falls within each of the layers. Understanding where communication is failing within the network will significantly help a security expert with any investigative and/or troubleshooting tasks:

Figure 6.1 – The OSI and TCP/IP models

In addition to being familiar with the OSI and TCP/IP models, knowing the more common ports is somewhat an expectation of any network or security professional. As you build out and architect your solutions and integrate your technologies, knowing which ports are used by which protocols allows more intelligent decisions so that you can provide better security.

Tip

When building network security groups or firewall rules, a best practice is to limit communications from known sources using only the required ports needed to create the connections.

In addition, when troubleshooting cyberattacks, being able to quickly identify the type of traffic and which ports are being used may speed up your ability to mitigate an attack. The following is a list of some of the more common ports and the protocols/services that use them:

Figure 6.2 – Common ports and services

Tip

The Internet Assigned Numbers Authority (IANA) website provides a list of all registered service names and port numbers: https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml.

There are many components involved in a network architecture and the topology can be extremely complex. The following technologies are considered more critical for your enterprise deployment as they relate to your network security and should be implemented to protect your Windows environment:

  • Routers and switches using VLANs
  • A next-generation type firewall
  • A Virtual Private Network (VPN) to encrypt connections
  • Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS) to proactively detect and prevent threats
  • Wi-Fi with a minimum of WPA2-Enterprise security
  • Network Access Control (NAC) to better manage endpoint access to your network
  • A proxy/web content filter to prevent malicious websites
  • Next-generation antivirus and anti-malware tools for more intelligent protection
  • Data Loss Prevention (DLP) to prevent the loss of sensitive data
  • Email/spam filtering to protect users against spamming, phishing, and so on
  • Security Information and Event Management (SIEM) to help you detect abnormal activity
  • DNSSEC to protect your DNS services
  • Public Key Infrastructure (PKI) to provide digital certificates for encryption

From a network device management perspective, the following are important:

  • Ensure you keep the software of your network devices current
  • Enable auditing on the devices
  • Integrate authentication using LDAP
  • Leverage a PAM solution
  • Disable or prevent local account access and change default usernames/passwords
  • Ensure the management of devices is encrypted (SSH)
  • Isolate the management network
  • Don't allow management from the internet

For a more detailed review on securing network infrastructure devices, the Department of Homeland Security has a Security Tips reference: https://www.us-cert.gov/ncas/tips/ST18-001.

These technologies are very involved and, in most cases, require specialized skillsets to implement and manage them daily. Some of these technologies are both hardware- and software-based. Hardware-based technologies are typically the rack-mounted gear in your main distribution frame (MDF) and primarily protect your facilities and data centers.

Software-based technologies protect the OS, end users, and provide protection for virtual networks. An example would be your computer's firewall. Ensure you deploy the latest next-generation hardware or virtual-based firewalls at your data center locations (including the cloud) and physical offices and enable the software-based firewalls on your Windows OS for additional protection. Software-based technologies are becoming more critical for end user devices due to the shift from centralized offices to a dispersed and remote workforce.

The Microsoft technology stack offers many solutions that can be compared to other networking vendor offerings as an alternative or as a complement. As a security professional, it is important you are aware of and understand each of the technologies referenced earlier for the best protection within your organization. Throughout the remainder of this chapter, we will review the Microsoft-specific network technologies that provide the best protection for Windows devices.

Understanding Windows Network Security

In this section, we will review the core networking functions of Windows 10 and Windows Server. Having familiarity with these components is a must for any security professional when managing and troubleshooting Windows devices. It's also recommended that you apply the baseline recommendations that can be applied to the network and ensure your system is hardened correctly.

Network baselining

Referencing back to Chapter 2, Building a Baseline, you will want to ensure that your network-specific hardening components have been configured based on the recommendations. There are many network-related settings for Windows and implementing the baseline recommendations is the more practical approach compared to building your own standards from scratch. As an example, referencing back to the Microsoft security baseline and the baseline settings within the MS Security Baseline Windows 10 v1909 and Server v1909.xlsx spreadsheet, simply filtering for the network keyword in the Security Template worksheet provides 40 settings:

Figure 6.3 – Network-specific configurations within the Microsoft security baselines

The preceding settings will need to be enabled via Group Policy or your device management tool in order to ensure enforcement and consistency. Unless you only have a few devices or servers to manage, individually configuring these settings is not realistic.

Tip

As a reminder, be extremely cautious when enabling any new settings and, more specifically, network settings on any devices or servers. They can be very disruptive to production if they're not tested correctly.

Windows 10

Next, we will review the Network & Internet management console within your Windows 10 device. To access the Network & Internet management console, type Network within the search option and click on Network status. You will be presented with the Network & Internet management console, as shown in the following screenshot:

Figure 6.4 – Windows 10 Network & Internet management console

In the Network & Internet management console, you will have access to all the network components on your Windows 10 device. Here, you can view your current network status and additional settings such as Windows Firewall, Network and Sharing Center, adapter-specific settings (Wi-Fi, Cellular, VPN, and Ethernet), Data usage, Proxy settings, Network reset functions, and much more.

In addition to these settings, you can also view your network connections and active adapters on your device by searching for Network once again within the search option and then clicking on View Network Connections. You will be presented with the following screen:

Figure 6.5 – Windows 10 Network Connections

Here, you can view your network settings for any connected adapters by right-clicking one and clicking Status. You will be able to view settings such as IPv4/6 connectivity, Media State, speed, and more specific details such as the IP, MAC, Default Gateway, DHCP, and DNS addresses.

The following technologies are considered more critical for your end user devices and need to be set up correctly to ensure a safer environment for your users.

Wireless Local Area Network (WLAN)/Wi-Fi

WLAN technology is a necessity within the world of technology today. Almost every laptop and mobile device will have some form of Wi-Fi connectivity available for use. As with all technologies, there are threats, and the same applies to Wi-Fi. Unfortunately, Wi-Fi is much more susceptible to vulnerabilities than Local Area Network (LAN) technologies due to the information being transmitted over the air and not through a cable, which is much more difficult to breach. There are many threats when it comes to Wi-Fi, and some of the more known ones include rogue access points or networks, man-in-the-middle attacks, and unauthorized access to insecure WLAN systems.

Securing your corporate Wi-Fi is not a small task and will require very skilled network engineers to architect and implement correctly, especially with enterprise-grade security for the best protection. Here are a few important tips for Wi-Fi security and your Windows 10 devices:

For a more comprehensive list regarding how to secure your enterprise-grade wireless infrastructure, both the Department of Homeland Security and NIST have guides available for reference:

Always be cautious when using open Wi-Fi in public places because of the ongoing threats from attackers. We don't know how well other Wi-Fi networks have been configured, and vulnerabilities may exist within their networks. When travelling, use cellular data to connect to the internet if it's an option or ensure you connect to VPN once you're connected to any public Wi-Fi. Make sure you provide security awareness to your users and advise them about the risks of public Wi-Fi and what they should be doing to protect themselves.

Tip

Your home is just as vulnerable to threats regarding Wi-Fi and even more so as we connect more devices (IoT) within our home to it. Educate your users and provide them with the awareness needed to protect themselves from the ongoing threat landscape. The Department of Homeland Security provides home network security tips here: https://www.us-cert.gov/ncas/tips/ST15-002.

Let's take a look at Bluetooth technology and discuss a few recommendations to ensure secure Bluetooth connections.

Bluetooth

Your Windows 10 device most likely has Bluetooth as a connectivity option since most user devices do today. Although an extremely convenient technology, it also comes with many flaws. There are many Bluetooth threats today that you should be familiar with. Some include Bluejacking, Bluesnarfing, and Bluebugging. The best protection against Bluetooth threats is to disable it and prevent your users from using it. Unfortunately, this may not be a reality for most, so it is important to understand the technology and the risks associated with it. To help you understand Bluetooth and the risk it entails, NIST has published a Guide to Bluetooth Security, also known as NIST Special Publication 800-121 Revision 2: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-121r2.pdf.

The Guide to Bluetooth Security is an extremely comprehensive document that provides you with all the knowledge needed to secure your Windows devices using Bluetooth, including a security recommendation checklist. In addition, the following three recommendations are provided in the guide to help you improve your Bluetooth security:

  • Ensure the strongest Bluetooth security mode is enforced for all users where Bluetooth is enabled and allowed to be used. Depending on the version of Bluetooth, there are different modes and security levels within the modes that determine how secure the Bluetooth communication is. For example, for Bluetooth v4.1, Security Mode 4 using Level 4 is recommended. For Bluetooth v2.1 - v4.0, Security Mode 4 using Level 3 is recommended and for anything older than Bluetooth v2.1, Security Mode 3 is recommended. Security Mode 1 is least restrictive and is not recommended.
  • Ensure Bluetooth is listed and referenced in the company security policies and that the device settings have been modified to reflect these policies.
  • Ensure any users enabled to use Bluetooth are fully aware of security issues with Bluetooth and their responsibilities while using it.

Now that we have covered Wi-Fi and Bluetooth connections, let's discuss VPNs and their use in organizations to connect to internal resources.

Virtual Private Networks (VPNs)

The more remote the workforce has become, the more we have relied on VPN connectivity. A VPN is essentially a technology that allows users to connect to their corporate network over an encrypted secure connection on the internet. A VPN allows a user to be anywhere at any time to access corporate data securely. As part of your policies and remote strategy, it is critical that you ensure users are connecting to a VPN when remote. Connecting your work device (or any device) to open Wi-Fi connections in public places creates a significant risk. When connecting to any network outside of your corporate office, a VPN should be connected to ensure a secure working session. VPNs have been around a long time and are a tool you have most likely used at some point during your working career. One primary challenge with a VPN is that it requires user interaction to connect once logged into your device. For the most secure working environment, a VPN should connect automatically whenever the device joins a network outside your corporate network. Microsoft has a technology known as Always On VPN. Always On VPN can be configured in Windows 10 as a VPN profile that will automatically connect to your corporate network whenever you are remote. This is a great technology and works very well! In order to use the Always On VPN technology with Windows 10, you need several components for the infrastructure to support it. The following documentation provides more details on the Always On VPN configuration for Windows 10 clients: https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-device-tunnel-config.

Additional "Always On" VPN solutions are also available from Palo Alto Networks through their GlobalProtect client and Cisco's AnyConnect. There is also an option within Windows 10 to leverage the built-in VPN client to connect to other third-party VPN services or providers. Take a look at the following link to learn how to set up a VPN connection from your Windows 10 device: https://support.microsoft.com/en-us/help/20510/windows-10-connect-to-vpn.

Tip

For personal use, you may want to consider a VPN service for your devices when you're away from home and are in cafes or public places. There are many options to choose from, and using a VPN service will provide a much more secure working environment for your personal services and data.

Next, we'll look at the network security components in Windows Server, as well as the roles and features that can be enabled as components of a network infrastructure.

Windows Server

For Windows Server 2019, the same applies to accessing the Network & Internet settings. When you search for Network, you will be presented with Settings. Click on Settings and then select Network & Internet to access your network-specific settings:

Figure 6.6 – Windows Server 2019 Network & Internet management console

With Windows Server, you will notice that you won't have any of the wireless technologies listed as you should only be using a physical connection for any network connectivity to your Windows servers. Like the Windows 10 settings, the Network & Internet management console for Windows Server will provide access to all the network components on your Windows Server. Without going into detail about each of these items, you can view your current network status and properties, Windows Firewall, Network and Sharing Center, adapter-specific settings (VPN, Ethernet, and so on), Proxy settings, Network reset functions, and much more.

Local Area Network (LAN)/Ethernet

Your server should only be connected using Ethernet for network access and any necessary internet access. Ethernet is much more secure than Wi-Fi and provides greater reliability. In addition to using Ethernet, ensure your servers are on a separate network segment from your user segment. Separation should go as far as segments for highly confidential data, the demilitarized zone (DMZ), and traffic that flows to databases. To accomplish this, you will need to implement VLANs for your LAN and ensure your servers are on a separate and secure VLAN.

Server roles and features

In addition to the base OS for Windows Server, there are server roles and features. There are many available roles and features that will provide separate services for your enterprise. A few of the more common ones include Active Directory (AD) Domain Services, Web Server (IIS), and SMTP Server, to name a few.

To access these roles and features, search for Server Manager within the search option and click on it. Once Server Manager is open, ensure you are within the dashboard and click Add Roles and Features. Here, you can add your desired network-related Server Roles and Features:

Figure 6.7 – Windows Server Roles and Features

There are many roles and features available that support network-specific functions. Some of them include the following:

  • DNS Server
  • DHCP Server
  • Active Directory Certificate Services
  • Network Policy and Access Services
  • Remote Access
  • Network Load Balancing
  • SMTP Server
  • SNMP Service

To implement the Windows 10 Always On VPN, the following needs to be deployed within your server environment:

  • Active Directory Domain Services
  • DNS Server
  • Network Policy and Access Services (NPS-RADIUS)
  • Active Directory Certificate Services (CA)
  • Remote Access (Direct Access and VPN-RAS)

Networking and Hyper-V

As discussed in the previous chapter, virtualization has become prevalent within enterprises but brings a lot of additional risk compared to a traditional physical server deployment model. The same applies to the network layer within the Hyper-V architecture. Ensuring the network is set up correctly and following best practices is a must. The most concerning risk within the network layer is allowing services to use the same network segment or VLAN. Network isolation is critical within the virtualization architecture and must be implemented for the best security.

The following documentation provides an overview of networking within Hyper-V so that you are familiar with the basics as they relate to Hyper-V: https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/plan/plan-hyper-v-networking-in-windows-server.

There is also this reference for Hyper-V security for Windows Server, which should be reviewed: https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/plan/plan-hyper-v-security-in-windows-server. Within this reference, the network-specific security items include the following:

  • Use a secure network for both host management and VMs.
  • Use separate networks and dedicated physical adapters for the physical hosts.
  • Use a separate secure network to access virtual hard disk files and VM configurations.
  • Use a separate secure network for any VM migrations and ensure encryption is enabled.
  • For VMs, ensure the virtual NICs are connected to the correct virtual switch and are configured with the correct security settings.
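The isolation points listed above can be checked on a host rather than trusted by hand. The following audit and remediation script is an added example, not code from the book or from the Microsoft documentation linked above; it assumes the Hyper-V PowerShell module is present and that the VM names, switch names, and VLAN IDs in the expectation map are yours (the values shown are constructed).

```powershell
# Added example (not from the book): audit every VM NIC on this Hyper-V host
# against the isolation points above (correct virtual switch, access VLAN, and
# adapter security settings), then remediate non-compliant VMs after review.
#Requires -Modules Hyper-V

# Constructed expectation map: VM name -> required switch and access VLAN.
$Expected = @{
    'WEB01' = @{ Switch = 'vSwitch-DMZ';  Vlan = 30 }
    'SQL01' = @{ Switch = 'vSwitch-Data'; Vlan = 40 }
}

function Test-VMNetworkIsolation {
    param([hashtable]$Expected)
    foreach ($vmName in $Expected.Keys) {
        $want = $Expected[$vmName]
        foreach ($nic in Get-VMNetworkAdapter -VMName $vmName) {
            $vlan     = Get-VMNetworkAdapterVlan -VMNetworkAdapter $nic
            $problems = @()
            if ($nic.SwitchName -ne $want.Switch) {
                $problems += "on switch '$($nic.SwitchName)', expected '$($want.Switch)'"
            }
            if ($vlan.OperationMode -ne 'Access' -or $vlan.AccessVlanId -ne $want.Vlan) {
                $problems += "VLAN $($vlan.OperationMode)/$($vlan.AccessVlanId), expected Access/$($want.Vlan)"
            }
            # A guest that can spoof MACs or answer DHCP/router advertisements can
            # attack neighbours on a shared segment; keep the guards on.
            if ($nic.MacAddressSpoofing -ne 'Off') { $problems += 'MAC spoofing allowed' }
            if ($nic.DhcpGuard   -ne 'On')         { $problems += 'DHCP guard off' }
            if ($nic.RouterGuard -ne 'On')         { $problems += 'router guard off' }
            [pscustomobject]@{
                VM        = $vmName
                Adapter   = $nic.Name
                Compliant = ($problems.Count -eq 0)
                Findings  = ($problems -join '; ')
            }
        }
    }
}

# Remediation for one VM: reconnect its adapters to the right switch, pin the
# access VLAN, and enable the adapter security settings. Apply only after review.
function Set-VMNetworkIsolation {
    param([string]$VMName, [string]$Switch, [int]$Vlan)
    Get-VMNetworkAdapter -VMName $VMName | ForEach-Object {
        Connect-VMNetworkAdapter -VMNetworkAdapter $_ -SwitchName $Switch
        Set-VMNetworkAdapterVlan -VMNetworkAdapter $_ -Access -VlanId $Vlan
        Set-VMNetworkAdapter -VMNetworkAdapter $_ -MacAddressSpoofing Off -DhcpGuard On -RouterGuard On
    }
}

Test-VMNetworkIsolation -Expected $Expected | Format-Table -AutoSize
```

Run the audit on each host from a management session; pass a non-compliant VM's name and its expected switch and VLAN to Set-VMNetworkIsolation to correct it.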

Now that we have reviewed the network components of Windows Server and tips for securing Hyper-V, let's take a look at some of the tools that are helpful when troubleshooting network-related issues.

Network troubleshooting

As a security professional, you are going to need to be familiar with troubleshooting and investigative work. Chances are, the network layer will be involved as part of your troubleshooting and investigative work at some point. Microsoft initially had its own tool that was able to capture and analyze network traffic, known as Microsoft Network Monitor 3.4, which was then replaced with Microsoft Message Analyzer (MMA). Unfortunately, MMA has recently been retired. Currently, Microsoft has no plans to replace MMA. Fortunately, there are alternatives and, most likely, the tools referenced here are already being used by your network and security staff today. A couple of widely adopted tools that allow the inspection and analysis of network traffic are as follows:

In this section, we reviewed some of the basic Windows Network Security implementations for Windows 10, Windows Server, and Hyper-V. We also resurfaced the topic of baselining for network-specific hardening within your environment. Next, we will move on and look at advanced network security features within Windows that fall within the Windows Defender technology feature set. Some of the items that will be covered include configuring a firewall rule with Group Policy, Windows Defender Exploit Guard Network Protection, and how to configure Windows Defender Exploit Guard Network Protection using Group Policy.

Windows Defender Firewall and Advanced Security

Windows 10 Firewall is a software-based firewall that's enabled out of the box and used to allow or block connections to your PC. To view the basic firewall settings, including their statuses, open Windows Security from the Settings app and select Firewall & Network Protection. There are local security settings you can change from here, including configurations specific to each network profile, such as blocking incoming connections, allowing an app through the firewall, and restoring the default firewall settings.

The three network profile types in Windows Firewall are domain, private, and guest/public, as follows:

  • Domain Profile settings are defined by the domain profile and are set systemically using Group Policy or from network devices located on the corporate network. Local policy settings are typically overwritten if they're managed systemically.
  • Private Profile is used for home network or small office home networks (SOHOs) where a domain controller may not be present. A private profile can be configured by a local security policy and by default, incoming connections to apps are blocked if they are not on the list of allowed apps.

    Tip

    If an app is blocked, you can view the event log or firewall log for more details. Event ID 5031 in Windows Logs/Security will show you if the firewall blocked an incoming connection from an application.

  • Public Profile is used for guest or public networks. Network discovery is turned off by default in Windows 10 for this profile, which blocks file and print sharing. Incoming connections are set identical to the private profile where apps are blocked that are not on the list of allowed apps.

Clicking on Advanced Settings and elevating user account control with an administrative account will open Windows Defender Firewall with Advanced Security. With Advanced Security, you can control inbound rules, outbound rules, and connection security rules. Here, you have complete control over all packets, both ingress and egress. The inbound/outbound rules can specify specific ports, programs, or use custom settings that may include a combination of ports, programs, and physical network adapters. Windows Defender Firewall already comes configured with a set of predefined rules. These rules cannot be directly modified, but they can be enabled or disabled.

Tip

A green checkbox next to the rule name means that it is enforced. If many modifications are needed in addition to the predefined rules, this is a good use case for you to build them into your hardened image.

A connection security rule is used to define the conditions in which a connection can connect to another system. An example of a connection security rule would be to specify a required method of authentication needed to establish a connection. If the source and destination systems in the scope of the connection security rule do not meet the conditions, then the connection is denied. Connection security rules can be defined to require and/or request authentication, both inbound and outbound, and include settings for common authentication methods such as using certificates or Kerberos and NTLMv2 for computer and user authentication.

Important note

An important difference between firewall rules and connection security rules is that, simply put, firewall rules are used to allow or deny traffic. Connection security rules are used to secure the communications between the source and destination using IPsec and define the authentication conditions. Typically, advanced connection security rules are managed through third-party devices or software and are managed systemically.

The last part of this Windows Defender Firewall with Advanced Security overview that's worth mentioning is the monitoring section. Within the monitoring pane is a high-level overview of the status of each of the network profiles. It also has helpful links so that you can view active firewall rules, active connection security rules, security associations, and logging settings.

Typically, Windows Defender does a good job of allowing applications through the firewall that are known and trusted. In some scenarios, such as with a home-grown custom line of business app, you may need to push a firewall rule to allow the app. This can be easily accomplished using Group Policy. Let's look at how to use Group Policy to configure a line of business app through Windows Firewall.

Configuring a firewall rule with Group Policy

Let's assume there is a line of business app called BusinessApp.exe that runs under the C:\Program Files (x86)\MyLOBApp path and we need to allow inbound/outbound connections over the domain profile only. This will ensure that connectivity will work only while connected to the corporate network. Follow these steps to allow the app through the firewall with Group Policy:

  1. Open the Group Policy Management snap-in from your management workstation and create a new GPO linked to an OU that contains the computer systems you wish to target.
  2. Give it a friendly name such as Windows Defender Firewall – Connection Rules, right-click it, and choose Edit.
  3. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security, expand it, and then expand it again.
  4. Right-click Inbound Rules and choose New Rule to open New Inbound Rule Wizard.
  5. Select Program, click Next, and select the radio button next to This program path.
  6. Enter the path of the executable file for the custom LOB app from the install directory; for example, %ProgramFiles(x86)%\MyLOBApp\BusinessApp.exe. Click Next.
  7. Select Allow the connection on the Action page.
  8. Select the domain profile only and click Next.
  9. Give it a friendly name such as Allow BusinessApp and click Finish.
  10. Repeat the same process, but for Outbound Rules.
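The same domain-profile rules can be written into the GPO from a management workstation with the NetSecurity cmdlets, and the Event ID 5031 check from the earlier tip can then confirm that the app is no longer being blocked. This is an added example, not the book's own code; it assumes the domain is contoso.com (placeholder) and that the GPO name matches step 2.

```powershell
# Added example (not from the book): create the BusinessApp.exe domain-profile
# rules in the GPO from the steps above, then verify on a target machine that the
# rules resolved and that no Event ID 5031 blocks remain for the same binary.
# Assumptions: domain contoso.com (placeholder); GPO name from step 2.
#Requires -Modules NetSecurity, GroupPolicy

$Domain  = 'contoso.com'                                   # assumption
$GpoName = 'Windows Defender Firewall – Connection Rules'  # from step 2
$AppPath = '%ProgramFiles(x86)%\MyLOBApp\BusinessApp.exe'  # from step 6

# Open the GPO once so both rules are written in a single save (steps 4-10).
$gpo = Open-NetGPO -PolicyStore "$Domain\$GpoName"
foreach ($direction in 'Inbound', 'Outbound') {
    New-NetFirewallRule -GPOSession $gpo `
        -DisplayName "Allow BusinessApp ($direction)" `
        -Direction   $direction `
        -Program     $AppPath `
        -Action      Allow `
        -Profile     Domain `
        -Enabled     True | Out-Null
}
Save-NetGPO -GPOSession $gpo

# On a targeted client after a Group Policy refresh: show the rules as the
# firewall actually applies them (ActiveStore merges local and GPO rules).
Get-NetFirewallRule -PolicyStore ActiveStore -DisplayName 'Allow BusinessApp*' |
    Select-Object DisplayName, Direction, Profile, Enabled, Action

# Event ID 5031 (Security log) records an application blocked from accepting
# inbound connections; it needs Audit Filtering Platform Connection enabled.
function Get-FirewallBlockedApps {
    param([int]$Hours = 24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 5031
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the EventData fields by name rather than parsing the message text.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Profile     = $data['ProfileUsed']   # field names from the 5031 event schema
            Application = $data['Application']   # NT device path, e.g. \device\harddiskvolumeN\...
        }
    }
}

# Any hit here after the refresh means the rule did not apply (wrong OU scope,
# wrong profile, or the path differs from the binary actually running).
Get-FirewallBlockedApps | Where-Object Application -like '*BusinessApp.exe' |
    Sort-Object Time -Descending | Format-Table -AutoSize
```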

The following screenshot shows the applications allowed in the Inbound Rules of Windows Defender Firewall after a Group Policy refresh:

Figure 6.8 – Inbound Rules in Windows Defender Firewall with Advanced Security

Tip

Configuring firewall rules through Group Policy does not support environment variables used to resolve the context of the current user. This can cause some challenges if non-administrative users are being prompted to allow an app through the firewall that is running from the %APPDATA% or %USERPROFILE% locations.

Windows Defender Firewall rules can also be configured using an Intune Device Configuration profile. Choose the Endpoint protection profile type for Windows 10 and later:

Figure 6.9 – Microsoft Defender Firewall device configuration profile in Intune

Next, we'll look at Windows Defender Exploit Guard Network Protection and how to configure it with Group Policy.

Windows Defender Exploit Guard Network Protection

Network Protection is a security feature that can be enabled through the Exploit Guard functionality of Windows Defender. Network Protection helps reduce the impact of attacks such as phishing, social engineering, and malicious browser redirects. Because it works at the network layer rather than inside a browser, its protection covers all major browsers, including Microsoft Edge, Google Chrome, and Mozilla Firefox, as well as non-browser processes that make outbound connections. If you're a Microsoft Defender Advanced Threat Protection customer, Network Protection sends its events to the ATP service for advanced investigation. At a high level, the feature works by blocking outbound connections to known low-reputation IP addresses and URLs. When a connection is blocked, a Windows Security toast notification informs the user of the blocked connection and can be customized with actions such as a phone number for IT support or an email button.

The list of IPs and URLs that are blocked is maintained by Microsoft's threat intelligence service. Network Protection is a great feature for small- or medium-sized businesses or those looking to get away from third-party proxy services and the administration required to maintain them. Keep in mind that it is reputation-based blocking, not a full web proxy, so on its own it does not provide the category-based filtering or the logging of permitted traffic that a proxy does.

Tip

If Network Protection is alerting you of false positives, Microsoft recommends opening a support case so that their threat team can investigate.

In the following screenshot, Kusto Query Language (KQL) is being used to query the Windows Defender ATP logs for Exploit Guard Network Protection events:

Figure 6.10 – An advanced hunting Kusto query in the Microsoft Defender ATP portal to show blocked actions for the Network Protection feature

For the user to be alerted about a blocked connection, their notifications must be enabled. In addition to toast notifications, a badge is also visible after the fact in the Action Center. Some of the customizations available include options to set the company's name, contact phone number, website, and Skype ID.

When a connection is blocked (or, in audit mode, would have been blocked), the action is logged to the Microsoft-Windows-Windows Defender/Operational event log as event ID 1126 (block) or 1125 (audit) and sent to the Microsoft Defender ATP portal. It can also be viewed locally by creating a custom view in Event Viewer, as seen in the following screenshot:

Figure 6.11 – Windows Defender Exploit Guard Network Protection logs in Event Viewer

For information about how to create a custom view using XML for Network Protection, visit this link:

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/event-views.

To enable Network Protection through Group Policy, you will need the Exploit Guard ADMX and ADML files. For information about managing a central store and the latest downloads for administrative templates, visit this link: https://support.microsoft.com/en-us/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra.

Configuring Windows Defender Exploit Guard Network Protection using Group Policy

In this section, we will configure Network Protection so that we can block connections and customize the toast notifications presented to users when they visit a low-reputation IP or URL. To complete this exercise, the Exploit Guard ADMX and ADML files must be imported into C:\Windows\PolicyDefinitions or to your Group Policy central store. Follow these steps to enable Network Protection using Group Policy:

  1. Open the Group Policy Management snap-in console from a management workstation and create a new GPO linked to an OU that contains the computer systems you wish to target.
  2. Give it a friendly name such as Windows Defender Exploit Guard – Network Protection, right-click it, and choose Edit.
  3. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Antivirus > Windows Defender Exploit Guard > Network Protection.
  4. Open the Prevent users and apps from accessing dangerous websites policy setting, set it to Enabled, and in the Options pane choose Block (or Audit Mode if you only want the events logged without blocking anything yet).
  5. To set the customized toast notifications, go to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Security > Enterprise Customization.
  6. Choose Configure Customized Notifications and set it to Enabled.
  7. Choose Configure customized contact information and set it to Enabled.
  8. Open Specify contact company name and set it to Enabled and enter a company name.
  9. Choose Specify contact phone number or Skype ID and set it to Enabled. Enter the phone number of your support line.
  10. Choose Specify contact website and set it to Enabled. Enter your IT or support website.

As shown in the following screenshot, the Windows toast notification displays a blocked connection warning with the customized branding, as specified in the GPO:

Figure 6.12 – Windows Security notification for a blocked connection

Tip

If a user suppresses notifications, they will not receive any notice that a connection has been blocked. Network Protection can be deployed in Audit mode if you wish to evaluate this behavior before enabling the feature.
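For a pilot machine, the per-host equivalent of the Group Policy setting above, plus the check that tells you whether the feature is actually firing, as an added PowerShell example (not code from the book). It uses the Defender cmdlets, the test URL Microsoft publishes for Network Protection demos, and the event IDs 1125 (audit) and 1126 (block):

```powershell
# Added example, not from the book: enable Network Protection locally with the Defender
# cmdlets, trigger it against Microsoft's documented test URL, and read the resulting events.
# Group Policy remains the production method; this is what you run on a pilot host to
# validate behaviour. Requires an elevated session with Windows Defender Antivirus active.

# Start in audit mode: events are logged, nothing is blocked, no user toasts.
Set-MpPreference -EnableNetworkProtection AuditMode
(Get-MpPreference).EnableNetworkProtection   # 0 = Disabled, 1 = Enabled (block), 2 = AuditMode

# Test site published by Microsoft for Network Protection demonstrations.
# Network Protection filters at the OS level, so a PowerShell request is enough to trigger it.
$testUrl = 'https://smartscreentestratings2.net'
try {
    Invoke-WebRequest -Uri $testUrl -UseBasicParsing -TimeoutSec 10 | Out-Null
    'Request completed (expected in audit mode)'
} catch {
    "Request failed: $($_.Exception.Message) (expected once the mode is Enabled)"
}

# 1125 = would have been blocked (audit), 1126 = blocked. Both live in the Defender operational log.
function Get-NetworkProtectionEvents {
    param([int]$Hours = 1)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1125, 1126
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1126) { 'Block' } else { 'Audit' }
            Message = $_.Message
        }
    }
}
Get-NetworkProtectionEvents | Format-Table -AutoSize -Wrap

# Once the audit results look clean, switch to block mode (the GPO's Block option does the same).
Set-MpPreference -EnableNetworkProtection Enabled
```

Run the audit portion for a representative period before switching to Enabled: the 1125 events are exactly the connections that will start failing for users, so they are also the list you review for false positives before opening a support case.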

In the previous sections, we covered Windows Defender Firewall with Advanced Security, including how to create custom inbound/outbound rules using Group Policy. We looked at the device configuration profile in Intune, as well as setting Defender Firewall for MDM-enrolled devices. Next, we enabled a feature of Windows Defender Exploit Guard known as Network Protection, which is used to help protect end users from low-reputation IPs and URLs. In the next few sections, we'll shift focus and discuss Azure cloud solutions that can be used to provide network security to your Windows virtual machine endpoints in Azure.

Introducing Azure network security

When protecting your Windows resources in Azure, there are a few types of cloud offerings that can be used to filter activity and ensure only trusted and legitimate traffic can reach your virtual machines. Foundationally speaking, Azure networking consists of a virtual network containing an address space. Just like traditional networking concepts, the virtual network or "VNET" can then further be divided into segments called subnets, where resources such as Windows virtual machines are assigned to a designated space. Azure resources inside the same VNET are allowed to communicate with each other by default. Resources are also able to communicate with PaaS services outside of the VNET, such as Azure App Service or Azure Cosmos DB, using service endpoints. With a feature known as VNET peering, other VNETs can be connected to allow cross-VNET communication. Using a combination of user-defined routing (UDR), network security groups (NSG), Azure Firewall, and network virtual appliances (NVA) allows you to ensure that communications are locked down so that only the necessary traffic reaches resources in your VNET.

Tip

When creating a new VNET, outbound connectivity to the internet is allowed by default. If the resources in a subnet should not reach the internet, you must add an explicit outbound deny rule; the default rules alone will not stop it.

In this section, we are going to focus on network security access control using a feature known as Network Security Groups (NSGs).

Network Security Groups (NSGs)

An NSG is an Azure resource that acts as a stateful packet filter for evaluating inbound and outbound traffic. It allows or denies traffic through a set of security rules that are processed in priority order: the rule with the lowest priority number is evaluated first, and the first rule whose conditions match the traffic decides the outcome; no later rule is consulted. Because the filter is stateful, flows are tracked by the five-tuple of source IP, source port, destination IP, destination port, and protocol, so the return traffic of an allowed flow is permitted without a matching rule in the opposite direction. NSG resources can be associated with subnets or with virtual network interfaces. As a best practice, it is recommended that NSGs are applied at the subnet level rather than directly to a network interface. This minimizes the number of NSGs you have to maintain. (If both exist, inbound traffic is evaluated by the subnet NSG first and then by the NIC NSG, and it must be allowed by both.) A security rule inside an NSG has the following properties:

  • Name, which is used to identify it; for example, AllowRDP.
  • Priority between 100 and 4,096, which decides the evaluation order; lower numbers are evaluated first.
  • Source or Destination. This can be Any, an individual IP, a range specified in CIDR notation, a service tag, or an application security group.
  • Protocol support for TCP, UDP, ICMP, or Any.
  • Direction (inbound or outbound).
  • Port range.
  • Action, such as allow or deny.

    Tip

    When assigning a priority, it is recommended to assign them in intervals of 50 or 100 to ensure there is plenty of space to insert rules in the future.
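To make the evaluation order concrete, here is an added example (not from the book) that simulates how an NSG processes inbound rules. The VNet range, the sample rules (including a deny that is shadowed by an earlier allow) and the sample flows are all constructed; the three default inbound rules and the Azure load balancer probe address 168.63.129.16 are the real ones:

```powershell
# Added example, not from the book: a small simulator of NSG rule evaluation. It models the
# documented semantics (sort by priority, lowest number first, first match wins, default rules
# at 65000+ evaluated last). The VNet range 10.0.0.0/16, the custom rules and the flows below
# are constructed for illustration.

$VNetCidr     = '10.0.0.0/16'      # assumed address space of the VNet
$AzureLbProbe = '168.63.129.16'    # Azure platform health-probe source address

function ConvertTo-UInt32 {
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [array]::Reverse($b)           # network byte order -> host order for BitConverter
    [BitConverter]::ToUInt32($b, 0)
}

function Test-InCidr {
    param([string]$Ip, [string]$Cidr)
    if ($Cidr -eq '*') { return $true }
    $net, $bits = $Cidr -split '/'
    if (-not $bits) { $bits = '32' }           # a bare IP is a /32
    $mask = [uint32]((0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF)
    ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)
}

# Resolve an address selector: '*', an IP or CIDR, or one of the service tags used on this page.
function Test-AddressMatch {
    param([string]$Ip, [string]$Selector)
    switch ($Selector) {
        'VirtualNetwork'    { Test-InCidr $Ip $VNetCidr }
        'Internet'          { -not (Test-InCidr $Ip $VNetCidr) }
        'AzureLoadBalancer' { $Ip -eq $AzureLbProbe }
        default             { Test-InCidr $Ip $Selector }
    }
}

function Test-PortMatch {
    param([int]$Port, [string]$Range)
    if ($Range -eq '*') { return $true }
    $lo, $hi = $Range -split '-'
    if (-not $hi) { $hi = $lo }
    ($Port -ge [int]$lo) -and ($Port -le [int]$hi)
}

# Evaluate one flow against the rule set and return the first matching rule, as Azure does.
function Resolve-NsgDecision {
    param([object[]]$Rules, [string]$Src, [string]$Dst, [int]$DstPort, [string]$Proto, [string]$Direction = 'Inbound')
    foreach ($r in ($Rules | Sort-Object Priority)) {
        if ($r.Direction -ne $Direction) { continue }
        if ($r.Protocol -ne '*' -and $r.Protocol -ne $Proto) { continue }
        if (-not (Test-AddressMatch $Src $r.Source)) { continue }
        if (-not (Test-AddressMatch $Dst $r.Destination)) { continue }
        if (-not (Test-PortMatch $DstPort $r.DestPort)) { continue }
        return [pscustomobject]@{ Flow = "$Src -> ${Dst}:$DstPort/$Proto"; Rule = $r.Name; Priority = $r.Priority; Action = $r.Action }
    }
}

# Constructed rule set: two custom rules plus the three default inbound rules every NSG carries.
$rules = @(
    @{ Name='IBA_RDP_3389';     Priority=1001;  Direction='Inbound'; Source='Internet';       Destination='VirtualNetwork'; DestPort='3389'; Protocol='TCP'; Action='Allow' }
    @{ Name='Deny_RDP_Later';   Priority=2000;  Direction='Inbound'; Source='*';              Destination='*';              DestPort='3389'; Protocol='TCP'; Action='Deny'  }
    @{ Name='AllowVnetInBound'; Priority=65000; Direction='Inbound'; Source='VirtualNetwork'; Destination='VirtualNetwork'; DestPort='*';    Protocol='*';   Action='Allow' }
    @{ Name='AllowAzureLoadBalancerInBound'; Priority=65001; Direction='Inbound'; Source='AzureLoadBalancer'; Destination='*'; DestPort='*'; Protocol='*'; Action='Allow' }
    @{ Name='DenyAllInBound';   Priority=65500; Direction='Inbound'; Source='*';              Destination='*';              DestPort='*';    Protocol='*';   Action='Deny'  }
) | ForEach-Object { [pscustomobject]$_ }

# Constructed flows. The deny at priority 2000 never fires: the allow at 1001 has already matched.
Resolve-NsgDecision $rules '203.0.113.10' '10.0.1.4' 3389 'TCP'   # IBA_RDP_3389 / Allow
Resolve-NsgDecision $rules '203.0.113.10' '10.0.1.4' 22   'TCP'   # DenyAllInBound / Deny
Resolve-NsgDecision $rules '10.0.2.5'     '10.0.1.4' 445  'TCP'   # AllowVnetInBound / Allow
Resolve-NsgDecision $rules $AzureLbProbe  '10.0.1.4' 80   'TCP'   # AllowAzureLoadBalancerInBound / Allow
```

The shadowed deny is the mistake the simulator is meant to surface: adding a deny with a higher priority number than an existing allow changes nothing, which is why the recommended intervals of 50 or 100 matter. They leave room to insert the deny below the allow rather than after it.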

Service tags

Either the source or the destination value for a security rule can be an Azure service tag. Service tags are available to help simplify the creation and maintenance of security rules instead of manually specifying and maintaining IP ranges for common connection points such as the internet. This is helpful when defining rules for connections to the internet or to an Azure service such as the Azure load balancer. Microsoft maintains the address ranges behind each tag. Examples of service tags in Azure include values such as VirtualNetwork, Storage, SQL, or Internet. The full list of available virtual network service tags can be found at this link:

https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview.

Tip

Security rules can also be augmented security rules, which accept multiple IP addresses, CIDR ranges, ports, or service tags in a single rule instead of you having to create separate rules for each IP block.

The following screenshot shows the NSG inbound security rules. You can see the service tags depicted as Internet and VirtualNetwork in the Source and Destination sections:

Figure 6.13 – NSG inbound security rules in Azure

Application Security Groups (ASGs)

ASGs are an additional enhancement for simplifying NSG rules. An ASG is a group that you define and assign virtual machine network interfaces to; it can then be used as the source or destination of a security rule, much like a service tag, but scoped to your own workloads. For example, let's say you have a few shared backend app servers and DB servers. As the business requirements evolve, there may be a need to leverage these resources to service other business functions that are housed in different subnets. By grouping these resources together in an ASG, you can specify that group as the source in the NSG rule and you don't have to granularly define each component moving forward.

Creating a network security group in Azure

One common method when deploying new infrastructure to Azure is to use a jump box server as part of the management plane for other resources. Although we strongly recommend against using a jump box exposed to the internet for an extended period, we want to demonstrate how to create an NSG rule on the jump box subnet to allow RDP traffic over the internet using a non-standard port. Using a non-standard port reduces the noise from actors mass-scanning for 3389 (RDP), but it is obscurity, not protection: a full port scan still finds the listener, and credential attacks against it continue. Treat it as one layer, and prefer restricting the rule's source to your known management IP range over the Internet service tag wherever possible.

This demo assumes the following has already been configured:

  • A resource group, Azure VNET, and a subnet
  • A Windows virtual machine with a public IP

We are going to create a new NSG and define two new inbound security rules. One will use 3389 to allow modifications to be made to the VM resources using the default RDP port, while the other will allow port TCP 65001 over the internet to accommodate connections after the port change. We will then create an inbound firewall rule for TCP port 65001 in Defender Firewall on the virtual machine host and change the listening port for RDP through the registry. Let's get started:

  1. Log into the Azure portal at https://portal.azure.com.
  2. Search for Network Security Groups and select it.
  3. Click Add or Create network security group if none have been created.
  4. Choose the subscription and then select the resource group that contains your Windows virtual machine. Give it a friendly name such as NSG-Identity-Prod. In our example, we are creating an NSG for a subnet that contains domain controllers; keep in mind that the internet-facing allow rules that follow apply to every network interface in the associated subnet, not just the jump box, which is one more reason to treat them as temporary and to restrict their source.
  5. Select the region that your subnet resides in and choose Review + Create. Then, select Create after the validation passes. Go to the resource after the deployment completes.

NSGs come with predefined default security rules that cannot be deleted. Their priorities are deliberately set to high numbers (65000 and above), outside the range available to custom rules, so they are evaluated last and leave plenty of space for custom security rules with lower integer values. The maximum priority for a custom security rule is 4096.

  1. Click on Inbound security rules under Settings.
  2. Click Add to create a new inbound rule with the following settings:

    Source: Service Tag

    Source service tag: Internet

    Source port ranges: *

    Destination: VirtualNetwork

    Destination port ranges: 3389

    Protocol: TCP

    Action: Allow

    Priority: 1001

    Name: IBA_RDP_3389

  3. Click Add to create the rule.
  4. Repeat these steps to create the inbound allow rule for the custom TCP port 65001, but with the following changes:

    Destination port ranges: 65001.

    Priority: 1050.

    Name: IBA_RDP_65001. This is short for inbound allow, remote desktop protocol, and port number 65001.

  5. Click Add to create the second rule.

Notice the warning symbol in the following screenshot next to the inbound allow rule for 3389. Azure does a good job of warning you that a common port is open to the internet:

Figure 6.14 – Inbound security rules inside an NSG in Azure

Now, let's associate the NSG with a subnet:

  1. Click on Subnets in Settings.
  2. Choose Associate, select a Virtual network from the dropdown, and select the subnet that contains your Windows VMs. Click OK.
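The same NSG, rules and subnet association with the Az PowerShell module, as an added example rather than the book's own steps, followed by the two checks worth running afterwards. The resource group, VNet, subnet and region names are assumptions:

```powershell
# Added example, not from the book: create the NSG and its two inbound rules, associate it with
# the subnet, and check the result. Resource group, VNet, subnet and region names are assumed.
# Requires the Az module and a signed-in session (Connect-AzAccount).

$rg     = 'rg-identity-prod'   # assumed
$vnet   = 'vnet-prod'          # assumed
$subnet = 'snet-jumpbox'       # assumed: the jump box subnet
$region = 'eastus'             # assumed

# Two inbound allow rules with the Internet service tag as source, exactly as in the portal steps.
# Replace 'Internet' with your management IP range before leaving either rule in place.
$rdpDefault = New-AzNetworkSecurityRuleConfig -Name 'IBA_RDP_3389' `
    -Description 'Temporary: default RDP until the listener port is changed' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 1001 `
    -SourceAddressPrefix Internet -SourcePortRange '*' `
    -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 3389

$rdpCustom = New-AzNetworkSecurityRuleConfig -Name 'IBA_RDP_65001' `
    -Description 'Inbound allow, RDP, port 65001' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 1050 `
    -SourceAddressPrefix Internet -SourcePortRange '*' `
    -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 65001

$nsg = New-AzNetworkSecurityGroup -Name 'NSG-Identity-Prod' -ResourceGroupName $rg `
    -Location $region -SecurityRules $rdpDefault, $rdpCustom

# Associate at the subnet level (the page's recommendation) rather than per network interface.
$vn = Get-AzVirtualNetwork -Name $vnet -ResourceGroupName $rg
$sn = Get-AzVirtualNetworkSubnetConfig -Name $subnet -VirtualNetwork $vn
Set-AzVirtualNetworkSubnetConfig -Name $subnet -VirtualNetwork $vn `
    -AddressPrefix $sn.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$vn | Set-AzVirtualNetwork | Out-Null

# Check 1: custom rules plus the non-deletable defaults, listed in evaluation order.
$nsg = Get-AzNetworkSecurityGroup -Name 'NSG-Identity-Prod' -ResourceGroupName $rg
(@($nsg.SecurityRules) + @($nsg.DefaultSecurityRules)) |
    Where-Object Direction -eq 'Inbound' | Sort-Object Priority |
    Select-Object Name, Priority, SourceAddressPrefix, DestinationPortRange, Access |
    Format-Table -AutoSize

# Check 2: any allow rule that exposes a common admin port to the Internet. This is the condition
# behind the portal's warning icon; it should return nothing once IBA_RDP_3389 is removed.
$nsg.SecurityRules | Where-Object {
    $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
    $_.SourceAddressPrefix -contains 'Internet' -and
    ($_.DestinationPortRange -contains '3389' -or $_.DestinationPortRange -contains '22')
} | Select-Object Name, Priority, DestinationPortRange

# After the VM listens on 65001, remove the temporary rule:
# Remove-AzNetworkSecurityRuleConfig -Name 'IBA_RDP_3389' -NetworkSecurityGroup $nsg | Set-AzNetworkSecurityGroup
```

Check 2 is the one to keep: run it across all NSGs in a subscription and it becomes a quick audit for the "common port open to the internet" condition the portal only flags one rule at a time.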

Now that we have created the NSG rules and associated them with a subnet, we can remote into the Windows VM and modify the settings to change the RDP listening ports to 65001. Follow these steps to do so:

  1. Find the VM by searching for it by name in the Azure portal. On the Overview tab, click Connect to download the RDP file and connect over public IP with the default RDP port of 3389.
  2. Log into the VM using the administrative account you used when creating the virtual machine to load the desktop.
  3. Once at the desktop, search for Windows Defender Firewall with Advanced Security to open the advanced menu. Click on Inbound Rules.
  4. Click New Rule and create a new inbound rule.
  5. Select Port as the rule type to create and click Next. Select TCP and enter 65001 in the box to specify Specific local ports and click Next.
  6. Keep the default of Allow the connection selected and click Next.
  7. Keep all three profiles selected and click Next.
  8. Give the rule a friendly name such as Remote Desktop – IBA 65001 and click Finish.
  9. Open the registry editor (regedit), go to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp registry subkey, and look for the DWORD PortNumber.
  10. Open the DWORD PortNumber, choose Decimal, and modify the port number so that it states 65001. Click OK.
  11. Restart the virtual machine.
  12. Validate that the port number change worked by connecting to the VM with RDP by specifying the IP and port; for example, 40.70.223.4:65001.
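The steps on the virtual machine, as an added PowerShell example (not from the book) for an elevated session on the VM. It uses the port and rule name from the steps above, and restarts the Remote Desktop service instead of the whole VM:

```powershell
# Added example, not from the book: open the new port in Defender Firewall, move the RDP listener,
# restart the service, and verify. Run in an elevated PowerShell session on the virtual machine.

$NewPort = 65001
$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Firewall rule first, on all profiles, so the listener is reachable as soon as it moves.
#    (An Azure VM typically sits on the Public profile; limiting this to Domain would lock you out.)
New-NetFirewallRule -DisplayName "Remote Desktop - IBA $NewPort" -Direction Inbound -Protocol TCP `
    -LocalPort $NewPort -Action Allow -Profile Any -Enabled True | Out-Null

# 2. Move the listener. PortNumber is a REG_DWORD; write it as DWord, not as a string.
$old = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $NewPort -Type DWord
"RDP listener: $old -> $((Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber)"

# 3. Restart Remote Desktop Services to pick up the new port. Your current RDP session will drop;
#    reconnect on the new port. Rebooting the VM, as in the steps above, works as well.
Restart-Service -Name TermService -Force

# 4. Verify: the service should now listen on the new port and no longer on 3389.
Start-Sleep -Seconds 5
Get-NetTCPConnection -State Listen | Where-Object { $_.LocalPort -in @(3389, $NewPort) } |
    Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize

# From a client the target becomes <public-ip>:65001, for example: mstsc /v:<public-ip>:65001
```

The order matters: if the registry change and restart happen before the firewall rule exists, the only way back in is the Azure serial console or a run command. The final listing should show a single listener on 65001 owned by the svchost.exe hosting TermService.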

When clicking Connect from the virtual machine Overview page, be sure to change the port number to 65001 to reference the custom port we configured. The following screenshot shows the Connect to virtual machine menu that appears after clicking Connect:

Figure 6.15 – Connect to virtual machine menu

To recap, we created a new NSG with two inbound rules to allow TCP ports 3389 and 65001 for RDP traffic. Then, we modified the default RDP listening port on the virtual machine host to TCP 65001 and created a matching inbound allow rule in Windows Defender Firewall. Two follow-ups turn this demo into an acceptable configuration: delete the IBA_RDP_3389 rule now that nothing listens on 3389, so the common port is no longer open to the internet, and change the source of IBA_RDP_65001 from the Internet service tag to the IP range of your management workstations.

Summary

In this chapter, we started by looking at network security fundamentals and covered the OSI and TCP/IP models, reviewed common ports and protocols, and looked at the important technologies needed to help with network security. Next, we covered Windows network security, which started with network baselining for your Windows devices. This section then covered the Windows 10 network management pane before moving on to securing WLAN/Wi-Fi, Bluetooth, and VPN, including Microsoft's Always On VPN. The following section covered the Windows Server network management pane, including LAN and Ethernet best practices for your servers, and provided an overview of the server roles and features. The final sections overviewed Hyper-V networking and security before finishing off with network troubleshooting tools.

Following Windows network security, we covered Windows Defender Firewall with Advanced Security, which provided steps you can follow to configure your firewalls with Group Policy; a detailed overview of Windows Defender Exploit Guard Network Protection; and how to configure Windows Defender Exploit Guard Network Protection. The final topic of this chapter was Azure network security solutions for Windows VMs. Here, we covered NSGs, ASGs, and steps on how to create a network security group in Azure.

In the next chapter, we will review identity and access management and its importance in Windows management. We will look at account and access management and review many of the components involved in the life cycle of accounts and the types of access needed. Then, we will review authentication technologies and provide recommendations on how you should be using these authentication protocols in today's world. We will finish with a review of conditional access and identity protection.