Creating a rule to block outbound traffic

By default, the Windows Firewall allows pretty much everything to travel outbound. Usually when discussing firewall rules, you are crafting inbound rules so that you can continue restricting what is able to reach in and touch your machine, but there are certainly times when limiting access on the outbound could be helpful.

Let's pretend that I have a special subnet on my network that I do not want any of my Graphic Design colleagues poking around inside. We are going to use a WFAS Outbound Rule inside of a GPO to ensure they can't. The process here will be very similar to that of creating an inbound rule, except that we are going to scope this rule to a specific remote location, and will be using this rule to block traffic rather than allow it. Create the new GPO, edit it, and navigate to Computer Configuration | Policies | Windows Settings | Security Settings | Windows Firewall with Advanced Security | Windows Firewall with Advanced Security | Outbound Rules.

Right-click to create a New Rule... and we are once again going to choose Custom for our Rule Type. On the Protocol and Ports screen, leave the default setting for Any defined in the Protocol type drop-down list. We are choosing Any here because we are going to block all traffic that is destined to this special subnet.

Next up is the Scope tab, and this is where we are going to divert from how we created the inbound rule earlier. We do not want to block access to everything in the network, only traffic destined for our special subnet. That subnet is 172.16.100.0/24. On the Scope tab, manipulate the Which remote IP addresses does this rule apply to? section of the screen so that our subnet is defined inside that field. You do this by using the Add... button and typing in the subnet address:

On the Action screen, make sure to select Block the connection. Walk through the remaining steps for configuring the rest of the firewall rule however you see fit. Once this WFAS rule is in place and applied to the machines via Group Policy, those computers will no longer be able to contact any of the IP addresses within that subnet.

As I mentioned, you could certainly block this access at a different level as well. Perhaps on the servers that live within the 172.16.100.0/24 subnet, create inbound rules that block people from coming in. Or perhaps you even have a physical firewall that sits in between the clients and this special subnet, and you could limit access that way. The purpose of this exercise was to get you thinking about utilizing outbound block rules in ways that you may not have in the past.

As a real-world example, over the last few months I have had three separate occasions where I was working on a server with multiple NICs, and I needed to block just one of those NICs from being able to contact the domain. The primary "internal" NIC of that server needed access to everything inside the LAN, but the second NIC needed to be secluded away from the domain. To do this, I had to block access from that NIC to all of the Domain Controller servers in the environment. We ended up using an outbound deny rule inside WFAS on the server, modifying the Scope tab so that the local address the rule applied to was only the IP address listed on that special NIC, and the remote IP addresses listed for the rule were a listing of all Domain Controllers in the environment. By using WFAS in a perhaps unorthodox way, we were able to accomplish our goals without having to involve the network team or make any router/physical networking equipment changes.
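Both rules described above (the GPO-delivered block of the 172.16.100.0/24 subnet, and the multi-NIC server rule scoped by local address) can be built with the NetSecurity PowerShell cmdlets instead of clicking through the WFAS editor. This is an added example, not code from the book; the GPO name, domain name, NIC address and Domain Controller addresses are constructed placeholders.

```powershell
# Added example (not from the book): the same outbound block rules built with the
# NetSecurity module. Assumed values: the "domain\GPO name" store, the isolated
# NIC's IP and the Domain Controller list are all constructed placeholders.

# --- Case 1: block all outbound traffic to the special subnet, written into a GPO ---
$gpoStore = 'contoso.local\Block Special Subnet'   # assumption: existing GPO, "domain\name"
$session  = Open-NetGPO -PolicyStore $gpoStore     # cache the GPO locally so edits batch

New-NetFirewallRule -GPOSession $session `
    -DisplayName   'Block outbound to 172.16.100.0/24' `
    -Direction     Outbound `
    -Action        Block `
    -Protocol      Any `                           # all traffic to the subnet, as in the text
    -RemoteAddress 172.16.100.0/24 `
    -Profile       Any `
    -Enabled       True

Save-NetGPO -GPOSession $session                   # commit the cached rule back to the GPO

# Confirm the Scope (remote address filter) landed on the GPO rule
Get-NetFirewallRule -PolicyStore $gpoStore -DisplayName 'Block outbound to 172.16.100.0/24' |
    Get-NetFirewallAddressFilter |
    Select-Object LocalAddress, RemoteAddress

# --- Case 2: multi-NIC server: deny only the secondary NIC from reaching the DCs ---
# Written to the server's own persistent store, as the chapter's example was.
$secondNicIp       = '10.20.30.40'                 # constructed: IP bound to the isolated NIC
$domainControllers = @('10.0.0.10', '10.0.0.11')   # constructed placeholder DC addresses

New-NetFirewallRule -PolicyStore PersistentStore `
    -DisplayName   'Deny secondary NIC to Domain Controllers' `
    -Direction     Outbound `
    -Action        Block `
    -Protocol      Any `
    -LocalAddress  $secondNicIp `                  # Scope: local address = only that NIC
    -RemoteAddress $domainControllers `            # Scope: remote addresses = every DC
    -Profile       Any

# Verify that the rule is scoped exactly as intended before trusting it
Get-NetFirewallRule -DisplayName 'Deny secondary NIC to Domain Controllers' |
    Get-NetFirewallAddressFilter |
    Select-Object LocalAddress, RemoteAddress
```

Because the primary NIC's address is not in the local-address scope, the server keeps full domain access on that interface; only packets sourced from the secondary NIC toward the listed DCs are dropped.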
