When an attacker compromises a server, one of the first things they may go after is the host-based firewall. Modifying the firewall can permit them to transfer a rootkit onto the local system, or open a backdoor through which they can maintain long-term access. Both the Linux and the Windows versions of Halo can detect and alert on firewall changes. Detected changes can then be reviewed via the Halo interface. Linux changes are relatively straightforward to read, as they are formatted one change per line. The Windows output is quite verbose and can be more difficult to follow. In this post I’ll cover how to make sense of the output when a change is detected on a Windows system’s firewall.
Quick Review – Detecting Firewall Changes
As the gatekeeper to system access, firewall integrity is a major concern. Far too often we have a “set it and forget it” attitude when it comes to the firewall configuration. If an attacker wishes to further expose a compromised system, the first step is going to be modifying the local firewall rules.
While Halo could simply reapply the firewall rules at regular intervals in a vain attempt to thwart the activity, this would alert the attacker you have implemented additional security measures and still fail to inform you that your system has been compromised. Further, it would make administration more difficult if for some reason you need to make a temporary firewall change outside of the Halo interface.
Windows Firewall Output
Windows can output the firewall rules in two different formats. The first is a binary format which is not human readable, but is useful if you ever need to back up your firewall rules. The second format is readable text similar to the following:

    Rule Name: Netlogon Service (NP-In)
    ----------------------------------------------------------------------
    Enabled: No
    Direction: In
    Profiles: Domain,Private,Public
    Grouping: Netlogon Service
    LocalIP: Any
    RemoteIP: Any
    Protocol: TCP
    LocalPort: 445
    RemotePort: Any
    Edge traversal: No
    Action: Allow

The above output conveys a lot of useful information, but each rule is spread out over multiple lines. Here’s what each of the fields means:
- Rule Name = Description of the rule.
- Enabled = Is the rule currently turned on or off?
- Direction = Does the rule control traffic going into the system, or leaving it?
- Profiles = Under which deployment profiles should this rule be applied?
- Grouping = Group identification based on rule function.
- LocalIP = Local IP address(es) impacted by this rule. Useful when there are multiple interfaces.
- RemoteIP = Remote IP address(es) impacted by this rule.
- Protocol = TCP, UDP, ICMP, etc.
- LocalPort = The local port(s) impacted by this rule (if applicable).
- RemotePort = The remote port(s) located on the defined remote IP address(es) that are impacted by this rule.
- Edge traversal = Apply the rule to tunneled traffic.
- Action = What should be done when this traffic is detected (allow or block).
This verbose output can be problematic when firewall rule changes are detected. Consider the output in Figure 1, which shows Halo reporting a firewall change on a Windows system. Remember that new rules are displayed in green while missing rules are presented in red.
Note that it appears two changes have taken place:
- The outbound TCP/443 rule was changed to be outbound TCP/1234
- The outbound TCP/80 rule was changed to be outbound TCP/443
While this is technically correct, it would be clearer to identify the changes as:
- Outbound TCP/80 rule was deleted
- Outbound TCP/1234 rule was added
Because of the way rules are formatted, the add/delete ends up looking like multiple changes. This means that you need to pay very close attention to the order of changes being presented in the output.
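One way to avoid the misreading described above is to collapse each multi-line rule into a single record and compare whole rules rather than lines. The following is an added example, not Halo's code; the function names are hypothetical, the two snapshots are constructed to mirror the TCP/80 and TCP/1234 change discussed here, and the input is assumed to be text in the rule format shown earlier.

```python
from collections import Counter

def parse_rules(text):
    """Collapse 'Field: value' lines into one tuple of (field, value) pairs per rule."""
    rules, current = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or set(line) == {"-"}:       # blank line or ----- separator
            continue
        key, _, value = line.partition(":")
        key = key.strip()
        if key == "Rule Name" and current:       # next rule begins: flush the previous one
            rules.append(tuple(current))
            current = []
        current.append((key, value.strip()))
    if current:
        rules.append(tuple(current))
    return rules

def one_line(rule):
    """Render a parsed rule on a single line, Linux-style."""
    f = dict(rule)
    keys = ("Direction", "Protocol", "LocalPort", "RemotePort", "Action", "Enabled")
    return " ".join("%s=%s" % (k, f.get(k, "?")) for k in keys) + " [%s]" % f.get("Rule Name", "?")

def diff_rules(before_text, after_text):
    """Return (removed, added) whole rules; Counter keeps duplicate rules distinct."""
    before, after = Counter(parse_rules(before_text)), Counter(parse_rules(after_text))
    removed = sorted(one_line(r) for r in (before - after).elements())
    added = sorted(one_line(r) for r in (after - before).elements())
    return removed, added

# Constructed sample: three rules that differ only in RemotePort.
TEMPLATE = """Rule Name: Allow outbound
----------------------------------------------------------------------
Enabled: Yes
Direction: Out
Profiles: Domain,Private,Public
Grouping:
LocalIP: Any
RemoteIP: Any
Protocol: TCP
LocalPort: Any
RemotePort: {port}
Edge traversal: No
Action: Allow
"""
BEFORE = "\n".join(TEMPLATE.format(port=p) for p in (443, 80))    # baseline
AFTER = "\n".join(TEMPLATE.format(port=p) for p in (1234, 443))   # after the change

if __name__ == "__main__":
    removed, added = diff_rules(BEFORE, AFTER)
    for r in removed: print("DELETED", r)
    for r in added: print("ADDED  ", r)
```

A line-by-line comparison of the same two snapshots shows only two changed RemotePort lines (443 to 1234 and 80 to 443), while the rule-level comparison reports one deleted rule and one added rule.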
Beyond that, the Halo implementation of detecting Windows firewall rule changes is identical to its Linux counterpart. You can define Special Events Policies that detect firewall changes, apply them to your groups of Windows servers and even receive real-time alerts via email.