The Windows Firewall, or Windows Defender Firewall, is a host firewall that ships with all modern versions of the Windows operating system and is used to protect the system from unsolicited traffic. You may not be aware of how many firewall rules are enabled by default, why they are there, and what their implications might be.
● Do you know what Firewall ports are open by default on a Windows Server System?
● Do you know what services use these rules and why?
● Do you know what services can be disabled and how?
● What is lateral movement and what are the risks?
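To answer the first two questions concretely, the following PowerShell script is an added example (it is not part of the original post). It lists every enabled inbound allow rule, grouped by the firewall group it belongs to, together with its protocol, local ports and remote-address scope, and saves a CSV baseline so the result can be compared after hardening. It assumes the built-in NetSecurity module (Windows 8 / Windows Server 2012 and later) and an elevated prompt; the baseline path is an assumption.

```powershell
# Added example, not from the original post: audit enabled inbound allow rules
# per firewall group. Requires the NetSecurity module and an elevated prompt.

$rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow

$report = foreach ($rule in $rules) {
    # Each rule carries one port filter (protocol / local port)
    # and one address filter (remote scope, e.g. Any or LocalSubnet)
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Group      = $rule.DisplayGroup
        Rule       = $rule.DisplayName
        Profile    = $rule.Profile
        Protocol   = $port.Protocol
        LocalPort  = ($port.LocalPort -join ',')
        RemoteAddr = ($addr.RemoteAddress -join ',')
    }
}

# Full listing, sorted by group so the default groups discussed below stand out
$report | Sort-Object Group, Rule | Format-Table -AutoSize

# Summary: how many enabled inbound allow rules each group contributes
$report | Group-Object Group | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Keep a baseline (path is an assumption) to diff against after changes
$report | Export-Csv -Path "$env:TEMP\inbound-rules-baseline.csv" -NoTypeInformation
```

Rules whose remote address is "Any" and whose profile includes "Public" are the ones to look at first; rules scoped to "LocalSubnet" still matter on a flat office or hotel network.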
Default Firewall Groups with inbound rules
The AllJoyn framework is managed by the AllSeen Alliance and was designed to prevent IoT security issues and enable interoperability of Internet of Things devices, regardless of operating system, manufacturer or type of device. It is considered the largest open source project aimed expressly at IoT, with over 200 manufacturers signed up, such as Samsung, Cisco and Panasonic. Microsoft has made it a core component of the Windows operating system.
The AllJoyn Router Service is used to route AllJoyn messages for AllJoyn clients.
There are case studies and reports that have raised security concerns with the AllJoyn framework regarding system takeovers, complexity and responsibilities, limitations and privacy concerns. Most users and servers do not have a specific need for this service, so it should be disabled and blocked.
Cast to Device functionality
Cast to Device is a Windows feature that allows streaming of videos, picture and other media from your PC to a TV or other DLNA supported device. It is an improved version of Play to Device from previous Windows versions.
Many Chromecast streaming devices have historically been exposed with security flaws and if not specifically needed it should be disabled and blocked.
The Core Networking group mainly concerns protocols that allow IPv6 to function. It also contains rules for, for example, DHCP, ICMP and IGMP.
Typically speaking, these rules should not be disabled. Some of them are necessary for your network configuration to work properly: if you disable DHCP, you may not get an IP address from the DHCP server (depending on your configuration), and if you disable ICMP, network performance may be degraded, and so on.
Cortana is a virtual assistant from Microsoft that can be used on, for example, Windows 10, the Invoke smart speaker, Microsoft Band, Surface Headphones, Xbox One, iOS, Android, Windows Mixed Reality, and Amazon Alexa.
Cortana can set reminders, recognize voices without the requirement for keyboard input, and answer questions using information and web results from the Bing search engine.
Vulnerabilities have been found in Cortana that could allow an attacker to break into a Windows computer using Cortana and voice commands, even when it's locked. The problem is that Cortana is always listening.
Cortana can circumvent the usual safeguards, allowing attackers to execute commands and, for example, install malware.
If it's not specifically needed, it should be disabled and blocked.
Delivery Optimization is used to reduce bandwidth by sharing download data between multiple devices on your network for Windows Updates, upgrades and applications.
This feature can consume a significant amount of bandwidth and CPU. Given the concerns about how cybercriminals traditionally use exploits to distribute malware, it may be good practice to disable and block this feature.
Desktop App Web Viewer
The Desktop App Web Viewer feature is used by the Win32WebViewHost as the web view host for Win32 applications.
DIAL protocol server
Discovery and Launch is a protocol co-developed by Netflix and YouTube with help from Sony and Samsung. It is used to discover and launch applications on a single subnet, typically a home network. It relies on Universal Plug and Play (UPnP), Simple Service Discovery Protocol (SSDP), and HTTP protocols.
This feature can most likely be disabled and blocked in the firewall settings.
Multicast DNS (mDNS) is a way of using the DNS programming interfaces, packet formats and operating semantics, typically in a small network where no DNS server has been installed.
If your mDNS service is exposed to an unsecured network, querying the service would allow attackers to collect information about your machine (such as the device's MAC address or the services running) that could be used to prepare, for example, denial-of-service (DDoS) attacks.
Because mDNS is based on UDP, mDNS queries can be exploited to perform amplification attacks (the attacker spoofs the target's IP address as the source to saturate it with mDNS replies from your server).
If you are located on a network with a working DNS infrastructure, you should disable and block the multicast DNS features.
Remote Desktop is used to connect to and control a PC from a remote device. It also allows you to share applications, files and network resources remotely.
Remote Desktop on Windows computers should never be exposed to the internet. The Remote Desktop feature is vulnerable to lateral movement techniques, but also to man-in-the-middle and encryption attacks.
Windows Remote Management
Windows Remote Management, or WinRM, is a Windows-native built-in remote management protocol that uses the Simple Object Access Protocol (SOAP) to interface with remote computers and servers, as well as operating systems and applications.
WinRM is a command-line tool that is used for the following tasks:
● Remotely communicate and interface with hosts through readily available channels/ports within your network, including workstations, servers and any operating system that supports it.
● Execute commands remotely on systems that are not local to you but are network accessible.
● Monitor, manage and configure servers, operating systems and client machines from a remote location.
WinRM is a key attack surface on Windows machines through PowerShell Remoting and lateral movement. Access to this service should be restricted to very specific IP addresses only, or ideally to privileged access workstations (PAW).
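The following PowerShell script is an added example (not part of the original post) that applies the restriction recommended for both Remote Desktop and WinRM above: it scopes every inbound rule in the built-in "Remote Desktop" and "Windows Remote Management" groups so that only the listed PAW addresses are accepted, then prints the resulting scope for verification. The PAW addresses are placeholders; the group names are the English display names of the built-in rule groups, and an elevated prompt is assumed.

```powershell
# Added example, not from the original post: restrict RDP and WinRM inbound rules
# to Privileged Access Workstations only. Run from an elevated prompt.

# Placeholder PAW addresses (assumption): replace with your own hosts or subnets
$pawAddresses = @('10.10.50.10', '10.10.50.11')

# Built-in inbound rule groups as shown in the Windows Firewall console
$criticalGroups = @('Remote Desktop', 'Windows Remote Management')

foreach ($group in $criticalGroups) {
    $rules = Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction SilentlyContinue
    if (-not $rules) {
        Write-Warning "No inbound rules found for group '$group'"
        continue
    }
    # Replace the rule's remote-address scope (typically 'Any') with the PAW list.
    # The rule stays enabled, so the service keeps working from the PAWs.
    $rules | Set-NetFirewallRule -RemoteAddress $pawAddresses
    foreach ($rule in $rules) {
        "{0,-45} scoped to {1}" -f $rule.DisplayName, ($pawAddresses -join ', ')
    }
}

# Verify: the address filter of each rule should now list only the PAW addresses
foreach ($group in $criticalGroups) {
    foreach ($rule in Get-NetFirewallRule -DisplayGroup $group -Direction Inbound) {
        $addr = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Group         = $group
            Rule          = $rule.DisplayName
            Enabled       = $rule.Enabled
            RemoteAddress = ($addr.RemoteAddress -join ', ')
        }
    }
}
```

Apply this through Group Policy rather than per machine where you can, so the scope cannot silently drift back to "Any" when a rule is recreated.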
Work or school account
A Work or School account is an account created by an organization’s administrator to enable a member of the organization to access Microsoft cloud services such as Microsoft Azure, Windows Intune, and Office 365.
With a Microsoft account on Windows, an attacker who knows your password could get access to all your apps and services. If, for example, you leave your computer logged in and haven't correctly set up the timeout settings, someone could use your machine to gain access to all your accounts.
Microsoft has tried to work around this by allowing users to set up a PIN code to log on to computers, rather than having to use their Microsoft-wide password, but there are still inherent dangers to be aware of when using Microsoft accounts on Windows.
The rule is used for communications with the Microsoft Windows cloud account logon.
Default Firewall Groups with outbound rules only
Captive Portal Flow
A captive portal is a Web page that the user of a public-access network is obliged to view and interact with before access is granted. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hot spots for Internet users.
The Windows Compatibility Telemetry is a service in Windows 10 which contains technical data on how the device and its related software are working. It periodically sends the data to Microsoft for future improvement of the system and to enhance the user experience.
Computer users on various online forums (including Reddit) complain about CompatTelRunner.exe high disk usage on Windows 10 and state that Microsoft Compatibility Telemetry Runner causes performance issues, such as slowdowns and program crashes.
Email and accounts
This is the Windows e-mail account login feature.
Narrator lets you use your PC without a display or mouse to complete common tasks if you’re blind or have low vision. It reads and interacts with things on the screen, like text and buttons. Use Narrator to read and write email, browse the Internet, and work with documents.
Shell Input Application
Microsoft Text Input Application is for the software keyboard (aka: touch keyboard).
Windows Default Lock Screen
Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen.
Windows Defender SmartScreen
Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.
Windows Device Management
Microsoft Network Device Enrollment Service provides and manages certificates used to authenticate traffic and implement secure network communication with devices that might not otherwise possess valid domain credentials.
Windows includes Windows Security, which provides the latest antivirus protection. Your device will be actively protected from the moment you start Windows. Windows Security continually scans for malware (malicious software), viruses, and security threats. In addition to this real-time protection, updates are downloaded automatically to help keep your device safe and protect it from threats.
Windows Shell Experience
Windows Shell Experience Host serves as a kind of visual manager. It provides a windowed interface for universal apps on your computer. It is responsible for such graphical components as your start menu and taskbar transparency, background slideshow, calendar, clock, visuals, and other things.
For security and optimization reasons, you should consider disabling services and blocking Windows Firewall rules that are not needed in your organization. We recommend starting by disabling Windows Firewall inbound rules to help protect your systems from incoming attacks. Disabling outbound rules may require additional reconfiguration of the system for the machine to work properly.
The rules described in this blog apply to Windows 10 clients as well as Windows Server 2016 and later.
Disable and block unnecessary rules and services
You should disable and block the following services, together with their related firewall rules, if they are not needed in your organization.
● AllJoyn Router (IoT communications)
● Cast to Device functionality (streaming, Chromecast etc.)
● Cortana (Voice-activated Personal Assistant)
● Delivery Optimization (Peer-to-peer Client Update Service for Windows Updates)
● DIAL protocol server (launch media apps from a device on a remote device)
● mDNS (Multicast DNS)
Restrict access for critical or vulnerable services
You should restrict access to critical services with related firewall rules to allow only Privileged Access Workstations or similar.
● Remote Desktop
● Windows Remote Management (WinRM)
Optimize and control your machines
You may also consider disabling unnecessary outbound traffic that can consume computer resources and potentially share sensitive data outside your organization.
● DiagTrack (User Experiences and Telemetry)
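As an added example (not part of the original post), the PowerShell script below carries out the "disable and block" and "optimize" recommendations above in one pass: it disables every rule in the six firewall groups listed as unnecessary, stops and disables the services behind them that run as Windows services (AllJoyn Router, Delivery Optimization) together with DiagTrack, and finally checks that the default inbound action of each profile is still Block, which is what makes disabling an allow rule sufficient. The group names are the built-in English display names and the service names are the standard short names; an elevated prompt is assumed.

```powershell
# Added example, not from the original post: disable the unnecessary rule groups
# and services recommended above. Run from an elevated prompt.

# Built-in firewall groups the post lists as unnecessary (English display names)
$unneededGroups = @(
    'AllJoyn Router',
    'Cast to Device functionality',
    'Cortana',
    'Delivery Optimization',
    'DIAL protocol server',
    'mDNS'
)

foreach ($group in $unneededGroups) {
    $rules = Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue
    if ($rules) {
        # Disables inbound and outbound rules of the group; the rules remain
        # in place (disabled) so the change is easy to audit and revert
        $rules | Disable-NetFirewallRule
        "{0,-30} {1} rule(s) disabled" -f $group, @($rules).Count
    } else {
        "{0,-30} no rules present on this system" -f $group
    }
}

# Short service names (not display names) for the features behind those rules:
#   AJRouter  = AllJoyn Router Service
#   DoSvc     = Delivery Optimization
#   DiagTrack = Connected User Experiences and Telemetry
$unneededServices = @('AJRouter', 'DoSvc', 'DiagTrack')

foreach ($svc in $unneededServices) {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service -Name $svc -StartupType Disabled
        "{0,-10} stopped and set to Disabled" -f $svc
    } else {
        "{0,-10} not installed" -f $svc
    }
}

# Check: disabling an allow rule only helps if unsolicited inbound traffic is
# blocked by default. All three profiles should report Block here.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize
```

Rules that belong to Store apps (Cortana, Cast to Device) can be recreated when the app updates, so repeat the audit after feature updates and prefer enforcing the settings through Group Policy.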
It is worth mentioning that the concerns described in this blog do not cover all security considerations for a Windows system regarding vulnerabilities and exploits. The intention of this blog is to provide an overview of the default listening ports on a Windows platform to help you identify your needs and minimize exposure.
For further, more in-depth information regarding lateral movement, I strongly suggest that you read the following article from Jonas Lagerström: