
Windows Firewall hardening check with the external template files #85

ediulia opened this issue Nov 18, 2021 · 4 comments

Comments

@ediulia
Contributor

ediulia commented Nov 18, 2021

User Story

Some customers, because of the large number of Vault Firewall rules, are managing the Vault firewall rules outside DBParm.ini.
Each edit, addition, or removal of a Non-Standard Firewall rule requires a Vault restart.
Setting complicated Firewall rules in DBParm.ini can cause a Vault startup failure due to human syntax errors in the parameter configuration.

The solution is to maintain the Vault Windows Firewall externally and to disable the Vault warning:
"ITATS319W Firewall contains external rules"

The CyberArk Vault Hardening check has to support the scenario where there are no Firewall rules configured in DBParm.ini,
and be able to validate the Vault Windows Firewall configuration against the Firewall template file provided as an input parameter to the main.ps1 script.

Test Scenarios

IF (-ExternalFWConfigurationTemplatePath)

    Get all Windows Firewall rules list
    FOREACH (WindowsFWRule in Windows Firewall rules list)
        IF (ExternalFWConfigurationTemplate -notcontains WindowsFWRule)
            ADD warning to the warning list

    READ ExternalFWConfigurationTemplate
    FOREACH (WindowsFirewallTemplateRule in ExternalFWConfigurationTemplate)
        IF (Windows Firewall rules list -notcontains WindowsFirewallTemplateRule)
            ADD warning to the warning list

ELSE

    Compare the Windows Firewall configuration with the DBParm.ini (existing solution)

Implementation

Notes

Implementation Tasks

The following issues have been created to implement this user story:

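The two-way check sketched in the Test Scenarios above, written out as an added PowerShell example (this is not code from the CyberArk hardening tool or from the issue author). It assumes the template is a CSV whose columns are DisplayName, Direction, Action, Protocol, LocalPort and RemoteAddress, with ';' separating multi-valued cells; the path, column names and the sample rows are illustrative assumptions. A rule only matches when the name and the filter fields agree, so a template rule that exists on the host with a widened RemoteAddress is reported as modified rather than silently accepted.

```powershell
# Added example (not CyberArk code): audit the live Windows Firewall rule set against an
# external CSV template in both directions, as in the issue's Test Scenarios.
# Assumptions: template path, CSV column names and the ';' list separator are illustrative.
[CmdletBinding()]
param(
    [string]$ExternalFWConfigurationTemplatePath = 'C:\Hardening\VaultFirewallTemplate.csv'
)

# Constructed sample template (illustrative values), used when the file does not exist
$SampleTemplate = @'
DisplayName,Direction,Action,Protocol,LocalPort,RemoteAddress
Vault - PrivateArk clients,Inbound,Allow,TCP,1858,10.0.0.0/24
Vault - RDP from jump host,Inbound,Allow,TCP,3389,10.0.1.5
'@

function Get-TemplateRules {
    param([string]$Path)
    if (Test-Path -Path $Path) { Import-Csv -Path $Path }
    else { $SampleTemplate | ConvertFrom-Csv }
}

# Canonical key: name AND filter fields, normalised (case, ordering of list values).
# Matching on DisplayName alone would miss a rule whose RemoteAddress was widened later.
function Get-RuleKey {
    param($Rule)
    $fields = foreach ($f in 'DisplayName', 'Direction', 'Action', 'Protocol', 'LocalPort', 'RemoteAddress') {
        $value = [string]$Rule.$f
        (($value -split '[;,]') | ForEach-Object { $_.Trim().ToLowerInvariant() } |
            Where-Object { $_ } | Sort-Object) -join ';'
    }
    return ($fields -join '|')
}

# Flatten live rules into the template's column shape; port and address filters are
# separate objects in the NetSecurity module, so they are joined here.
function Get-LiveRuleRecords {
    foreach ($rule in Get-NetFirewallRule -Enabled True) {
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            DisplayName   = $rule.DisplayName
            Direction     = [string]$rule.Direction
            Action        = [string]$rule.Action
            Protocol      = [string]$port.Protocol
            LocalPort     = (@($port.LocalPort) -join ';')
            RemoteAddress = (@($addr.RemoteAddress) -join ';')
        }
    }
}

function Compare-FirewallWithTemplate {
    param([object[]]$TemplateRules, [object[]]$LiveRules)
    $warnings = New-Object System.Collections.Generic.List[string]
    $templateKeys = @{}
    foreach ($t in $TemplateRules) { $templateKeys[(Get-RuleKey $t)] = $t }
    $liveKeys = @{}
    foreach ($l in $LiveRules) { $liveKeys[(Get-RuleKey $l)] = $l }

    # Host rule not in template: an external rule the baseline does not know about
    foreach ($k in $liveKeys.Keys) {
        if (-not $templateKeys.ContainsKey($k)) {
            $warnings.Add("Windows Firewall rule not in template: '$($liveKeys[$k].DisplayName)'")
        }
    }
    # Template rule not on host, or present with different filter values
    foreach ($k in $templateKeys.Keys) {
        if (-not $liveKeys.ContainsKey($k)) {
            $warnings.Add("Template rule missing or modified on host: '$($templateKeys[$k].DisplayName)'")
        }
    }
    return ,$warnings
}

$template = Get-TemplateRules -Path $ExternalFWConfigurationTemplatePath
$live     = Get-LiveRuleRecords
$result   = Compare-FirewallWithTemplate -TemplateRules $template -LiveRules $live
if ($result.Count -eq 0) { Write-Output 'Windows Firewall matches the external template.' }
else { $result | ForEach-Object { Write-Warning $_ } }
```

Because the comparison is two-way, every enabled built-in Windows rule that the template does not list is reported, which is what the pseudocode asks for; in practice the template should either enumerate the built-in rules that are allowed to stay enabled, or the live set should be scoped (for example with the -Group parameter of Get-NetFirewallRule) to the rules the hardening owns. Note that this only reports; it does not change Vault's own ITATS319W behavior.
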
@AssafMiron
Contributor

Hi @ediulia ,

Just to set the right expectations, this is an external hardening tool and cannot change the Vault behavior,
so the warning "ITATS319W Firewall contains external rules" will still exist.
Regarding the solution, I was thinking of adding a parameter to the Vault hardening XML file that will hold the path of the template file, and completing it within the same FW function check.

Would you be able to share a sample template?
Is this template something that you are using in order to import these settings into the Windows Firewall?

Thanks,
Assaf

@ediulia
Contributor Author

ediulia commented Nov 22, 2021

Hey @AssafMiron.
About the ITATS319W warning: we are aware of the Vault behavior, and this warning can be suppressed by changing the dbparm.ini parameter MonitorFWRulesInterval to -1.
Adding the file template parameter to the Vault hardening XML would be great, but will require updating the hardening tool.
Right now we are checking which template option would be best for Firewall management. I will keep you posted once we have it.
For now, the firewall is hardened by a different script and not by the CyberArk hardening utility.

Thanks
Edi

@AssafMiron
Contributor

Thanks @ediulia
Again, just to set expectations, I am talking only about changing this tool (for checking and reporting) and not changing any CyberArk hardening tools.
So I think we can assume that your firewall rules would be applied using an external script and not using any CyberArk hardening tool.
You might want to use the New-NetFirewallRule command:
https://docs.microsoft.com/en-us/powershell/module/netsecurity/new-netfirewallrule?view=windowsserver2019-ps

Then the input object might even be a CSV file with the relevant parameters

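An added PowerShell example of the approach suggested in the comment above: applying a CSV template with New-NetFirewallRule (this is not code from the project or from either participant). It assumes the CSV columns DisplayName, Direction, Action, Protocol, LocalPort, RemoteAddress and Profile, with ';' separating multi-valued cells, and a rule group name of its own choosing; all of these are illustrative. The script is idempotent: a rule that already exists under the same DisplayName is updated with Set-NetFirewallRule rather than duplicated, and it honours -WhatIf so the change set can be reviewed first.

```powershell
# Added example (not CyberArk code): apply a CSV firewall template with the NetSecurity
# cmdlets, updating existing rules instead of creating duplicates.
# Assumptions: column names, the ';' separator and the group name are illustrative choices.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$TemplatePath = 'C:\Hardening\VaultFirewallTemplate.csv',
    [string]$Group = 'Vault Hardening (external template)'
)

# Constructed sample template (illustrative values), used when the file does not exist.
# The ICMP row leaves LocalPort empty because ports do not apply to that protocol.
$SampleTemplate = @'
DisplayName,Direction,Action,Protocol,LocalPort,RemoteAddress,Profile
Vault - PrivateArk clients,Inbound,Allow,TCP,1858,10.0.0.0/24;10.0.2.0/24,Domain;Private
Vault - RDP from jump host,Inbound,Allow,TCP,3389,10.0.1.5,Any
Vault - Block ICMPv4 echo,Inbound,Block,ICMPv4,,Any,Any
'@

function Get-TemplateRules {
    param([string]$Path)
    if (Test-Path -Path $Path) { Import-Csv -Path $Path }
    else { $SampleTemplate | ConvertFrom-Csv }
}

# Translate one CSV row into a parameter set that can be splatted onto New-/Set-NetFirewallRule
function ConvertTo-RuleParameters {
    param($Row)
    $p = @{
        Direction     = $Row.Direction
        Action        = $Row.Action
        Protocol      = $Row.Protocol
        RemoteAddress = @($Row.RemoteAddress -split ';' | Where-Object { $_ })
        Profile       = @($Row.Profile -split ';' | Where-Object { $_ })
    }
    # LocalPort is only meaningful for TCP/UDP; skip it when the cell is empty
    if ($Row.LocalPort) { $p.LocalPort = @($Row.LocalPort -split ';' | Where-Object { $_ }) }
    return $p
}

function Set-FirewallFromTemplate {
    [CmdletBinding(SupportsShouldProcess)]
    param([object[]]$Rules, [string]$GroupName)
    foreach ($row in $Rules) {
        $params   = ConvertTo-RuleParameters -Row $row
        $existing = Get-NetFirewallRule -DisplayName $row.DisplayName -ErrorAction SilentlyContinue
        if ($existing) {
            if ($PSCmdlet.ShouldProcess($row.DisplayName, 'Update firewall rule')) {
                Set-NetFirewallRule -DisplayName $row.DisplayName @params
            }
        }
        else {
            if ($PSCmdlet.ShouldProcess($row.DisplayName, 'Create firewall rule')) {
                New-NetFirewallRule -DisplayName $row.DisplayName -Group $GroupName -Enabled True @params | Out-Null
            }
        }
    }
}

$rules = Get-TemplateRules -Path $TemplatePath
Set-FirewallFromTemplate -Rules $rules -GroupName $Group
```

Run it once with -WhatIf to see which rules would be created or updated. Tagging the created rules with -Group gives a later audit a clean way to scope Get-NetFirewallRule to the rules this template owns, rather than comparing against every built-in rule on the host.
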
@ediulia
Contributor Author

ediulia commented Nov 22, 2021

@AssafMiron Yes, CSV is the option. We are also checking the option of working with the Firewall-Manager PS module.

Thanks
Edi
