
Category Windows Firewall clarification #29

Closed
FLeven opened this issue Jan 29, 2023 · 8 comments

FLeven commented Jan 29, 2023

Why are the settings in the registry path:
HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

also checked? For a compliance check, SOFTWARE\Policies\Microsoft\WindowsFirewall should be enough?

@0x6d69636b (Member)

I noticed during testing that the values are sometimes different, so I am doing a double check. This may happen if the settings were changed via GUI before group policies were applied. Depending on whether local settings are taken over/merged, this could have an influence. I have not yet tested how it is under Windows 11. Better safe than sorry ;-)
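One way to run the double check described in this comment, comparing the group-policy values with the locally stored profile values for each firewall profile, as an added PowerShell example that is not HardeningKitty's own code. The value names checked and the DomainProfile/StandardProfile/PublicProfile key names under the local path are assumptions about the registry layout and may need adjusting.

```powershell
# Added example (not HardeningKitty code): report where the locally stored
# firewall profile settings differ from the settings delivered by group policy.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$LocalRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

# Policy key name -> local key name (assumed: the private profile is stored
# as "StandardProfile" under the local path).
$ProfileMap = [ordered]@{
    DomainProfile  = 'DomainProfile'
    PrivateProfile = 'StandardProfile'
    PublicProfile  = 'PublicProfile'
}
# Value names assumed to exist under both paths.
$ValueNames = 'EnableFirewall', 'DefaultInboundAction',
              'DefaultOutboundAction', 'DisableNotifications'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is missing (e.g. no GPO applied).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Compare-FirewallProfileSettings {
    foreach ($PolicyKey in $ProfileMap.Keys) {
        $LocalKey = $ProfileMap[$PolicyKey]
        foreach ($Name in $ValueNames) {
            $Policy = Get-RegValue -Path "$PolicyRoot\$PolicyKey" -Name $Name
            $Local  = Get-RegValue -Path "$LocalRoot\$LocalKey"   -Name $Name
            $Status = if ($null -eq $Policy)   { 'NoPolicy' }     # GPO does not set it
                      elseif ($null -eq $Local) { 'PolicyOnly' }   # nothing stored locally
                      elseif ($Policy -eq $Local) { 'Match' }
                      else { 'Mismatch' }                          # local value differs
            [pscustomobject]@{
                Profile = $PolicyKey; Setting = $Name
                Policy  = $Policy;    Local   = $Local; Status = $Status
            }
        }
    }
}

# Show every setting; filter on Status -eq 'Mismatch' to list only discrepancies.
Compare-FirewallProfileSettings | Format-Table -AutoSize
```

Run from an elevated PowerShell session, since the local FirewallPolicy key is not readable by every user.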

@0x6d69636b 0x6d69636b self-assigned this Jan 29, 2023

FLeven commented Jan 29, 2023

OK, but we are not able to see if we are 100% compliant anymore, which is not a good thing. Maybe create a test list for yourself; the lists should never include anything other than the original baselines we are testing against.


0x6d69636b commented Jan 30, 2023

Okay, I hear you. But that would not only affect the Windows Firewall config but also ASR (Registry and MPPreference Check) and Services (for CIS benchmarks), is this an issue as well?

I have added the checks to detect a potential discrepancy, which in my eyes offers added value to a "simple" compliance check.

For which use cases exactly do you use HardeningKitty and how did you come across the issue?


FLeven commented Jan 31, 2023

HardeningKitty is my replacement for the .... MS Policy Analyzer. I deploy all the important Microsoft product baselines to my domains and check with HardeningKitty if they stay in their original state.

Then I decide if I will implement more strict policies, like BSI, CIS, DoD etc.

Extra checks are a good idea, but I would prefer them to be separated from the official ones. As this tool is for compliance/security checks, the confusion about what is in each of the lists/checks should be kept to a minimum. If the description reads "ms win11 22h1 machine", it should contain only the corresponding policy settings of version 22H1 from the MS download.
I also believe there are more people that need a replacement for the Policy Analyzer, because it might be deprecated already and has problems on non-US-language OS. I also mentioned HardeningKitty on the Policy Analyzer forum.

Next would be to do some lists for any custom policies that have to be implemented and maybe add Citrix:
https://www.citrix.com/about/legal/security-compliance/common-criteria.html


FLeven commented Jan 31, 2023

All other settings are fine, besides the one I reported in other issues. Firewall has 12 items notset/conflicting.

@0x6d69636b (Member)

Don't worry, I haven't forgotten about the issue. I have a lot to do at the moment and would like to test the firewall history properly (do local settings have an effect, or does the GPO always take effect). I will be back.


FLeven commented Feb 8, 2023

No hurry. I disable local FW rules entirely, then you can only set FW rules by GPs. This way, I am 100% sure my settings always win and not even local admins can add rules or overwrite anything.

@0x6d69636b (Member)

I removed the local Windows Firewall settings from the Microsoft Security Baseline lists in the development repo, and it will be updated here in the next update.

@FLeven FLeven closed this as completed Feb 20, 2023