L1 BIO 13.01.01 ISO A.13.1.1 CIS Windows - Firewall Domain

Intune: Windows Firewall Domain Profile Enabled

πŸ“… 2025-10-30
β€’
⏱️ 3 minuten lezen
β€’
πŸ”΄ Must-Have

πŸ’Ό Management Samenvatting

Enable Windows Firewall Domain Profile - CRITICAL lateral movement defense (Zero Trust: don't trust corporate network).

Aanbeveling
IMPLEMENT IMMEDIATELY
Risico zonder
Critical
Risk Score
10/10
Implementatie
4u (tech: 2u)
Van toepassing op:
βœ“ Windows 10
βœ“ Windows 11

Domain profile firewall = corporate network protection: Myth: 'Corporate network is trusted' β†’ NO firewall needed, Reality: Compromised workstation ON corporate network β†’ lateral movement (scan 445/SMB, 3389/RDP) β†’ compromise more systems. Zero Trust: Trust NOTHING (not even corporate network), Firewall blocks: Unsolicited inbound connections (port scans, exploit attempts), Lateral movement (attacker cannot reach other workstations). Attack: Workstation A compromised β†’ scan internal network β†’ firewall blocks scans β†’ lateral movement fails.

PowerShell Modules Vereist
Primary API: Microsoft Graph API
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.DeviceManagement

Implementatie

Domain profile: Triggered when: Domain controller detected (corporate LAN, VPN), Settings: Firewall state: ON (enabled), Default inbound: Block (explicit allow rules only), Default outbound: Allow (restrict if high-security), Exceptions: Via firewall rules (controlled - RDP from jump server, SMB from file server).

Vereisten

  1. Intune subscription
  2. Windows 10/11
  3. Domain-joined devices
  4. Firewall rules configured (allow legitimate traffic)

Implementatie

Intune Settings Catalog: Windows Firewall β†’ Domain Profile β†’ Enable Firewall: ON (True). Default inbound: Block. Configure allow rules: RDP from PAW/jump servers, SMB from file servers, etc.

Compliance

CIS Windows Benchmark L1, Microsoft Security Baseline, BIO 13.01, ISO 27001 A.13.1.1, Zero Trust.

Monitoring

Gebruik PowerShell-script enable-domain-network-firewall-is-set-to-true.ps1 (functie Invoke-Monitoring) – Controleren.

Remediatie

Gebruik PowerShell-script enable-domain-network-firewall-is-set-to-true.ps1 (functie Invoke-Remediation) – Herstellen.

Compliance & Frameworks

Automation

Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).

PowerShell
<# .SYNOPSIS Intune Windows Firewall: Domain Profile Enabled .DESCRIPTION CIS - Windows Firewall Domain profile moet enabled zijn. .NOTES Filename: firewall-domain-enabled.ps1|Author: Nederlandse Baseline voor Veilige Cloud|NetSH: Domain Profile Enabled|Expected: True #> #Requires -Version 5.1 #Requires -RunAsAdministrator [CmdletBinding()]param([switch]$WhatIf, [switch]$Monitoring, [switch]$Remediation, [switch]$Revert) $ErrorActionPreference = 'Stop'; $Profile = "Domain"; $ExpectedValue = $true function Connect-RequiredServices { $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) } function Test-Compliance { $r = [PSCustomObject]@{ScriptName = "firewall-domain-enabled.ps1"; PolicyName = "Firewall Domain Enabled"; IsCompliant = $false; CurrentValue = $null; ExpectedValue = "Enabled"; Details = @() }; function Invoke-Revert { Write-Host "WARNING: Not disabling firewall (security risk)" } try { $fw = Get-NetFirewallProfile -Name $Profile -ErrorAction SilentlyContinue; if ($fw) { $r.CurrentValue = $fw.Enabled; if ($fw.Enabled -eq $ExpectedValue) { $r.IsCompliant = $true; $r.Details += "Domain firewall enabled" }else { $r.Details += "Domain firewall disabled - CRITICAL RISK" } }else { $r.Details += "Profile niet gevonden" } }catch { $r.Details += "Error: $($_.Exception.Message)" }; return $r } function Invoke-Remediation { Set-NetFirewallProfile -Name $Profile -Enabled True; Write-Host "Domain firewall enabled" -ForegroundColor Green } function Invoke-Monitoring { $r = Test-Compliance; Write-Host "`n$($r.PolicyName): $(if($r.IsCompliant){'COMPLIANT'}else{'NON-COMPLIANT'})" -ForegroundColor $(if ($r.IsCompliant) { 'Green' }else { 'Red' }); return $r } function Invoke-Revert { Write-Host "WARNING: Not disabling firewall (security risk)" } try { if (-not(Connect-RequiredServices)) { exit 1 }; if ($Monitoring) { $r = Invoke-Monitoring; exit $(if ($r.IsCompliant) { 0 }else { 1 }) }elseif ($Remediation) { if (-not $WhatIf) { Invoke-Remediation } }elseif ($Revert) { Invoke-Revert }else { $r = Test-Compliance; exit $(if ($r.IsCompliant) { 0 }else { 1 }) } }catch { Write-Error $_; exit 1 }

Risico zonder implementatie

Risico zonder implementatie
Critical: KRITIEK: No firewall on corporate network = lateral movement (compromise 1 β†’ compromise ALL).

Management Samenvatting

Enable Windows Firewall Domain Profile. Lateral movement defense. Zero Trust (don't trust internal network). Implementatie: 2-4 uur.