πΌ Management Samenvatting
Configure Windows Firewall Domain log file path - default: %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log (CIS standard location).
Aanbeveling
IMPLEMENT (standard path)
Risico zonder
Low
Risk Score
2/10
Implementatie
2u (tech: 1u)
Van toepassing op:
β Windows 10
β Windows 11
β Windows 11
Log file path = standard location: Default path: %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log, Benefits: Standard location (consistent across devices), Protected folder (requires admin to modify - tampering prevention), Log rotation: Automatic (when max size reached). Custom path: Sometimes used (dedicated log partition, centralized logging), maar default = sufficient for most organizations. SIEM: Path irrelevant (logs forwarded to Log Analytics via agent - reads from default path).
PowerShell Modules Vereist
Primary API: Microsoft Graph API
Connection:
Required Modules: Microsoft.Graph.DeviceManagement
Connection:
Connect-MgGraphRequired Modules: Microsoft.Graph.DeviceManagement
Implementatie
Configure log path: Policy: Log file path: %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log (default), Effect: Firewall logs written to standard location, Access: Admin rights required (read firewall logs), SIEM: Log Analytics agent monitors path β forwards to cloud.
Vereisten
- Intune subscription
- Windows 10/11
- Firewall logging enabled
Implementatie
Intune Settings Catalog: Windows Firewall β Domain Profile β Log file path: %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log (default - CIS standard).
Compliance
CIS Windows Benchmark L1 (standard path), BIO 12.04.
Monitoring
Gebruik PowerShell-script enable-domain-network-firewall-log-file-path-is-set-to-systemroot-system32-logfiles-firewall-domainfw-log.ps1 (functie Invoke-Monitoring) β Controleren.
Remediatie
Gebruik PowerShell-script enable-domain-network-firewall-log-file-path-is-set-to-systemroot-system32-logfiles-firewall-domainfw-log.ps1 (functie Invoke-Remediation) β Herstellen.
Compliance & Frameworks
- CIS M365: Control Windows - Firewall log path (L1) -
- BIO: 12.04.01 -
Automation
Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).
PowerShell
<#
.SYNOPSIS
Intune Windows Firewall: Domain Log File Path
.DESCRIPTION
CIS - Firewall log file path moet correct geconfigureerd zijn.
.NOTES
Filename: firewall-domain-log-path.ps1|Author: Nederlandse Baseline voor Veilige Cloud|NetSH: Domain Profile LogFile|Expected: %SystemRoot%\System32\LogFiles\Firewall\domainfw.log
#>
#Requires -Version 5.1
#Requires -RunAsAdministrator
[CmdletBinding()]param([switch]$WhatIf, [switch]$Monitoring, [switch]$Remediation, [switch]$Revert)
$ErrorActionPreference = 'Stop'; $Profile = "Domain"; $ExpectedPath = "%SystemRoot%\System32\LogFiles\Firewall\domainfw.log"
function Connect-RequiredServices { $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) }
function Test-Compliance {
$r = [PSCustomObject]@{ScriptName = "firewall-domain-log-path.ps1"; PolicyName = "Firewall Domain Log Path"; IsCompliant = $false; CurrentValue = $null; ExpectedValue = $ExpectedPath; Details = @() }; function Invoke-Revert { Set-NetFirewallProfile -Name $Profile -LogFileName "%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log" }
try { $fw = Get-NetFirewallProfile -Name $Profile -ErrorAction SilentlyContinue; if ($fw) { $r.CurrentValue = $fw.LogFileName; if ($fw.LogFileName -match 'domainfw\.log') { $r.IsCompliant = $true; $r.Details += "Log path configured" }else { $r.Details += "Log path: $($fw.LogFileName)" } }else { $r.Details += "Profile niet gevonden" } }catch { $r.Details += "Error: $($_.Exception.Message)" }; return $r
}
function Invoke-Remediation { $path = "$env:SystemRoot\System32\LogFiles\Firewall\domainfw.log"; if (-not(Test-Path (Split-Path $path))) { New-Item -Path (Split-Path $path) -ItemType Directory -Force | Out-Null }; Set-NetFirewallProfile -Name $Profile -LogFileName $path; Write-Host "Domain log path configured" -ForegroundColor Green }
function Invoke-Monitoring { $r = Test-Compliance; Write-Host "`n$($r.PolicyName): $(if($r.IsCompliant){'COMPLIANT'}else{'NON-COMPLIANT'})" -ForegroundColor $(if ($r.IsCompliant) { 'Green' }else { 'Red' }); return $r }
function Invoke-Revert { Set-NetFirewallProfile -Name $Profile -LogFileName "%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log" }
try { if (-not(Connect-RequiredServices)) { exit 1 }; if ($Monitoring) { $r = Invoke-Monitoring; exit $(if ($r.IsCompliant) { 0 }else { 1 }) }elseif ($Remediation) { if (-not $WhatIf) { Invoke-Remediation } }elseif ($Revert) { Invoke-Revert }else { $r = Test-Compliance; exit $(if ($r.IsCompliant) { 0 }else { 1 }) } }catch { Write-Error $_; exit 1 }
Risico zonder implementatie
Risico zonder implementatie
Low: Low: Non-standard path = log collection issues.
Management Samenvatting
Firewall log path: Default (%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log). CIS standard. Implementatie: 1-2 uur.
- Implementatietijd: 2 uur
- FTE required: 0.01 FTE