πΌ Management Samenvatting
Configure Public firewall log path - standard: %SystemRoot%\System32\LogFiles\Firewall\publicfw.log (separate from Domain log).
Aanbeveling
IMPLEMENT
Risico zonder
Low
Risk Score
2/10
Implementatie
2u (tech: 1u)
Van toepassing op:
β Windows 10
β Windows 11
β Windows 11
Separate log files per profile: Domain profile: pfirewall.log (corporate network traffic), Public profile: publicfw.log (public WiFi traffic - SEPARATE), Private profile: privatefw.log. Benefits: Separate analysis (public WiFi attacks vs corporate network), SIEM: Different retention/alerting per profile (public = higher priority alerts), Forensics: 'Show me public WiFi attacks' β publicfw.log.
PowerShell Modules Vereist
Primary API: Microsoft Graph API
Connection:
Required Modules: Microsoft.Graph.DeviceManagement
Connection:
Connect-MgGraphRequired Modules: Microsoft.Graph.DeviceManagement
Implementatie
Public log path: Policy: Log file path: %SystemRoot%\System32\LogFiles\Firewall\publicfw.log, Effect: Public profile traffic logged separately, SIEM: Forward publicfw.log β priority alerts (public WiFi = hostile environment).
Vereisten
- Intune subscription
- Windows 10/11
- Public firewall logging enabled
Implementatie
Intune Settings Catalog: Windows Firewall β Public Profile β Log file path: %SystemRoot%\System32\LogFiles\Firewall\publicfw.log (standard).
Compliance
CIS Windows Benchmark L1, BIO 12.04.
Monitoring
Gebruik PowerShell-script enable-public-network-firewall-log-file-path-is-set-to-systemroot-system32-logfiles-firewall-publicfw-log.ps1 (functie Invoke-Monitoring) β Controleren.
Remediatie
Gebruik PowerShell-script enable-public-network-firewall-log-file-path-is-set-to-systemroot-system32-logfiles-firewall-publicfw-log.ps1 (functie Invoke-Remediation) β Herstellen.
Compliance & Frameworks
- CIS M365: Control Windows - Firewall log path (L1) -
- BIO: 12.04.01 -
Automation
Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).
PowerShell
<#
.SYNOPSIS
Intune Windows Firewall: Public Log Path
.DESCRIPTION
CIS - Public log path publicfw.log.
.NOTES
Filename: firewall-public-log-path.ps1|Author: Nederlandse Baseline voor Veilige Cloud|NetSH: Public LogFileName|Expected: publicfw.log
#>
#Requires -Version 5.1
#Requires -RunAsAdministrator
[CmdletBinding()]param([switch]$WhatIf, [switch]$Monitoring, [switch]$Remediation, [switch]$Revert)
$ErrorActionPreference = 'Stop'; $Profile = "Public"
function Connect-RequiredServices { $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) }
function Test-Compliance {
$r = [PSCustomObject]@{ScriptName = "firewall-public-log-path.ps1"; PolicyName = "Firewall Public Log Path"; IsCompliant = $false; CurrentValue = $null; Details = @() }; function Invoke-Revert { Set-NetFirewallProfile -Name $Profile -LogFileName "%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log" }
try { $fw = Get-NetFirewallProfile -Name $Profile -ErrorAction SilentlyContinue; if ($fw) { $r.CurrentValue = $fw.LogFileName; if ($fw.LogFileName -match 'publicfw\.log') { $r.IsCompliant = $true; $r.Details += "Log path OK" }else { $r.Details += "Log path: $($fw.LogFileName)" } }else { $r.Details += "Profile niet gevonden" } }catch { $r.Details += "Error: $($_.Exception.Message)" }; return $r
}
function Invoke-Remediation { $path = "$env:SystemRoot\System32\LogFiles\Firewall\publicfw.log"; if (-not(Test-Path (Split-Path $path))) { New-Item -Path (Split-Path $path) -ItemType Directory -Force | Out-Null }; Set-NetFirewallProfile -Name $Profile -LogFileName $path; Write-Host "Public log path configured" -ForegroundColor Green }
function Invoke-Monitoring { $r = Test-Compliance; Write-Host "`n$($r.PolicyName): $(if($r.IsCompliant){'COMPLIANT'}else{'NON-COMPLIANT'})" -ForegroundColor $(if ($r.IsCompliant) { 'Green' }else { 'Red' }); return $r }
function Invoke-Revert { Set-NetFirewallProfile -Name $Profile -LogFileName "%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log" }
try { if (-not(Connect-RequiredServices)) { exit 1 }; if ($Monitoring) { $r = Invoke-Monitoring; exit $(if ($r.IsCompliant) { 0 }else { 1 }) }elseif ($Remediation) { if (-not $WhatIf) { Invoke-Remediation } }elseif ($Revert) { Invoke-Revert }else { $r = Test-Compliance; exit $(if ($r.IsCompliant) { 0 }else { 1 }) } }catch { Write-Error $_; exit 1 }
Risico zonder implementatie
Risico zonder implementatie
Low: Low: Non-standard path = log collection issues.
Management Samenvatting
Public firewall log: publicfw.log (standard path). Separate from Domain log. SIEM priority alerts. Implementatie: 1-2 uur.
- Implementatietijd: 2 uur
- FTE required: 0.01 FTE