Windows 7 adv firewall and BFE

Problem description



I think I have scoured pretty much every msdn/ms post and document over the past week on the description of this problem, but can not piece together enough to solve it.

This started out as a penetration test of the Win 7 x64 professional firewall. The system is full retail with just MS products on it, fully updated with standard settings. I switched to blocked inbound AND outbound to test penetration with a remote computer. It is when I discovered several inconsistencies I hope you can help me with.

Security via the windows firewall can be configured by 5 common different mechanisms -

(example - to stop it)

  1. In the Firewall CPL in control panel
  2. In the Advanced Firewall MMC
  3. In the Services Manager MMC
  4. Netsh Firewall set opmode disable
  5. Net stop MPSSVC or net stop sharedaccess (Depending on the OS)
  6. + another 1 = using the Group Edit (gpedit) MMC 

But I am not stopping it, I am trying to securely configure it so as to test it. The documentation on the Windows Filtering Platform makes the BFE an integral piece of this puzzle. Specifically "persistent providers" that routinely delete and then add my filters.

So this is my problem. One specific persistent BFE provider regularly adds and deletes a whole bunch of filters that can be captured in the security auditing logs. It literally floods the logs with adds and deletes.

This MSDN article on 'Managing Security' re: hindering/deleting ... explains how to code hardening of the filters, and then explains how to take ownership and delete them. ?!?!?!

Qn: Is it possible to code/enter persistent filters designed to protect a system without fear of others deleting them?

Qn: Asking this another way, if a malicious program learns of a user filter, what prevents it from discovering and deleting user filters set with administration authority? (As I was observing with the registered FirewallAPI BFE provider)

Qn: Of the 6 methods above to view the Firewall configuration, no 2 of them agreed. Viewing the status of in/out traffic, log settings, active filters was a freaking nightmare.

Qn: I tended to rely on the GPedit->Comp->Win->Sec->Windows Firewall MMC console in the end. Is this console interface the more senior in hierarchy than the other methods of netsh and wf.msc? None of them consistently showed the filtering states.

Qn: In any event of filters being set either by code or administration user interface, can they be deleted by either another registered installation, possibly even a system update? (without the user knowing about it)

I am trying to develop a set of hardened filters but am not sure I can trust them to be 'persistent'.

Hope this makes sense.

Regards, ETC
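The question notes that the filter adds and deletes land in the security audit log but never says which provider or process is responsible. The following PowerShell, added here as an example and not code from the original post, turns on the "Filtering Platform Policy Change" audit subcategory and summarises Security event 5447 ("A Windows Filtering Platform filter has been changed") by provider, change type and process ID, so the churning provider can be named instead of just flooding the log. The EventData field names used (ProviderName, FilterName, LayerName, ChangeType, ProcessId, UserName) are assumptions about the event's XML layout; inspect one event's `ToXml()` output if a column comes back empty.

```powershell
# Added example, not code from the original post. Enables auditing of WFP policy
# changes and summarises Security event 5447 by provider and change type.
# Event field names below are assumptions about the event's EventData layout.
# Run from an elevated prompt; auditpol and Get-WinEvent both exist on Windows 7.

function Enable-WfpPolicyChangeAudit {
    # Success and failure: a failed delete of a hardened filter is the interesting case.
    auditpol /set /subcategory:"Filtering Platform Policy Change" /success:enable /failure:enable | Out-Null
}

function Get-WfpFilterChange {
    param(
        [datetime]$Since = (Get-Date).AddHours(-1),
        [int]$MaxEvents = 5000
    )
    $filter = @{ LogName = 'Security'; Id = 5447; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        # Flatten <Data Name="...">value</Data> pairs into a hashtable.
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            Time      = $e.TimeCreated
            Provider  = $data['ProviderName']   # assumed field name
            Filter    = $data['FilterName']     # assumed field name
            Layer     = $data['LayerName']      # assumed field name
            Change    = $data['ChangeType']     # assumed field name
            ProcessId = $data['ProcessId']      # assumed field name
            User      = $data['UserName']       # assumed field name
        }
    }
}

function Get-WfpChangeSummary {
    # Counts changes per (provider, change type). Large, balanced add/delete counts
    # from a single provider are the churn the question describes.
    param($Changes)
    $Changes | Group-Object Provider, Change | Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Provider';   e = { $_.Group[0].Provider } },
            @{ n = 'Change';     e = { $_.Group[0].Change } },
            @{ n = 'ProcessIds'; e = { ($_.Group | ForEach-Object { $_.ProcessId } | Sort-Object -Unique) -join ',' } }
}

Enable-WfpPolicyChangeAudit
$changes = Get-WfpFilterChange -Since (Get-Date).AddHours(-1)
Get-WfpChangeSummary $changes | Format-Table -AutoSize

# Changes with no provider name at all deserve a closer look on their own.
$changes | Where-Object { -not $_.Provider } | Select-Object Time, Filter, Layer, Change, ProcessId
```

Leave the audit subcategory enabled for long enough to capture one full cycle of the churn, then rerun the summary; the process IDs let you tie the changes back to the service hosting the provider (for example via `tasklist /svc`).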


Solution

(I think this was more of a question query.)

Answering part of my dilemma is in tracing the location of the firewall rules when created via -

1. gpedit (MMC) user via group policy places the FW rule in:

HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{}Machine\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules\

2. wf (MMC) user via group policy places the FW rule in:

HKLM\System\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\

3. Netsh (cmd) user (with admin)

HKLM\System\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\

I have yet to code the MSDN tests to create/harden/delete in regards to the article on hardening and deleting filters. I do see that identical filters are given unique entries regardless of method, so no test is done prior to creating the rule. Probably given vendors would want to use their own in any case, who knows who owned what if overwritten?

(not that I think that aspect is of importance at this point)

Hence enumerating all rules will be required when listing/identifying system filters.

I'm still down the rabbit hole looking for more answers.

Regards.
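The answer concludes that every rule will have to be enumerated, and that identical rules get separate entries. As an added example (not the answer's own code), the PowerShell below reads the FirewallRules values from the HKLM path the answer names, parses the `v2.x|Key=Value|...|` string format those values use, groups entries whose content is identical apart from the value name, and cross-checks the count against `netsh advfirewall`. The second path, `HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules` for policy-applied rules, is an assumption here (the answer lists the per-GPO HKCU cache instead); it is simply skipped if absent.

```powershell
# Added example, not code from the original post. Enumerates firewall rule strings
# from the registry, parses them, and reports rule bodies stored more than once.
# The 'Policy' path is an assumption; the 'Local' path is the one given in the answer.
# Run from an elevated prompt.

$RuleSources = @{
    'Local'  = 'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
    'Policy' = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules'
}

function ConvertFrom-FirewallRuleValue {
    # Splits one value ("v2.10|Action=Allow|Active=TRUE|Dir=In|...|") into fields.
    param([string]$ValueName, [string]$RuleString, [string]$Source)
    $parts  = $RuleString.Split('|')
    $fields = @{}
    foreach ($p in ($parts | Select-Object -Skip 1)) {
        if ($p -match '^([^=]+)=(.*)$') {
            $k = $Matches[1]; $v = $Matches[2]
            # Some keys (address lists, for instance) may repeat; keep every value.
            if ($fields.ContainsKey($k)) { $fields[$k] = $fields[$k] + ',' + $v } else { $fields[$k] = $v }
        }
    }
    # Normalised body: all fields, sorted by key, without the registry value name,
    # so two entries with identical content but different value names compare equal.
    $body = ($fields.Keys | Sort-Object | ForEach-Object { "$_=$($fields[$_])" }) -join '|'
    New-Object PSObject -Property @{
        Source    = $Source
        ValueName = $ValueName
        Version   = $parts[0]
        Name      = $fields['Name']
        Action    = $fields['Action']
        Dir       = $fields['Dir']
        Active    = $fields['Active']
        Body      = $body
    }
}

function Get-RegistryFirewallRule {
    foreach ($src in $RuleSources.Keys) {
        $path = $RuleSources[$src]
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item $path
        foreach ($valueName in $key.GetValueNames()) {
            ConvertFrom-FirewallRuleValue -ValueName $valueName -RuleString ($key.GetValue($valueName)) -Source $src
        }
    }
}

function Find-DuplicateFirewallRule {
    # Groups parsed rules by normalised body and returns those stored more than once.
    param($Rules)
    $Rules | Group-Object Body | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        New-Object PSObject -Property @{
            Count      = $_.Count
            Name       = $_.Group[0].Name
            Sources    = ($_.Group | ForEach-Object { $_.Source } | Sort-Object -Unique) -join ','
            ValueNames = ($_.Group | ForEach-Object { $_.ValueName }) -join ';'
        }
    }
}

$rules = Get-RegistryFirewallRule
$rules | Group-Object Source | Select-Object Name, Count
Find-DuplicateFirewallRule $rules | Sort-Object Count -Descending | Format-Table -AutoSize

# Cross-check against the merged view netsh presents.
$netshCount = (netsh advfirewall firewall show rule name=all | Select-String '^Rule Name:').Count
"netsh reports $netshCount rule(s); registry stores $($rules.Count)"
```

On Windows 7 there is no `Get-NetFirewallRule`, which is why the registry and `netsh` are the practical sources; a mismatch between the two counts is expected when policy rules override local ones, but a body that appears under several value names in the same source is exactly the "identical filters, unique entries" behaviour the answer observed.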

