Ever thought about what type of outbound firewall rules that is required for you clients to run as expected? Maybe you want to minimize the outbound rules on your public or private Windows firewall profile.

You probably already know that when Windows NLA service is discovering what type of network you’re on it will try to connect gateway, do a LDAP query, recognize your DNS suffix among other things. More about that here: Network Location Awareness (NLA) and how it relates to Windows Firewall Profiles

The problem is maybe not to limit the outgoing traffic in these profiles, but to get back to the domain profile from public or private profile.

Here is very good guide to get this going: http://technet.microsoft.com/en-us/library/ee215186(v=ws.10).aspx
Make sure that this will not enable traffic like webbrowsing, FTP etc. just what really necessary like DNS, DHCP, authentication etc.

Where is how you do: Start with enable the predefined rule: Core Networking
clip_image001

clip_image002

Don’t forget to change this to Allow
clip_image003

Do the same with the predefined rule: File and Printer Sharing
clip_image004

Don’t forget to Allow the rule!

Now to two more trickier rules: First allow outgoing authentication from lsass.exe
clip_image005

clip_image006

clip_image007

clip_image008

clip_image009

Second custom rule is to allow WMI queries, if you have them in your Group policies
clip_image010

clip_image011

clip_image012

clip_image013

clip_image014

clip_image008[1]

clip_image015

When done it should look something like this
clip_image016

 

Remember that this list most probably need to be extended or edited to fit your environment.

2014-05-13 Update. Be aware that one more outbound rule needs to be added to make NLA and Firewall profile switching working correctly:

  1. Right-click Outbound Rules, and then click New Rule.
  2. On the Rule Type page, click Custom, and then click Next.
  3. On the Program page, select This program path, and then type %windir%\System32\svchost.exe. Also Click Customize, Select Apply to service with this service short name, and then type NlaSvc to add the Network Location Awareness service, click OK, and then click Next.
  4. Read and accept the changes by pressing Yes.
  5. On the Protocol and Ports page, change Protocol type to TCP, change Remote port to Specific Ports, type 389, and then click Next.
  6. On the Scope page, click Next.
  7. On the Action page, select Allow the connection, and then click Next.
  8. On the Profile page, click Next.
  9. On the Name page, type Allow outbound NlaSvc Service port 389, and then click Finish.
Advertisements