Windows Defender Firewall w/ Advanced Security - Security Connection Rules

  • Question

  • I have a scenario that is really confusing me. I recently switched from a 3rd party personal firewall provider to using Windows Defender Firewall with Advanced Security. I'm not very familiar with it, so I decided to do some experimenting. I wanted to play with Connection Security Rules and see how any of the settings might affect network traffic. Well, I added a rule requiring Kerberos v5 authentication for all incoming connections and requesting it on all outgoing connections. This applies to any two endpoints, any port, any protocol. Since my understanding is that Kerberos authentication only applies to Active Directory Domain Networks, I expected it would either disrupt my network connection or have no effect at all.

    To my surprise, it appears to have had a beneficial effect. Simply enabling the rule prevents other devices in my local network from being able to port scan my PC, or capture unencrypted web traffic with tools such as ettercap, aircrack-ng, etc. As soon as I disable the rule, I'm able to capture traffic from another device and scan for open ports on the PC again. I've had the rule on for a couple of weeks now, and it doesn't seem to negatively affect my connectivity in any way. When running Wireshark alongside it, I don't see any unencrypted traffic, with the only noteworthy thing to mention being a whole lot of ISAKMP connections. I can't figure out what accounts for this behavior. At no time is my PC, or any other device connecting to it (trying to, anyway), presented with login credential requests. If you have any idea why this is occurring, I would much appreciate the enlightenment. Specific info on my PC below:

    Windows 10 Pro x64 ver 1803. Firewall settings are configured through MMC and Group Policy.

    Desktop PC; however, I connect wirelessly. Only one network interface is enabled at a time. IPv6 is turned off for the interface in question.

    Local residential network. ISP is Comcast. Three desktops (two Windows, one Linux), two laptops (one Windows, one Mac), two gaming systems, a tablet, and 8 phones (a mix of iPhones and Androids) all connect wirelessly. No workgroup or file sharing established.

    If you need additional info let me know. Thanks!

    Wednesday, November 7, 2018 7:09 PM
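The connection security rule described in the question, written out in PowerShell as an added example (not from the original post or from Microsoft), followed by the checks that show what it is doing: an inbound "Require" setting means a peer that cannot complete Kerberos v5 authentication never gets an inbound connection accepted, which matches the failed port scans, and the ISAKMP packets seen in Wireshark are the IKE negotiation attempts that precede any IPsec-protected traffic. It assumes an elevated session on the Windows 10 machine and writes to the local persistent store rather than the GPO the question mentions; the GPO path in the comment is a placeholder.

```powershell
# Added example (not from the original post): reproduce the connection security
# rule from the question in the local persistent store and inspect the result.
# Run in an elevated PowerShell on the Windows 10 machine. The question's rule
# lives in a GPO; to target that instead, add -PolicyStore "<domain>\<GPO name>"
# (placeholder, not a value from the page) to each New-/Get- cmdlet below.

# Phase 1 (main mode) authentication: machine Kerberos v5 only.
$kerbProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName "Machine Kerberos v5" `
            -Proposal $kerbProposal

# Any endpoint, any port, any protocol; authentication is required for inbound
# connections and only requested for outbound ones.
New-NetIPsecRule -DisplayName "Require inbound / request outbound (Kerberos)" `
    -LocalAddress Any -RemoteAddress Any -Protocol Any `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name -Enabled True

# Confirm what is actually in force (ActiveStore merges local policy and GPO).
Get-NetIPsecRule -PolicyStore ActiveStore |
    Select-Object DisplayName, InboundSecurity, OutboundSecurity, Enabled

# Peers that completed IKE (the "ISAKMP" packets in Wireshark) appear here as
# main-mode SAs. A non-domain host never gets one, so its inbound packets are
# dropped by the Require rule before any application port is reachable.
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint

# Make failed negotiations visible in the Security log (events 4652/4653) so
# rejected peers can be observed rather than inferred from a silent scan.
auditpol /set /subcategory:"IPsec Main Mode" /success:enable /failure:enable
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4652, 4653 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Note that a rule with "Require" inbound only authenticates the peer machine; as the accepted answer says, it does not by itself encrypt application traffic such as HTTP.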

Answers

  • The Kerberos developers assumed that anyone could eavesdrop on network traffic, could claim to be any user, and could set up rogue servers capable of posing as any legitimate service, including the Kerberos services themselves. Encryption was used to prevent eavesdropping attacks, and session keys were introduced along with timestamps to prevent replay attacks. When users (or hosts/services) authenticate to the Kerberos authentication service, the authentication service in turn authenticates itself to the user (or host/service) by proving it knows the previously established shared secret. A by-product of these counter-measures is that Kerberos provides protection against man-in-the-middle attacks, which were generally regarded as infeasible at the time, and for more than a decade after Kerberos was initially deployed. Sadly, man-in-the-middle attacks are no longer mere conjecture, and are all too common on today's Internet, which was not designed with a hostile environment in mind.

    If you can reasonably join all of the systems to the Kerberos realm, for instance they're all sites within your environment, then it should be fine to use. However, it doesn't necessarily encrypt everything; for instance, HTTP would still be unencrypted. Some services such as NFS, though, can encrypt their data flows using Kerberos. Depending on your applications and the data you'll be transmitting, you may still want to use a VPN between sites.

    Also refer to this Microsoft article.

    Security rules for Windows Firewall and for IPsec-based connections in Windows

    https://support.microsoft.com/tr-tr/help/942957/security-rules-for-windows-firewall-and-for-ipsec-based-connections-in

    Other reference material.

    https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Configuring-Your-Firewall-to-Work-With-Kerberos-V5.html

    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Regards


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Maja Wa Sunday, November 11, 2018 12:27 AM
    Thursday, November 8, 2018 2:41 AM
    Moderator

All replies

  • Very interesting and informative. Thanks
    Sunday, November 11, 2018 12:28 AM