Enhancing Network Security on Windows Server 2008 R2

Introduction

In today's digital landscape, network security is of utmost importance. This article discusses an effective method to enhance network security on Windows Server 2008 R2. By enabling the firewall audit option called "Filtering Platform Packet Drop," you can receive EventLog entries for every dropped incoming packet, ensuring better monitoring and control over your network connections.

(Screenshot: Attach an event-triggered task)

How to Enable Firewall Audit

To enable the firewall audit option, follow these simple steps:

  1. Open the Group Policy Object Editor and navigate to the following location: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

  2. Enable the following policies:

    • Audit: Force audit policy subcategory settings: enable
    • Advanced Audit Policy Configuration > System Audit Policies > Object Access:
      • Filtering Platform Packet Drop: Failure

Ensure these policies are active by running the following commands in the Command Prompt:

reg query HKLM\System\CurrentControlSet\Control\Lsa /v SCENoApplyLegacyAuditPolicy
auditpol /get /SubCategory:{0CCE9225-69AE-11D9-BED3-505054503030}

(Screenshot: Define a task name)

Verifying Packet Logging

To verify that dropped packets are being logged, run a port scan from a second system running a live Linux distribution (e.g., Knoppix or Kali Linux) against your Windows system, using the nmap command. If a port is reported as "filtered," the packet was dropped and should appear in the EventLog.

Example command:

nmap -sT -p 9100-9110 192.168.1.1

EventLog Entries and Triggered Schedule Task

When packets are dropped, you will see entries with EventID 5152 and Source "Microsoft Windows security auditing." These entries are logged in the Security EventLog. To take immediate action upon logging such events, you can create a triggered Schedule Task.

(Screenshot: Start a program as action)

Creating a Triggered Schedule Task

Follow these steps to create a triggered Schedule Task:

  1. Right-click on the Eventlog entry and select "Attach a Task to this event."

    (Screenshot: Define Action script)

  2. Define a name for the task.

  3. Choose a program to start when the event is triggered. You can use a PowerShell script to perform further actions based on your requirements.

  4. Export the task by running the following command:

schtasks /query /TN "Event Viewer Tasks\EventLog-Action-Drop-Packets-5152" /XML > C:\temp\Export-EventLog-Action-Drop-Packets-5152.xml

(Screenshot: Creating a triggered Schedule Task)

Advanced Customization of the Task

To customize the parameters passed to the PowerShell script, open the exported XML file and add a ValueQueries node under the EventTrigger node. Each parameter is defined with a Value node, whose name attribute is the variable name referenced as $(name) in the action node later.

Append these variables as parameters to the task action arguments in the XML file. Here's an example of the modified task definition:

-Command D:\Event5152.ps1 '$(SourceAddress)' '$(SourcePort)' '$(DestAddress)' '$(DestPort)' '$(TimeCreated)'
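Editing the exported XML by hand is error-prone, so here is an added PowerShell example (not part of the original article) that performs the customization above: it loads the exported task, adds a ValueQueries node with one Value per Event 5152 field, and sets the Exec action to call the script with those values. The input and output file names, the fixed powershell.exe command, and the XPath expressions for the 5152 fields are assumptions of this example.

```powershell
# Added example, not from the original article: rewrite the exported task XML so the
# EventTrigger carries ValueQueries for Event 5152 fields and the Exec action receives them.
param(
    [string]$InPath  = 'C:\temp\Export-EventLog-Action-Drop-Packets-5152.xml',  # export from the article
    [string]$OutPath = 'C:\temp\EventLog-Action-Drop-Packets-5152-custom.xml',  # assumed output name
    [string]$Script  = 'D:\Event5152.ps1'                                       # action script from the article
)
$ns = 'http://schemas.microsoft.com/windows/2004/02/mit/task'   # Task Scheduler schema namespace
# Event 5152 fields and the XPath (relative to the <Event>) that extracts each one (assumed)
$queries = [ordered]@{
    SourceAddress = "Event/EventData/Data[@Name='SourceAddress']"
    SourcePort    = "Event/EventData/Data[@Name='SourcePort']"
    DestAddress   = "Event/EventData/Data[@Name='DestAddress']"
    DestPort      = "Event/EventData/Data[@Name='DestPort']"
    TimeCreated   = 'Event/System/TimeCreated/@SystemTime'
}
[xml]$task = Get-Content -Path $InPath -Raw
$nsm = New-Object System.Xml.XmlNamespaceManager($task.NameTable)
$nsm.AddNamespace('t', $ns)
$trigger = $task.SelectSingleNode('/t:Task/t:Triggers/t:EventTrigger', $nsm)
if (-not $trigger) { throw "No EventTrigger found in $InPath" }
# Drop any ValueQueries already present so the script can be re-run safely
$old = $trigger.SelectSingleNode('t:ValueQueries', $nsm)
if ($old) { [void]$trigger.RemoveChild($old) }
# ValueQueries is the last element allowed in EventTrigger, so appending keeps schema order
$vq = $task.CreateElement('ValueQueries', $ns)
foreach ($name in $queries.Keys) {
    $v = $task.CreateElement('Value', $ns)
    $v.SetAttribute('name', $name)        # referenced as $(name) in the action arguments
    $v.InnerText = $queries[$name]
    [void]$vq.AppendChild($v)
}
[void]$trigger.AppendChild($vq)
# Pass every extracted value to the script as a single-quoted positional argument
$exec = $task.SelectSingleNode('/t:Task/t:Actions/t:Exec', $nsm)
if (-not $exec) { throw "No Exec action found in $InPath" }
$cmd = $exec.SelectSingleNode('t:Command', $nsm)
$cmd.InnerText = 'powershell.exe'         # assumes the action should run PowerShell
$argNode = $exec.SelectSingleNode('t:Arguments', $nsm)
if (-not $argNode) {                      # <Arguments> must directly follow <Command>
    $argNode = $exec.InsertAfter($task.CreateElement('Arguments', $ns), $cmd)
}
$argList = ($queries.Keys | ForEach-Object { "'`$($_)'" }) -join ' '
$argNode.InnerText = "-Command $Script $argList"
$task.Save($OutPath)
```

The resulting file can be imported with schtasks /Create /TN "<task name>" /XML <output file>; because each value is quoted as a positional argument, the action script receives them in the same order as the ValueQueries entries.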

Cleaning Up and Executing the Task

Once the task is created, delete the old task using the following command:

schtasks /Delete /TN "Event Viewer Tasks\EventLog-Action-Drop-Packets-5152"

Import the new, altered task definition and create the action script specified in the task. In this example, the PowerShell script (D:\Event5152.ps1) simply writes all parameters to a file.

# Writes a timestamp plus every argument handed over by the task (one per value query) to a text file
[string]$sOutput=""
[string]$sOutputFile="d:\temp\Event5151.txt"
$sOutput=(get-date).ToShortDateString()+" "+(get-date).ToLongTimeString()
if($args.Length -ge 1){
   # Append each positional argument as ";index:value"
   for($iLoop=0;$iLoop -lt $args.Length;$iLoop++){
       $sOutput+=";"+$iLoop.ToString()+":"+$args[$iLoop]
   }
}
Add-Content -path $sOutputFile -value $sOutput

Conclusion

By following these steps, you can improve the network security monitoring of your Windows Server 2008 R2 system. Enabling the firewall audit option and creating a triggered Schedule Task gives you visibility into dropped packets and lets you take immediate action based on the logged events. Stay vigilant and keep your network secure!

Original article by Michls Tech Blog