We are planning to start deploying the HIPS firewall for servers with the adaptive mode option. Now:
1- Which policy rules should we use: Typical Corporate Environment or My Default?
2- What is the difference between them? Which one is convenient for servers?
3- I tried Typical Corporate Environment for one of our domain controllers and I got too much blocked traffic (Block Untrusted NetBIOS), especially the UDP ones, in the firewall activity log.
4- Ports loc-srv (135), netbios-ns (137) and netbios-ssn (139) are blocked by default for the domain controller if I use the Typical Corporate Environment policy. Should I continue blocking them? I am afraid blocking these ports will affect some functions of the DC!
I appreciate your help
Start with (a duplicate copy of) the Typical Corporate Environment policy, but you will need to modify the firewall rules to fit your environment.
For me personally, I found the most effective method for configuring firewall policies is to query the operating system for listening ports (assuming you have access to the server).
1) netstat - Open up a command prompt and run netstat to list active ports. To identify listening TCP ports, use:
C:\> netstat -an | find "LISTEN"
You can also use it to list UDP ports, but there is no such thing as a "LISTENING" state for UDP.
2) Activity Log - Run C:\Program Files\McAfee\Host Intrusion Prevention\McAfeeFire.exe and click on the Activity Log tab to see list of traffic being blocked.
3) If the system is running Windows 7 or Windows Server 2008 (or later), you can view all kinds of network activity statistics (including open ports) using Resource Monitor (resmon.exe) which can be launched from the run prompt or by opening up Windows Task Manager and clicking on the Resource Monitor button on the Performance tab.
Adaptive mode works pretty well, but for some reason it didn't pick up all the ports I needed.
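The netstat step above produces a text listing that you still have to turn into firewall rules by hand. The following Python script, added here as an example and not part of the original reply or of McAfee's tooling, parses `netstat -an` output from a Windows host into TCP listeners and bound UDP sockets (UDP lines have no state column, so every bound UDP socket is treated as able to receive traffic), and then compares the result against a set of ports the policy blocks. The netstat output and the blocked-port set (135/TCP, 137/UDP, 139/TCP, taken from the ports named in the question) are constructed for illustration; check your own policy's rule definitions before using them.

```python
"""Turn `netstat -an` output into listening endpoints for firewall-rule review.

Added example for this thread, not code from the original post. It parses the
netstat listing, keeps TCP sockets in LISTENING state plus every bound UDP
socket, and reports which of them a policy's block list would hit.
"""
import re
from collections import namedtuple

Endpoint = namedtuple("Endpoint", "proto local_addr port")

# Constructed sample of `netstat -an` output from a Windows host (not a real capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:3389          10.0.0.77:51234        ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:123            *:*
  UDP    10.0.0.5:137           *:*
  UDP    10.0.0.5:138           *:*
  UDP    [::]:123               *:*
"""

# Proto, local address, foreign address, optional state (absent for UDP rows).
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def _split_addr(addr):
    # Split "host:port"; rpartition keeps bracketed IPv6 literals intact.
    host, _, port = addr.rpartition(":")
    return host, int(port)


def listening_endpoints(text):
    """Return TCP listeners and bound UDP sockets as Endpoint tuples."""
    found = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # header, blank, or non-socket line
        proto, local, _foreign, state = m.groups()
        host, port = _split_addr(local)
        if proto == "TCP" and state != "LISTENING":
            continue  # ESTABLISHED, TIME_WAIT etc. are not listeners
        # UDP has no state: any bound UDP socket can receive datagrams.
        found.append(Endpoint(proto, host, port))
    return found


def ports_by_proto(endpoints):
    """Collapse endpoints to {proto: sorted unique ports} for rule building."""
    out = {}
    for ep in endpoints:
        out.setdefault(ep.proto, set()).add(ep.port)
    return {p: sorted(v) for p, v in out.items()}


def blocked_but_listening(endpoints, blocked):
    """Ports the host listens on that the policy blocks: candidate exceptions.

    `blocked` is a set of (proto, port) pairs taken from the policy rules.
    """
    return sorted({(ep.proto, ep.port) for ep in endpoints} & set(blocked))


# Assumed block list built from the ports named in the question; verify
# against the actual rule definitions in your policy.
TCE_NETBIOS_BLOCK = {("TCP", 135), ("UDP", 137), ("TCP", 139)}

if __name__ == "__main__":
    eps = listening_endpoints(SAMPLE_NETSTAT)
    print(ports_by_proto(eps))
    print(blocked_but_listening(eps, TCE_NETBIOS_BLOCK))
```

On a real server, redirect `netstat -an > ports.txt` and feed the file's contents to `listening_endpoints`; the `blocked_but_listening` result is the list of ports you need to decide about explicitly (allow from trusted subnets, or confirm the block is acceptable) rather than discover later in the activity log.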