1 Reply Latest reply on Oct 1, 2010 12:27 PM by Kary Tankink

    Firewall Rules what is the best practice

      Firstly, is there a Best Practice Firewall Guide?


      What is the best way to write a rule for, as an example, NTOKRNL.exe, where the Local Service is 1024-65535 and the remote service has multiple instances of ranges of port numbers? I suppose it should just be set up as Local Service 1024-65535 and Remote Service 1024-65535, which makes sense, or can the remote service be narrowed down?


      Many thanks 

        • 1. Re: Firewall Rules what is the best practice
          Kary Tankink

          Hello, firewall rules should be created per your security policy.  Cut/pasting this from another thread, that I just posted to, as it's relevant to your question as well.


          As with any application and firewall rule, you'll need to decide how strictly you create your rules.  Find all necessary ports required by the application (in this example, do port checks on local systems; search Microsoft's articles; find what ports it's supposed to use and what it is using).  Decide how strict you want to make the rule and create the rule based off your decisions.


          • Do you want to MD5 hash the executable?  You may need multiple rules for all the svchost.exe builds you have in your environment.
          • Do you just want to use the executable name, or do you want specific file paths?  (malware may use the same filename, but from a different directory).
          • What all ports are required for this application to function properly?  You may need multiple rules to cover all the inbound/outbound ports.
          • etc.
          1 of 1 people found this helpful
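
An added example, not part of the thread or of any vendor's tooling: one way to turn the port checks described in the reply into candidate rule ranges, and to surface the same executable name running from different directories. The observation records, paths and function names are constructed for illustration.

```python
import ntpath
from collections import defaultdict

# Constructed observations (not from the thread): executable path, direction,
# local port, remote port, as gathered from port checks on local systems.
OBSERVED = [
    (r"C:\Windows\System32\svchost.exe", "out", 49160, 53),
    (r"C:\Windows\System32\svchost.exe", "out", 49161, 80),
    (r"C:\Windows\System32\svchost.exe", "out", 49175, 443),
    (r"C:\Windows\System32\svchost.exe", "in", 135, 51022),
    (r"C:\Users\Public\svchost.exe", "out", 49180, 8080),
    (r"C:\Program Files\App\agent.exe", "out", 50001, 8443),
    (r"C:\Program Files\App\agent.exe", "out", 50002, 8444),
    (r"C:\Program Files\App\agent.exe", "out", 50003, 8445),
]


def collapse_ports(ports):
    """Merge port numbers into sorted, inclusive (low, high) ranges."""
    ranges = []
    for port in sorted(set(ports)):
        if ranges and port == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], port)
        else:
            ranges.append((port, port))
    return ranges


def propose_rules(observed):
    """Service-side port ranges per (path, direction)."""
    seen = defaultdict(set)
    for path, direction, local_port, remote_port in observed:
        # Outbound: remote port is the service; inbound: local port is.
        service_port = remote_port if direction == "out" else local_port
        seen[(path, direction)].add(service_port)
    return {key: collapse_ports(ports) for key, ports in seen.items()}


def same_name_different_path(observed):
    """Executable names seen under more than one directory."""
    paths = defaultdict(set)
    for path, *_ in observed:
        paths[ntpath.basename(path).lower()].add(path.lower())
    return {name: sorted(p) for name, p in paths.items() if len(p) > 1}


if __name__ == "__main__":
    for (path, direction), ranges in sorted(propose_rules(OBSERVED).items()):
        print(direction, path, ranges)
    print(same_name_different_path(OBSERVED))
```

The ephemeral side of each connection is left out of the result on purpose: that is the side that stays at a wide range such as 1024-65535, while the service side is what the rule can narrow.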