Windows firewall remote management
The above is an example of what a top-level server firewall policy can look like. It includes a number of builtin rules related to remote management of different services, all restricted to a single remote IP address. Similarly to the client configuration, the firewall options are also configured to block inbound/allow outbound traffic by default for all profiles, and to prevent local rules from applying.

NOTE: In a production environment, I would recommend not disabling local rules right away, as you most likely have local rules driving your services currently. Instead, that can be tackled one by one as new server-specific policies are created.

This policy also contains one custom rule, at the top of this list, for remote SMB access. A custom rule was created for this, as the builtin rule may be used in later policies, and when policies merge together during application, all rule names must be unique.

Next, create a new policy for a specific server. In a new GPO, linked to the server-specific OU, add builtin and custom rules as necessary.

The above policy is an example of a server-specific firewall policy, in this case, for a ConfigMgr server. It contains rules to allow access to the various ConfigMgr services from anywhere, a scoped rule for SMB access from my local subnet, and specific rules for RPC, WMI, and SQL, for local management access.

If any installed applications created their own local firewall rules, these can easily be copy/pasted from the local firewall management console (wf.msc) to a GPO. I’ve done this in the above GPO for the “ConfigMgr PXE Responder Service” rules. Pro-tip: you can even copy/paste these across an RDP session!

Once this policy has applied, and confirmed functional, go back and disable local rules from applying, and again confirm that everything still works as expected. This work will involve inventorying all servers and what ports need to be open on them, including between servers, such as a group of application servers that need to access a group of SQL servers. This process should continue, across each server/group of servers, until all have been converted to only having firewall rules applied via policy.
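An added PowerShell example, not code from the original post, covering the same steps with the NetSecurity cmdlets: it lists which enabled inbound rules on a server still come from the local store (and whether they are scoped to a remote address), copies a local application rule into the GPO under a unique name, and sets the block-inbound/allow-outbound/no-local-rules defaults and a subnet-scoped SMB rule in that GPO. The domain, GPO name and management subnet are placeholders.

```powershell
# Added example: inventory local firewall rules before moving them into a GPO,
# then push the post's defaults and a scoped rule into that GPO.
# Placeholders (assumptions, not from the post): domain, GPO name, subnet.
$GpoStore = 'contoso.example\Server Firewall - ConfigMgr'   # format: "Domain\GPO name"
$MgmtNet  = '10.0.10.0/24'

# 1. Effective (merged) profile settings on this server: the post wants
#    Block inbound / Allow outbound and no local rule merging on every profile.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, DefaultInboundAction, DefaultOutboundAction, AllowLocalFirewallRules |
    Format-Table -AutoSize

# 2. Inventory: enabled inbound rules that come from the local store rather than
#    Group Policy. These are the application-created rules the post says to carry
#    over into a GPO before local rules are disabled.
$localInbound = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Enabled True |
    Where-Object PolicyStoreSourceType -eq 'Local'

$inventory = foreach ($rule in $localInbound) {
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        DisplayName   = $rule.DisplayName
        Protocol      = $port.Protocol
        LocalPort     = ($port.LocalPort -join ',')
        RemoteAddress = ($addr.RemoteAddress -join ',')   # 'Any' means unscoped
        Action        = $rule.Action
    }
}
$inventory | Sort-Object RemoteAddress, DisplayName | Format-Table -AutoSize

# 3. Copy a local application rule into the GPO (the cmdlet equivalent of the
#    wf.msc copy/paste). Rule names must be unique across merged policies, so
#    the copy gets a distinct name.
Copy-NetFirewallRule -DisplayName 'ConfigMgr PXE Responder Service' `
    -NewPolicyStore $GpoStore -NewName 'ConfigMgr PXE Responder Service (GPO)'

# 4. GPO defaults from the post: block inbound, allow outbound, ignore local rules.
Set-NetFirewallProfile -PolicyStore $GpoStore -All `
    -DefaultInboundAction Block -DefaultOutboundAction Allow -AllowLocalFirewallRules False

# 5. SMB allowed only from the management subnet, like the post's custom rule.
New-NetFirewallRule -PolicyStore $GpoStore -DisplayName 'SMB-In (management subnet)' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 445 -RemoteAddress $MgmtNet
```

Run the inventory section on each server before step 4 is applied; any row with RemoteAddress 'Any' is a candidate for scoping before it is moved into policy.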