Please Note: I'm a novice with Windows Security concepts. Please correct me if I'm not using the right terms, as it'll help me improve my Google searches.

I'm trying to take the recommended actions to address STIG finding V-17442 (in a nutshell, STIGs are guidelines for how to configure my PC to be cybersecurity compliant; this particular STIG is a rule for firewall settings). If you follow that link, there is a "Fix Text" that describes what to do to be compliant:

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security -> Windows Firewall with Advanced Security -> Windows Firewall Properties (this link will be in the right pane) -> Public Profile Tab -> Settings (select Customize) -> Rule merging, "Apply local firewall rules:" to "No".

I need to perform this action using a PowerShell script (i.e., from command line, not GUI).

I tried using the Set-NetFirewallProfile command to do this:

Set-NetFirewallProfile -Profile Public -AllowLocalFirewallRules False

But it appears to affect the "Local Firewall Settings" but not the "Firewall Policy Settings". I put these terms in quotes because I made them up and am unsure if there are already names for them. Please note:

  • By "Local Firewall Settings", I'm referring to the settings that are accessed by going to: Control Panel > System and Security > Windows Defender Firewall > Advanced settings (on the left). You will see: Local Firewall Settings
  • By "Firewall Policy Settings", I'm referring to the policy settings that are configured by going to: gpedit.msc (run as Admin) > Computer Configuration > Windows Settings > Security Settings > "Windows Defender Firewall with Advanced Security - Local Group Policy Object"

So some questions come to mind:

  1. How do the Firewall Policy Settings affect Local Firewall Settings (If they do at all)?
  2. (To close this question) How do I change Firewall Policy Settings to set "Apply local firewall rules" to "No" using PowerShell? By using the Secpol utility?
  • is your machine joined to a domain?
    – Narzard
    Commented Jun 28, 2023 at 16:48
  • @Narzard No. But would the solution be different if it were? The (development) machine I'm testing commands on is joined to a domain.
    – Minh Tran
    Commented Jun 28, 2023 at 17:06
  • Yes, this applies to domain-joined machines only. This STIG basically tells the machine to always use the group policy setting for the public firewall pushed from the domain controller instead of being able to be configured locally.
    – Narzard
    Commented Jun 28, 2023 at 18:15

1 Answer

The STIG you linked mentions "If the system is not a member of a domain, this is NA", so it should not apply to your target machine. For domain-joined machines, you would set this via a central Group Policy.

If you just want the stig check to come back happy:

  • Manually follow the gpedit.msc steps you have on one machine
  • Export the local group policy, security configuration, and audit policy settings: Guide here
  • Copy and import the settings on off-domain machines
  • To address this STIG, I had to modify the Firewall Policy Setting for the Public profile. This is done by exporting the local group policy (LGPO.exe /b), converting the machine policy file (.pol) into human-readable text format (LGPO.exe /parse /m), and setting the "Software\Policies\Microsoft\WindowsFirewall\PublicProfile" key "AllowLocalPolicyMerge" DWORD value to "0" (corresponding to "No"). I then reapplied the policies from this text file using (LGPO.exe /t).
    – Minh Tran
    Commented Jul 5, 2023 at 20:03
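The LGPO.exe procedure from the comment above, scripted end to end as an added example (not code from the question, the answer, or the STIG). It assumes LGPO.exe from the Microsoft Security Compliance Toolkit is on PATH, that the shell is elevated, and that the "domain-joined" test is the NA check the answer quotes.

```powershell
#Requires -RunAsAdministrator
# Added example: set "Apply local firewall rules" = No for the Public profile in the
# local GPO via LGPO.exe, then verify. Assumes LGPO.exe is on PATH (assumption).

# V-17442 is NA for a machine that is not domain-joined; report that up front.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Warning "Machine is not domain-joined: the STIG marks this check Not Applicable."
}

# LGPO text format: scope, registry key (relative to HKLM for 'Computer'), value name, TYPE:data.
# AllowLocalPolicyMerge = 0 is the registry form of "Apply local firewall rules: No".
$lgpoText = @"
Computer
Software\Policies\Microsoft\WindowsFirewall\PublicProfile
AllowLocalPolicyMerge
DWORD:0

"@
$tmp = Join-Path $env:TEMP 'public-profile-merge.txt'
Set-Content -Path $tmp -Value $lgpoText -Encoding ASCII

# Apply the text file to the local GPO (updates the machine registry.pol).
& LGPO.exe /t $tmp
if ($LASTEXITCODE -ne 0) { throw "LGPO.exe failed with exit code $LASTEXITCODE" }

# Refresh computer policy so the updated registry.pol is processed into the Policies hive.
gpupdate /target:computer /force | Out-Null

# Verify 1: the policy registry value now exists with the expected data.
$key = 'HKLM:\Software\Policies\Microsoft\WindowsFirewall\PublicProfile'
$val = (Get-ItemProperty -Path $key -Name AllowLocalPolicyMerge).AllowLocalPolicyMerge
"Policy value AllowLocalPolicyMerge = $val (expected 0)"

# Verify 2: the effective setting as the firewall service sees it after policy merge.
Get-NetFirewallProfile -Profile Public -PolicyStore ActiveStore |
    Select-Object Name, AllowLocalFirewallRules
```

Writing the value only to HKLM with Set-ItemProperty would satisfy a registry-based check but would not appear in gpedit.msc, because the console reads registry.pol; going through LGPO.exe keeps both views consistent.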
