Merge Draft 0.9

Author: MichaelGrafnetter

.gitattributes

@@ -0,0 +1,2 @@
+# Force LF line endings on shell scripts, even in Windows.
+*.sh text eol=lf

.github/workflows/deploy-pages.yml

@@ -3,8 +3,12 @@ name: Deploy GitHub Pages
 on:
   push:
     branches: ["main"]
-
-  workflow_dispatch:
+    paths:
+        - README.md
+        - ADDS/README.md
+        - ADDS/GPOReport.html
+        - Generators/mkdocs/*
+        - .github/workflows/deploy-pages.yml
 
 permissions:
   contents: read
@@ -16,21 +20,46 @@ concurrency:
   cancel-in-progress: false
 
 jobs:
-  deploy:
-    name: Deploy
-    environment:
-      name: github-pages
-      url: ${{ steps.deployment.outputs.page_url }}
+  build:
+    name: MKDocs Build
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+
       - name: Setup Pages
+        id: setup
         uses: actions/configure-pages@v5
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.x
+          cache: pip
+          cache-dependency-path: Generators/mkdocs/requirements.txt
+
+      - name: Install MKDocs
+        run: pip install mkdocs
+
+      - name: Build site with MKDocs
+        run: Generators/mkdocs/mkdocs.sh
+        env:
+          REPO_URL: ${{ github.server_url }}/${{ github.repository }}/blob/${{ github.ref_name }}
+          SITE_URL: ${{ steps.setup.outputs.base_url }}
+
       - name: Upload artifact
         uses: actions/upload-pages-artifact@v3
         with:
-          path: ADDS/GPOReport.html
+          path: site
+    
+  deploy:
+    name: GitHub Pages Deployment
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
       - name: Deploy to GitHub Pages
         id: deployment
         uses: actions/deploy-pages@v4

.github/workflows/generate-whitepaper.yml

@@ -20,7 +20,7 @@ jobs:
         run: echo "date=$(date '+%B %e, %Y')" > $GITHUB_OUTPUT
 
       - name: Generate the whitepaper using Pandoc
-        uses: docker://pandoc/extra
+        uses: docker://pandoc/extra:3.1.1
         with:
           args: >-
             --output=Domain_Controller_Firewall.pdf
@@ -33,7 +33,7 @@ jobs:
             --toc-depth=2
             --number-sections
             --template=eisvogel
-            --lua-filter=pandoc.lua
+            --lua-filter=Generators/pandoc/pandoc.lua
             --variable=lof:true
             --variable=classoption:oneside
             --variable=geometry:a4paper,margin=2cm

.gitignore

@@ -1,2 +1,7 @@
+# Documents generated by Pandoc
 *.pdf
 *.docx
+
+# Website generated by MkDocs
+/docs/
+/site/

ADCS/StaticPorts.bat

@@ -0,0 +1,20 @@
+@ECHO OFF
+
+REM Author: Michael Grafnetter
+
+REM Reconfigure the CA to use port 10509/TCP for RPC traffic
+REM instead of a random port from the 49152-65535 dynamic range.
+reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D99E6E74-FC88-11D0-B498-00A0C90312F3}" /v Endpoints /d "ncacn_ip_tcp,0,10509" /t REG_MULTI_SZ /f
+
+REM Restart the service for the changes to apply
+net.exe stop CertSvc
+net.exe start CertSvc
+
+REM Required CA ports are now:
+REM 135/TCP   - RPC Endpoint Mapper
+REM 10509/TCP - Certificate Request RPC API
+REM 80/TCP    - HTTP CRL + OCSP
+REM 443/TCP   - HTTPS CA Web Enrolment
+
+REM Press any key...
+pause

ADDS/DCFWTool/CustomRules.Sample.ps1

@@ -0,0 +1,76 @@
+<#
+.SYNOPSIS
+Adds custom firewall rules to a pre-existing GPO session.
+
+.DESCRIPTION
+This script is not intended to be run directly. Instead, its relative path should be specified in the Set-ADDSFirewallPolicy.json configuration file.
+It is then executed by the main Set-ADDSFirewallPolicy.ps1 script.
+
+.PARAMETER GPOSession
+Specifies the network GPO session in which the rules are to be created. To load a GPO Session, use the Open-NetGPO cmdlet. To save a GPO Session, use the Save-NetGPO cmdlet.
+
+.PARAMETER DomainControllerAddresses
+List of domain controller IP addresses, between which replication traffic should be allowed.
+
+.PARAMETER RemoteManagementAddresses
+List of IP addresses from which inbound management traffic should be allowed. This list may optionally include the IP addresses of the domain controllers.
+
+.PARAMETER AllAddresses
+List of client IP adresses from which inbound traffic should be allowed. This list should include the IP addresses of the domain controllers and management systems.
+
+.NOTES
+Author:  Michael Grafnetter
+Version: 2.5
+
+#>
+
+#Requires -Modules NetSecurity
+#Requires -Version 5
+
+[CmdletBinding()]
+param(
+    [Parameter(Mandatory = $true)]
+    [string] $GPOSession,
+
+    [ValidateNotNullOrEmpty()]
+    [string[]] $ClientAddresses = @('Any'),
+
+    [ValidateNotNullOrEmpty()]
+    [string[]] $ManagementAddresses = @('Any'),
+
+    [ValidateNotNullOrEmpty()]
+    [string[]] $DomainControllerAddresses = @('Any'),
+
+    [ValidateNotNullOrEmpty()]
+    [string[]] $RemoteManagementAddresses = @('Any'),
+
+    [ValidateNotNullOrEmpty()]
+    [string[]] $AllAddresses = @('Any')
+)
+
+# Not all cmdlets inherit the -Verbose parameter, so we need to explicitly override it.
+[bool] $isVerbose = $VerbosePreference -eq [System.Management.Automation.ActionPreference]::Continue
+
+#region Custom Rules
+
+<#
+Feel free to add your custom firewall rules below to match your environment.
+#>
+
+# Create Inbound rule "File and Printer Sharing over SMBDirect (iWARP-In)"
+New-NetFirewallRule -GPOSession $gpoSession `
+                    -Name 'FPSSMBD-iWARP-In-TCP' `
+                    -DisplayName 'File and Printer Sharing over SMBDirect (iWARP-In)' `
+                    -Group 'File and Printer Sharing over SMBDirect' `
+                    -Description 'Inbound rule for File and Printer Sharing over SMBDirect to allow iWARP [TCP 5445]' `
+                    -Enabled False `
+                    -Profile Any `
+                    -Direction Inbound `
+                    -Action Allow `
+                    -Protocol TCP `
+                    -LocalPort 5445 `
+                    -RemoteAddress $AllAddresses `
+                    -Program 'System' `
+                    -Verbose:$isVerbose > $null
+
+#endregion Custom Rules

ADDS/DCFWTool/PolicyDefinitions/DomainControllerFirewall.admx

@@ -1,14 +1,14 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--  (c) 2024 Michael Grafnetter  -->
 <policyDefinitions xmlns:xsd="http://www.w3.org/2001/XMLSchema"
-  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.1" schemaVersion="1.0"
   xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" xsi:schemaLocation="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions ../../ADMXSchema/PolicyDefinitionFiles.xsd">
   <policyNamespaces>
     <target prefix="dsinternals" namespace="DSInternals.Policies.Firewall" />
     <using prefix="windows" namespace="Microsoft.Policies.Windows" />
     <using prefix="dnsclient" namespace="Microsoft.Policies.DNSClient" />
   </policyNamespaces>
-  <resources minRequiredRevision="1.0" />
+  <resources minRequiredRevision="1.1" />
   <categories>
     <category name="RPCStaticPorts" displayName="$(string.RPCStaticPorts)" />
   </categories>
@@ -55,6 +55,20 @@
         <decimal id="RPCStaticPorts_NTFRS_Value" valueName="RPC TCP/IP Port Assignment" required="true" minValue="1024" maxValue="49151" />
       </elements>
     </policy>
+    <policy name="RPCStaticPorts_CertSvc" class="Machine" displayName="$(string.RPCStaticPorts_CertSvc)" explainText="$(string.RPCStaticPorts_CertSvc_Help)" key="SOFTWARE\Classes\AppID\{D99E6E74-FC88-11D0-B498-00A0C90312F3}" presentation="$(presentation.RPCStaticPorts_CertSvc)">
+      <parentCategory ref="RPCStaticPorts" />
+      <supportedOn ref="windows:SUPPORTED_Win2k" />
+      <disabledList>
+        <item key="SOFTWARE\Classes\AppID\{D99E6E74-FC88-11D0-B498-00A0C90312F3}" valueName="Endpoints">
+          <value>
+            <delete />
+          </value>
+        </item>
+      </disabledList>
+      <elements>
+        <multiText id="RPCStaticPorts_CertSvc_Value" valueName="Endpoints" required="true" maxStrings="1" />
+      </elements>
+    </policy>
     <policy name="DNS_Turn_Off_MulticastDNS" class="Machine" displayName="$(string.DNS_Turn_Off_MulticastDNS)" explainText="$(string.DNS_Turn_Off_MulticastDNS_Help)" key="SYSTEM\CurrentControlSet\Services\DNSCache\Parameters" valueName="EnableMDNS">
       <parentCategory ref="dnsclient:DNS_Client" />
       <supportedOn ref="windows:SUPPORTED_Windows_10_0_RS1" />

ADDS/DCFWTool/PolicyDefinitions/en-US/DomainControllerFirewall.adml

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--  (c) 2024 Michael Grafnetter  -->
 <policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema"
-  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.1" schemaVersion="1.0"
   xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" xsi:schemaLocation="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions ../../../ADMXSchema/PolicyDefinitionFiles.xsd">
   <displayName>RPC Static Ports</displayName>
   <description>Remote Procedure Call Static Port Number Settings</description>
@@ -15,23 +15,31 @@ If you enable this policy setting and specify a static port number, Active Direc
 
 If you disable or do not configure this policy setting, Active Directory RPC will use a dynamic port for communication.
 
-Note that the NTDS service must be restarted for the new setting to become effective.</string>
+Note that the Active Directory Domain Services (NTDS) must be restarted for the new setting to become effective.</string>
         <string id="RPCStaticPorts_NETLOGON">Domain Controller: Netlogon static port</string>
         <string id="RPCStaticPorts_NETLOGON_Help">This policy setting allows you to configure a static port number for the Netlogon service on a domain controller.
 
 If you enable this policy setting and specify a static port number, the Netlogon service will use that port for communication.
 
 If you disable or do not configure this policy setting, the Netlogon service will use a dynamic port for communication.
 
-Note that the NTDS service must be restarted for the new setting to become effective.</string>
+Note that the Active Directory Domain Services (NTDS) must be restarted for the new setting to become effective.</string>
         <string id="RPCStaticPorts_NTFRS">Domain Controller: File Replication Service (FRS) static port</string>
         <string id="RPCStaticPorts_NTFRS_Help">This policy setting allows you to configure a static port number for the File Replication Service (FRS) on a domain controller.
 
 If you enable this policy setting and specify a static port number, the FRS will use that port for communication.
 
 If you disable or do not configure this policy setting, the FRS will use a dynamic port for communication.
 
-Note that the File Replication Service must be restarted for the new setting to become effective.</string>
+Note that the File Replication (NtFrs) service must be restarted for the new setting to become effective.</string>
+        <string id="RPCStaticPorts_CertSvc">Certification Authority: Certificate request RPC static port</string>
+        <string id="RPCStaticPorts_CertSvc_Help">This policy setting allows you to configure a static port number used by Active Directory Certificate Services to accept certificate requests.
+
+If you enable this policy setting and specify a static RPC over TCP endpoint, the CA will use it for communication. The required format of the endpoint is "ncacn_ip_tcp,0,PortNumber". The port number is recommended to be between 1024 and 49151, e.g., "ncacn_ip_tcp,0,10509".
+
+If you disable or do not configure this policy setting, the CA will use a dynamic port for RPC communication.
+
+Note that the Active Directory Certificate Services (certSvc) must be restarted for the new setting to become effective.</string>
       <string id="DNS_Turn_Off_MulticastDNS">Turn off Multicast DNS (mDNS) client</string>
       <string id="DNS_Turn_Off_MulticastDNS_Help">This policy setting allows you to turn off the Multicast DNS (mDNS) client.
 
@@ -49,6 +57,9 @@ If you disable or do not configure this policy setting, the Multicast DNS (mDNS)
       <presentation id="RPCStaticPorts_NTFRS">
         <decimalTextBox refId="RPCStaticPorts_NTFRS_Value" defaultValue="38903">Static port number:</decimalTextBox>
       </presentation>
+      <presentation id="RPCStaticPorts_CertSvc">
+        <multiTextBox refId="RPCStaticPorts_CertSvc_Value" defaultHeight="1">Static RPC endpoint:</multiTextBox>
+      </presentation>
     </presentationTable>
   </resources>
 </policyDefinitionResources>

ADDS/DCFWTool/RpcNamedPipesFilters.txt

@@ -1,6 +1,6 @@
 # Synopsis: This NETSH script is part of the Domain Controller Firewall project.
 # Author:   Michael Grafnetter
-# Version:  1.0
+# Version:  2.0
 # Usage:    netsh.exe -f RpcNamedPipesFilters.txt
 # Rollback: netsh.exe rpc filter delete filter filterkey=all
 # Check:    netsh.exe rpc filter show filter
@@ -96,9 +96,27 @@ add rule layer=um actiontype=block filterkey=0a239867-73db-45e6-b287-d006fe3c8b1
 add condition field=if_uuid matchtype=equal data=4FC742E0-4A10-11CF-8273-00AA004AE673
 add filter
 
+# Restrict [MS-FSRVP]: File Server Remote VSS Protocol, Named pipe: \PIPE\FssagentRpc
+# Limit access to Domain Admins only.
+add rule layer=um actiontype=permit filterkey=869a3c6c-60dd-4558-a58b-8d9e86b0da5f
+add condition field=if_uuid matchtype=equal data=a8e0653c-2744-4389-a61d-7373df8b2292
+add condition field=remote_user_token matchtype=equal data=D:(A;;CC;;;DA)
+add filter
+
+# Block MS-FSRVP by default
+add rule layer=um actiontype=block filterkey=4bce314a-d956-41cf-86f1-75067362cae6
+add condition field=if_uuid matchtype=equal data=a8e0653c-2744-4389-a61d-7373df8b2292
+add filter
+
 # Block [MS-DNSP]: Domain Name Service (DNS) Server Management Protocol, Named pipe: \PIPE\DNSSERVER
 # This rule only blocks RPC over Named Pipes, while RPC over TCP is still allowed.
 add rule layer=um actiontype=block filterkey=50754fe4-aa2d-42ff-8196-e90ea8fd2527
 add condition field=protocol matchtype=equal data=ncacn_np
 add condition field=if_uuid matchtype=equal data=50abc2a4-574d-40b3-9d66-ee4fd5fba076
 add filter
+
+# Block the MimiCom protocol used by Mimikatz
+rpc filter
+add rule layer=um actiontype=block filterkey=644291ca-9530-4066-b654-e7b838ebdc06
+add condition field=if_uuid matchtype=equal data=17FC11E9-C258-4B8D-8D07-2F4125156244
+add filter

ADDS/DCFWTool/Set-ADDSFirewallPolicy.Sample.json

@@ -2,13 +2,15 @@
     "$schema": "Set-ADDSFirewallPolicy.schema.json",
     "GroupPolicyObjectName": "Domain Controller Firewall",
     "GroupPolicyObjectComment": "This GPO is managed by the Set-ADDSFirewallPolicy.ps1 PowerShell script.",
+    "TargetDomain": "contoso.com",
     "LogDroppedPackets": true,
     "LogAllowedPackets": false,
     "LogFilePath": "%systemroot%\\system32\\logfiles\\firewall\\pfirewall.log",
     "LogMaxSizeKilobytes": 128,
     "ClientAddresses": [ "10.220.2.0/24", "10.220.4.0/24", "10.220.5.0/24", "10.220.6.0/24" ],
     "ManagementAddresses": [ "10.220.3.0/24" ],
     "DomainControllerAddresses": [ "10.220.1.0/24" ],
+    "RadiusClientAddresses": [ "10.220.1.12/32", "10.220.1.13/32" ],
     "NtdsStaticPort": 38901,
     "NetlogonStaticPort": 38902,
     "FrsStaticPort": 38903,
@@ -17,6 +19,7 @@
     "DisableNetbiosBroadcasts": true,
     "DisableLLMNR": true,
     "DisableMDNS": true,
+    "BlockManagementFromDomainControllers": false,
     "EnableServiceManagement": true,
     "EnableEventLogManagement": true,
     "EnableScheduledTaskManagement": true,
@@ -33,8 +36,17 @@
     "EnableNetbiosDatagramService": false,
     "EnableNetbiosSessionService": false,
     "EnableWINS": false,
+    "EnableDhcpServer": false,
+    "EnableNPS": false,
+    "EnableKMS": false,
+    "EnableWSUS": false,
+    "EnableWDS": false,
+    "EnableWebServer": false,
+    "EnableFSRMManagement": false,
+    "EnablePrintSpooler": false,
     "EnableNetworkProtection": true,
     "BlockWmiCommandExecution": true,
     "EnableRpcFilters": true,
-    "EnableLocalIPsecRules": false
-}
+    "EnableLocalIPsecRules": false,
+    "CustomRuleFileNames": null
+}