
Windows Firewall Rules

Hi all,

I'm wanting to really lock down my Windows firewall rules. On endpoints that are running Sophos Endpoint Security & Control 9.5, I have the following rule (it is the same for both inbound & outbound):

  • NAME - SOPHOS - RouterNT
  • ACTION - Allow the connection
  • PROGRAM - %ProgramFiles% (x86)\Sophos\Remote Management System\RouterNT.exe
  • SERVICES - Apply to all programs and services
  • PROTOCOLS & PORTS - Protocol Type - Any
  • SCOPE - Local IP Address - Any IP Address; Remote IP Address - Any IP Address
  • ADVANCED PROFILES - Domain

  1. I want to harden the rules so what is recommended?
  2. Is this rule only needed for outbound and not inbound rules (or vice versa)?
  3. Should I specify Local IP Address as the endpoint and the Remote IP Address as the Sophos server?
  4. Can I restrict the protocols to TCP on local & remote ports 8192-8194 (or other)?
  5. Should I specify the Sophos server in Authorized Computers rather than in the Scope?

Many questions and I'm sure more will arise, so thanks in advance to any that reply.


  • Is the host(s) reporting to a SUM or directly to the Enterprise Console server? It seems to me that you have already kind of answered your own questions in a way. Not much else you could do to lock down the ruleset.

    These rules above do apply to Windows Firewall settings. These are the ports that RouterNT.exe will use.

    1. I want to harden the rules so what is recommended?

    Lock down the rule by explicit assignment of the destination IP.

    2. Is this rule only needed for outbound and not inbound rules (or vice versa)?

    I believe the 8192-8194 ports are used for inbound and outbound.

    3. Should I specify Local IP Address as the endpoint and the Remote IP Address as the Sophos server?

    Could just use LOCALHOST and, yes, the Sophos server as the destination.

    4. Can I restrict the protocols to TCP on local & remote ports 8192-8194 (or other)?

    Yes you can. Sophos does not use the UDP protocol for these ports.

    5. Should I specify the Sophos server in Authorized Computers rather than in the Scope?

    Either or both.

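The tightened rule the reply describes (program-scoped, TCP only, ports 8192-8194, remote address pinned to the Sophos server, Domain profile), as an added example that is not from the thread or from Sophos. It assumes the NetSecurity cmdlets (Windows 8 / Server 2012 or later; on Windows 7 the equivalent is netsh advfirewall) and a placeholder server address; only the listening side's port is pinned, because the connecting side normally uses an ephemeral source port, so verify with netstat -ano before also pinning the other side as the thread suggests.

```powershell
# Added example, not from the thread: replace the broad "Any/Any" RouterNT rule
# with one allow rule per direction, scoped as the reply recommends.
$SophosServer = '10.0.0.5'   # PLACEHOLDER: address of your Enterprise Console / SUM server
$RouterNT     = "${env:ProgramFiles(x86)}\Sophos\Remote Management System\RouterNT.exe"
$Ports        = '8192-8194'  # TCP ports RouterNT.exe uses, per the thread

if (-not (Test-Path -LiteralPath $RouterNT)) {
    throw "RouterNT.exe not found at $RouterNT - check the install path before adding rules"
}

foreach ($Direction in 'Inbound', 'Outbound') {
    $Rule = @{
        DisplayName   = "SOPHOS - RouterNT ($Direction)"
        Direction     = $Direction
        Action        = 'Allow'
        Program       = $RouterNT       # rule applies to this binary only
        Protocol      = 'TCP'           # no UDP needed for these ports
        RemoteAddress = $SophosServer   # explicit destination/source instead of Any
        Profile       = 'Domain'
        Enabled       = 'True'
    }
    # Pin the port on the side that listens: local for inbound, remote for outbound.
    # (Assumption: the other side is ephemeral; confirm with netstat before pinning both.)
    if ($Direction -eq 'Inbound') { $Rule.LocalPort = $Ports } else { $Rule.RemotePort = $Ports }

    # Remove any earlier rule of the same name so the old broad one does not linger alongside.
    Get-NetFirewallRule -DisplayName $Rule.DisplayName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule @Rule | Out-Null
}

# Verification: list the effective filters so nothing is still left at "Any".
Get-NetFirewallRule -DisplayName 'SOPHOS - RouterNT*' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Direction  = $_.Direction
        Profile    = $_.Profile
        Program    = ($_ | Get-NetFirewallApplicationFilter).Program
        Protocol   = $port.Protocol
        LocalPort  = $port.LocalPort
        RemotePort = $port.RemotePort
        Remote     = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    }
} | Format-Table -AutoSize
```

Run from an elevated prompt; the verification table should show TCP, the expected port range in the pinned column, and the server address rather than Any in the Remote column.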