Intune: Windows Firewall Domain - Log Successful Connections

💼 Management Summary

Log successful firewall connections - audit trail of ALLOWED traffic (forensics: 'which system accessed what?').

Recommendation
CONDITIONAL (if compliance requires)
Risk without
Low
Risk Score
3/10
Implementation
5h (tech: 2h)
Applies to:
✓ Windows 10
✓ Windows 11

Successful connection logging provides an audit trail of allowed traffic. Dropped packets represent attack attempts and are logged by default (CRITICAL); successful connections represent legitimate traffic, and logging them is optional but useful. Use cases:
  1. Forensics: 'Did workstation A access file server B at 2 AM?' (suspicious).
  2. Compliance: network access audit trail (who accessed what, when).
  3. Data exfiltration: large transfers to an external IP (successful connections logged → SIEM alert).
Trade-off: successful connections generate a HIGH log volume (every SMB, HTTP and RDP session), so they require large log files (16MB+) with rotation and forwarding to Log Analytics (SIEM) for long-term retention.

PowerShell Modules Required
Primary API: Microsoft Graph API
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.DeviceManagement

Implementation

Log successful connections. Policy: Log successful connections: Yes. Log format: date, time, action (ALLOW), protocol, source/destination IPs, ports. Volume: HIGH (all allowed traffic is logged, so filter in the SIEM). Use cases: forensics, compliance audits, data exfiltration detection.

Requirements

  1. Intune subscription
  2. Windows 10/11
  3. Log size: 32MB+ (high volume); SIEM: Log Analytics (forward logs for disk space management)
  4. Compliance: Network audit trail requirement

Implementation

Intune Settings Catalog: Windows Firewall → Domain Profile → Log successful connections: Yes. Combine with: log size 32MB+ and export of the logs to Log Analytics (SIEM). Filter: SIEM rules that alert on anomalies (large transfers, unusual destinations).
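The forensic question above ('Did workstation A access file server B at 2 AM?') and the SIEM anomaly filters are easiest to reason about against the log this setting produces. The following is an added example, not part of the baseline script or of Microsoft's tooling: it parses Windows Firewall log lines in the W3C text format that pfirewall.log uses once LogAllowed is enabled, and applies two constructed filters (off-hours allowed connections, large aggregated transfers to non-RFC1918 destinations). The log lines, the business-hours window and the byte threshold are all constructed sample values.

```powershell
# Added example: parse pfirewall.log-style lines and apply two SIEM-style filters.
# Sample log lines are constructed; field order follows the #Fields header the firewall writes.
$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 09:12:03 ALLOW TCP 10.0.1.25 10.0.2.10 51234 445 1460 - - - - - - - SEND
2024-01-15 02:07:44 ALLOW TCP 10.0.1.25 10.0.2.10 51300 445 1460 - - - - - - - SEND
2024-01-15 14:20:11 DROP TCP 203.0.113.7 10.0.1.25 40022 3389 52 S 1 0 65535 - - - RECEIVE
2024-01-15 11:05:09 ALLOW TCP 10.0.1.25 198.51.100.9 55012 443 1460 - - - - - - - SEND
2024-01-15 11:05:09 ALLOW TCP 10.0.1.25 198.51.100.9 55012 443 1460 - - - - - - - SEND
'@ -split "`r?`n"

function ConvertFrom-FirewallLog {
    # Turn each data line into an object whose property names come from the #Fields header.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1] -split '\s+'; continue }
        if (-not $fields -or $line -match '^#' -or -not $line.Trim()) { continue }
        $values = $line -split '\s+'
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $obj[$fields[$i]] = $values[$i] }
        [PSCustomObject]$obj
    }
}

function Test-PrivateIPv4 { param([string]$Ip) $Ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)' }

function Find-SuspiciousAllowed {
    # Constructed thresholds: business hours 07:00-19:00, byte threshold per external flow.
    param($Entries, [int]$BusinessStart = 7, [int]$BusinessEnd = 19, [long]$BytesThreshold = 1MB)
    $allowed = @($Entries | Where-Object { $_.action -eq 'ALLOW' })
    # Rule 1: an allowed connection outside business hours (the "2 AM file server" case).
    foreach ($e in $allowed) {
        $hour = [int]$e.time.Substring(0, 2)
        if ($hour -lt $BusinessStart -or $hour -ge $BusinessEnd) {
            [PSCustomObject]@{ Rule = 'OffHours'; Src = $e.'src-ip'; Dst = $e.'dst-ip'; DstPort = $e.'dst-port'; Bytes = $e.size; When = "$($e.date) $($e.time)" }
        }
    }
    # Rule 2: the size field is per packet, so sum it per src/dst/port flow to an external address.
    $allowed | Where-Object { -not (Test-PrivateIPv4 $_.'dst-ip') -and $_.size -match '^\d+$' } |
        Group-Object 'src-ip', 'dst-ip', 'dst-port' | ForEach-Object {
            $total = ($_.Group | ForEach-Object { [long]$_.size } | Measure-Object -Sum).Sum
            if ($total -ge $BytesThreshold) {
                $f = $_.Group[0]
                [PSCustomObject]@{ Rule = 'LargeExternalTransfer'; Src = $f.'src-ip'; Dst = $f.'dst-ip'; DstPort = $f.'dst-port'; Bytes = $total; When = "$($f.date) $($f.time)" }
            }
        }
}

$entries = ConvertFrom-FirewallLog -Lines $SampleLog
Find-SuspiciousAllowed -Entries $entries -BytesThreshold 2000 | Format-Table -AutoSize
```

On a live system, replace `$SampleLog` with `Get-Content` of the path reported by `(Get-NetFirewallProfile -Name Domain).LogFileName`; the DROP line is included only to show that it is excluded from both rules.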

Compliance

ISO 27001 A.12.4.1 (Event logging), BIO 12.04, PCI-DSS Req. 10.2 (Network logs).

Monitoring

Use the PowerShell script enable-domain-network-firewall-enable-log-success-connections-is-set-to-enable-logging-of-successful-connections.ps1 (function Invoke-Monitoring) to check.

Remediation

Use the PowerShell script enable-domain-network-firewall-enable-log-success-connections-is-set-to-enable-logging-of-successful-connections.ps1 (function Invoke-Remediation) to remediate.

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    Intune Windows Firewall: Domain Log Success Connections
.DESCRIPTION
    CIS - Firewall must log successful connections.
.NOTES
    Filename: firewall-domain-log-success.ps1
    Author:   Nederlandse Baseline voor Veilige Cloud
    NetSH:    Domain Profile LogAllowedConnections
    Expected: True
#>
#Requires -Version 5.1
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [switch]$WhatIf,
    [switch]$Monitoring,
    [switch]$Remediation,
    [switch]$Revert
)

$ErrorActionPreference = 'Stop'
# Named $FwProfile rather than $Profile: $Profile shadows the automatic $PROFILE variable.
$FwProfile     = 'Domain'
# LogAllowed is a GpoBoolean (True/False/NotConfigured), so compare it as a string.
$ExpectedValue = 'True'

function Connect-RequiredServices {
    # Local-only check: the script must run elevated to read and change firewall profiles.
    $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-Compliance {
    $r = [PSCustomObject]@{
        ScriptName    = 'firewall-domain-log-success.ps1'
        PolicyName    = 'Firewall Domain Log Success'
        IsCompliant   = $false
        CurrentValue  = $null
        ExpectedValue = 'Enabled'
        Details       = @()
    }
    try {
        $fw = Get-NetFirewallProfile -Name $FwProfile -ErrorAction SilentlyContinue
        if ($fw) {
            $r.CurrentValue = "$($fw.LogAllowed)"
            if ($r.CurrentValue -eq $ExpectedValue) {
                $r.IsCompliant = $true
                $r.Details += 'Success logging enabled'
            } else {
                $r.Details += "Success logging: $($fw.LogAllowed)"
            }
        } else {
            $r.Details += 'Profile niet gevonden'
        }
    } catch {
        $r.Details += "Error: $($_.Exception.Message)"
    }
    return $r
}

function Invoke-Remediation {
    Set-NetFirewallProfile -Name $FwProfile -LogAllowed True
    Write-Host 'Domain success connections logging enabled' -ForegroundColor Green
}

function Invoke-Monitoring {
    $r = Test-Compliance
    $state  = if ($r.IsCompliant) { 'COMPLIANT' } else { 'NON-COMPLIANT' }
    $colour = if ($r.IsCompliant) { 'Green' } else { 'Red' }
    Write-Host "`n$($r.PolicyName): $state" -ForegroundColor $colour
    return $r
}

function Invoke-Revert {
    # Defined once, at script scope (the original nested a duplicate inside Test-Compliance).
    Set-NetFirewallProfile -Name $FwProfile -LogAllowed False
}

try {
    if (-not (Connect-RequiredServices)) { exit 1 }
    if ($Monitoring) {
        $r = Invoke-Monitoring
        exit $(if ($r.IsCompliant) { 0 } else { 1 })
    } elseif ($Remediation) {
        if (-not $WhatIf) { Invoke-Remediation }
    } elseif ($Revert) {
        Invoke-Revert
    } else {
        $r = Test-Compliance
        exit $(if ($r.IsCompliant) { 0 } else { 1 })
    }
} catch {
    Write-Error $_
    exit 1
}

Risk without implementation

Low: no successful-connection logging means limited forensics (dropped-packet logging is sufficient for security detection).

Management Summary

Log successful firewall connections (optional). Provides a forensics and compliance audit trail. HIGH log volume → SIEM required. Compliance-driven. Implementation: 2-5 hours.