BIO 12.04.01 ISO A.12.4.1

Intune: Windows Firewall Public - Log Successful Connections

πŸ“… 2025-10-30
β€’
⏱️ 2 minuten lezen
β€’
🟒 Should-Have

πŸ’Ό Management Samenvatting

Log successful Public firewall connections - audit trail of allowed traffic on public WiFi (forensics: 'what did laptop access on hotel WiFi?').

Aanbeveling
CONDITIONAL (if compliance requires)
Risico zonder
Low
Risk Score
3/10
Implementatie
5u (tech: 2u)
Van toepassing op:
βœ“ Windows 10
βœ“ Windows 11

Public WiFi successful logging = forensics: Use case: Incident investigation: 'Did compromised laptop exfiltrate data on airport WiFi?' β†’ check successful connections β†’ large transfer to unknown IP = YES, Compliance: Network access audit (PCI-DSS requires network logs), Data exfiltration detection: Successful connections to external IPs (SIEM alert on anomalies). Trade-off: HIGH log volume (every HTTPS, VPN, email connection logged) β†’ requires large log size (32MB+) + SIEM forwarding.

PowerShell Modules Vereist
Primary API: Microsoft Graph API
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.DeviceManagement

Implementatie

Log public successful: Policy: Log successful connections: Yes, Log volume: HIGH (all allowed traffic on public WiFi), Use case: Forensics, compliance, data exfiltration detection, SIEM: Forward to Log Analytics (filter anomalies - large transfers, unusual destinations).

Vereisten

  1. Intune subscription
  2. Windows 10/11
  3. Log size: 32MB+ (high volume)
  4. SIEM: Log Analytics (forward logs)
  5. Compliance: Network audit requirement

Implementatie

Intune Settings Catalog: Windows Firewall β†’ Public Profile β†’ Log successful connections: Yes. Log size: 32MB+. Export: Log Analytics β†’ SIEM alerts (anomaly detection).

Compliance

ISO 27001 A.12.4.1, BIO 12.04, PCI-DSS Req. 10.2.

Monitoring

Gebruik PowerShell-script enable-public-network-firewall-enable-log-success-connections-is-set-to-enable-logging-of-successful-connections.ps1 (functie Invoke-Monitoring) – Controleren.

Remediatie

Gebruik PowerShell-script enable-public-network-firewall-enable-log-success-connections-is-set-to-enable-logging-of-successful-connections.ps1 (functie Invoke-Remediation) – Herstellen.

Compliance & Frameworks

Automation

Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).

PowerShell
<# .SYNOPSIS Intune Windows Firewall: Public Log Success .DESCRIPTION CIS - Public success connections logging. .NOTES Filename: firewall-public-log-success.ps1|Author: Nederlandse Baseline voor Veilige Cloud|NetSH: Public LogAllowed|Expected: True #> #Requires -Version 5.1 #Requires -RunAsAdministrator [CmdletBinding()]param([switch]$WhatIf, [switch]$Monitoring, [switch]$Remediation, [switch]$Revert) $ErrorActionPreference = 'Stop'; $Profile = "Public"; $ExpectedValue = $true function Connect-RequiredServices { $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) } function Test-Compliance { $r = [PSCustomObject]@{ScriptName = "firewall-public-log-success.ps1"; PolicyName = "Firewall Public Log Success"; IsCompliant = $false; CurrentValue = $null; ExpectedValue = "Enabled"; Details = @() }; function Invoke-Revert { Set-NetFirewallProfile -Name $Profile -LogAllowed False } try { $fw = Get-NetFirewallProfile -Name $Profile -ErrorAction SilentlyContinue; if ($fw) { $r.CurrentValue = $fw.LogAllowed; if ($fw.LogAllowed -eq $ExpectedValue) { $r.IsCompliant = $true; $r.Details += "Success logging enabled" }else { $r.Details += "Success logging: $($fw.LogAllowed)" } }else { $r.Details += "Profile niet gevonden" } }catch { $r.Details += "Error: $($_.Exception.Message)" }; return $r } function Invoke-Remediation { Set-NetFirewallProfile -Name $Profile -LogAllowed True; Write-Host "Public success logging enabled" -ForegroundColor Green } function Invoke-Monitoring { $r = Test-Compliance; Write-Host "`n$($r.PolicyName): $(if($r.IsCompliant){'COMPLIANT'}else{'NON-COMPLIANT'})" -ForegroundColor $(if ($r.IsCompliant) { 'Green' }else { 'Red' }); return $r } function Invoke-Revert { Set-NetFirewallProfile -Name $Profile -LogAllowed False } try { if (-not(Connect-RequiredServices)) { exit 1 }; if ($Monitoring) { $r = Invoke-Monitoring; exit $(if ($r.IsCompliant) { 0 }else { 1 }) }elseif ($Remediation) { if (-not $WhatIf) { Invoke-Remediation } }elseif ($Revert) { Invoke-Revert }else { $r = Test-Compliance; exit $(if ($r.IsCompliant) { 0 }else { 1 }) } }catch { Write-Error $_; exit 1 }

Risico zonder implementatie

Risico zonder implementatie
Low: Low: No successful logging = limited public WiFi forensics.

Management Samenvatting

Log Public firewall successful connections (optional). Forensics + compliance. HIGH volume β†’ SIEM required. Implementatie: 2-5 uur.