Intune: Windows Firewall Public Profile Enabled

💼 Management Summary

Enable Windows Firewall Public Profile - **CRITICAL** defense for public WiFi (airport, hotel, coffee shop = hostile networks).

Recommendation: IMPLEMENT IMMEDIATELY
Risk without: Critical
Risk Score: 10/10
Implementation: 2h (tech: 1h)
Applies to:
✓ Windows 10
✓ Windows 11

Public WiFi is an extreme threat. Risks on a public network:
  - Packet sniffing (an attacker captures traffic)
  - MITM attacks (fake WiFi access points)
  - Rogue devices (an attacker on the same network scans your laptop)
  - No trust: anyone on the network can be an attacker
The Public profile firewall applies the most restrictive settings (block almost EVERYTHING inbound). Critical for laptops (travel) and remote workers (coffee shops).
Attack scenario: airport WiFi → attacker scans 445/SMB → WITHOUT firewall: the access attempt succeeds; WITH firewall: blocked (the laptop is invisible to the attacker).

PowerShell Modules Required
Primary API: Microsoft Graph API
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.DeviceManagement

Implementation

Public profile: triggered on an unknown network (not domain-joined, not designated 'Private'). Settings:
  - Firewall: ON (enabled)
  - Default inbound: BLOCK ALL (strictest)
  - Default outbound: Allow (web browsing keeps working)
  - Exceptions: MINIMAL (only essentials, e.g. the VPN client)

Requirements

  1. Intune subscription
  2. Windows 10/11
  3. Laptops (priority - travel users)

Implementation

Intune Settings Catalog: Windows Firewall → Public Profile → Enable Firewall: ON (True). Default inbound: Block. CRITICAL for laptops. Test: connect to public WiFi → verify the firewall is active.
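The "verify the firewall is active" test above, and the Public profile settings listed earlier (firewall on, default inbound block, default outbound allow, minimal exceptions), can be checked in one pass on the device itself. The following audit function is an added example and is not the page's own script; it uses only the built-in NetSecurity cmdlets (Get-NetConnectionProfile, Get-NetFirewallProfile, Get-NetFirewallRule). The function name Test-PublicProfileHardening and the placeholder VPN rule name in the allow-list are this example's own assumptions.

```powershell
#Requires -Version 5.1
# Added example (not the page's script): audit the Windows Firewall Public profile
# against the expected hardening and list every enabled inbound allow rule that
# applies on public networks, so exceptions can be justified one by one.
function Test-PublicProfileHardening {
    [CmdletBinding()]
    param(
        # Rule display names you consciously allow on public networks (e.g. the VPN client).
        # The default entry is a placeholder, not a real product's rule name.
        [string[]]$AllowedInboundRules = @('Example VPN Client (placeholder)')
    )

    $findings = @()

    # 1. Which network category is active right now? On hotel/airport WiFi it should be Public,
    #    otherwise the Public profile is not the one protecting the laptop.
    Get-NetConnectionProfile | ForEach-Object {
        $findings += [PSCustomObject]@{
            Check  = "Active network '$($_.Name)' category"
            Value  = [string]$_.NetworkCategory
            Status = if ($_.NetworkCategory -eq 'Public') { 'OK' } else { 'REVIEW' }
        }
    }

    # 2. Public profile state and default actions (values are GpoBoolean / Action enums,
    #    compared as strings to avoid enum-to-bool conversion surprises).
    $fw = Get-NetFirewallProfile -Name Public
    $expected = @{
        Enabled               = 'True'   # firewall ON
        DefaultInboundAction  = 'Block'  # block all unsolicited inbound
        DefaultOutboundAction = 'Allow'  # browsing keeps working
    }
    foreach ($setting in $expected.Keys) {
        $actual = [string]$fw.$setting
        $findings += [PSCustomObject]@{
            Check  = "Public profile $setting"
            Value  = $actual
            Status = if ($actual -eq $expected[$setting]) { 'OK' } else { 'FAIL' }
        }
    }

    # 3. Enabled inbound allow rules scoped to Public (or 'Any', which covers all profiles).
    #    Each one widens the attack surface on hostile networks; anything not on the
    #    allow-list is flagged for review.
    $inboundAllow = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Where-Object { $_.Profile -match 'Public|Any' }
    foreach ($rule in $inboundAllow) {
        $findings += [PSCustomObject]@{
            Check  = "Inbound allow rule '$($rule.DisplayName)'"
            Value  = [string]$rule.Profile
            Status = if ($AllowedInboundRules -contains $rule.DisplayName) { 'OK' } else { 'REVIEW' }
        }
    }

    return $findings
}

# Usage: run in an elevated PowerShell session after joining a public WiFi network.
Test-PublicProfileHardening | Format-Table -AutoSize
```

Any FAIL row means the Intune policy has not applied (or was overridden locally); REVIEW rows on the rule list are the exceptions to document or remove before the device travels.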

Compliance

CIS Windows Benchmark L1 (CRITICAL), Microsoft Security Baseline, BIO 13.01, ISO 27001 A.13.1.1, NIS2 Art. 21.

Monitoring

Use the PowerShell script enable-public-network-firewall-is-set-to-true.ps1 (function Invoke-Monitoring) – Check.

Remediation

Use the PowerShell script enable-public-network-firewall-is-set-to-true.ps1 (function Invoke-Remediation) – Remediate.

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    Intune Windows Firewall: Public Profile Enabled
.DESCRIPTION
    CIS - Public firewall MUST be enabled (critical!).
.NOTES
    Filename: firewall-public-enabled.ps1 | Author: Nederlandse Baseline voor Veilige Cloud | NetSH: Public Enabled | Expected: True
#>
#Requires -Version 5.1
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [switch]$WhatIf,
    [switch]$Monitoring,
    [switch]$Remediation,
    [switch]$Revert
)

$ErrorActionPreference = 'Stop'
# Named $FwProfile rather than $Profile: $PROFILE is a PowerShell automatic variable.
$FwProfile     = "Public"
# Get-NetFirewallProfile returns a GpoBoolean enum; compare its string form ('True'/'False').
$ExpectedValue = 'True'

function Connect-RequiredServices {
    # The script works locally; this only confirms the session is elevated.
    $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-Compliance {
    $r = [PSCustomObject]@{
        ScriptName    = "firewall-public-enabled.ps1"
        PolicyName    = "Firewall Public Enabled"
        IsCompliant   = $false
        CurrentValue  = $null
        ExpectedValue = "Enabled"
        Details       = @()
    }
    try {
        $fw = Get-NetFirewallProfile -Name $FwProfile -ErrorAction SilentlyContinue
        if ($fw) {
            $r.CurrentValue = $fw.Enabled
            if ([string]$fw.Enabled -eq $ExpectedValue) {
                $r.IsCompliant = $true
                $r.Details += "Public firewall enabled"
            } else {
                $r.Details += "Public firewall disabled - CRITICAL RISK"
            }
        } else {
            $r.Details += "Profile niet gevonden"
        }
    } catch {
        $r.Details += "Error: $($_.Exception.Message)"
    }
    return $r
}

function Invoke-Remediation {
    Set-NetFirewallProfile -Name $FwProfile -Enabled True
    Write-Host "Public firewall enabled" -ForegroundColor Green
}

function Invoke-Monitoring {
    $r = Test-Compliance
    $status = if ($r.IsCompliant) { 'COMPLIANT' } else { 'NON-COMPLIANT' }
    $color  = if ($r.IsCompliant) { 'Green' } else { 'Red' }
    Write-Host "`n$($r.PolicyName): $status" -ForegroundColor $color
    return $r
}

function Invoke-Revert {
    # Deliberately a no-op: this script never disables the public firewall.
    Write-Host "WARNING: Not disabling public firewall"
}

try {
    if (-not (Connect-RequiredServices)) { exit 1 }
    if ($Monitoring) {
        $r = Invoke-Monitoring
        exit $(if ($r.IsCompliant) { 0 } else { 1 })
    } elseif ($Remediation) {
        if (-not $WhatIf) { Invoke-Remediation }
    } elseif ($Revert) {
        Invoke-Revert
    } else {
        $r = Test-Compliance
        exit $(if ($r.IsCompliant) { 0 } else { 1 })
    }
} catch {
    Write-Error $_
    exit 1
}

Risk without implementation

Critical: Public WiFi without a firewall = direct network attacks (laptop exposed).

Management Summary

Enable Windows Firewall Public Profile. PUBLIC WIFI DEFENSE. Laptops have priority. Zero business impact. Implementation: 1-2 hours.