Release 1.0 (#3)

- Implemented code signing
- Finalized the documentation
- Improved script logic

Author: MichaelGrafnetter

.github/workflows/deploy-pages.yml

@@ -38,9 +38,6 @@ jobs:
           cache: pip
           cache-dependency-path: Generators/mkdocs/requirements.txt
 
-      - name: Install MKDocs
-        run: pip install mkdocs
-
       - name: Build site with MKDocs
         run: Generators/mkdocs/mkdocs.sh
         env:

.github/workflows/generate-whitepaper.yml

@@ -4,6 +4,7 @@ on:
   push:
     paths:
       - 'ADDS/README.md'
+      - Generators/pandoc/*
       - '.github/workflows/generate-whitepaper.yml'
 
 jobs:
@@ -20,33 +21,23 @@ jobs:
         run: echo "date=$(date '+%B %e, %Y')" > $GITHUB_OUTPUT
 
       - name: Generate the whitepaper using Pandoc
-        uses: docker://pandoc/extra:3.1.1
+        uses: docker://pandoc/extra:3.5.0
         with:
           args: >-
             --output=Domain_Controller_Firewall.pdf
-            --from=markdown
-            --to=pdf
             --pdf-engine=xelatex
+            --template=eisvogel
+            --resource-path="ADDS:/.pandoc/templates"
+            --lua-filter=Generators/pandoc/pandoc.lua
+            --include-in-header=Generators/pandoc/header.tex
+            --metadata-file=Generators/pandoc/metadata.yml
             --shift-heading-level-by=-1
             --top-level-division=section
             --table-of-contents
             --toc-depth=2
             --number-sections
-            --template=eisvogel
-            --lua-filter=Generators/pandoc/pandoc.lua
-            --variable=lof:true
-            --variable=classoption:oneside
-            --variable=geometry:a4paper,margin=2cm
-            --variable=colorlinks:true
             --variable=linkcolor:"[HTML]{4077C0}"
-            --variable=titlepage:true
-            --variable=titlepage-rule-color:de0000
-            --variable=titlepage-rule-height:40
-            --variable=header-includes:"\usepackage{sectsty} \sectionfont{\clearpage}"
-            --variable=caption-justification:centering
-            --variable=listings-disable-line-numbers:true
             --metadata date="${{ steps.get_date.outputs.date }}"
-            --resource-path="ADDS:/.pandoc/templates"
             ADDS/README.md
 
       - name: Publish the whitepaper as artifact

.github/workflows/sign-scripts.yml

@@ -0,0 +1,56 @@
+name: Sign PowerShell Scripts
+
+on:
+  push:
+    branches: ["main"]
+    paths:
+      - 'ADDS/DCFWTool/*.ps1'
+      - '.github/workflows/sign-scripts.yml'
+
+permissions:
+  id-token: write
+
+jobs:
+  sign:
+    name: Sign and Publish Scripts
+    runs-on: windows-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout the repository
+        uses: actions/checkout@v4
+
+      - name: Install Azure KeyVault Code Signing Tool
+        shell: cmd
+        run: dotnet tool install --global AzureSignTool
+      
+      - name: Azure Login
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.SIGNING_CLIENT_ID }}
+          tenant-id: ${{ secrets.SIGNING_TENANT_ID }}
+          allow-no-subscriptions: true
+
+      - name: Sign PowerShell scripts
+        shell: cmd
+        env:
+          SIGNING_VAULT_URL: ${{ secrets.SIGNING_VAULT_URL }}
+          SIGNING_CERTIFICATE_NAME: ${{ secrets.SIGNING_CERTIFICATE_NAME }}
+        working-directory: ADDS/DCFWTool
+        timeout-minutes: 1
+        run: |
+          for /f %%i in ('az account get-access-token --resource "https://vault.azure.net" --query accessToken --output tsv') do set KEYVAULT_TOKEN=%%i
+          AzureSignTool sign ^
+          Set-ADDSFirewallPolicy.ps1 ^
+          Show-WindowsFirewallLog.ps1 ^
+          --file-digest sha256 ^
+          --timestamp-digest sha256 ^
+          --timestamp-rfc3161 http://timestamp.digicert.com ^
+          --azure-key-vault-url "%SIGNING_VAULT_URL%" ^
+          --azure-key-vault-accesstoken "%KEYVAULT_TOKEN%" ^
+          --azure-key-vault-certificate "%SIGNING_CERTIFICATE_NAME%"
+    
+      - name: Upload PowerShell scripts as Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: DCFWTool
+          path: ADDS/DCFWTool

.gitignore

@@ -5,3 +5,6 @@
 # Website generated by MkDocs
 /docs/
 /site/
+
+# Python virtual environment
+/venv/

.markdownlint.json

@@ -0,0 +1,12 @@
+{
+    "$schema": "https://raw.githubusercontent.com/DavidAnson/markdownlint/main/schema/markdownlint-config-schema.json",
+    "MD007": {
+        "$comment": "Increase unordered list indentation for MkDocs compatibility.",
+        "indent": 4
+    },
+    "MD013": {
+        "$comment": "Allow long lines for code blocks.",
+        "line_length": 120,
+        "tables": false
+    }
+}

ADDS/DCFWTool/CustomRules.Sample.ps1

@@ -20,7 +20,7 @@ List of client IP adresses from which inbound traffic should be allowed. This li
 
 .NOTES
 Author:  Michael Grafnetter
-Version: 2.5
+Version: 2.6
 
 #>
 
@@ -32,12 +32,6 @@ param(
     [Parameter(Mandatory = $true)]
     [string] $GPOSession,
 
-    [ValidateNotNullOrEmpty()]
-    [string[]] $ClientAddresses = @('Any'),
-
-    [ValidateNotNullOrEmpty()]
-    [string[]] $ManagementAddresses = @('Any'),
-
     [ValidateNotNullOrEmpty()]
     [string[]] $DomainControllerAddresses = @('Any'),
 
@@ -58,7 +52,7 @@ Feel free to add your custom firewall rules below to match your environment.
 #>
 
 # Create Inbound rule "File and Printer Sharing over SMBDirect (iWARP-In)"
-New-NetFirewallRule -GPOSession $gpoSession `
+New-NetFirewallRule -GPOSession $GPOSession `
                     -Name 'FPSSMBD-iWARP-In-TCP' `
                     -DisplayName 'File and Printer Sharing over SMBDirect (iWARP-In)' `
                     -Group 'File and Printer Sharing over SMBDirect' `

ADDS/DCFWTool/RpcNamedPipesFilters.txt

@@ -1,6 +1,6 @@
 # Synopsis: This NETSH script is part of the Domain Controller Firewall project.
 # Author:   Michael Grafnetter
-# Version:  2.0
+# Version:  2.1
 # Usage:    netsh.exe -f RpcNamedPipesFilters.txt
 # Rollback: netsh.exe rpc filter delete filter filterkey=all
 # Check:    netsh.exe rpc filter show filter
@@ -96,18 +96,6 @@ add rule layer=um actiontype=block filterkey=0a239867-73db-45e6-b287-d006fe3c8b1
 add condition field=if_uuid matchtype=equal data=4FC742E0-4A10-11CF-8273-00AA004AE673
 add filter
 
-# Restrict [MS-FSRVP]: File Server Remote VSS Protocol, Named pipe: \PIPE\FssagentRpc
-# Limit access to Domain Admins only.
-add rule layer=um actiontype=permit filterkey=869a3c6c-60dd-4558-a58b-8d9e86b0da5f
-add condition field=if_uuid matchtype=equal data=a8e0653c-2744-4389-a61d-7373df8b2292
-add condition field=remote_user_token matchtype=equal data=D:(A;;CC;;;DA)
-add filter
-
-# Block MS-FSRVP by default
-add rule layer=um actiontype=block filterkey=4bce314a-d956-41cf-86f1-75067362cae6
-add condition field=if_uuid matchtype=equal data=a8e0653c-2744-4389-a61d-7373df8b2292
-add filter
-
 # Block [MS-DNSP]: Domain Name Service (DNS) Server Management Protocol, Named pipe: \PIPE\DNSSERVER
 # This rule only blocks RPC over Named Pipes, while RPC over TCP is still allowed.
 add rule layer=um actiontype=block filterkey=50754fe4-aa2d-42ff-8196-e90ea8fd2527

ADDS/DCFWTool/Set-ADDSFirewallPolicy.ps1

@@ -18,7 +18,7 @@ Online documentation: https://github.com/MichaelGrafnetter/active-directory-fire
 
 .NOTES
 Author:  Michael Grafnetter
-Version: 2.5
+Version: 2.7
 
 #>
 
@@ -254,14 +254,18 @@ if($configuration.EnableNetbiosNameService -or $configuration.EnableNetbiosDatag
     Write-Warning -Message 'NetBIOS is a legacy protocol and should be disabled in modern networks.'
 }
 
-if(-not($configuration.DisableLLMNR -and $configuration.DisableMDNS -and $configuration.DisableNetbiosBroadcasts)) {
-    Write-Warning -Message 'Only the DNS protocol should be used for name resolution in modern networks.'
+if(-not($configuration.DisableLLMNR -and $configuration.DisableMDNS)) {
+    Write-Warning -Message 'Only the DNS protocol should be used for name resolution in modern networks. Protocols using distributed name resolution, including LLMNR and mDNS, should be disabled on DCs.'
 }
 
 if(-not($configuration.LogMaxSizeKilobytes -ge 16384 -and $configuration.LogDroppedPackets -and $configuration.LogAllowedPackets)) {
     Write-Warning -Message 'The firewall log settings do not meet the standardized security baselines.'
 }
 
+if($configuration.BlockWmiCommandExecution -eq $true) {
+    Write-Warning -Message 'SCCM client and DP do not work properly on systems where command execution over WMI is blocked.'
+}
+
 #endregion Configuration Validation
 
 #region Create and Configure the GPO
@@ -1697,44 +1701,6 @@ Save-NetGPO -GPOSession $gpoSession
 
 #region Registry Settings
 
-# Set the Delivery Optimization Download Mode to Simple
-# DCs should not be downloading updates from peers.
-Set-GPRegistryValue -Guid $gpo.Id `
-                    -Key 'HKLM\Software\Policies\Microsoft\Windows\DeliveryOptimization' `
-                    -ValueName 'DODownloadMode' `
-                    -Value 99 `
-                    -Type DWord `
-                    -Domain $domain.DNSRoot `
-                    -Server $targetDomainController `
-                    -Verbose:$isVerbose > $null
-
-# Set Allow Telemetry to Security [Enterprise Only]
-Set-GPRegistryValue -Guid $gpo.Id `
-                    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection' `
-                    -ValueName 'AllowTelemetry' `
-                    -Value 0 `
-                    -Type DWord `
-                    -Domain $domain.DNSRoot `
-                    -Server $targetDomainController `
-                    -Verbose:$isVerbose > $null
-
-# Turn off Application Telemetry
-Set-GPRegistryValue -Guid $gpo.Id `
-                    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat' `
-                    -ValueName 'AITEnable' `
-                    -Value 0 `
-                    -Type DWord `
-                    -Domain $domain.DNSRoot `
-                    -Server $targetDomainController `
-                    -Verbose:$isVerbose > $null
-
-<#
-TODO: Add more registry settings
-- OneSettings
-- Allow Diagnostic Data to Disabled.
-  Administrative Template > Windows Components > Data Collection and Preview Builds
-#>
-
 # Prevent users and apps from accessing dangerous websites
 # (Enables Microsoft Defender Exploit Guard Network Protection)
 # This might block some Internet C2 traffic.

ADDS/DCFWTool/Undo-ADDSFirewallPolicy.bat

@@ -0,0 +1,49 @@
+@ECHO OFF
+REM Synopsis: This script resets the unmanaged domain controller policy settings to their default values.
+REM           It is intended to be executed locally on all domain controllers in the domain.
+REM Author:   Michael Grafnetter
+REM Version:  1.0
+
+gupdate /force
+
+echo Make sure that GPO settings are applied.
+gpupdate.exe /Target:Computer
+
+echo Move the WMI service into the shared Svchost process.
+winmgmt.exe /sharedhost
+
+echo Configure the DFS Replication service to use a dynamic RPC port.
+dfsrdiag.exe StaticRPC /Port:0
+
+echo Remove all RPC filters.
+netsh.exe rpc filter delete filter filterkey=all
+
+echo Configure the Active Directory service to use a dynamic RPC port.
+reg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" /v "TCP/IP Port" /f
+
+echo Configure the Netlogon service to use a dynamic RPC port.
+reg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /DCTcpipPort /f
+
+echo Configure the legacy FRS service to use a dynamic RPC port.
+reg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters" /v "RPC TCP/IP Port Assignment" /f
+
+echo Reset mDNS settings.
+reg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v EnableMDNS /f
+
+echo Reset ICMP settings.
+reg.exe delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" /v EnableICMPRedirect /f
+reg.exe delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" /v PerformRouterDiscovery /f
+reg.exe delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" /v DisableIPSourceRouting /f
+reg.exe delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters" /v DisableIPSourceRouting /f
+
+echo Reset NetBIOS settings.
+reg.exe delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters" /v NoNameReleaseOnDemand /f
+reg.exe delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters" /v NodeType /f
+
+echo Restart the NTDS service.
+net.exe stop NTDS
+net.exe start NTDS
+
+echo Restart the NtFrs service.
+net.exe stop NtFrs
+net.exe start NtFrs