Windows Firewall Dynamic IP Blocking
How-To Guide

Author: Chris Huey
Date: December 29, 2022

This chueyise.com article describes a solution that monitors the Windows event log for failed logon events and dynamically blocks the source IP addresses recorded in those events.

The described solution monitors the Windows event log for failed Remote Desktop Services logons and immediately configures the Windows firewall to block the external source.  If desired, the solution can be adapted to monitor any failed network-related event and block its source.

Solution Summary

  • Enable Windows auditing for logon events
  • Develop a custom PowerShell script that performs the following functions:
      • Create a custom Windows Defender Firewall ‘block’ rule (if one does not already exist from a previous run)
      • Retrieve the last five (5) minutes of failed logon event logs
      • Parse the retrieved events for records with an external Source Network Address
      • If any are found, add the external Source Network Address(es) to the ‘block’ rule
      • Send an alert for the event (the example script uses Slack)
      • Clear the addresses from the ‘block’ rule if no failed logon events were identified in the last five (5) minutes
  • Create a Windows Scheduled Task that immediately executes the custom PowerShell script whenever a failed-logon audit event is written

Prerequisites

  • A publicly facing service requiring authenticated access is enabled and fully functional
  • The Windows Defender Firewall with Advanced Security service is enabled and fully functional

Enable Windows Auditing for Logon Events

As a user with Administrator rights, from the Start menu enter gpedit and select Edit group policy.  Traverse to

  • Computer Configuration >>
  • Windows Settings >>
  • Security Settings >>
  • Advanced Audit Policy Configuration >>
  • System Audit Policies – Local Group Policy Object >>
  • Logon/Logoff >>

and enable Audit Logon for Success and Failure.  Once enabled, every failed logon is written to the Security event log as event ID 4625 (successful logons as 4624); 4625 is the event the script and the scheduled task key on.  On a domain-joined host, an audit policy delivered by a domain GPO takes precedence over this local setting, so verify the effective policy after a policy refresh.

Figure 1 - Windows Auditing for Logon Events

Create the Custom Powershell Script

Create a PowerShell script and save the file in a location that only members of the Administrators group can read or modify.  The scheduled task runs this file with administrative rights, so any user who can write to it can run arbitrary code as that account.  For this guide, the file is named FW-Blocker.ps1 and a working example (with comments explaining the code) is provided below.
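The following FW-Blocker.ps1 is an added example written for this edit, not the author's own script (which is not reproduced on this page).  It implements the steps listed in the Solution Summary using the built-in NetSecurity cmdlets and Get-WinEvent.  Assumptions not taken from the article: the rule is named RDP Block and covers TCP port 3389; RFC 1918, loopback and link-local addresses are treated as internal and are never blocked; the Slack alert is posted to an incoming-webhook URL held in the hypothetical $SlackWebhookUrl variable, which is left empty here so the alert step is skipped.

```powershell
# FW-Blocker.ps1 -- added example, not the article's own script.
# Assumptions (not from the page): rule name 'RDP Block' on TCP 3389, placeholder
# address 1.1.1.1, RFC 1918 / loopback / link-local sources treated as internal,
# Slack webhook URL supplied in the hypothetical $SlackWebhookUrl variable.
#Requires -RunAsAdministrator

$RuleName        = 'RDP Block'
$Placeholder     = '1.1.1.1'   # keeps the remote scope non-empty so the rule never becomes "block Any"
$LookBackMinutes = 5
$SlackWebhookUrl = ''          # e.g. 'https://hooks.slack.com/services/...'; empty = no alert

# Decide whether an address taken from a 4625 event is an external source worth blocking.
function Test-ExternalAddress {
    param([string]$Address)
    $ip = $null
    # 4625 records '-' for console/local logons; TryParse rejects that and empty strings.
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ([System.Net.IPAddress]::IsLoopback($ip)) { return $false }
    if ($ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        return -not ($ip.IsIPv6LinkLocal -or $ip.IsIPv6SiteLocal)
    }
    $b = $ip.GetAddressBytes()
    if ($b[0] -eq 10) { return $false }                                      # 10.0.0.0/8
    if ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) { return $false }  # 172.16.0.0/12
    if ($b[0] -eq 192 -and $b[1] -eq 168) { return $false }                  # 192.168.0.0/16
    if ($b[0] -eq 169 -and $b[1] -eq 254) { return $false }                  # 169.254.0.0/16
    return $true
}

# Pull the source addresses out of failed-logon events (ID 4625) inside the look-back window.
function Get-FailedLogonSources {
    param([int]$Minutes)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    # Get-WinEvent writes an error when nothing matches; treat that as "no events".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $sources = foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
    }
    return @($sources | Where-Object { Test-ExternalAddress $_ } | Sort-Object -Unique)
}

# Step 1: create the block rule on the first run.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    $rule = New-NetFirewallRule -DisplayName $RuleName -Description 'Dynamic RDP brute-force block' `
        -Direction Inbound -Action Block -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $Placeholder -Profile Any -Enabled True
}

# Steps 2-3: failed logons in the last five minutes, external sources only.
$offenders = Get-FailedLogonSources -Minutes $LookBackMinutes

# Step 6: nothing recent -> reset the scope to the placeholder and stop.
if ($offenders.Count -eq 0) {
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $Placeholder
    return
}

# Step 4: merge with what is already blocked (the address filter exposes the rule's scope).
$current = @((Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $rule).RemoteAddress) |
    Where-Object { $_ -ne 'Any' }
$new = @($offenders | Where-Object { $current -notcontains $_ })
if ($new.Count -eq 0) { return }

Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress (@($current) + $new | Sort-Object -Unique)

# Step 5: alert via a Slack incoming webhook (skipped when no URL is configured).
if ($SlackWebhookUrl) {
    $msg = @{ text = "$env:COMPUTERNAME blocked RDP source(s): $($new -join ', ')" } | ConvertTo-Json
    Invoke-RestMethod -Uri $SlackWebhookUrl -Method Post -ContentType 'application/json' -Body $msg
}
```

Run it once from an elevated PowerShell prompt to create the rule, then inspect the scope with Get-NetFirewallRule -DisplayName 'RDP Block' | Get-NetFirewallAddressFilter.  Because the look-back window is five minutes, a run started by the task's 15-minute repetition after the failures stop finds no events and resets the scope to the placeholder, which is the clearing behaviour the Triggers step relies on.  Addresses blocked this way are not persisted anywhere but the rule itself, so keep the Slack message (or a log file) if you need a history of what was blocked and when.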

Create the Scheduled Task

  • From the Start menu, enter Task Scheduler and Run as administrator (Figure 2)
  • Under Task Scheduler (Local), expand Task Scheduler Library and choose New Folder from the Action drop-down.
  • Enter Security Monitoring as the name and click OK.
  • Right-click on the Security Monitoring folder and select Create Task. (Figure 3)
  • In the General tab, configure the settings using Figure 4 as a guide.  For the user account, select a user with administrator privileges, and enable Run whether user is logged on or not and Run with highest privileges so the script can modify the firewall even when nobody is signed in.
Figure 2 - Task Scheduler
Figure 3 - Create Task in Task Scheduler
Figure 4 - Task General Settings
  • In the Triggers tab, select New and configure the settings using Figure 5 as a guide.  The trigger is On an event with Log: Security, Source: Microsoft-Windows-Security-Auditing and Event ID: 4625 (failed logon).  The optional Repeat task every 15 minutes for a duration of 30 minutes re-runs the script after the initial detection so that, once no new failures fall inside its five-minute window, it clears the blocked IPs again.  This is useful for clearing blocks you accidentally caused yourself and for clearing proxied or shared sources.
  • In the Actions tab, select New and configure the settings using Figure 6 as a guide.  The Program/script field must contain the full path to powershell.exe.  The Add arguments field must contain -File [full path to the FW-Blocker.ps1 file]; adding -NoProfile -ExecutionPolicy Bypass in front of -File keeps profile scripts and execution-policy prompts from interfering with an unattended run.
    Example:
    Program/script: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

    Add arguments: -File C:\users\adminuser\FW-Blocker.ps1

  • The settings within the Conditions and Settings tabs can remain at their defaults or be tailored to meet your needs.
Figure 5 - Task Trigger Settings
Figure 6 - Task Action Settings
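The same task can be registered from PowerShell instead of the Task Scheduler GUI.  This is an added example, not part of the article: it assumes the task name FW-Blocker, the folder \Security Monitoring\ and the script path used in the Actions example above, and it runs the task as SYSTEM rather than the administrator account shown in the figures, so no password has to be stored with the task.  Because New-ScheduledTaskTrigger cannot create event triggers, the trigger is built directly from the MSFT_TaskEventTrigger CIM class.

```powershell
# Register the FW-Blocker task -- added example, not from the article.
# Assumptions: task name 'FW-Blocker', folder '\Security Monitoring\', script path as in
# the article's Actions example, task principal SYSTEM (the article uses an admin user).
#Requires -RunAsAdministrator

$ScriptPath = 'C:\users\adminuser\FW-Blocker.ps1'
$TaskName   = 'FW-Blocker'
$TaskPath   = '\Security Monitoring\'

# Event trigger: fire on Security event 4625 from the Security Auditing provider.
$triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Enabled = $true
$trigger.Subscription = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625]]</Select>
  </Query>
</QueryList>
'@

# Repeat every 15 minutes for 30 minutes so the script gets a chance to clear the rule.
# The event trigger class has no cmdlet parameter for this, so borrow the repetition
# pattern from a throwaway time trigger and attach it.
$trigger.Repetition = (New-ScheduledTaskTrigger -Once -At (Get-Date) `
    -RepetitionInterval (New-TimeSpan -Minutes 15) `
    -RepetitionDuration (New-TimeSpan -Minutes 30)).Repetition

# Same program/arguments as the GUI Actions tab, plus flags for unattended execution.
$action = New-ScheduledTaskAction `
    -Execute "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""

# SYSTEM with highest run level: can edit firewall rules, and nothing is stored on disk.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# A burst of 4625 events would otherwise queue up many runs; ignore new starts while one runs.
$settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

Register-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath -Action $action `
    -Trigger $trigger -Principal $principal -Settings $settings -Force

# Confirm the task exists and is ready.
Get-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath | Select-Object TaskName, State
```

The MultipleInstances IgnoreNew setting matters under a real brute-force attempt: each failed logon raises its own 4625 event, and without it Task Scheduler would try to start the script once per event.  If you keep the GUI's administrator account instead of SYSTEM, pass -User and -Password to Register-ScheduledTask and be aware that the credential is then stored by the Task Scheduler service.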

Verify the Deployed Firewall Rule

Run the PowerShell script as a user with Administrator rights to verify that it runs without errors.  The first valid run creates the Windows Firewall rule depicted in Figures 7 through 11.  From the Start menu, enter Firewall, select Windows Defender Firewall with Advanced Security, and Run as administrator.  Expand Inbound Rules and double-click the RDP Block rule.

IMPORTANT: Be sure to refresh the firewall console to see any dynamic changes applied to the rules.  Right-click on Inbound Rules and select Refresh.

NOTE: The rule's Remote IP address scope must always contain at least one address.  If the scope were left at Any IP address, an inbound block rule for the RDP port would block every client, not just the attackers, so the script keeps the placeholder address 1.1.1.1 in the rule at all times and adds the offending addresses alongside it.  1.1.1.1 will therefore always be present by default.

Figure 7 - Firewall General Settings
Figure 8 - Firewall Port Settings
Figure 9 - Firewall Advanced Settings
Figure 10 - Firewall Service Settings
Figure 11 - Remote IP Addresses Setting

Additional References