How to enforce firewall requirements on UserLock Server and protected machines
This step-by-step guide shows you how to:
- Configure Windows Firewall for a single computer.
- Configure Windows Firewall rules with GPOs.
Configure Windows Firewall for a single computer:
This section shows how to create the inbound firewall rules on the UserLock server and on protected machines. The rules to create are:
- File and Printer Sharing
- Remote Registry service. Warning: only on machines where the UserLock agent is to be installed.
Advanced configuration to allow File and Printer Sharing and Remote Registry only between the UserLock server and protected machines:
Edit each rule created above ("File and Printer Sharing (Echo Request - ICMPv4-In)", "File and Printer Sharing (Echo Request - ICMPv6-In)" and "File and Printer Sharing (SMB-In)") and, on the Scope tab, specify the source ("Local IP address") and the target ("Remote IP address").
Configure addresses in firewall rules of the UserLock server:
In Local IP Address: add the IP address(es) of the UserLock server(s).
In Remote IP Address: several options are available (a single IP address or subnet, an IP address range, or a predefined set of computers). In this example, set an IP range that can be assigned to protected machines.
Configure addresses in firewall rules of protected machines:
In Local IP Address: in this example, set the same IP range that can be assigned to protected machines.
In Remote IP Address: add the IP address(es) of the UserLock server(s).
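The same scoping can be applied from PowerShell with the NetSecurity module, as an added example that is not part of the UserLock documentation. It assumes the three predefined rule names quoted above, placeholder addresses (10.0.0.10, 10.0.0.11 for the servers, 10.0.1.1-10.0.1.254 for protected machines) that you must replace, and that the guide's "Remote registry service" item refers to the Windows RemoteRegistry service, which is reached over the SMB port already allowed by the SMB-In rule.

```powershell
# Added example: scope the File and Printer Sharing rules to the
# UserLock server <-> protected machine pair. Run as administrator
# on the machine whose role you pass in. Addresses are placeholders.
param(
    [ValidateSet('Server', 'Protected')] [string] $Role = 'Server'
)
$UserLockServers = @('10.0.0.10', '10.0.0.11')   # placeholder server IPs
$ProtectedRange  = '10.0.1.1-10.0.1.254'         # placeholder range for protected machines

# The three predefined rules named in the guide
$RuleNames = @(
    'File and Printer Sharing (Echo Request - ICMPv4-In)',
    'File and Printer Sharing (Echo Request - ICMPv6-In)',
    'File and Printer Sharing (SMB-In)'
)

# Scope: Local = this machine's own address set, Remote = the peer set
if ($Role -eq 'Server') {
    $Local  = $UserLockServers
    $Remote = $ProtectedRange
} else {
    $Local  = $ProtectedRange
    $Remote = $UserLockServers
}

foreach ($name in $RuleNames) {
    $rules = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $rules) { Write-Warning "Predefined rule not found: $name"; continue }
    # Enable the rule and restrict both ends of the connection
    $rules | Set-NetFirewallRule -Enabled True -LocalAddress $Local -RemoteAddress $Remote
}

# Assumption: protected machines (where the agent is installed) need the
# RemoteRegistry Windows service running; it is reached over SMB (TCP 445).
if ($Role -eq 'Protected') {
    Set-Service -Name RemoteRegistry -StartupType Automatic
    Start-Service -Name RemoteRegistry
}

# Verify the resulting scope of each rule (one entry per profile copy)
$RuleNames | ForEach-Object { Get-NetFirewallRule -DisplayName $_ -ErrorAction SilentlyContinue } |
    ForEach-Object {
        $f = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Profile = $_.Profile
            Local   = ($f.LocalAddress -join ', ')
            Remote  = ($f.RemoteAddress -join ', ')
        }
    } | Format-Table -AutoSize
```

Run it once with `-Role Server` on each UserLock server and with `-Role Protected` on each protected machine; the final table should show Local and Remote limited to the addresses you configured rather than "Any".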
Configure Windows Firewall rules with GPOs:
To apply the advanced rules on the UserLock server and on protected machines, create two GPOs:
- one GPO for the UserLock server
- one GPO for protected machines
For both GPOs:
- Edit GPO.
- Browse "Computer Configuration", "Policies", "Windows Settings", "Security Settings", "Windows Defender Firewall with Advanced Security", "Windows Defender Firewall with Advanced Security - ...", "Inbound Rules".
- For every rule to create (see above for which rules apply to the UserLock server and which to the protected machines): right-click, choose "New Rule...", then follow the wizard as described above.
UserLock server GPO: the rules and address scope described above for the UserLock server.
Protected machines GPO: the rules and address scope described above for protected machines.