All of these methods involve "Exporting", which makes a file with all your settings. You can save this file, then "Import" it on the destination VM.
Chapter Two: Firewall Importing/Exporting
Luckily, Windows Firewall settings can also be imported and exported, just like in Local Security Policy.
If you open "Windows Defender Firewall with Advanced Security" (Just search firewall and click the long name), you'll be able to right click as shown in the image and Import/Export to other systems.
Step One: Delete All Existing Rules - First just do a good ol' "CTRL+A" to select all rules, and delete them all (do this for inbound and outbound rules). You can delete them all because, as long as your firewall is on, inbound connections that match no rule are blocked by default, so there should be no inbound "holes", and all outbound traffic is implicitly allowed, so all "Allow" rules for outbound traffic are useless.
Step Two: Make a TCP Rule - Make a new rule (Right click, new rule). Check the "Port" option, because we want to block ports. Ports are numbers used to say what can go through, like EMail or web browsing.
Select "TCP" and under specific remote ports put "20,21,23,25,69,110,137-139,445". This includes many insecure protocols, such as FTP, Telnet, EMail, TFTP, NetBIOS, and SMB. These ports are commonly closed because the protocols that use them are commonly insecure.
Then go through the menu, selecting "Block the connection" and applying it to all networks (Domain, Private, and Public) because we want it to always be on. Name it "Block TCP Ports".
Step Three: Make a UDP Rule - Go through the rule-adding process again, but this time, select "UDP" and for specific remote ports put the same numbers as before. Some of these are only one or the other (TCP or UDP), but it's fine to block it on both. Name this "Block UDP ports".
Step Four: Export your template (Shown in image above) -
Right click in the place shown in the image above and click "Export Policy". This makes a text file holding all your cool rules.
Step Five: Import your template -
Move your rules file to a new computer (you could use DataDeer Share), then right click in the same place and click "Import Policy". Then, your rules will be applied.
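The five steps above can also be scripted from an elevated PowerShell prompt. This is an added example, not part of the original guide; the file paths are placeholders, and the rules are assumed to be Outbound because the guide enters the ports under "specific remote ports" (the inbound wizard offers local ports instead, which would be -Direction Inbound with -LocalPort).

```powershell
# Added example. Run elevated. Paths are hypothetical placeholders.
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup   = "$env:USERPROFILE\Desktop\firewall-before-$stamp.wfw"
$template = "$env:USERPROFILE\Desktop\firewall-template-$stamp.wfw"
$ports    = '20','21','23','25','69','110','137-139','445'   # list from Step Two

# Deleting every rule is only safe while the firewall is on for all profiles.
$off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
if ($off) { throw "Firewall is off for: $($off.Name -join ', '). Turn it on first." }

# Safety net: export the current policy before deleting anything.
netsh advfirewall export $backup | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Backup export failed; existing rules left untouched.' }

# Step One: delete all existing inbound and outbound rules.
Remove-NetFirewallRule -All

# Steps Two and Three: one block rule per protocol, on all three profiles.
# Direction is an assumption (see the lead-in); rule names are the guide's.
$names = @{ TCP = 'Block TCP Ports'; UDP = 'Block UDP ports' }
foreach ($proto in 'TCP','UDP') {
    New-NetFirewallRule -DisplayName $names[$proto] -Direction Outbound `
        -Action Block -Protocol $proto -RemotePort $ports `
        -Profile Domain,Private,Public | Out-Null
}

# Check what was actually created before exporting it.
Get-NetFirewallRule -DisplayName 'Block * Ports' | ForEach-Object {
    $filter = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Name       = $_.DisplayName
        Direction  = $_.Direction
        Action     = $_.Action
        Protocol   = $filter.Protocol
        RemotePort = $filter.RemotePort -join ','
    }
} | Format-Table -AutoSize

# Step Four: export the template.
netsh advfirewall export $template | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Template export failed.' }
Write-Output "Template: $template  (previous policy saved as $backup)"

# Step Five, on the destination VM (elevated), after copying the file over:
#   netsh advfirewall import "<path to the copied .wfw file>"
```

Importing replaces the destination's entire firewall policy, so export a backup there first in the same way.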
Chapter Three: Services Importing/Exporting
Exporting Services is a bit harder than the other ones, but not too bad.
Step One: Open "Security Templates" -
Open MMC (Search it in the taskbar), then go to "File > Add/Remove Snap In".
Scroll to and select Security Templates, then click "Add". Once it's on the right side, click "OK". You will then see a tab called "Security Templates" in MMC.
Step Two: Open a Template -
In your tool, right click "Security Templates" and click "New Template Search Path". Then, choose the directory your templates are/will be in (such as your Desktop).
You can then either open a template (.inf file) you have already made (such as in Chapter One), or just make a new template (Right click, new template).
Step Three: Change the template -
In the template, open the System Services page. Here, you can set services' startup type.
Services have four startup types:
- Automatic: The service is always running, and starts at bootup.
- Automatic (Delayed Start): The service is always running, but starts later to speed up startup.
- Manual: The service is only running when it's needed. An example of this is Windows Backup, which only runs during backups.
- Disabled: The service never runs, even when requested. This could cause dependency problems.
Some services you could set include:
- Print Spooler: Disable - This service is used by printers, which could be used for sharing confidential information.
- Fax: Disable - The fax service could be used for sharing confidential information.
- SNMP Trap: Disable - This service is used for getting EMail, which could leak confidential information.
- Xbox Services: Disable - These could be used for unnecessary gaming. There are about 5 of them.
- Windows Update: Automatic - This is vital for security.
- DNS Client: Automatic - This is necessary for caching DNS, which can improve internet speeds.
Step Four: Export the template -
To export the template, right click it, then click "Save As". You can save this to your Desktop.
Step Five: Import the template -
Open SecPol (Search it in the taskbar), then click "Action > Import Policy", as shown in the image to the left.
Chapter Five: Reviewing Templates
Reviewing templates is optional, but if you have multiple conflicting templates, it can be helpful.
You can compare the template to your currently applied settings, and see how they differ.
Step One: Open Security Configuration and Analysis -
SCA is a snap-in, so to open it, open MMC (search it in the taskbar) and click "File > Add/Remove Snap-in" (as shown in the image). Then add the "Security Configuration and Analysis" snap-in by scrolling to it, clicking it, then clicking "Add". Once you've added it, click "OK".
Step Two: Make a new Database - With the snap-in opened, this is where it starts to get confusing, so listen closely, and read ahead before starting. Right click it, and click "Open Database".
Make a database on your Desktop by making up a new name, such as "asdf.sdb", and click "Open". You don't need to find an existing database.
If you want to import more templates, right click the "Security Configuration and Analysis" again, and click "Import Template".
Step Four: Analyze the template -
Right click the "Security Configuration and Analysis" again, and click "Analyze Computer Now".
Click "OK" for the error log file path. Now, when you go into the tabs inside SCA, you can see check marks if your computer is set to the same thing, and an X if they are different. An example of this is in the image above, where the Max password age on the computer is 30 days, but in my database (AKA template), it's 29 (which is slightly more secure).
If you want to change the template, double click the row in the view, and change it.
Remember that this will change the database only, so to change the template, right click the "Security Configuration and Analysis", and click "Export Template".
Step Five: Apply the template - After analyzing the template, if it looks good, right click "Security Configuration and Analysis", and click "Configure Computer Now".
This will set the computer's settings to what you just reviewed as acceptable.
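The same kind of review can be done from PowerShell for the service settings from Chapter Three. This is an added example, not part of the original guide: it reads the [Service General Setting] section of a template and compares each startup type with the computer's. The template text is a constructed sample using the short service names for Print Spooler, Fax, SNMP Trap, Windows Update and DNS Client.

```powershell
# Added example. The template below is a constructed sample, not a real export.
# In a template each service line is: "ServiceName",StartupCode,"security descriptor"
$inf = @'
[Unicode]
Unicode=yes
[Service General Setting]
"Spooler",4,""
"Fax",4,""
"SNMPTRAP",4,""
"wuauserv",2,""
"Dnscache",2,""
[Version]
signature="$CHICAGO$"
Revision=1
'@
# To review a real template instead (hypothetical path):
#   $inf = Get-Content "$env:USERPROFILE\Desktop\services.inf" -Raw

# Startup codes used in the template.
$modes = @{ '2' = 'Automatic'; '3' = 'Manual'; '4' = 'Disabled' }

function Get-TemplateService([string]$Text) {
    $inSection = $false
    foreach ($line in ($Text -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Only lines under [Service General Setting] are service entries.
            $inSection = ($Matches[1] -eq 'Service General Setting')
            continue
        }
        if ($inSection -and $line -match '^"?([^",]+)"?\s*,\s*(\d)\s*,') {
            [pscustomobject]@{ Name = $Matches[1]; Wanted = $modes[$Matches[2]] }
        }
    }
}

# Check mark / X equivalent: Match is True when the computer agrees with the template.
# Get-Service's StartType reports "Automatic (Delayed Start)" as Automatic.
Get-TemplateService $inf | ForEach-Object {
    $svc    = Get-Service -Name $_.Name -ErrorAction SilentlyContinue
    $actual = if ($svc) { [string]$svc.StartType } else { 'NotInstalled' }
    [pscustomobject]@{
        Service  = $_.Name
        Template = $_.Wanted
        Computer = $actual
        Match    = ($actual -eq $_.Wanted)
    }
} | Format-Table -AutoSize
```

The script only reads settings; nothing on the computer is changed.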