This document outlines how devices supported by the OIT Managed Desktop Service comply with the Host-based Firewall control within the Endpoint Protection Standard.
Information
The OIT Managed Desktop Service meets compliance with the Host-based Firewall control of the Endpoint Protection Standard on all endpoints in our environment. We accomplish this by joining the endpoint to the appropriate Configuration Management System (CMS) where the firewall settings are applied through the CMS.
- For Windows machines, firewall policies are automatically configured on Windows PCs joined to the wolftech.ad.ncsu.edu domain. To maintain compliance, local admins cannot deactivate or remove any group policy enforcing them.
- For macOS machines, a custom Apple Configuration Profile deployed through JAMF enables the Firewall and Stealth Mode.
Windows
OIT’s Managed Desktop environment uses the campus Host-Based firewall configuration. Windows systems that are joined to the WolfTech AD domain are, by default, subject to the domain level security baseline group policies that exist for each version of Windows.
The security baseline “Domain Profile”:
- Turns the Windows Firewall “On”.
- Blocks all unsolicited inbound connections that do not match specific rules.
- Allows outbound connections that do not match a rule.
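To check whether a given PC is actually receiving those Domain-profile settings, the following PowerShell script is an added example (not an OIT script): it reads the effective firewall profile with the built-in NetSecurity module and compares it with the three baseline values listed above. It assumes a domain-joined Windows PC where `Get-NetFirewallProfile` is available; the `RSOP` policy store is used as an assumption about where GPO-applied values appear.

```powershell
# Added example, not part of the OIT Managed Desktop baseline itself.
# Compares the effective Domain firewall profile with the documented baseline.
Import-Module NetSecurity

# Expected Domain-profile values from the security baseline described above.
$expected = @{
    Enabled               = 'True'
    DefaultInboundAction  = 'Block'
    DefaultOutboundAction = 'Allow'
}

# ActiveStore returns the settings currently in force, including values pushed by GPO.
$domain = Get-NetFirewallProfile -Name Domain -PolicyStore ActiveStore

$compliant = $true
foreach ($setting in $expected.Keys) {
    $actual = [string]$domain.$setting
    if ($actual -ne $expected[$setting]) {
        Write-Warning "Domain profile $setting is '$actual'; baseline expects '$($expected[$setting])'"
        $compliant = $false
    }
}

# Assumption: the RSOP store reflects the profile as applied by group policy. An empty
# result suggests the machine is not applying a domain firewall GPO at all.
$gpo = Get-NetFirewallProfile -Name Domain -PolicyStore RSOP -ErrorAction SilentlyContinue
if (-not $gpo) {
    Write-Warning 'No group-policy firewall profile found; the baseline GPO may not be applying'
}

if ($compliant) {
    'Domain profile matches the host-based firewall baseline'
} else {
    'Domain profile does NOT match the host-based firewall baseline'
}
```

Run it in an elevated PowerShell session; a warning about a missing RSOP profile is the usual sign that the machine is not joined to WolfTech AD or has not refreshed group policy.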

macOS
OIT’s Managed Desktop environment uses the best practice recommended by MacTech. The custom Apple Configuration Profile is loaded into Jamf and scoped for all machines in our site.
The security baseline “Configuration Profile”:
- Turns the macOS Firewall “On”.
- Automatically allows built-in software to receive incoming connections.
- Automatically allows downloaded signed software to receive incoming connections.
- Enables stealth mode.
- Locks only the Firewall setting of the Security and Privacy preference pane, allowing other preferences to still be managed by Jamf Pro.


Escalation
Any questions on the process or content contained in this document should be escalated through the NCSU Help Desk and have an incident assigned to the OIT_DESKTOP_SUPPORT team.
Related Documentation
https://policies.ncsu.edu/rule/rul-08-00-18/
https://sites.google.com/ncsu.edu/mactechgroup/home
Title: Host-based Firewall Policy for the OIT Managed Desktop Service
Service: Network & Connectivity Management
Template if applicable: NA
Assignment Group(s): OIT_DESKTOP_SUPPORT
Document Owner: OIT_DESKTOP_SUPPORT
Available Priorities: Critical, High, Medium, Low
Keywords: OIT Managed Desktop Service, policy, Endpoint Protection Standard, compliance, is my computer compliant with the host-based firewall control, controls, OIT Managed Desktop Host-based Firewall Policy, host based firewall, windows, mac, macOS