← All talks

Zero Trust, Before The Cloud: What Windows Firewall Got Right Years Ago - Ben Lintern

BSides Lancashire 202611:387 viewsPublished 2026-07Watch on YouTube ↗
Speakers
Tags
About this talk
Windows Defender Firewall has quietly supported zero trust networking principles for two decades. This talk walks through its identity-aware rules, application-scoped connections, and IPsec-backed authentication, showing how Active Directory shops can enforce least-privilege network access without cloud ZTNA licensing. It also covers the gaps: no cloud identity support, no real-time risk signals, and sparse documentation.
Show transcript [en]

Uh yeah, zero trust before the cloud. What Windows firewall got right years ago. That's what I was waiting for. Uh so yeah, quick introduction. Who am I? So I'm a security engineer at a company in the fin in the payroll/ umbrella sector called Payream. Uh I'm passionate about quite a few different things in security, but yeah, security, infrastructure, networking, and cloud. and it is my second bsides talk. So what is zero trust networking? So start off with what is zero trust? Uh it's a concept in security uh where uh you we follow the rule of don't never trust always verify and then in the context of networking it is just because you're within the network

perimeter like on the company network you know you shouldn't be trusted to connect to whatever you want. uh and it's verifying that the user and the device should be should uh have authorization to connect to the resource. Uh zero trust networking follows lease privilege. uh factoring in identity and context, it's typically more secure than a traditional flat network where as an example uh you know instead of one flat uh like local area network you've got uh VLANs for different re uh different resources uh and also zero trust network access uh relates to zero trust networking but slightly different as uh with zero trust network access. It is typically application level access as opposed to network access. So if you have ZTNA, you

you a you authenticate to it and you have access as opposed to a more traditional solution where you connect to your VPN and then you've got access to the resources. So modern implementations of zerorust networking uh a typical like a basic overview your organization users are created in the platform you register your devices you install your tunneling software so as an example cloudflare uh you know you'd install cloud flared or the w client uh and then you'd create your network policies so yeah the example that I give below is like you'd create a rule for your finance department to be able to access your internal payroll system and yeah you'd go there but what I am uh exploring today is uh

how Windows Defender Firewall has actually had zero trust networking built into it uh and it's had these capabilities for about 20 years I think since server 2003 uh and how and where these features can be useful today so uh yeah what is Windows Defender a firewall with advanced security. Uh it's a built-in firewall software. Uh it's included with within the Windows operating system and it is used to control connections that are connections that are allowed inbound and outbound from a device. And I've gave a I gave an example there of what a rule might look like. So this is allowing HTTP inbound. Then you you know you give it a name. You define the ports. uh you define the

scope which is like what the uh like what subnets you want to be able to reach. Uh but it has a lot more functionality than that. First of all, it does have identity aware uh features. So uh as you can see the as I hope you can see the allow the connection if it is secure uh means that connections can only be accepted if they are authenticated and integrity protected. Um what that and you can go even further. So not just requiring connections to be authenticated and tied to an identity but also you can restrict what connections are allowed based on users and computers. So going back to like the finance team example, you can

see I've got a security group for my finance team or department and I've got a similar group but for their workstations and laptops and only connections that match this criteria will be allowed and then yeah this is backed by connection security rules. So uh you define you create a not a file rule but yeah connection security rule where you can request authentication uh to go like with the connections and yeah how I found it worked best was define defining any subnet that you might expect authentication from and setting computer and user so you so it can support the uh yeah users and computers being associated with the connections. And there's a test there. So I created

like a John Smith user. Uh and you can see that connection's allowed and that connect that connection is associated to John Smith's user account where I tried it with my admin account which wasn't part of that group. The connection fails and that was what SG Finance uh had in it. Uh yeah, next application aware. So, Windows Defender Firewall, yeah, also has application aware functionality. Uh, this is a more known feature than the last one. Uh, so in this, yeah, you can define only like specific applications that are allowed to make inbound or outbound connections. So, I've just called I just called what that uh program program.exe. But where this can be a lot more useful. So if you

add SQL servers for example and you want to and you've got multiple SQL servers that do replication between them as opposed to allowing uh the MSSQL traffic between SQL servers uh you can restrict that to just the SQL server.exe exe and then in if an attacker was uh you know compromised your SQL server you're adding another step making it harder to laterally move as they'd have to the connectivity would only be permitted for SQL server.exe. Uh another feature that I discovered during the research was health checks. So uh under the isolation tab when you're creating a a connection security rule it mentions health status and then when you're setting up authentication uh it mentions a health certificate uh

computer health certificates. So I was thinking you know you can also implement health checks. That is not the case anymore. Microsoft removed that feature from Windows 10 but it was a feature in the past. Uh yeah, fi finally auditability. So one of the reasons why I think a lot of organizations don't use this feature uh or haven't used this feature in the past as well is that it can add complexity to like your networking. But there are actually a lot of event logs and uh event ids for uh various uh well for like your IP sex sessions for stuff not for connections failing for authentication and negotiation failing. But you also have logs of user accounts and computers

making uh connections to like your devices, your servers where just using standard like firewall login you don't have that visibility. So what are the advantages of Windows firewall in the context of zero trust networking? Uh you've got that it it's onrem only and so it doesn't require any internet connectivity, doesn't require uh access to any like clouds. If you're in an air gap network, you know this this will work. Uh it's included with Windows licensing. So there's no additional cost. uh where whereas like modern zero trust networking solutions you're paying like a per user license it can get expensive pretty quickly and also uh where you do have a if you already have a mature domain environment

like most people who are running active directory uh you've already got all your identities you've already got your security groups so you can you've already got all of that configuration but it is not perfect uh and it does fall short in a few in a few ways is today. Uh one of which is it doesn't support like cloud identities. So I've said entra but if you're syncing between enter and ad then that's not what I mean but more if like resources have identities or or octa or any other uh like identity provider. uh there's no real-time user risk evaluation like what you have where for example some modern solutions might look at if you've got

disc encryption if you've got the latest antivirus uh signatures if your iOS is perhaps not no no health checks either uh anymore it's not designed for latency sensitive workloads so it probably won't be a good fit in operational technology and could lead to disasters but I think the main reason why it why this hasn't really been picked up by organizations uh is due to the documentation there isn't much I had to figure out a lot of this uh by or yeah by myself and as an organization you probably don't want to be using a feature that uh well didn't have that much documentation but it can still be useful today in Windows heavy environments uh

as well yeah like heavy active directory environments uh you know like I've said you've already got the licensing uh you've got the identities it is also a budget friendly zerorust networking solution uh but another use case that I didn't add was that with legacy applications where maybe they're not encrypting traffic in transit or don't uh or do authentication or don't do authentication well uh you can use features here to add on to uh these applications to well yeah meet that criteria. Uh and ultimately you can use some of the features I've discussed today to improve your network security using zero trust principles and enhance your security posture. But yeah uh cheers.

Any questions?

>> Great one. Can we still control Windows firewall through? >> Yeah, you can. Yeah. And you can also disable rule merger. So you can disable any rules that are created like by by someone on the OS or like when applications recreate create rules as well. So you can disable them. uh how do services uh or how are executables like identified like if it gets replaced how how are they >> there's there's no digital signature or hash ver verification so you are simply relying on it being in the right path uh I I don't know if you can use wild cards but

>> If you got any other questions, feel free to grab Ben. He'll be around. Just do one more round of applause.

[ feedback ]