Refactor dynamic keyword management in Windows Firewall

2025-05-12 13:27:23 +00:00 · 2024-01-12 15:29:58 -05:00 · 2024-01-12 15:29:58 -05:00 · 91598bce9d
commit 91598bce9d
parent 3c5c2c2296
1 changed files with 8 additions and 29 deletions
--- a/windows/security/operating-system-security/network-security/windows-firewall/dynamic-keywords.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/dynamic-keywords.md
@ -98,9 +98,7 @@ In high security environments, an inventory of all enterprise-spanning apps must
 ## Manage dynamic keywords with Windows PowerShell
-The following hydration scripts read the current Firewall configuration, extract FQDN based rules and perform DNS resolution on each domain, so that IP addresses for those rules get populated.
+The following sample scripts read the current Windows Firewall configuration, extract FQDN-based rules, and perform DNS resolution on each domain. The result is that the IP addresses for those rules get populated.
 ### Hydrate FQDN rule IPs using Resolve-DNSName
 ```PowerShell
 Get-NetFirewallDynamicKeywordAddress -AllAutoResolve |`
@ -112,18 +110,7 @@ ForEach-Object {
 }
 ```
-Silent:
+A similar script can be used to perform DNS resolution using `nslookup.exe`:
 ```PowerShell
 Get-NetFirewallDynamicKeywordAddress -AllAutoResolve |`
 ForEach-Object {
  if(!$_.Keyword.Contains("*")) {
    resolve-dnsname -Name $_.Keyword -DNSOnly | out-null
  }
 }
 ```
 Hydrate FQDN rule IPs using NSLookup
 ```PowerShell
 Get-NetFirewallDynamicKeywordAddress -AllAutoResolve |`
@ -143,9 +130,7 @@ $appPath = 'C:\Windows\System32\nslookup.exe'
 New-NetFirewallRule -DisplayName "allow $appName" -Program $appPath -Action Allow -Direction Outbound -Protocol UDP -RemotePort 53
 ```
-### Additional PowerShell and Firewall Commands
+### Enable Network Protection
 #### Enable Network Protection
 Block Mode:
@ -155,7 +140,7 @@ Audit Mode:
 `Set-MpPreference -EnableNetworkProtection AuditMode`
-#### Display Auto resolve rules and associated resolved IP addresses
+### Display Auto resolve rules and associated resolved IP addresses
 > [!NOTE]
 > IP addresses will not populate until DNS query is observed.
@ -184,19 +169,13 @@ New-NetFirewallDynamicKeywordAddress -id $id -Keyword $fqdn -AutoResolve $true
 New-NetFirewallRule -DisplayName "allow $fqdn" -Action Allow -Direction Outbound -RemoteDynamicKeywordAddresses $id
 ```
-## Example rules for block all outbound and allow some FQDNs
+### Block all outbound and allow some FQDNs
 This is a sample list of application FQDN evaluation. These were observed when inspecting traffic on the first launch of Microsoft Edge.
 > [!IMPORTANT]
 > This is not a complete list nor a recommendation. It's an example of how an application should be evaluated to ensure proper connectivity and function.
 ```PowerShell
 ```
 To learn more about Microsoft Edge requirements for Internet connectivity, see [Allow list for Microsoft Edge endpoints](/deployedge/microsoft-edge-security-endpoints).
 ```PowerShell
@ -212,9 +191,9 @@ $domains = @(
    'ntp.msn.com'
 )
-foreach ($fqdn in $domains) {
+foreach ($domain in $domains) {
    $id = '{' + (New-Guid).ToString() + '}'
-    New-NetFirewallDynamicKeywordAddress -Id $id -Keyword $fqdn -AutoResolve $true
+    New-NetFirewallDynamicKeywordAddress -Id $id -Keyword $domain -AutoResolve $true
-    New-NetFirewallRule -DisplayName "allow $fqdn" -Action Allow -Direction Outbound -RemoteDynamicKeywordAddresses $id
+    New-NetFirewallRule -DisplayName "allow $domain" -Action Allow -Direction Outbound -RemoteDynamicKeywordAddresses $id
 }
 ```