Intune – Block new Google TLD’s with Endpoint security

Google announced 8 new top-level domains for dads, grads and techies.
See the news article here https://blog.google/products/registry/8-new-top-level-domains-for-dads-grads-tech/

Although every domain can potentially be dangerous, in this batch the .zip TLD caught the most attention.

If you look at the .zip domains that have already been registered, it is likely that some of them will be used for malicious purposes (microsoftdefender_zip, Microsoft-update_zip, Office365-update_zip, officeupdate_zip, microsoftoutlook_zip, ….).

Google’s new .zip top-level domain is already being used in phishing attacks, so I started to investigate how to block it easily in Modern Workplaces.

In addition to the Google TLDs it is advisable to block some of the other TLDs that appear in the Spamhaus top 10 (The Spamhaus Project – The Top 10 Most Abused TLDs: .rest, .wiki, .live, .xyz, …).

The easiest way to block TLDs via Intune is to create a reusable setting and reference it from a firewall rules policy.

Open http://intune.microsoft.com

Click Endpoint security > Firewall and choose the Reusable settings tab

Reusable settings are very handy and can save you a lot of time: you can reference the same setting from several firewall policies, and when it needs to be edited this only has to be done in one place.

Click Add

Enter a Name and Description

Add the domains *.zip, *.foo and *.mov

Configure the instances with Auto Resolve: True and add the keyword.

After the instances are added and the settings are saved switch back to the Summary tab.

Under Firewall Policies > Create Policy

Select Platform: Windows 10, Windows 11, Server

and

Profile: Windows Defender Firewall Rules

then click Create

Give Name and Description and Click Next

Under Reusable Groups Click Set reusable settings and choose Block Google TLDs

Under Rule properties > click Edit Rule,

change the options:

Enabled: Enabled
Name: Block Google TLDs

Interface Types: All

Network Types: FW_PROFILE_TYPE_ALL : This value represents ….

Direction: The rule applies to Outbound traffic.

Action: Block

Don’t forget to switch the Action to Block

Click Save

Click Next > Next

Add assignments, add a test group of devices first.

Click Next followed by Create

The rule is created and ready for testing.

On a device where the rule is applied the domain www.url.zip will be blocked.
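For a lab machine where you want to see the same control before rolling it out through Intune, the following added example (not from the original post) builds the local equivalent of the reusable setting plus the firewall rule with PowerShell: one dynamic keyword per TLD pattern with Auto Resolve, and an outbound Block rule that references them. It assumes the NetSecurity dynamic-keyword cmdlets (New-NetFirewallDynamicKeywordAddress and the -RemoteDynamicKeywordAddresses parameter of New-NetFirewallRule) are available on the Windows build you run it on, and it must run in an elevated session.

```powershell
# Added example, not from the original post: local PowerShell equivalent of the
# Intune reusable setting + firewall rule described above. Assumes the dynamic
# keyword cmdlets of the NetSecurity module are present on this Windows build.
# Run elevated.

$tlds     = @('*.zip', '*.foo', '*.mov')   # the three TLDs blocked in the post
$ruleName = 'Block Google TLDs'

# 1. One dynamic keyword per pattern. AutoResolve lets the firewall resolve the
#    FQDN pattern to addresses itself; this is what "Auto Resolve: True" does in
#    the Intune reusable setting.
$keywordIds = foreach ($tld in $tlds) {
    $id = "{$([guid]::NewGuid())}"
    New-NetFirewallDynamicKeywordAddress -Id $id -Keyword $tld -AutoResolve $true | Out-Null
    $id
}

# 2. The rule itself: outbound, all profiles, all interface types, action Block
#    (the same options the post sets under Rule properties).
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound `
        -Action Block `
        -Profile Any `
        -InterfaceType Any `
        -Enabled True `
        -RemoteDynamicKeywordAddresses $keywordIds | Out-Null
}

# 3. Read the result back so you can confirm the Action really is Block, the
#    step the post warns about.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action, Profile

Get-NetFirewallDynamicKeywordAddress |
    Where-Object Keyword -in $tlds |
    Select-Object Id, Keyword, AutoResolve
```

To undo the lab rule, remove the rule with Remove-NetFirewallRule -DisplayName 'Block Google TLDs' and the keywords with Remove-NetFirewallDynamicKeywordAddress -Id for each id printed in step 3.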

More information :

Announcing enhanced control for configuring Firewall rules with Windows Defender – Microsoft Community Hub

I already blocked several gTLDs – The Top 10 Most Abused TLDs https://www.spamhaus.org/statistics/tlds/

More information about TLDs and gTLDs
https://www.iana.org/domains/root/db

The Dangers of Google’s .zip TLD. Can you quickly tell which of the URLs… | by Bobbyr | May, 2023 | Medium

Google’s .zip Top Level domain is already used in phishing attacks – gHacks Tech News

https://icannwiki.org/Google#New_gTLDs

Updated 2024-02-22

The management console does not display all firewall rules; some can only be found under Monitoring in the firewall MMC.


Windows uses several “stores” (Local, Policies (GP), …..). Via PowerShell you can retrieve all firewall rules that are currently in effect:

Get-NetFirewallRule -PolicyStore ActiveStore

More info: Get-NetFirewallRule (NetSecurity) | Microsoft Docs

Registry
You can also check the registry to see if the rule has been applied to the system; the key can be found here:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\Mdm\FirewallRules
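The two checks above (active store and MDM registry key) combined into one script, as an added example that is not part of the original post. It assumes the rule was named Block Google TLDs as in the policy above, uses CurrentControlSet (the alias for the ControlSet the system booted from, which is what the post's ControlSet001 path normally points at), and assumes the RemoteDynamicKeywordAddresses property on the address filter object for showing the reusable-setting keywords.

```powershell
# Added example, not from the original post: verify on an enrolled device that the
# Intune-delivered rule actually landed, using the active policy store and the
# MDM registry key. Assumes the rule name used in the post.

$ruleName = 'Block Google TLDs'
$mdmKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\Mdm\FirewallRules'

# 1. Active store = everything the firewall is enforcing right now, regardless of
#    which store (Local, GPO, MDM) the rule came from. PolicyStoreSource tells you
#    which one delivered it.
$rule = Get-NetFirewallRule -PolicyStore ActiveStore -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $rule) {
    Write-Warning "Rule '$ruleName' is not in the active store; the policy has not applied yet."
} else {
    $rule | Select-Object DisplayName, Enabled, Direction, Action, Profile, PolicyStoreSource

    # The remote address / keyword references live on the address filter, not on
    # the rule object itself (RemoteDynamicKeywordAddresses is assumed to exist).
    $rule | Get-NetFirewallAddressFilter |
        Select-Object RemoteAddress, RemoteDynamicKeywordAddresses
}

# 2. MDM registry store: one value per rule written by the Firewall CSP. Matching
#    on the rule name inside the value data is a heuristic for finding our entry.
if (Test-Path $mdmKey) {
    $hits = Get-Item $mdmKey |
        Select-Object -ExpandProperty Property |
        ForEach-Object {
            [pscustomobject]@{
                Name  = $_
                Value = (Get-ItemProperty -Path $mdmKey -Name $_).$_
            }
        } |
        Where-Object Value -like "*$ruleName*"

    if ($hits) { $hits | Format-List }
    else       { Write-Warning "No MDM firewall rule value mentions '$ruleName'." }
} else {
    Write-Warning "MDM firewall rules key not present; the device may not be MDM-managed."
}
```

If step 1 shows the rule but with Action Allow, the policy was saved without switching the action, which is exactly the mistake the post warns about; fix it in the Intune policy rather than locally, because the MDM store will overwrite local edits.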
