I have a general question about firewall rule management and would like to know the experience of others who have been managing their SEP workstation firewalls from the perspective of least privilege.
I notice when tying a rule down to a particular .EXE file, there is an option for specifying the file fingerprint. Where do I find the file fingerprint of a particular .EXE file, or is it just the SHA1 hash of that file?
I would like to tie each rule down to allowing specific .EXE files instead of just "any" to the ports and remote IPs in question. I see things like ntoskrnl.exe, CcmExec.exe, lsass.exe, etc. as common files requesting packets. I figure even with using file fingerprint I would only have 3 versions of each to manage, one for XP, Vista, and Win7. Is this a reasonable approach to locking it down and maintaining the concept of least privilege, or is this approach too much management overhead to be effective? If too much, how do you recommend locking it down while keeping the rest of the machines protected from things like malware sending traffic to the domain controllers out commonly known open ports?
Thanks.
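An added example, not part of the original post or of Symantec's own tooling: a PowerShell script that computes MD5, SHA-1 and SHA-256 digests of the executables named in the question (ntoskrnl.exe, lsass.exe, CcmExec.exe) along with each file's version string, so the values can be pasted into a per-application firewall rule and kept as a per-OS inventory. Which digest the SEP console treats as the "file fingerprint" is an assumption to check against your console version, which is why all three are emitted; the CcmExec.exe path is also an assumption (it differs between SCCM client versions). The script uses the .NET hashing classes directly rather than Get-FileHash so it runs on the PowerShell 2.0 builds available for XP, Vista and Win7.

```powershell
# Added example (not from the original post or from Symantec): fingerprint
# the executables that appear in SEP firewall logs so that rules can be bound
# to a specific binary rather than "any" application.
# Assumption: which digest (MD5/SHA-1/SHA-256) the console expects varies by
# SEP version, so all three are produced.
# Assumption: CcmExec.exe path below matches the SCCM client on your build.

param(
    [string[]]$Paths = @(
        "$env:SystemRoot\System32\ntoskrnl.exe",
        "$env:SystemRoot\System32\lsass.exe",
        "$env:SystemRoot\System32\CCM\CcmExec.exe"   # assumed SCCM client location
    ),
    [string]$OutCsv = ".\exe-fingerprints.csv"
)

function Get-ExeFingerprint {
    param([Parameter(Mandatory=$true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "Not found: $Path"
        return $null
    }

    # .NET hash providers work on PowerShell 2.0, where Get-FileHash does not exist.
    $algs = @{
        MD5    = [System.Security.Cryptography.MD5]::Create()
        SHA1   = [System.Security.Cryptography.SHA1]::Create()
        SHA256 = [System.Security.Cryptography.SHA256]::Create()
    }

    # Record the file version too: a patched binary gets a new hash, and the
    # version string tells you which OS build / update the fingerprint belongs to.
    $result = New-Object PSObject -Property @{
        Path    = $Path
        Version = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    }

    foreach ($name in $algs.Keys) {
        # Stream the file so large binaries are not read fully into memory.
        $stream = [System.IO.File]::OpenRead($Path)
        try {
            $bytes = $algs[$name].ComputeHash($stream)
            $hex   = ($bytes | ForEach-Object { $_.ToString("x2") }) -join ""
        } finally {
            $stream.Close()
        }
        $result | Add-Member -MemberType NoteProperty -Name $name -Value $hex
    }
    return $result
}

$rows = $Paths |
    ForEach-Object { Get-ExeFingerprint -Path $_ } |
    Where-Object { $_ -ne $null }

# Show the values an admin will paste into the rule, then keep an inventory
# per OS build so rules can be refreshed when an update replaces the binary.
$rows | Format-Table Path, Version, SHA1 -AutoSize
$rows | Export-Csv -NoTypeInformation -Path $OutCsv
```

Run it once per OS image (XP, Vista, Win7) and after each patch cycle; a hash-bound rule silently stops matching when Windows Update replaces ntoskrnl.exe or lsass.exe, so the CSV is what tells you which fingerprints in the policy have gone stale. That maintenance cost is the real trade-off in the question: the binding is tight, but it has to be re-verified on every build change.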