Wednesday, July 31, 2013

Windows 8.1: Changes Illustrate Attention to Detail

After spending a bit of time with the Windows 8.1 preview, I've been impressed by some of the "little things". While there are large overhauls to address community feedback, this was expected; what I didn't expect is a series of minor tweaks and fixes to make the OS more user friendly for everyone from the entry level user to the longtime power user.

Modern UI with a wallpaper background, substantially more straightforward PC settings, and Windows Update improvements are all very welcome, but my favorite is demonstrated in this screenshot easy to interpret comparison:

Ctrl + X menu comparison; 8.0 on left, 8.1 on right

This means someone in the Win 8.1 dev team is evaluating power user tools for improvement as well, and I'm very happy to see this sort of improvement. I was initially skeptical, but after seeing these sorts of enhancements I'm definitely looking forward to the final release.

This month has been a bit slow because I'm working on a couple large articles. Stay tuned for some Hadoop and DirectAccess!

Update 10/11/2013: Microsoft removed this from RTM, so.... yeah.

Saturday, July 6, 2013

Manage the Windows Firewall with Powershell

With the release of Windows Server 2012 and Windows 8, Microsoft has begun issuing the following warning when using NETSH to manage the firewall:


In future versions of Windows, Microsoft might remove the Netsh functionality
for Windows Firewall with Advanced Security.

    
Sounds like a good enough reason to learn how to manage the firewall with Powershell to me. Fortunately Microsoft has made welcome improvements to firewall management in Powershell for version 3. Let's do it.


Assumptions


  • Windows 2012 or Windows 8
  • Administrator access to the machine in question
  • Powershell ran as administrator on the machine in question

CMDLets Involved


Powershell provides the following commands for firewall management:

Get-Command -Noun "*Firewall*"


Copy-NetFirewallRule
Disable-NetFirewallRule
Enable-NetFirewallRule
Get-NetFirewallAddressFilter
Get-NetFirewallApplicationFilter
Get-NetFirewallInterfaceFilter
Get-NetFirewallInterfaceTypeFilter
Get-NetFirewallPortFilter
Get-NetFirewallProfile
Get-NetFirewallRule
Get-NetFirewallSecurityFilter
Get-NetFirewallServiceFilter
Get-NetFirewallSetting
New-NetFirewallRule
Remove-NetFirewallRule
Rename-NetFirewallRule
Set-NetFirewallAddressFilter
Set-NetFirewallApplicationFilter
Set-NetFirewallInterfaceFilter
Set-NetFirewallInterfaceTypeFilter
Set-NetFirewallPortFilter
Set-NetFirewallProfile
Set-NetFirewallRule
Set-NetFirewallSecurityFilter
Set-NetFirewallServiceFilter
Set-NetFirewallSetting
Show-NetFirewallRule
As per normal, type get-help followed by the CMDLet name in question to get more information.

Common Examples


Below are some examples of common tasks you may wish to perform with Powershell:

Enable or Disable the Firewall


Disable the firewall on the DOMAIN profile:

Set-NetFirewallProfile -Profile Domain -Enabled True

Note the -Enabled parameter does not accept typical $True but rather True. Obviously False is an option and the other valid profiles are "Public" and "Private".


Enable a Group of Pre-Made Rules


Groups are sets of rules for a specific purpose. Windows ships with several; are a few you may find useful:

Set-NetFirewallRule -DisplayGroup "Remote Event Log Management" -Enabled True
Set-NetFirewallRule -DisplayGroup "Windows Firewall Remote Management" -Enabled True
Set-NetFirewallRule -DisplayGroup "Windows Management Instrumentation(WMI)" -Enabled True
Set-NetFirewallRule -DisplayGroup "Remote Desktop" -Enabled True
Set-NetFirewallRule -DisplayGroup "Windows Remote Management" -Enabled True
Set-NetFirewallRule -DisplayGroup "Remote Administration" -Enabled True

To list all groups, see the item below.

List all current Rule Groups


$rules=Get-NetFirewallRule
$DisplayGroups=foreach ($rule in $rules){$rule.displaygroup}
$DisplayGroups|Select-Object -Unique


Make a New Rule


New-NetFirewallRule -DisplayName "Allow Inbound OpenVPN Client Requests" -Direction Inbound -LocalPort 1194 -Protocol UDP -Action Allow
New-NetFirewallRule -DisplayName "Block Outbound itunes.exe" -Direction Outbound -Program "C:\Program Files\apple\itunes\itunes.exe" -Action Block

Enable or Disable an Existing Rule


Set-NetfirewallRule -DisplayName "Allow Inbound OpenVPN Client Requests" -Enabled True
Set-NetfirewallRule -DisplayName "Allow Inbound OpenVPN Client Requests" -Enabled False

Delete a Rule

This will permanently delete a rule. To disable use the set-netfirewallrule command from the previous section.

Remove-NetfirewallRule -DisplayName "Allow Inbound OpenVPN Client Requests"

Get Firewall Profile Information


Get-NetFirewallProfile -name Domain


Manage Rules Remotely


Any of the commands can be used remotely by using the New-CimSession cmdlet. This also assumes you have already enabled the firewall rule group "Windows Firewall Remote Management" as listed above.

$TargetComputer=New-CIMSession -Computername MYCOMPUTER
Set-NetFirewallRule -DisplayGroup "Remote Event Log Management" -Enabled True -CimSession $TargetComputer


What About Windows Server 2008/7?


Unfortunately, this will only work in 2012, 8, or newer even if you install Powershell 3.0 on  previous versions. The NetSecurity module was newly introduced in 2012/8. If you want to manage the FW on older versions you'll need to use NETSH.

Tip 'o The Iceberg!


So that's just a start to all the things we can do with powershell to manage the firewall. This article focuses on controlling one machine at a time so you'll most likely want to investigate controlling rules via group policy. Server 2012 introduces some very interesting tools for that as well. (Open-NetGPO!) For more information, see the links below and as always feel free to interact using the comments!

Further Reading


Technet: Windows Firewall with Advanced Security Administration with Windows Powershell
Let IT Know Blog: Manage Windows Firewall With Powershell 3
Microsoft Networking Blog: Deployment: Windows Firewall and Group Policy