Saturday, July 6, 2013

Manage the Windows Firewall with Powershell

With the release of Windows Server 2012 and Windows 8, Microsoft has begun issuing the following warning when using NETSH to manage the firewall:


In future versions of Windows, Microsoft might remove the Netsh functionality
for Windows Firewall with Advanced Security.

    
Sounds like a good enough reason to learn how to manage the firewall with Powershell to me. Fortunately Microsoft has made welcome improvements to firewall management in Powershell for version 3. Let's do it.


Assumptions


  • Windows 2012 or Windows 8
  • Administrator access to the machine in question
  • Powershell ran as administrator on the machine in question

CMDLets Involved


Powershell provides the following commands for firewall management:

Get-Command -Noun "*Firewall*"


Copy-NetFirewallRule
Disable-NetFirewallRule
Enable-NetFirewallRule
Get-NetFirewallAddressFilter
Get-NetFirewallApplicationFilter
Get-NetFirewallInterfaceFilter
Get-NetFirewallInterfaceTypeFilter
Get-NetFirewallPortFilter
Get-NetFirewallProfile
Get-NetFirewallRule
Get-NetFirewallSecurityFilter
Get-NetFirewallServiceFilter
Get-NetFirewallSetting
New-NetFirewallRule
Remove-NetFirewallRule
Rename-NetFirewallRule
Set-NetFirewallAddressFilter
Set-NetFirewallApplicationFilter
Set-NetFirewallInterfaceFilter
Set-NetFirewallInterfaceTypeFilter
Set-NetFirewallPortFilter
Set-NetFirewallProfile
Set-NetFirewallRule
Set-NetFirewallSecurityFilter
Set-NetFirewallServiceFilter
Set-NetFirewallSetting
Show-NetFirewallRule

As usual, type Get-Help followed by the cmdlet name in question to get more information.

Common Examples


Below are some examples of common tasks you may wish to perform with Powershell:

Enable or Disable the Firewall


Enable the firewall on the DOMAIN profile:

Set-NetFirewallProfile -Profile Domain -Enabled True

Note that the -Enabled parameter does not accept the typical $True but rather True. False is of course the other option, and the other valid profiles are "Public" and "Private".


Enable a Group of Pre-Made Rules


Groups are sets of rules for a specific purpose. Windows ships with several; here are a few you may find useful:

Set-NetFirewallRule -DisplayGroup "Remote Event Log Management" -Enabled True
Set-NetFirewallRule -DisplayGroup "Windows Firewall Remote Management" -Enabled True
Set-NetFirewallRule -DisplayGroup "Windows Management Instrumentation (WMI)" -Enabled True
Set-NetFirewallRule -DisplayGroup "Remote Desktop" -Enabled True
Set-NetFirewallRule -DisplayGroup "Windows Remote Management" -Enabled True
Set-NetFirewallRule -DisplayGroup "Remote Administration" -Enabled True

To list all groups, see the item below.

List all current Rule Groups


$rules=Get-NetFirewallRule
$DisplayGroups=foreach ($rule in $rules){$rule.displaygroup}
$DisplayGroups|Select-Object -Unique
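Building on the listing above, this added example (not from the original post) summarises each display group with how many of its rules are enabled, so a group that has been only partially switched on stands out. It uses only the cmdlets listed earlier and PowerShell 3 features.

```powershell
# Added example: per-group summary of rule count, enabled count and directions.
Get-NetFirewallRule |
    Where-Object { $_.DisplayGroup } |          # skip ungrouped (custom) rules
    Group-Object DisplayGroup |
    ForEach-Object {
        [PSCustomObject]@{
            DisplayGroup = $_.Name
            Rules        = $_.Count
            # Enabled is an enum whose values print as True/False
            Enabled      = @($_.Group | Where-Object { $_.Enabled -eq 'True' }).Count
            Directions   = ($_.Group.Direction | Sort-Object -Unique) -join ','
        }
    } |
    Sort-Object DisplayGroup |
    Format-Table -AutoSize
```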


Make a New Rule


New-NetFirewallRule -DisplayName "Allow Inbound OpenVPN Client Requests" -Direction Inbound -LocalPort 1194 -Protocol UDP -Action Allow
New-NetFirewallRule -DisplayName "Block Outbound itunes.exe" -Direction Outbound -Program "C:\Program Files\apple\itunes\itunes.exe" -Action Block
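The two rules above open or block traffic for every remote address and every profile. This added example (not from the original post) creates an inbound rule scoped to one profile and one remote subnet, then reads the rule back through the Get-NetFirewall*Filter cmdlets to confirm what was actually written. The rule name, port and subnet are constructed assumptions.

```powershell
# Added example: create a narrowly scoped inbound rule and verify it.
# Rule name, port and subnet are constructed for illustration.
$ruleName = 'Allow-Inbound-AppServer-8443'

# -Name is the stable identifier used by scripts; -DisplayName is what the GUI shows.
# -RemoteAddress and -Profile keep the opening as small as possible.
New-NetFirewallRule -Name $ruleName `
    -DisplayName 'Allow Inbound App Server (TCP 8443)' `
    -Description 'Constructed example: app tier reachable only from the management subnet' `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 8443 `
    -RemoteAddress 10.0.50.0/24 `
    -Profile Domain `
    -Action Allow `
    -Enabled True | Out-Null

# Read the rule back rather than trusting the command line that created it.
$rule = Get-NetFirewallRule -Name $ruleName
$port = $rule | Get-NetFirewallPortFilter
$addr = $rule | Get-NetFirewallAddressFilter

[PSCustomObject]@{
    Name          = $rule.Name
    Enabled       = $rule.Enabled
    Profile       = $rule.Profile
    Direction     = $rule.Direction
    Action        = $rule.Action
    Protocol      = $port.Protocol
    LocalPort     = $port.LocalPort
    RemoteAddress = $addr.RemoteAddress
} | Format-List

# Warn if the rule ended up broader than intended (e.g. RemoteAddress 'Any').
if ($addr.RemoteAddress -contains 'Any' -or $rule.Profile -eq 'Any') {
    Write-Warning "$ruleName is not scoped as tightly as expected; review it before leaving it enabled."
}
```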

Enable or Disable an Existing Rule


Set-NetFirewallRule -DisplayName "Allow Inbound OpenVPN Client Requests" -Enabled True
Set-NetFirewallRule -DisplayName "Allow Inbound OpenVPN Client Requests" -Enabled False

Delete a Rule

This will permanently delete a rule. To disable a rule instead, use the Set-NetFirewallRule command from the previous section.

Remove-NetFirewallRule -DisplayName "Allow Inbound OpenVPN Client Requests"

Get Firewall Profile Information


Get-NetFirewallProfile -name Domain


Manage Rules Remotely


Any of these commands can be run remotely by first creating a session with the New-CimSession cmdlet and passing it to the -CimSession parameter. This assumes you have already enabled the rule group "Windows Firewall Remote Management" on the target machine, as listed above.

$TargetComputer=New-CIMSession -Computername MYCOMPUTER
Set-NetFirewallRule -DisplayGroup "Remote Event Log Management" -Enabled True -CimSession $TargetComputer
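Taking the remote session one step further, this added example (not from the original post) audits several machines in one pass: it reports whether each profile is enabled and its default inbound action, and lists every enabled inbound Allow rule that accepts traffic from any remote address. The computer names are constructed assumptions, and "Windows Firewall Remote Management" must already be enabled on each target.

```powershell
# Added example: remote firewall audit over CIM sessions.
# Computer names are constructed for illustration.
$computers = 'SRV-APP01', 'SRV-APP02'
$sessions  = New-CimSession -ComputerName $computers

$report = foreach ($session in $sessions) {
    # 1. Profile state: is each profile on, and what does it do with unmatched inbound traffic?
    foreach ($p in (Get-NetFirewallProfile -CimSession $session)) {
        [PSCustomObject]@{
            Computer = $session.ComputerName
            Check    = "Profile $($p.Name) enabled"
            Value    = $p.Enabled
            Detail   = "DefaultInbound=$($p.DefaultInboundAction)"
        }
    }

    # 2. Enabled inbound Allow rules that are not restricted to a remote address.
    $rules = Get-NetFirewallRule -CimSession $session -Direction Inbound -Action Allow -Enabled True
    foreach ($r in $rules) {
        $addr = $r | Get-NetFirewallAddressFilter -CimSession $session
        if ($addr.RemoteAddress -contains 'Any') {
            $port = $r | Get-NetFirewallPortFilter -CimSession $session
            [PSCustomObject]@{
                Computer = $session.ComputerName
                Check    = 'Inbound allow from Any'
                Value    = $r.DisplayName
                Detail   = "$($port.Protocol)/$($port.LocalPort) profile=$($r.Profile)"
            }
        }
    }
}

$report | Sort-Object Computer, Check | Format-Table -AutoSize
$sessions | Remove-CimSession
```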


What About Windows Server 2008/7?


Unfortunately, this will only work on 2012, 8 or newer, even if you install PowerShell 3.0 on previous versions. The NetSecurity module was newly introduced in 2012/8. If you want to manage the firewall on older versions you'll need to use NETSH.

Tip 'o The Iceberg!


So that's just a start to all the things we can do with PowerShell to manage the firewall. This article focuses on controlling one machine at a time, so you'll most likely want to investigate controlling rules via Group Policy. Server 2012 introduces some very interesting tools for that as well (Open-NetGPO!). For more information, see the links below, and as always feel free to interact using the comments!

Further Reading


Technet: Windows Firewall with Advanced Security Administration with Windows Powershell
Let IT Know Blog: Manage Windows Firewall With Powershell 3
Microsoft Networking Blog: Deployment: Windows Firewall and Group Policy

2 comments:

Thomas Lee said...

These cmdlets are only available for Server 2012/Windows 8 or higher as they are bound to the OS, not just to Win 7. With Windows 7, even with PowerShell v4, you do not have these cmdlets.

Spamhater007 said...

Ignore Thomas Lee, as apparently he cannot read. In this article, the first paragraph states 2012/Win8. The end of the article states 2008/7 not supported.