Auditing Windows Firewall rules

  • Question

  • Good afternoon,

    I've been looking for a way to make auditing the Windows Firewall a little easier.  The main items I am concerned with are pulling the correct profile, correct state, and the remote addresses for a given rule.

    I came across James ONeil's blog (http://blogs.technet.com/b/jamesone/archive/2009/02/18/how-to-manage-the-windows-firewall-settings-with-powershell.aspx) and have modified it to do 99% of what I want.

    The problem I am now facing is this: Firewall rules are stored in two different places - for Firewall rules configured using GPO, rules are here: HKLM\Software\Policies\Microsoft\WindowsFirewall and local configured rules are stored here: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy.  When using the script as I currently have it configured, only the locally configured Firewall rules are being returned.

    So, the question I have is this: is there a way to use the HNetCfg.FwPolicy2 COM object to return the rules that are configured by GPO? Or am I just out of luck? My script is below...


    # Lookup tables: numeric codes returned by the HNetCfg.FwPolicy2 COM object -> readable names (and back)
    $FWprofileTypes= @{1GB="All";1="Domain"; 2="Private" ; 4="Public"}
    $FwAction      =@{1="Allow"; 0="Block"}
    $FwProtocols   =@{1="ICMPv4";2="IGMP";6="TCP";17="UDP";41="IPv6";43="IPv6Route"; 44="IPv6Frag";
                      47="GRE"; 58="ICMPv6";59="IPv6NoNxt";60="IPv6Opts";112="VRRP"; 113="PGM";115="L2TP";
                      "ICMPv4"=1;"IGMP"=2;"TCP"=6;"UDP"=17;"IPv6"=41;"IPv6Route"=43;"IPv6Frag"=44;"GRE"=47;
                      "ICMPv6"=58;"IPv6NoNxt"=59;"IPv6Opts"=60;"VRRP"=112; "PGM"=113;"L2TP"=115}
    $FWDirection   =@{1="Inbound"; 2="Outbound"; "Inbound"=1;"Outbound"=2}


    Function Convert-FWProfileType
    {Param ($ProfileCode)
    # Decode the Profiles bitmask (1=Domain, 2=Private, 4=Public) into the matching names
    $FWprofileTypes.keys | foreach -begin {[String[]]$descriptions= @()} `
                                    -process {if ($profileCode -bAND $_) {$descriptions += $FWProfileTypes[$_]} } `
                                    -end {$descriptions}
    }


    Function Get-FireWallRule
    {Param ($Name, $Direction, $Enabled, $Protocol, $profile, $action, $grouping, $Remote)
    # Enumerate the rules exposed by the firewall COM object (this returns the local store only)
    $Rules=(New-object -comObject HNetCfg.FwPolicy2).rules
    If ($name)      {$rules= $rules | where-object {$_.name      -like $name}}
    If ($direction) {$rules= $rules | where-object {$_.direction -eq $direction}}
    # Test whether the parameter was passed rather than whether it is truthy, so -Enabled $false and -Action 0 (Block) still filter
    If ($PSBoundParameters.ContainsKey('Enabled')) {$rules= $rules | where-object {$_.Enabled -eq $Enabled}}
    If ($protocol)  {$rules= $rules | where-object {$_.protocol  -eq $protocol}}
    If ($profile)   {$rules= $rules | where-object {$_.Profiles  -bAND $profile}}
    If ($PSBoundParameters.ContainsKey('Action'))  {$rules= $rules | where-object {$_.Action -eq $Action}}
    If ($Grouping)  {$rules= $rules | where-object {$_.Grouping  -Like $Grouping}}
    # RemoteAddresses is a string (for example "*" or "10.0.0.0/8"), so match it as a wildcard pattern, not bitwise
    If ($Remote)    {$rules =$rules | where-object {$_.RemoteAddresses -like $Remote}}
    $rules}

    Get-firewallRule -enabled $true -Direction 1 | sort name |
                format-table -wrap -autosize -property Name,
                @{Label="Action"; expression={$FwAction[$_.action]}}, @{label="Direction";expression={$FWDirection[$_.direction]}},
                @{Label="Protocol"; expression={$FwProtocols[$_.protocol]}},
                @{Label="Profiles"; expression={Convert-FWProfileType $_.Profiles}},
                localPorts, applicationname,
                @{Label="Remote Addresses"; expression={$_.RemoteAddresses}} #| Out-File -FilePath C:\temp\firewall.txt


    Monday, January 7, 2013 6:13 PM

Answers

  • is there a way to use the HNetCfg.FwPolicy2 COM object to return the rules that are configured by GPO?

    Documentation reference: INetFwPolicy2 interface

    There is no mention of the Rules property allowing enumeration of GPO-defined rules, so my answer to your specific question would be "no."

    Bill

    Monday, January 7, 2013 6:42 PM
    Moderator

All replies

  • There is no mention of the Rules property allowing enumeration of GPO-defined rules, so my answer to your specific question would be "no."

    Bill

    Well, that would be ultimately disappointing - but not unsurprising - if it were true.

    Thanks for the ref to the INetFwPolicy2 interface - I'll start reading through that and see if there's anything I can dig out of it.

    Also, I guess I can just enumerate the proper registry keys using powershell, but in order to get any useful information (i.e. something human readable), there's going to need to be a lot of text transforms.

    Monday, January 7, 2013 7:23 PM
  • Alright, so now I'm trying a different route...  

    So far, I have tried using the netsh command and the HNetCfg.FwPolicy2 COM object, but they only return firewall rules configured using netsh, the firewall control panel, or a script (see more details here: http://technet.microsoft.com/en-us/library/cc755604(v=ws.10).aspx).

    So, with that in mind, I decided to retrieve the firewall rules directly from the registry - so far, I have the following:

    $gpoRules = @(Get-ItemProperty -Path Registry::HKLM\Software\Policies\Microsoft\WindowsFirewall\FirewallRules) 

    $localRules = @(Get-ItemProperty -Path Registry::HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules)

     

    Now, where I am encountering trouble is that using Get-ItemProperty will return the list of Property names with values as a string - not separate entries... So, now my questions are: is there a better cmdlet to use?  If not, how would I go about separating the string into discrete elements (interestingly, if I do something like $gpoRules | Get-Member, the output is formatted into a table of discrete elements, but if I do something like $gpoRules.count, I get a return of 1... meaning there's only one item in the array).

    Tuesday, January 8, 2013 3:14 PM
  • Hi,

    If you can find documentation on how the firewall configuration rules are stored in the registry, then you should use that. I doubt there is such documentation, however, as they've provided programmatic interfaces to interact with the firewall rules (such as the aforementioned INetFwPolicy2 COM interface). Thus the registry settings are an implementation detail and are subject to change.

    You may be able to experiment with changing the firewall configuration values and then observing the effects on the registry, but again, this is an implementation detail (and without official documentation, subject to change at any time for any reason).

    It seems to me that your approach is impractical. Here are two alternative possibilities: 1) configure everything via GPO (recommended), as then you don't need to run any scripts and just get the settings from the GPO; or 2) don't use any firewall configuration in a GPO and run a script that uses the INetFwPolicy2 interface to report on the rules.

    Bill

    Tuesday, January 8, 2013 3:24 PM
    Moderator
  • Bill,

    I appreciate your help so far, but I think you're missing the point of why I'm going this route - the firewall rules set by local or domain GPO aren't exposed to INetFwPolicy2 COM object, HNetCfg.FwPolicy2 COM object, or netsh.  Thus, the only option I have left is to pull the rules that are stored in the registry - and the most efficient way to do that (as far as I can tell) is to write a powershell script.

    Additionally, I do understand that approach to defining firewall rules is impractical... controlling all firewall rules from the domain level would be optimal... but I don't get to make those decisions.  So, the environment exists as it does, and it's not going to change any time soon.

    Tuesday, January 8, 2013 7:14 PM
  • Bill,

    I appreciate your help so far, but I think you're missing the point of why I'm going this route - the firewall rules set by local or domain GPO aren't exposed to INetFwPolicy2 COM object, HNetCfg.FwPolicy2 COM object, or netsh.  Thus, the only option I have left is to pull the rules that are stored in the registry - and the most efficient way to do that (as far as I can tell) is to write a powershell script.

    Additionally, I do understand that approach to defining firewall rules is impractical... controlling all firewall rules from the domain level would be optimal... but I don't get to make those decisions.  So, the environment exists as it does, and it's not going to change any time soon.

    What makes you think the firewall rules are stored in the registry?

    Use RSOP to validate a policy and its application.  RSOP is the auditing tool for Group Policy.


    Happy New Year ¯\_(ツ)_/¯

    Tuesday, January 8, 2013 7:26 PM
  • Hi,

    I understand what you're saying. What I'm saying is that you can try to parse that data out of the registry - more power to you - but there is no guarantee of uniformity of that data between Windows versions (or even security patches). So your carefully written script may break unexpectedly because the registry storage the firewall components use is not documented.

    As far as writing your own auditing script, you're on your own on that one, since you're not using the standard documented interface.

    Bill

    Tuesday, January 8, 2013 7:29 PM
    Moderator
  • What makes you think the firewall rules are stored in the registry?

    Use RSOP to validate a policy and its application.  RSOP is the auditing tool for Group Policy.


    Happy New Year ¯\_(ツ)_/¯

    This article says so: http://technet.microsoft.com/en-us/library/cc755604(v=ws.10).aspx

    And I had not thought about using RSOP (I should have, since I query it for many other items that aren't found in the registry) - thanks for the suggestion!

    Tuesday, January 8, 2013 8:34 PM
  • Yes but read this very carefully:

    In most cases, the rules used by Windows Firewall to filter unsolicited incoming traffic are a union of the Windows Firewall settings you configure using Windows Firewall in Control Panel, the netsh firewall command, local Group Policy settings, and domain-based Group Policy settings. You cannot configure ordered rules or rules that specify a precedence for specific protocols, ports, programs, or IP addresses. The only time the resultant rules are not determined by a union of all settings is when Group Policy settings conflict with settings that you configured locally through Windows Firewall in Control Panel or the netsh firewall command. In this case, the resultant rules are still determined by a union, but the domain-based Group Policy settings take precedence over any locally-configured settings (including local Group Policy settings) and the local Group Policy settings take precedence over settings configured through Windows Firewall in Control Panel and the netsh firewall command.

    RSOP is the only way to resolve the currently active rules.


    Happy New Year ¯\_(ツ)_/¯


    • Edited by jrv Tuesday, January 8, 2013 8:40 PM
    Tuesday, January 8, 2013 8:40 PM
  • Here is what NETSH says when in a domain with GPO

    PS C:\Windows\system32> netsh advfirewall show domainprofile
    
    Domain Profile Settings:
    ----------------------------------------------------------------------
    State                                 ON
    Firewall Policy                       BlockInbound,AllowOutbound
    LocalFirewallRules                    N/A (GPO-store only)
    LocalConSecRules                      N/A (GPO-store only)
    InboundUserNotification               Enable
    RemoteManagement                      Disable
    UnicastResponseToMulticast            Enable
    
    Logging:
    LogAllowedConnections                 Disable
    LogDroppedConnections                 Disable
    FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
    MaxFileSize                           4096
    
    Ok.

    Note that it gets set to GPO store only.

    You can use NETSH to export the rules to a file.


    Happy New Year ¯\_(ツ)_/¯

    Tuesday, January 8, 2013 8:46 PM
  • Here is what a rule looks like in the store:

    v2.20|
    Action=Allow|
    Active=TRUE|
    Dir=In|
    Protocol=17|
    Profile=Public|
    App=C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe|
    Name=McAfee Shared Service Host|

    This is undocumented, as Bill has said, so you are on your own as far as how to use it.

    Use RSOP.  That is what it is there for.


    Happy New Year ¯\_(ツ)_/¯

    Tuesday, January 8, 2013 8:58 PM
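As an added example (not code from the thread, from James O'Neill's blog or from Microsoft), here is a PowerShell script that reads the two registry paths given in the Get-ItemProperty post above and parses the pipe-delimited rule strings jrv shows into objects, which is the "separate entries" the original poster asked for. The storage format is undocumented, as Bill points out, so the parser assumes the layout shown in this thread and is best-effort auditing code; the function names are my own.

```powershell
# Added example (not from the thread): parse the "v2.20|Key=Value|..." rule strings that the
# thread shows in the FirewallRules registry keys. The format is undocumented, so treat the
# field names (Action, Active, Dir, Protocol, Profile, App, Name, ...) as observed, not guaranteed.
function ConvertFrom-FirewallRuleString {
    param(
        [Parameter(Mandatory)][string]$ValueName,   # registry value name the rule was stored under
        [Parameter(Mandatory)][string]$RuleString,  # e.g. "v2.20|Action=Allow|Active=TRUE|Dir=In|..."
        [string]$Store = 'Unknown'                  # 'GPO' or 'Local', tagged by the caller
    )
    $fields = $RuleString.Split('|', [StringSplitOptions]::RemoveEmptyEntries)
    $rule = [ordered]@{ Store = $Store; ValueName = $ValueName; Version = $fields[0] }
    # Remaining tokens are Key=Value. A key may repeat (several remote address or port entries),
    # so repeated keys are collected into an array instead of being overwritten.
    foreach ($token in $fields | Select-Object -Skip 1) {
        $key, $val = $token -split '=', 2
        if ($rule.Contains($key)) { $rule[$key] = @($rule[$key]) + $val }
        else                      { $rule[$key] = $val }
    }
    [pscustomobject]$rule
}

function Get-RegistryFirewallRule {
    # Get-ItemProperty returns ONE object whose properties are the rule values, which is why
    # $gpoRules.Count was 1 in the thread; enumerate its properties and skip the PS* metadata members.
    $stores = @{
        GPO   = 'Registry::HKLM\Software\Policies\Microsoft\WindowsFirewall\FirewallRules'
        Local = 'Registry::HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
    }
    foreach ($store in $stores.Keys) {
        if (-not (Test-Path $stores[$store])) { continue }   # the GPO key is absent when no firewall GPO applies
        $item = Get-ItemProperty -Path $stores[$store]
        foreach ($prop in $item.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
            ConvertFrom-FirewallRuleString -ValueName $prop.Name -RuleString $prop.Value -Store $store
        }
    }
}

# Constructed sample, copied from the rule jrv posted, so the parser can be exercised offline:
$sample = 'v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe|Name=McAfee Shared Service Host|'
ConvertFrom-FirewallRuleString -ValueName 'SampleRule' -RuleString $sample -Store 'Local' |
    Format-List Store, Name, Action, Active, Dir, Protocol, Profile, App

# Live audit of both stores, active rules only:
# Get-RegistryFirewallRule | Where-Object Active -eq 'TRUE' |
#     Select-Object Store, Name, Dir, Action, Profile, App | Format-Table -AutoSize
```

Because the registry only reflects what was written to each store, the union and precedence rules quoted from TechNet above still apply; RSOP remains the authoritative view of which rules are actually in effect.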
  • Hi All

    Can someone please confirm if on Windows 10 it is correct for the Firewall rules to show under "Extra Registry Settings" in RSOP?

    If anyone has a link where this is documented that would be great too.

    Many Thanks



    Thursday, May 21, 2020 2:45 PM