Configuring Windows Firewall with Advanced Security
Using netsh for configuring the firewall
The Windows XP
netsh firewall command is still present on Windows 7, but it is deprecated in favor of
netsh advfirewall and may go away in a future release. Rules written with
netsh firewall still work with Windows 7, but old check conditions which rely on
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\ need to be modified.
For documentation on the Vista / Server 2008 / 7 firewall, see KB947709 for an overview with examples (including explaination of how to accomplish the tasks described in the Configuring Windows XP firewall article) or the Microsoft TechNet article Netsh Commands for Windows Firewall with Advanced Security for details. You can also run
netsh advfirewall /? for help.
Note that there are differences between the Vista / 2008 firewall and the 7 / 2008R2 firewall. The above TechNet article contains details.
These settings are persistent, so it's possible to use execute="once"; however, it may (depending on your purposes) be a good idea to add check conditions so that settings can be restored if someone or something changes them.
Rules can be bundled together and activated or deactivated as a group. The Windows Firewall with Advanced Security control panel is the easiest way to find out what rules and groups are pre-defined.
The Windows 7 / Server 2008 R2 firewall supports domain, public and private profiles, asome or all of which can be active at a time. If you want to alter a particular profile instead of altering all current profiles, it should be specified on the command line.
The following profiles can be specified when writing and modifying rules:
allprofilesaffects all profiles
currentprofileaffects the currently-active profile (on Vista and 2008) or all currently-active profiles (on 7 and 2008 R2)
The following require additional research:
- How to write check conditions? Rules appear in
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules, but it is not clear how stable names and content are across systems. An external script might be useful, or it might be advisable to always set rules if it's desired that differences from the desired profile be detected and corrected.
- How to select the active profile(s)?
The following package should enable all the individual rules in the "Remote Desktop" group for the domain profile. (Due to operational constraints, it is presently untested - use at your own risk.)
<package id="fw-rdp-domain-on" name="Enable RDP rule group, domain profile" revision="1" reboot="false" execute="once"> <install cmd='netsh advfirewall firewall set rule profile=domain group="Remote Desktop" new enable=Yes' /> <remove cmd='netsh advfirewall firewall set rule profile=domain group="Remote Desktop" new enable=No' /> </package>