Thursday, May 30, 2013

Scripting: Administering the Windows Firewall with Batch

We needed a way to configure the Windows Firewall during a series of OS deployments. After doing a bit of research I decided that a batch script using the NETSH command was probably the easiest solution. Here are the scripts I came up with (comment/uncomment the settings you want):

Windows 7-2008 or later:

@ECHO OFF
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
TITLE Set Windows Firewall Features for Windows 7-2008 or later
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Purpose: Auto-set Windows Firewall Features for Windows 7-2008 or later.
:: Version: 2.0
:: Author: ZeusABJ
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Clear screen to hide "UNC paths not supported" error message:
CLS
:: Display a message to the user:
ECHO Setting Windows Firewall Features for Windows 7-2008 or later...
ECHO.
:: Run NETSH commands to disable/enable (off/on) individual firewall profiles:
netsh advfirewall set domainprofile state off
:: netsh advfirewall set privateprofile state off
:: netsh advfirewall set publicprofile state off
:: Run NETSH commands to disable/enable (off/on) all firewall profiles:
:: netsh advfirewall set allprofiles state off
:: Run NETSH command to enable Remote Desktop exception:
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
:: Display completion notice:
ECHO Done!
:: Uncomment to view script results:
:: ECHO.
:: PAUSE
EXIT

Windows XP-2003:

@ECHO OFF
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
TITLE Set Windows Firewall Features for Windows XP-2003
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Purpose: Auto-set Windows Firewall Features for Windows XP-2003.
:: Version: 2.0
:: Author: ZeusABJ
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Clear screen to hide "UNC paths not supported" error message:
CLS
:: Display a message to the user:
ECHO Setting Windows Firewall Features for Windows XP-2003...
ECHO.
:: Run NETSH commands to disable/enable firewall:
netsh firewall set opmode disable
:: Run NETSH command to enable Remote Desktop exception:
netsh firewall set service remotedesktop enable
:: Display completion notice:
ECHO Done!
:: Uncomment to view script results:
:: ECHO.
:: PAUSE
EXIT

BONUS - This script will reset the firewall if you make a mistake with your desired settings:

@ECHO OFF
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
TITLE Reset Windows Firewall Features for Windows 7-2008 or later
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Purpose: Auto-reset Windows Firewall Features for Windows 7-2008 or later.
:: Version: 2.0
:: Author: ZeusABJ
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Clear screen to hide "UNC paths not supported" error message:
CLS
:: Display a message to the user:
ECHO Resetting Windows Firewall for Windows 7-2008 or later...
ECHO.
:: Run NETSH commands to reset firewall (restores default settings):
netsh advfirewall reset
:: Display completion notice:
ECHO Done!
:: Uncomment to view script results:
:: ECHO.
PAUSE
EXIT

3 comments:

  1. This is great. Worked right out of the box (not easy to find one that does). Do you have or know of a script to push this out to Win7 PCs in a list? I had one for XP but lost it. Can't find source.

  2. This comment has been removed by the author.

  3. Hey Me Z,

    So (basically) you are asking me if I have a method to run this script on a bunch of Windows 7 PCs on a list? I'm assuming you don't have SCCM in your environment, or you could just create a collection and push the script as a package. In the days before SCCM I'd use a remote execution tool like PSEXEC and just write another script for something like this. Haven't had to do that in years (lol), but if I did I'd probably do it similarly to this:

    http://delphintipz.blogspot.com/2011/10/run-psexecexe-for-list-of-computers.html

    Hope that helps!

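The audit script below is an added example (not one of ZeusABJ's scripts) that ties together the deployment scripts above and the question in the comments about a list of Win7 PCs: it reads a computer list, uses PSEXEC as the reply suggests, and records the firewall state of each profile on each machine so you can confirm what the deployment actually left on or off. The file name computers.txt, the log file name, psexec.exe being on the PATH and the caller being an admin on the targets are assumptions.

```batch
@ECHO OFF
:: Audit-FirewallState.cmd (added example, not one of the scripts above)
:: Reads computer names from computers.txt (assumed: one name per line,
:: lines starting with # ignored), asks each machine for its firewall
:: profile state over PSEXEC, and writes the answers to a log so you can
:: confirm the deployment scripts left things the way you intended.
:: Assumes psexec.exe is on the PATH and you are an admin on the targets.
SETLOCAL ENABLEDELAYEDEXPANSION
SET "LIST=computers.txt"
SET "LOG=firewall-audit.log"
IF NOT EXIST "%LIST%" (
    ECHO Computer list "%LIST%" not found.
    EXIT /B 1
)
ECHO Firewall audit started %DATE% %TIME% > "%LOG%"

FOR /F "usebackq eol=# tokens=* delims=" %%C IN ("%LIST%") DO (
    ECHO Checking %%C ...
    SET "PROFILE="
    SET "SEEN=0"
    REM "show allprofiles state" prints a "<Name> Profile Settings:" header
    REM followed by a "State ON|OFF" line for each of the three profiles.
    REM PSEXEC's own banner goes to stderr, so only the netsh output is parsed.
    FOR /F "usebackq tokens=1,2" %%A IN (`psexec \\%%C -n 10 netsh advfirewall show allprofiles state 2^>NUL ^| FINDSTR /I /C:"Profile Settings" /C:"State"`) DO (
        IF /I "%%B"=="Profile" SET "PROFILE=%%A"
        IF /I "%%A"=="State" (
            SET "SEEN=1"
            ECHO %%C  !PROFILE!  %%B >> "%LOG%"
            IF /I "%%B"=="OFF" ECHO   WARNING: %%C !PROFILE! profile is OFF
        )
    )
    IF "!SEEN!"=="0" (
        ECHO %%C  NO RESPONSE >> "%LOG%"
        ECHO   WARNING: no answer from %%C
    )
)
ECHO Done. Results written to "%LOG%".
ENDLOCAL
```

Run it once before and once after the deployment and compare the two logs; any machine still showing a profile OFF outside the deployment window is the one to look at.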