Use Windows Command Line Tools and PowerShell Cmdlets to Manage Security in Windows Server 2012 (Part 2)

by [Published on 6 Nov. 2013 / Last Updated on 20 Nov. 2013]

In this article we'll take a look at how to configure and manage the Windows Firewall with Advanced Security via Netsh and Powershell cmdlets

If you would like to read the other parts in this article series please go to:

Introduction

In Part 1 of this series on how to use the Windows command line tools and PowerShell to speed up management of basic security-related tasks in Windows Server 2012 instead of clicking through the graphical interface, we took a detailed look at non-graphical methods for configuring and managing Windows Certification Authorities (CAs), including Certutil and AD CS PowerShell cmdlets.

In Part 2, we’ll move on to how to configure and manage the Windows Firewall with Advanced Security via Netsh and Powershell cmdlets. Currently, those who want a text-based interface for managing WFAS have both options, but it’s important to note that some Microsoft documentation has indicated that there is a possibility that Microsoft may remove the Netsh functionality. We know that the direction Microsoft has been taking with Windows Server points toward PowerShell as the primary interface, so it makes sense to expect that alternatives will eventually be deprecated and disappear. If you’re more comfortable with Netsh, go ahead and use it for now, but I’d highly recommend that you learn to use PowerShell for this task as well. It’s much easier to let go of the old ways gradually rather than being abruptly required to get up to speed on a new way of doing things when you have no other choice.

An even better reason to transition to PowerShell is that, as its name implies, it puts more power and control into your hands than the old-school command line tools do. Microsoft has made some improvements to the firewall management functionality in the latest version of Windows PowerShell, so that once you get used to “speaking the PowerShell language,” you won’t want to go back to doing it the old-fashioned way.

Managing the WFAS with Netsh

PowerShell may be the future, but first let’s take a look at the Windows Firewall with Advanced Security tasks you can do with Netsh. We’ll be using the netsh advfirewall tool, which is part of Netsh on computers running Windows Vista or subsequent operating systems. To use it, you’ll need to run it from an elevated command prompt (In Server 2012, click Start, right-click the command prompt icon and select Run as administrator). Note that you need to be a member of the Administrators group to do this. Members of the Network Operators group can also run netsh advfirewall (without elevating the command prompt).

Here are some of the more useful commands available with netsh advfirewall:

  • Export and Import: With these commands, you can export the current WFAS configuration to a file. Default file extension is .wfw. Then you can import the configuration from a file to the local service, overwriting the current contents of the store (Big caveat: the Import command doesn’t ask for confirmation, so be sure you want to do this. To be safe, export the configuration in the current store to a different file before importing).
  • Reset: You can use this command to quickly and easily take WFAS back to the default settings and rules and wipe out any configuration changes that have been made. You can use the reset export command to back up your current settings to a file first, just in case you change your mind about wiping them all out.
  • Set: This command is used to configure profile type (domain, public or private network) settings, global settings or store settings.
  • Show: This command is used to display profile type, global and store settings but does not change them

The Set command is used for most of the configuration and management tasks related to WFAS. You can:

  • Enable or disable the WFAS for a specific profile type using the set <profiletype>state command.
  • Configure filtering for both inbound and outbound traffic using the set<profiletype>firewallpolicy command with InboundPolicy and OutboundPolicy parameters. Inbound policy can have one of four values: block, block always, allow, or not configured. Outbound policy can have one of three values: block, allow or not configured. (Default setting is to block inbound and allow outbound).
  • You can configure a number of profile-specific general settings for WFAS and IPsec using the Set<profiletype>settings command. Settings that can be configured include local firewall rules (enable, disable or not configured), local IPsec connection security rules and inbound user notification, as well as remote management and unicast response to multicast. You can also configure the firewall logging settings with Set<profiletype>logging.
  • With the set global command, you can configure such settings as the way WFAS handles stateful FTP (FTP traffic that initially connects to one port and requests data on a different port), global IPsec options (checking of certificates against a Certificate Revocation List), amount of time a security association can stay idle, protocols that will be exempt from IPsec requirements by default, and whether IPsec can configure a security association if one or more computers are behind a NAT device. This command is also used to control which computer accounts and groups are authorized to create tunnel connections to the local computer, and which user accounts and groups can do the same.
  • The set store command is used to determine the storage location for changes that are made by netsh advfirewall commands (default is the local policy store). You can configure a policy store on a remote computer by using the set machine command.

This is just a synopsis of the various tasks related to WFAS that you can accomplish with the netsh advfirewall command, and is not intended to be a “how to” for using those commands. For a more comprehensive description of the various commands, parameters and syntax for executing them, see the TechNet article titled Netsh Commands for Windows Firewall with Advanced Security. Although this article was written in regard to Windows 7 and Windows Server 2008/2008 R2, the Netsh commands in Windows Server 2012 are the same.

Managing the WFAS with Windows PowerShell

The more powerful and updated way to manage the Windows Firewall with Advanced Security from the command line is to utilize Windows PowerShell 3.0. This version of PowerShell is included in Windows Server 2012. You’ll also need to use the Windows NetSecurity Module for Windows PowerShell (which is also included in Windows Server 2012) and the Windows PowerShell ISE (which is an optional feature of Windows PowerShell 3.0 that you can install using Server Manager in Windows Server 2012).

PowerShell will allow you to do the same basic tasks that we just discussed in the section on using netsh advfirewall: set the global defaults for profile types, deploy basic firewall rules and IPsec rule settings, deploy secure firewall rules with IPsec and also manage WFAS remotely.

This article will assume that you’re familiar with the basics of using Windows PowerShell; if not, see the Windows PowerShell Getting Started Guide and the Windows PowerShell User Guide on the Microsoft TechNet web site.

The first step in configuring and managing Windows Firewall with Advanced Security via PowerShell is to enable WFAS. Here is the cmdlet for enabling WFAS on the different profile types:

Set-NetFirewallProfile –Profile Domain,Public,Private –Enabled True

As you probably already surmised if you’re familiar with PowerShell (or coding in general), to disable the WFAS, you would set the –Enabled parameter to “False.” You can, of course, enable or disable each of the three profile types separately. Thus if you wanted to turn WFAS off for the domain network, you would use the following cmdlet:

Set-NetFirewallProfile –name domain - Enabled False

This equates to turning the firewall state to “off” on the Domain Profile tab of the Windows Firewall with Advanced Security dialog box.

You can use the “all” switch in place of the name parameter if you want to enable or disable WFAS on all three of the profile types. Here’s the cmdlet for that:

Set-NetfirewallProfile –All –Enabled True

Now that we have the Windows Firewall with Advanced Security up and running, we can delve into all the cmdlets that we can use to manage it – but we’ve run out of room for this time so we’ll get into all that in Part 3 of this series.

Summary

In Part 1 of this series of articles on managing security in Windows Server 2012 using command line utilities and PowerShell, we provided an overview of how to use Certutil.exe and PowerShell cmdlets to install and manage the Certificate Services role. Here in Part 2, we took on the Windows Firewall with Advanced Security, and discussed how you can use the netsh advfirewall command to configure and manage it. We also began the discussion of how to use PowerShell cmdlets for configuring and managing WFAS, and next time we’ll go into a lot more detail about that. See you then! – Deb

If you would like to read the other parts in this article series please go to:

 

Advertisement

Featured Links