Use Windows Command Line Tools and PowerShell Cmdlets to Manage Security in Windows Server 2012 (Part 3)

by Deb Shinder. Published on 20 Nov. 2013 / Last Updated on 20 Nov. 2013

In this article we continue with how to perform additional configuration and management tasks for WFAS with PowerShell.

If you would like to be notified of when Deb Shinder releases the next part in this article series please sign up to our WindowSecurity.com Real-Time Article Update newsletter.

Introduction

In Part 1 of this series on how to use the Windows command line tools and PowerShell to speed up management of basic security-related tasks in Windows Server 2012 instead of clicking through the graphical interface, we took a detailed look at non-graphical methods for configuring and managing Windows Certification Authorities (CAs), including Certutil and AD CS PowerShell cmdlets.

In Part 2, we began our discussion of how to configure and manage the Windows Firewall with Advanced Security (WFAS) via Netsh and PowerShell cmdlets, covering the netsh advfirewall command and how to enable or disable the WFAS with PowerShell. In this article, Part 3, we continue with how to perform additional configuration and management tasks for WFAS with PowerShell.

Create a firewall rule with PowerShell

Just as we did with Netsh, we can create firewall rules at the command line using PowerShell. We follow the same basic steps that we would follow in the New Inbound (or Outbound) Rule Wizard in the graphical interface (although in a different order): We give the rule a name, define the direction (Inbound or Outbound), specify the path to the program file, specify the remote address (IP address or local subnet location) and specify the action (allow or block). Below is an example of using PowerShell to allow inbound Telnet (listening) on the network:

New-NetFirewallRule -DisplayName "Allow Inbound Telnet" -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow

You can also create a firewall rule that blocks or allows traffic in a specific Active Directory GPO by specifying the policy store with the -PolicyStore parameter and naming the GPO in the format <domain name>\<GPO name>.

Thus, the PowerShell command to block outbound Telnet in a GPO called Supernova in a subdomain called Andromeda in the Messier.com domain would be as follows:

New-NetFirewallRule -DisplayName "Block Outbound Telnet" -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe -Protocol TCP -LocalPort 23 -Action Block -PolicyStore andromeda.messier.com\supernova

Important note:
If the name of the GPO has spaces in it, you need to use quotation marks around it. In fact, this is true of other names, such as rule names or group names, as you may notice in the examples that are given throughout this article.

Change a firewall rule with PowerShell

If you want to use PowerShell to make changes to one of the firewall rules that is already configured in WFAS, you can modify various properties of the rule. You could do this with Netsh, too – but you had to know the name of the rule. If you didn’t, that was a problem.

A big advantage of using PowerShell for this is that if you don’t know the name of the rule, you can use properties of the rule that you do know in order to run a query and find out its name. You can use filter objects with the Get-NetFirewallRule cmdlet to query based on ports, addresses, security, interfaces or services. You can also use a wildcard character in the query (*).

To change a rule, you specify the new/changed information along with the rule name. For example, if you want to change the rule we created earlier to specify the remote IP address of the computer whose traffic is controlled by the rule, you would use the Set-NetFirewallRule cmdlet as shown in the following example:

Set-NetFirewallRule -DisplayName "Allow Inbound Telnet" -RemoteAddress 192.168.0.112

You can even make changes to more than one rule at the same time if they are part of a group (a rule joins a group when it is created with the -Group parameter of New-NetFirewallRule). You just add the group name to the Set-NetFirewallRule command. In the example below, we're changing the remote address for all members of the group named "Telnet Group."

Set-NetFirewallRule -DisplayGroup "Telnet Group" -RemoteAddress 192.168.0.112

You can also enable rules by group (or by other rule properties), using the Enable-NetFirewallRule cmdlet.
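The query-by-property and manage-by-group workflow described above, as an added example that is not from the article or from Microsoft's documentation; the rule name, the group name "Telnet Group" and the address 192.168.0.112 are assumed values:

```powershell
# Added example: find a rule by a property you know, then manage it by group.
# "Allow Inbound Telnet", "Telnet Group" and 192.168.0.112 are assumed values.

# Create the rule as a member of a group so it can be managed collectively.
New-NetFirewallRule -DisplayName "Allow Inbound Telnet" -Direction Inbound `
    -Program "%SystemRoot%\System32\tlntsvr.exe" -Protocol TCP -LocalPort 23 `
    -RemoteAddress LocalSubnet -Action Allow -Group "Telnet Group"

# Query by port instead of by name: port filter objects link back to their
# rules, so piping them into Get-NetFirewallRule returns the matching rules.
$port23Rules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 23 } |
    Get-NetFirewallRule
$port23Rules | Format-Table Name, DisplayName, Direction, Action, Enabled

# Wildcards work on the display name as well.
Get-NetFirewallRule -DisplayName "*Telnet*" | Format-Table DisplayName, Enabled

# Change every rule in the group in one step: restrict the remote address to
# a single management host instead of the whole local subnet.
Set-NetFirewallRule -DisplayGroup "Telnet Group" -RemoteAddress 192.168.0.112

# Disable the group while the service is not needed; -WhatIf previews the
# re-enable without applying it.
Disable-NetFirewallRule -DisplayGroup "Telnet Group"
Enable-NetFirewallRule -DisplayGroup "Telnet Group" -WhatIf

# Verify that the address filter now lists only the management host.
Get-NetFirewallRule -DisplayGroup "Telnet Group" |
    Get-NetFirewallAddressFilter |
    Format-Table RemoteAddress
```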

Creating a secure firewall rule with PowerShell

You may want to configure a firewall rule so that it will allow connections if they are secured by IPsec. You can create a rule that requires authentication of the traffic, using an IPsec rule (which has to be separately configured). Here is an example of how to do that with a rule that will allow inbound Telnet traffic through the WFAS only if the traffic is authenticated:

New-NetFirewallRule -DisplayName "Allow Authenticated Telnet" -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -Authentication Required -Action Allow

The creation of that IPsec rule, in this case requiring computer authentication and attempting user authentication, is a little more complicated. Here is an example of that:

# Phase 1 (main mode) authentication: the computer must authenticate, by Kerberos if possible, otherwise by NTLM.
$mkerbauthprop = New-NetIPsecAuthProposal -Machine -Kerberos
$mntlmauthprop = New-NetIPsecAuthProposal -Machine -NTLM
$P1Auth = New-NetIPsecPhase1AuthSet -DisplayName "Machine Auth" -Proposal $mkerbauthprop,$mntlmauthprop
# Phase 2 (extended mode) authentication: user authentication is attempted, but the Anonymous proposal lets the connection succeed when no user credential is available.
$ukerbauthprop = New-NetIPsecAuthProposal -User -Kerberos
$untlmauthprop = New-NetIPsecAuthProposal -User -NTLM
$anonyauthprop = New-NetIPsecAuthProposal -Anonymous
$P2Auth = New-NetIPsecPhase2AuthSet -DisplayName "User Auth" -Proposal $ukerbauthprop,$untlmauthprop,$anonyauthprop
# The IPsec rule references both auth sets by name and requires security for inbound and outbound traffic.
New-NetIPsecRule -DisplayName "Authenticate Both Computer and User" -InboundSecurity Require -OutboundSecurity Require -Phase1AuthSet $P1Auth.Name -Phase2AuthSet $P2Auth.Name

Because of its flexibility, you can use PowerShell to more easily create complex IPsec policies. You can create IPsec rules, add custom authentication methods, specify IKEv2 transport rules, copy IPsec rules from one policy to another, and use IPsec to create a domain isolation policy.

For detailed instructions and examples of how to do these tasks (and more) with PowerShell, check out the TechNet article titled Windows Firewall with Advanced Security Administration with Windows PowerShell.

Using PowerShell for remote management of WFAS

WinRM (Windows Remote Management) was introduced as part of the Windows Hardware Management feature set in Windows Server 2003 R2. Version 2 of WinRM, which was included in Windows Server 2008 R2 and Windows 7, added a number of new features and functionalities, as detailed here.

Windows Server 2012 has remote management, using WinRM, enabled by default. PowerShell’s CimSession cmdlets use WinRM and support remote management. The CimSession parameter allows you to make changes in WFAS (such as changes to your firewall rules) via PowerShell on a remote computer.

This is especially useful when you have Windows Server 2012 installed in server core mode, which is the most secure and which is the method of installation that Microsoft recommends. Since there is no graphical interface, being able to remotely manage WFAS (and perform other administrative tasks) via PowerShell is essential.

Here's how you use the CimSession parameter. Let's say we have a computer named Alpha1 and we want to view all the firewall rules that are configured on its WFAS. With PowerShell, it's as simple as naming the remote computer in the CimSession parameter:

Get-NetFirewallRule -CimSession Alpha1

Note that there are a few caveats to be aware of before you can remotely manage WFAS on a remote computer this way:

  • The remote computer must be accessible over the network.
  • There must be a firewall exception created and enabled for the WinRM service.
  • Access must be allowed from the computer you’re using to connect.

If any of these requirements is not met, you'll get an error message in PowerShell, telling you that, by default, "the WinRM firewall exception for public profiles limits access to remote computers that are on the same local subnet."

Now let’s do something that’s a little more complex. We’ll remove a firewall rule named BlockFirefox from WFAS on Alpha1. Here’s how to do that:

$RemoteSession = New-CimSession -ComputerName Alpha1
Remove-NetFirewallRule -DisplayName "BlockFirefox" -CimSession $RemoteSession -Confirm
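The remote removal above, extended into an added example (not from the article) that first checks the three prerequisites just listed and then tears the session down; Alpha1 and BlockFirefox are the article's names, and TCP 5985 is assumed to be the WinRM HTTP listener port in use:

```powershell
# Added example: verify WinRM reachability before changing a remote firewall,
# then remove a rule through a CimSession and always clean the session up.
$target = "Alpha1"

# WinRM's default HTTP listener is TCP 5985 (5986 for HTTPS). A failure here
# points at the network path or at a missing WinRM firewall exception.
if (-not (Test-NetConnection -ComputerName $target -Port 5985 -InformationLevel Quiet)) {
    throw "$target is not reachable on TCP 5985: check the network path and the WinRM firewall exception."
}

# Test-WSMan confirms the WinRM service answers and that this host is allowed to talk to it.
try {
    Test-WSMan -ComputerName $target -ErrorAction Stop | Out-Null
} catch {
    throw "WinRM on $target refused the request: $($_.Exception.Message)"
}

$session = New-CimSession -ComputerName $target -ErrorAction Stop
try {
    # Show what is about to be removed before removing it.
    Get-NetFirewallRule -DisplayName "BlockFirefox" -CimSession $session |
        Format-Table DisplayName, Direction, Action, Enabled

    # Preview the change, then apply it with a confirmation prompt.
    Remove-NetFirewallRule -DisplayName "BlockFirefox" -CimSession $session -WhatIf
    Remove-NetFirewallRule -DisplayName "BlockFirefox" -CimSession $session -Confirm
} finally {
    # Tear the session down even if the change fails.
    Remove-CimSession -CimSession $session
}
```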

Summary

We’re moving right along in this series of articles on managing security in Windows Server 2012 using command line utilities and PowerShell. You’ll recall that in Part 1, we provided an overview of how to use Certutil.exe and PowerShell cmdlets to install and manage the Certificate Services role. Then in Part 2, we took on the Windows Firewall with Advanced Security, and discussed how you can use the netsh advfirewall command to configure and manage it. Here in Part 3, we looked into the most common aspects of how to use PowerShell cmdlets for configuring and managing WFAS.

I hope this series has been helpful to you. If you have ideas about other security-related tasks and configurations related to Windows Server 2012 that you'd like to know how to do with Windows PowerShell, let me know and I can extend the scope of this series to include them. Write to me at dshinder@windowsecurity.com or deb@shinder.net.
