Windows Firewall can be a slightly tricky subject when it comes to configuring it at scale. After talking with Microsoft, it appears the main options are:

1: Group Policy <– Imagine your GPEdit reflecting 1000+ lines of custom configuration for each server in your environment.
2: Desired State Configuration <– Can this be automated easily, without a lot of hassle and programming knowledge?
3: WMI <– Slow, as is everything else in WMI.
4: Manual setup <– ICK!
5: Don’t use it <– Not an option for us.

DSC works by compiling a configuration into a MOF file that the client machine reads to bring itself into its desired state. In pull mode the client’s Local Configuration Manager (LCM) fetches that file from an SMB share or an HTTP/HTTPS pull server; in push mode you deliver it yourself with Start-DscConfiguration over WinRM. Either way, the LCM then ensures its configuration is up to date. The check interval is set on the LCM itself (Set-DscLocalConfigurationManager, ConfigurationModeFrequencyMins), but what we really want to know is whether we can dynamically generate these .MOF files on the fly and push them to our servers. The PowerShell example below and the .MOF it produces show what that looks like.
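As an added example (not code from the original post), this is how the interval mentioned above is actually set: a meta-configuration for the LCM, compiled and applied with Set-DscLocalConfigurationManager. The 30-minute interval and the pull-server URL in the commented block are assumed values, not anything the post specifies.

```powershell
# Added example, not the post's code: configure the Local Configuration
# Manager (LCM) so the node re-checks and re-applies its MOF on an interval,
# rather than only when Start-DscConfiguration is run. WMF 5.0+ syntax.
[DSCLocalConfigurationManager()]
Configuration LcmPushAutoCorrect
{
    param ([string[]] $NodeName = 'localhost')

    Node $NodeName
    {
        Settings
        {
            RefreshMode                    = 'Push'                # MOF arrives via Start-DscConfiguration over WinRM
            ConfigurationMode              = 'ApplyAndAutoCorrect' # re-apply when drift is found (alternatives: ApplyOnly, ApplyAndMonitor)
            ConfigurationModeFrequencyMins = 30                    # assumed value; the LCM minimum is 15
            RebootNodeIfNeeded             = $false
            ActionAfterReboot              = 'ContinueConfiguration'
        }

        # Pull-mode alternative (assumed server name): set RefreshMode = 'Pull' above
        # and the LCM downloads its MOF over HTTPS every RefreshFrequencyMins.
        # RegistrationKey is what authenticates the node to the pull server.
        # ConfigurationRepositoryWeb PullServer
        # {
        #     ServerURL          = 'https://dsc-pull.example.local:8080/PSDSCPullServer.svc'
        #     RegistrationKey    = '<registration key issued by the pull server>'
        #     ConfigurationNames = @('DSCFirewallRule')
        # }
    }
}

# Compile to .\LcmPushAutoCorrect\localhost.meta.mof, then hand it to the LCM
LcmPushAutoCorrect
Set-DscLocalConfigurationManager -Path .\LcmPushAutoCorrect -Verbose

# Check: confirm the LCM is now running with the settings we asked for
Get-DscLocalConfigurationManager |
    Select-Object RefreshMode, ConfigurationMode, ConfigurationModeFrequencyMins
```

Note that a meta.mof is applied with Set-DscLocalConfigurationManager, not Start-DscConfiguration; the two cmdlets read different MOF types and will not accept each other's output.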

You will need a copy of the PowerShell module below, copied into the Modules folder on your local test machine.

xNetworking

#Unpack xNetworking to the following folders
#C:\Program Files\WindowsPowerShell\Modules
#C:\Program Files (x86)\WindowsPowerShell\Modules
#https://gallery.technet.microsoft.com/scriptcenter/xNetworking-Module-818b3583
#This was compiled against xNetworking 2.1.1 (see ModuleVersion in the MOF below).
#Later releases, and the successor module NetworkingDsc (resource name "Firewall"),
#renamed the Access property to Action.
Configuration DSCFirewallRule
{
    param
    (
        [string[]] $NodeName = 'localhost'
    )

    Import-DSCResource -ModuleName xNetworking

    Node $NodeName
    {
        #Neither rule specifies an application (xFirewall's ApplicationPath), so despite
        #their names they do not match notepad.exe; Service = 'WinRM' scopes each rule
        #to the WinRM service instead. Both rules are also limited to the Domain and
        #Private profiles and do nothing while the Public profile is active.
        xFirewall Firewall1
        {
            Access      = 'Block'
            Name        = 'NotePadFirewallRule'
            DisplayName = 'Firewall Rule for Notepad.exe'
            Ensure      = 'Present'
            Profile     = ('Domain', 'Private')
            Direction   = 'OutBound'
            RemotePort  = ('8080', '8081')
            LocalPort   = ('9080', '9081')
            Protocol    = 'TCP'
            Description = 'Firewall Rule for Notepad.exe'
            Service     = 'WinRM'
        }

        xFirewall Firewall2
        {
            Access      = 'Allow'
            Name        = 'NotePad++FirewallRule'
            DisplayName = 'Firewall Rule for Notepad++.exe'
            Ensure      = 'Present'
            Profile     = ('Domain', 'Private')
            Direction   = 'OutBound'
            RemotePort  = ('8082', '8084')
            LocalPort   = ('9086', '9085')
            Protocol    = 'TCP'
            Description = 'Firewall Rule for Notepad++.exe'
            Service     = 'WinRM'
        }

    }

}

#Calling the configuration compiles it to .\DSCFirewallRule\localhost.mof;
#Start-DscConfiguration then pushes that MOF to the node's LCM and applies it.
DSCFirewallRule
Start-DscConfiguration -Path .\DSCFirewallRule -Wait -Force -Verbose

Running the code above compiles the configuration into a .MOF file, which is what actually gets delivered to and applied on the destination machines. This is the one it produced for localhost:

/*
@TargetNode='localhost'
@GeneratedBy=Mr. Hall
@GenerationDate=06/12/2018 16:55:22
@GenerationHost=myComputer
*/

instance of MSFT_xFirewall as $MSFT_xFirewall1ref
{
Description = "Firewall Rule for Notepad.exe";
 Direction = "Outbound";
 DisplayName = "Firewall Rule for Notepad.exe";
 ResourceID = "[xFirewall]Firewall1";
 RemotePort = {
    "8080",
    "8081"
};
 Name = "NotePadFirewallRule";
 Ensure = "Present";
 Protocol = "TCP";
 SourceInfo = "C:\\PowerShell\\DSC.ps1::13::9::xFirewall";
 Service = "WinRM";
 LocalPort = {
    "9080",
    "9081"
};
 ModuleVersion = "2.1.1";
 ModuleName = "xNetworking";
 Profile = {
    "Domain",
    "Private"
};
 Access = "Block";

};

instance of MSFT_xFirewall as $MSFT_xFirewall2ref
{
Description = "Firewall Rule for Notepad++.exe";
 Direction = "Outbound";
 DisplayName = "Firewall Rule for Notepad++.exe";
 ResourceID = "[xFirewall]Firewall2";
 RemotePort = {
    "8082",
    "8084"
};
 Name = "NotePad++FirewallRule";
 Ensure = "Present";
 Protocol = "TCP";
 SourceInfo = "C:\\PowerShell\\DSC.ps1::28::9::xFirewall";
 Service = "WinRM";
 LocalPort = {
    "9086",
    "9085"
};
 ModuleVersion = "2.1.1";
 ModuleName = "xNetworking";
 Profile = {
    "Domain",
    "Private"
};
 Access = "Allow";

};

instance of OMI_ConfigurationDocument
{
 Version="1.0.0";
 Author="Mr. Hall";
 GenerationDate="06/12/2018 16:55:22";
 GenerationHost="MyComputer";
};

Now, this is great news. The .MOF file looks predictably easy to regenerate, and given the pattern above I may be able to write a web service that generates this pattern and pushes it to a remote machine. I’ll give it a shot later this week and post the results. Things are looking pretty promising. One caveat to design in from the start: the LCM applies whatever MOF it is handed as SYSTEM, so whoever can write to that web service (or to the share or pull endpoint the nodes read from) effectively controls the firewall policy, and everything else DSC can do, on every node. The transport needs authentication and integrity, for example a pull server over HTTPS with registration keys, or signed configurations, which the WMF 5.1 LCM can be set to require.
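Here is one way to do the dynamic generation described above, as an added example rather than code from the post: a single configuration driven by a data structure, compiled into one MOF per node and pushed over WinRM, followed by the checks that confirm it landed. The node names, rule names and ports are invented for the example, and it uses the xNetworking 2.1.x property names from the post (later versions and NetworkingDsc’s Firewall resource use Action instead of Access).

```powershell
# Added example, not the post's code: generate one MOF per server from data
# instead of hand-editing the configuration. Node names, rule names and ports
# are invented for the example. Uses the xNetworking 2.1.x property names from
# the post (Access); xNetworking 2.4+ and NetworkingDsc call it Action.
Configuration DynamicFirewallRules
{
    Import-DscResource -ModuleName xNetworking

    # $AllNodes and $Node are populated from -ConfigurationData; one Node block
    # is compiled per AllNodes entry, producing <NodeName>.mof for each.
    Node $AllNodes.NodeName
    {
        foreach ($rule in $Node.FirewallRules)
        {
            # Resource instance names must be unique within a node, so derive
            # each one from the rule's own name.
            xFirewall "Rule_$($rule.Name)"
            {
                Name        = $rule.Name
                DisplayName = $rule.DisplayName
                Description = $rule.DisplayName
                Ensure      = 'Present'
                Access      = $rule.Access       # 'Allow' or 'Block'
                Direction   = $rule.Direction    # 'Inbound' or 'Outbound'
                Protocol    = 'TCP'
                LocalPort   = $rule.LocalPort
                Profile     = @('Domain', 'Private')  # inactive on the Public profile
            }
        }
    }
}

# Constructed inventory. In practice this is what a CMDB lookup, or the web
# service the post talks about, would return for each server.
$configData = @{
    AllNodes = @(
        @{
            NodeName      = 'web01'
            FirewallRules = @(
                @{ Name = 'Allow-HTTPS-In'; DisplayName = 'Allow HTTPS inbound'
                   Access = 'Allow'; Direction = 'Inbound'; LocalPort = @('443') }
                @{ Name = 'Block-SMB-In';   DisplayName = 'Block SMB inbound'
                   Access = 'Block'; Direction = 'Inbound'; LocalPort = @('445') }
            )
        }
        @{
            NodeName      = 'db01'
            FirewallRules = @(
                @{ Name = 'Allow-SQL-In';   DisplayName = 'Allow SQL Server inbound'
                   Access = 'Allow'; Direction = 'Inbound'; LocalPort = @('1433') }
            )
        }
    )
}

$targets = @($configData.AllNodes | ForEach-Object { $_.NodeName })

# Compile: .\DynamicFirewallRules\web01.mof and .\DynamicFirewallRules\db01.mof
DynamicFirewallRules -ConfigurationData $configData -OutputPath .\DynamicFirewallRules

# Push each MOF to its node over WinRM and wait for the LCM to finish applying it
Start-DscConfiguration -Path .\DynamicFirewallRules -ComputerName $targets -Wait -Force -Verbose

# Check 1: each node's LCM compares live state against the MOF it was given
Test-DscConfiguration -ComputerName $targets

# Check 2: the rules exist in the firewall itself, with the action and ports we asked for
Invoke-Command -ComputerName 'web01' -ScriptBlock {
    Get-NetFirewallRule -Name 'Allow-HTTPS-In', 'Block-SMB-In' |
        ForEach-Object {
            [pscustomobject]@{
                Name      = $_.Name
                Action    = $_.Action
                Direction = $_.Direction
                LocalPort = ($_ | Get-NetFirewallPortFilter).LocalPort
            }
        }
}
```

Two things to keep in mind with this pattern. First, in push mode the MOF arrives over WinRM, so a generated rule that blocks inbound 5985/5986 on a node locks you out of the next push; validate the data before compiling rather than after. Second, the inventory that feeds $configData is a trust boundary: whatever it says becomes SYSTEM-level firewall policy on every node it names, so it deserves the same access control and change review as the servers themselves.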

Great source on this topic: https://blogs.technet.microsoft.com/heyscriptingguy/2016/01/22/conceptualize-desired-state-configuration-part-5/
