Windows Firewall can be a tricky subject when it comes to configuring it at scale. After talking with Microsoft, it appears the main options are:
1: Group Policy <– Imagine your GPEdit reflecting 1000+ lines of custom configuration for each server in your environment.
2: Desired State Configuration <– Can this be automated easily, without a hassle and a lot of technical programming knowledge?
3: WMI <– Slow, as is everything else in WMI.
4: Manual Setup <– ICK!
5: Don’t use it <– Not an option for us.
DSC works by generating a MOF file that the client machine reads to kick itself into its desired state. The client side fetches the file via SMB/HTTP/HTTPS and then ensures its configuration is up to date. A refresh interval can be set in the parameters of SetConfiguration, but what we really want to know is whether we can dynamically generate these .MOF files on the fly and then push them to our servers. Let’s take a look at the PowerShell code example and the .MOF it produces to see what it looks like.
You will need a copy of the PowerShell modules below to copy into your Modules folder on your local test machine.
```powershell
# Unpack xNetworking to the following folders
# C:\Program Files\WindowsPowerShell\Modules
# C:\Program Files (x86)\WindowsPowerShell\Modules
# https://gallery.technet.microsoft.com/scriptcenter/xNetworking-Module-818b3583
Configuration DSCFirewallRule
{
    param
    (
        [string[]] $NodeName = 'localhost'
    )

    Import-DSCResource -ModuleName xNetworking

    Node $NodeName
    {
        xFirewall Firewall1
        {
            Access      = 'Block'
            Name        = 'NotePadFirewallRule'
            DisplayName = 'Firewall Rule for Notepad.exe'
            Ensure      = 'Present'
            Profile     = ('Domain', 'Private')
            Direction   = 'OutBound'
            RemotePort  = ('8080', '8081')
            LocalPort   = ('9080', '9081')
            Protocol    = 'TCP'
            Description = 'Firewall Rule for Notepad.exe'
            Service     = 'WinRM'
        }

        xFirewall Firewall2
        {
            Access      = 'Allow'
            Name        = 'NotePad++FirewallRule'
            DisplayName = 'Firewall Rule for Notepad++.exe'
            Ensure      = 'Present'
            Profile     = ('Domain', 'Private')
            Direction   = 'OutBound'
            RemotePort  = ('8082', '8084')
            LocalPort   = ('9086', '9085')
            Protocol    = 'TCP'
            Description = 'Firewall Rule for Notepad++.exe'
            Service     = 'WinRM'
        }
    }
}

# Compile the configuration into .\DSCFirewallRule\localhost.mof, then apply it
DSCFirewallRule
Start-DscConfiguration -Path .\DSCFirewallRule -Wait -Force -Verbose
```
Running the code above generates a .MOF file that can then be used on the destination machines.
```mof
/*
@TargetNode='localhost'
@GeneratedBy=Mr. Hall
@GenerationDate=06/12/2018 16:55:22
@GenerationHost=myComputer
*/

instance of MSFT_xFirewall as $MSFT_xFirewall1ref
{
    Description = "Firewall Rule for Notepad.exe";
    Direction = "Outbound";
    DisplayName = "Firewall Rule for Notepad.exe";
    ResourceID = "[xFirewall]Firewall1";
    RemotePort = { "8080", "8081" };
    Name = "NotePadFirewallRule";
    Ensure = "Present";
    Protocol = "TCP";
    SourceInfo = "C:\\PowerShell\\DSC.ps1::13::9::xFirewall";
    Service = "WinRM";
    LocalPort = { "9080", "9081" };
    ModuleVersion = "2.1.1";
    ModuleName = "xNetworking";
    Profile = { "Domain", "Private" };
    Access = "Block";
};

instance of MSFT_xFirewall as $MSFT_xFirewall2ref
{
    Description = "Firewall Rule for Notepad++.exe";
    Direction = "Outbound";
    DisplayName = "Firewall Rule for Notepad++.exe";
    ResourceID = "[xFirewall]Firewall2";
    RemotePort = { "8082", "8084" };
    Name = "NotePad++FirewallRule";
    Ensure = "Present";
    Protocol = "TCP";
    SourceInfo = "C:\\PowerShell\\DSC.ps1::28::9::xFirewall";
    Service = "WinRM";
    LocalPort = { "9086", "9085" };
    ModuleVersion = "2.1.1";
    ModuleName = "xNetworking";
    Profile = { "Domain", "Private" };
    Access = "Allow";
};

instance of OMI_ConfigurationDocument
{
    Version="1.0.0";
    Author="Mr. Hall";
    GenerationDate="06/12/2018 16:55:22";
    GenerationHost="MyComputer";
};
```
Now, this is great news. The .MOF file seems predictably easy to regenerate and, given the pattern above, I may be able to write a web server to generate the pattern above and have it pushed to a remote machine. I’ll give it a shot later this week and post the results. Things are looking pretty promising.
Some of the hurdles that had to be cleared were:
1: Adding Remote/Local Address to xFirewall.
2: Creating a web page to track and craft PowerShell scripts that then generate the MOF file.
3: Tracking the files, which are in GUID.mof format. We used the GUID of the AD computer object to track this.
Great source on this topic: https://blogs.technet.microsoft.com/heyscriptingguy/2016/01/22/conceptualize-desired-state-configuration-part-5/
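As an added example (not the post's own code), here is a data-driven form of the DSCFirewallRule configuration above that addresses the "generate on the fly" question and the GUID.mof tracking hurdle together: the rule sets live in ConfigurationData, one MOF is compiled per node, and each MOF is copied out under the node's GUID with a checksum beside it, which is the layout a DSC pull share expects. It assumes xNetworking 2.1.1 (the version recorded in the MOF above, where the property is still `Access` rather than the later `Action`); the node entries, GUIDs, rule values and the `PullShare` folder are constructed for the example, and in a real deployment the GUID would come from the AD computer object as the post describes (for instance `(Get-ADComputer $NodeName).ObjectGUID`, which needs the ActiveDirectory module and is not called here).

```powershell
# Added example, not from the original post. Requires xNetworking 2.1.1 in a
# PSModulePath folder, as in the post. Node names, GUIDs and ports are constructed.

Configuration DSCFirewallRules
{
    Import-DscResource -ModuleName xNetworking

    # One Node block per entry in $AllNodes; the rule list comes from that entry
    Node $AllNodes.NodeName
    {
        $i = 0
        foreach ($rule in $Node.FirewallRules)
        {
            $i++
            # Resource instance names must be unique per node, so use a counter
            xFirewall "FirewallRule$i"
            {
                Name        = $rule.Name
                DisplayName = $rule.DisplayName
                Description = $rule.DisplayName
                Ensure      = 'Present'
                Access      = $rule.Access      # 'Allow' or 'Block' in xNetworking 2.1.1
                Profile     = $rule.Profile
                Direction   = $rule.Direction
                Protocol    = $rule.Protocol
                LocalPort   = $rule.LocalPort
                RemotePort  = $rule.RemotePort
            }
        }
    }
}

# Constructed configuration data: one node with the two rules from the post.
# ConfigurationId is a constructed GUID; the post uses the AD computer object GUID here.
$ConfigurationData = @{
    AllNodes = @(
        @{
            NodeName        = 'localhost'
            ConfigurationId = '11111111-2222-3333-4444-555555555555'
            FirewallRules   = @(
                @{
                    Name        = 'NotePadFirewallRule'
                    DisplayName = 'Firewall Rule for Notepad.exe'
                    Access      = 'Block'
                    Profile     = ('Domain', 'Private')
                    Direction   = 'Outbound'
                    Protocol    = 'TCP'
                    LocalPort   = ('9080', '9081')
                    RemotePort  = ('8080', '8081')
                },
                @{
                    Name        = 'NotePadPlusPlusFirewallRule'
                    DisplayName = 'Firewall Rule for Notepad++.exe'
                    Access      = 'Allow'
                    Profile     = ('Domain', 'Private')
                    Direction   = 'Outbound'
                    Protocol    = 'TCP'
                    LocalPort   = ('9086', '9085')
                    RemotePort  = ('8082', '8084')
                }
            )
        }
    )
}

# Compile: produces <OutputPath>\<NodeName>.mof for every node in AllNodes
$outDir = Join-Path $PWD 'DSCFirewallRules'
DSCFirewallRules -ConfigurationData $ConfigurationData -OutputPath $outDir | Out-Null

# Stage for a pull share (constructed folder): <GUID>.mof plus <GUID>.mof.checksum.
# The checksum is what the LCM compares before it applies a configuration.
$pullDir = Join-Path $PWD 'PullShare'
New-Item -ItemType Directory -Path $pullDir -Force | Out-Null
foreach ($node in $ConfigurationData.AllNodes)
{
    $src = Join-Path $outDir "$($node.NodeName).mof"
    $dst = Join-Path $pullDir "$($node.ConfigurationId).mof"
    Copy-Item -Path $src -Destination $dst -Force
}
New-DscChecksum -ConfigurationPath $pullDir -Force

Get-ChildItem $pullDir   # shows <GUID>.mof and <GUID>.mof.checksum
```

Because the per-node rule list is plain data, the web page the post mentions only needs to emit this ConfigurationData structure (for example from a database of rules keyed by AD computer GUID) and call the compile step; the MOF format itself never has to be templated by hand. Keeping the compiled MOFs and checksums on an access-controlled share matters here, since whatever lands in `<GUID>.mof` is what the target's LCM will enforce.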