Saturday, January 02, 2010

Opening Ports in Windows Firewall from Batch files

All of our systems run a single application/service that is auto-(re)-installed from a user login event script.

No biggie.  It’s kinda overkill but it is a critical application that could be deleted accidentally.

It does require that we add some Windows Firewall port exceptions for custom IP addresses so it can have a clear shot through the Windows Firewall if the user accidentally or purposefully (say, our laptop users) enables the firewall.

All of my own built system images for some time have had the custom port opening rules added in by default.

However, some older systems didn’t deploy with my image and didn’t have the port configured by default.  Since we are not an AD shop, it has meant going, upon request, to the users’ systems, verifying the application/service is running correctly, and then manually going into the Windows Firewall GUI to set the open port rule and custom scope.

Usually it’s not a big deal but sometimes it can be as it is disruptive to an end-user when we drop in and start suddenly adding Firewall port rules/exceptions to the system from the GUI.  Some end users are fairly PC savvy and it can generate some raised eyebrows and questions that add more time to the service job.

Recently I had completed another such assignment and wondered if I could just skip all the drama of having someone watch me set custom Windows Firewall port rules.  Maybe I could just make a silent-running and innocuous batch file that could quietly do all the work for me in the background while I focused on checking other system things.

Sure enough…I could…and it’s pretty easy as well.

GUI-based Windows Firewall Port Exceptions

Some applications and services need to be able to get out through the firewall.  Sometimes “mothership” applications need to signal down to the client-side application/service.  Firewalls work to prevent those communications.

However if the communications inbound/outbound are legitimate and mission-critical, you need to open up a hole to talk-through.

Normally opening a hole in your security wall is dangerous as maybe someone unwanted could sneak in.  Windows uses communication “holes” called ports.  Actually I guess they are more like “channels” or frequencies rather than ports (windows) on the side of a ship.  Certain programs and services only talk on certain ports/channels.  Generally the firewall locks these down so the call can’t go through.  However, these can be opened up so that anyone/anything could talk on that port.

Sites like GRC | ShieldsUP! or McAfee’s Test Your Firewall, or SecurityMetrics Free Port Scan or PC Flanks can be used for free to test your system for open ports.

But what if you don’t want to leave a port open to everyone, even though you need it open?  You can then set one more level of protection on your port by setting a custom rule to only allow traffic of a certain type and/or from a trusted IP address (or range) to flow through.

Firewalls are great but they can interfere with applications, games, and other communications from trusted programs that by design need to reach the network/Internet. 

Luckily Windows XP and higher does allow you to set these kinds of special exceptions.  For most folks using the GUI method is simple enough and easy to do.

Unlike an exception, which is only open during the time that it is needed, a port stays open all the time, so be sure to close ports that you don't need anymore.

  1. Open Windows Firewall by clicking the Start button, clicking Control Panel, clicking Security, and then clicking Windows Firewall.

  2. Click Allow a program through Windows Firewall.  If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

  3. Click Add port.

  4. In the Name box, type a name that will help you remember what the port is used for.

  5. In the Port number box, type the port number.

  6. Click TCP or UDP, depending on the protocol.

  7. To change scope for the port, click Change scope, and then click the option that you want to use. ("Scope" refers to the set of computers that can use this port opening.)

Which works just fine but takes a while to click through, enter the correct values (assuming you still remember them), and isn’t very discreet, particularly if the rule name sounds suspicious.

But a silent-running batch-file now that would be quick, surgical, and endoscopic.

I did find that Gammadyne’s Free DOS Utilities offers a free command-line tool FIREWALL.EXE for adding exceptions to the Windows Firewall but it wasn’t quite as granular as I was looking for.

Luckily, Windows XP (and a more advanced one in Vista/Windows 7) does contain just the command-line tool I needed.

NETSH to the CLI Firewall configuring rescue!

It didn’t take me too much effort to find the NETSH command and the wonderful tricks it could do:

These were great and gave me the basics that I needed to see my goal was possible to accomplish.

Then I found Penn State U’s fantastic page How To Add Programs and Ports to Windows XP SP2 Firewall Exceptions List. Not only did it have some basics, but it also had an unpackable collection of batch files tailor-made for configuring Windows Firewall rules with these techniques, including both prompted and silent-running batch files with netsh commands.  It provides some great examples to use as starting points.

In the end, the heart of my own custom Windows XP Firewall batch file will contain a line like this:

netsh firewall add portopening protocol=TCP port=<my target port #> name=OPRule_<port#> mode=ENABLE scope=CUSTOM addresses=<ip address #1,ip address #2> profile=ALL

where <my target port #> is the specific one that our application/service communicates through, and where <ip address #1,ip address #2> are the specific IP addresses used by the “mothership” application, which will be the only ones allowed to send requests to the local client application through that specific port.

NETSH CLI References

The links above were great but they didn’t really help me understand and add the details like “ALL”, which sets the Windows Firewall port exception rule for all profiles on the system.  Nor did they help me with the “CUSTOM” argument to detail which IPs I needed to open up when setting the rule.  While the examples found showed how to open up a port number, they didn’t deal with restricting the port to only the specific IP ranges that I wanted to allow.

For those details I had to turn to these wonderful resources.

In my case specifically this portion (though the Appendix is rich with Netsh CLI goodness) is what I was interested in.

add portopening

Used to create a port-based exception.


Note Some parts of the following code snippet have been displayed in multiple lines only for better readability. These should be entered in a single line.

add portopening
[ protocol = ] TCP|UDP|ALL    
[ port = ] 1-65535    
[ name = ] name    
[ [ mode = ] ENABLE|DISABLE       
    [ scope = ] ALL|SUBNET|CUSTOM      
    [ addresses = ] addresses      
    [ profile = ] CURRENT|DOMAIN|STANDARD|ALL      
    [ interface = ] name ] 
Adds firewall port configuration. 
protocol - Port protocol.    
    TCP  - Transmission Control Protocol (TCP).    
    UDP  - User Datagram Protocol (UDP).    
    ALL  - All protocols. 
port - Port number. 
name - Port name. 
mode - Port mode (optional).    
    ENABLE  - Allow through firewall (default).    
    DISABLE - Do not allow through firewall. 
scope - Port scope (optional).    
    ALL    - Allow all traffic through firewall (default).    
    SUBNET - Allow only local network (subnet) traffic through firewall.
    CUSTOM - Allow only specified traffic through firewall. 
addresses - Custom scope addresses (optional). 
profile   - Configuration profile (optional).    
    CURRENT  - Current profile (default).    
    DOMAIN   - Domain profile.    
    STANDARD - Standard profile.    
    ALL      - All profiles. 
interface - Interface name (optional). 
Remarks:
    'profile' and 'interface' may not be specified together.
    'scope' and 'interface' may not be specified together.
    'scope' must be 'CUSTOM' to specify 'addresses'.
Examples:
     add portopening TCP 80 MyWebPort    
     add portopening UDP 500 IKE ENABLE ALL    
     add portopening ALL 53 DNS ENABLE CUSTOM,, 0.0.0,LocalSubnet    
     add portopening protocol = TCP port = 80 name = MyWebPort    
     add portopening protocol = UDP port = 500 name = IKE mode = ENABLE scope = ALL    
     add portopening protocol = ALL port = 53 name = DNS mode = ENABLE scope = CUSTOM addresses =,,,LocalSubnet

You can also use “netsh set portopening” to modify an existing port rule or “netsh delete portopening” to remove one from a batch-file or command line.

NETSH in Vista/Windows 7

Netsh is still present in Vista/Windows 7 but advances in the Windows Firewall design have demanded it be expanded to keep with the times.

In XP, you have to call the “netsh firewall” context when placing your add or set or delete portopening commands and arguments (along with all the other firewall-specific supported netsh commands). 

In Vista and Windows 7 that changes: you now need the "netsh advfirewall firewall" context to control Windows Firewall behavior.
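As an added example (not code from this post or from the Penn State collection), here is one silent-running batch file that covers both contexts described above: it applies the custom-scope port exception with netsh firewall on XP and with netsh advfirewall firewall on Vista/Windows 7, skips the add if the rule already exists, and logs the result instead of printing anything to the user’s console.  The port, rule name and trusted addresses are placeholders, and on Vista/7 it must be run from an elevated prompt.

```batch
@echo off
REM Added example, not from the original post. Placeholders below: replace
REM PORT and TRUSTED with the real port and the "mothership" addresses.
setlocal
set PORT=12345
set RULENAME=OPRule_%PORT%
set TRUSTED=192.0.2.10,192.0.2.11
set LOG=%TEMP%\%RULENAME%.log

REM Pick the netsh context from the kernel major version:
REM "ver" prints "... [Version 5.1.2600]" on XP, "... [Version 6.1.7600]" on 7.
for /f "tokens=2 delims=[]" %%v in ('ver') do set VERSTR=%%v
for /f "tokens=2 delims=. " %%m in ("%VERSTR%") do set MAJOR=%%m
if "%MAJOR%"=="5" goto xp
goto advfirewall

:xp
REM Tagged arguments avoid positional mix-ups (mode, scope, addresses, profile
REM is the positional order); scope must be CUSTOM for addresses to be accepted.
netsh firewall show portopening | find "%RULENAME%" >nul && goto verify
netsh firewall add portopening protocol=TCP port=%PORT% name=%RULENAME% mode=ENABLE scope=CUSTOM addresses=%TRUSTED% profile=ALL >>"%LOG%" 2>&1
goto verify

:advfirewall
REM Same exception in the Vista/7 context: inbound TCP on PORT, allowed only
REM from the trusted addresses, for every profile. Needs an elevated prompt.
netsh advfirewall firewall show rule name="%RULENAME%" | find "Rule Name:" >nul && goto verify
netsh advfirewall firewall add rule name="%RULENAME%" dir=in action=allow protocol=TCP localport=%PORT% remoteip=%TRUSTED% profile=any >>"%LOG%" 2>&1

:verify
REM Confirm the rule is present and leave a dated record for the technician.
if "%MAJOR%"=="5" (
    netsh firewall show portopening | find "%RULENAME%" >nul
) else (
    netsh advfirewall firewall show rule name="%RULENAME%" | find "Rule Name:" >nul
)
if errorlevel 1 (
    echo %DATE% %TIME% rule %RULENAME% NOT present >>"%LOG%"
) else (
    echo %DATE% %TIME% rule %RULENAME% present >>"%LOG%"
)
endlocal
```

Because the rule is scoped to the trusted addresses, the port is not opened to the whole Internet, which is the point of the CUSTOM scope (XP) and remoteip (Vista/7) arguments rather than a plain port opening.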

  • How to use the "netsh advfirewall firewall" context instead of the "netsh firewall" context to control Windows Firewall behavior in Windows Server 2008 and in Windows Vista – Microsoft Help and Support Article ID: 947709.

    The netsh advfirewall firewall command-line context is available in Windows Server 2008 and in Windows Vista. This context provides the functionality for controlling Windows Firewall behavior that was provided by the netsh firewall context in earlier Windows operating systems.

    This context also provides functionality for more precise control of firewall rules. These rules include the following per-profile settings:

      The netsh firewall command-line context might be deprecated in a future version of the Windows operating system. We recommend that you use the netsh advfirewall firewall context to control firewall behavior.

      Note The netsh firewall command line is not recommended for use in Windows Vista.

    And then there is this…

    • Netsh Commands for Windows Firewall with Advanced Security – Microsoft TechNet.

      Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

      Netsh advfirewall is a command-line tool for Windows Firewall with Advanced Security that helps with the creation, administration, and monitoring of Windows Firewall and IPsec settings and provides an alternative to console-based management. This can be useful in the following situations:

      When deploying Windows Firewall with Advanced Security settings to computers on a wide area network (WAN), commands can be used interactively at the Netsh command prompt to provide better performance than graphical utilities when used across slow-speed network links.

      When deploying Windows Firewall with Advanced Security settings to a large number of computers, commands can be used in batch mode at the Netsh command prompt to help script and automate recurring administrative tasks that must be performed.

      You must have the required permissions to run the netsh advfirewall commands:

      If you are a member of the Administrators group, and User Account Control is enabled on your computer, then run the commands from a command prompt with elevated permissions. To start a command prompt with elevated permissions, find the icon or Start menu entry that you use to start a command prompt session, right-click it, and then click Run as administrator.

    From there (at least in my specific need) you then need to move on to either the

    or the

    Good stuff all the way round.

    Can’t wait to start deploying…

    Claus V.
