Firewall management in Server Core, Part 2
A little while ago I showed how to manage the basic firewall in Windows Server 2008. Recently I found out the firewall team wants us to move to the Advanced Firewall commands, because netsh firewall can't:
- enable groups of rules;
- create rules for services;
- create rules that support multiple filtering criteria.
Although netsh firewall will get you a long way, I feel it's my responsibility to show you the equivalent advfirewall commands and some other neat tricks you can do when in the advfirewall context of netsh.
If your goal is to simply bump off the Windows Firewall in Server Core I suggest you stick to Part 1, because it will show you how to do that in shorter command lines, saving you the trouble of thinking altogether...
Using Netsh advfirewall
The advfirewall context of the Netsh command is pretty basic, but might seem very complicated when you're not used to it. David Davies did an excellent job of setting the basic (root), firewall, monitor and consec contexts apart from the dump, export, help, import, reset and show commands. To put it bluntly: firewall, monitor and consec are sort of subfolders, whereas the latter six are commands that you can readily use in the root context of advfirewall (which itself is a context within netsh, I know).
The root context and its commands
As described earlier the root context (being netsh advfirewall) has six commands.
The Dump command allows you to make a configuration script. In the case of fat fingers or typos this script will allow you to recover to the situation when you made the dump. It's kind of snapshotting your configuration. In Server Core however this command does not seem to work...
- Export & Import
With the Export command you can export the firewall configuration (in Windows Firewall terms: the policy) to a file. The Import command allows you to use this file to import the policy. These two commands allow you to copy and paste firewall policies between different Windows boxes. This is not limited to Windows Server 2008: you can import them into Windows Vista as well, and vice versa. Let me explain these two commands with two examples:
- To export a working configuration simply type:
netsh advfirewall export C:\firewallconfiguration.wfw
- To import a firewall configuration from a file that you made using the export command, use the following line of code:
netsh advfirewall import C:\firewallconfiguration.wfw
It's so simple you could make a servicedesk employee do it... Perhaps it's only good advice to make this person restart the firewall service after importing the configuration, just to be sure. Restart the Windows Firewall using the following commands:
sc stop MpsSvc
sc start MpsSvc
The Reset command is very powerful. It allows you to reset the Windows Firewall configuration to default (in Microsoft terms: out-of-box). In Server Core installations this means enabled and totally locked down, safe and sound.
The Show command proved to be my best friend. With the Graphical User Interface missing it might be hard to actually come up with a full picture of all the profiles and the global settings. The Show command can show you this information. All you need to do is type one of these commands:
netsh advfirewall show allprofiles
or
netsh advfirewall show *profile
Where you can replace * with current, domain, private or public to show basic information on the profiles and the firewall configuration associated with the profile.
netsh advfirewall show global
Which will show you the global settings for all profiles, mainly focusing on IPSec related settings like CRL checking behavior and key life time.
netsh advfirewall show store
Which will show you the settings for the policy store for the current interactive session.
The Help command is basically the technical drilldown of the contents of this blogpost. It will show you far more commands and options than shown here. Please note that you can always place a question mark (after a space) after a command to get interactive help.
The firewall context and its commands
You can change from the root context (netsh advfirewall) to the firewall context (netsh advfirewall firewall) by typing firewall. The firewall context allows you to manage the rules-based firewall part of the Windows Firewall.
By default the Windows (Advanced) Firewall allows all (interactive) outbound connections and blocks most inbound connections (except for some core exceptions) as described in this Powerpoint presentation by Steve Riley. The approach to opening up the firewall is to allow inbound traffic piece by piece and block outbound traffic piece by piece.
The firewall context offers the following commands:
- Add rule
Adding firewall rules can be done with the Add command. In contrast with adding rules in the 'normal' firewall context (I mean: netsh firewall) you can literally dream up any rule you'd like using filtering criteria like localport, remoteport, rmtcomputergrp, rmtusrgrp and dir(ection). This goes way beyond the possibilities of the normal firewall context!
Fortunately enough most of these criteria and properties are set to a convenient default, so you don't have to type every criterion every time you make a rule.
Let's examine the firewall exceptions we've made in Part 1 of this series and see whether we can add some interesting filtering criteria:
- Enabling Service exceptions with a twist of lemon
Enabling a service to communicate with the outside world is possible within the normal firewall context. Enabling it in a domain isolation environment is something else, but can be easily achieved using the following command (typed on one line):
netsh advfirewall firewall add rule name="RC DomComputers" service=RemoteAdmin dir=in action=allow remoteip=localsubnet
- Opening up specific ports with a bit of pepper
Opening up a specific port is easy, but when coping with difficult network traffic protected by security-by-obscurity you might need to rely on the advfirewall. To open up your firewall for a TCP port to receive traffic from a range of TCP ports on the remote side use the following command:
netsh advfirewall firewall add rule name="Obscure Traffic" protocol=TCP dir=in action=allow localport=2600 remoteport=9000-9100
- Allowing specific programs with a sidedish of preciseness
Making a rule that allows a specific program without enabling the rule just yet might be useful in situations where you need to rely on on-site persons but need to ship the server pre-configured. To make this specific rule for a specific program type:
netsh advfirewall firewall add rule name="DisabledRule" program="FullPathtoExecutable" dir=out action=allow enable=no
- Delete rule
Making rules for the firewall is pretty useless if you can't delete them when you're done with them. This is where the Delete command comes into play. Deleting rules is its game. To delete one of the previously made (but disabled) rules simply type:
netsh advfirewall firewall delete rule name="DisabledRule"
- Set rule
Instead of deleting and manually recreating rules whenever you need to change the specifics of a rule or make a typo you can use the Set command. I find this command brilliant because of its simplicity. All you need to do is retype the statement you used to make the rule, replace add with set and type new in front of the property you want to change. Everything before new selects the rule to change; everything after new is written to the rule as its new value. For instance:
netsh advfirewall firewall set rule name="Obscure Traffic" protocol=TCP new dir=out localport=2600 remoteport=9000-9100
- Show rule
This command outputs the configuration of the rules-based firewall part of the Windows Firewall. You can easily check your configuration and configuration changes with this command.
The Help command can help you get on your way.
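The Export, Import, Add rule and Show rule commands described above combine into a change with a rollback path. The batch file below is an added example, not part of the original post; the backup folder C:\fwbackup and the added remoteip=localsubnet restriction are assumptions, and the rule name and ports are the constructed "Obscure Traffic" values used earlier.

```batch
@echo off
rem Added example: apply one firewall rule change with a backup and rollback.
rem Assumed values: backup folder C:\fwbackup, rule "Obscure Traffic" (constructed).
setlocal
set "BACKUP_DIR=C:\fwbackup"
set "BACKUP=%BACKUP_DIR%\before-change.wfw"
set "RULE=Obscure Traffic"

if not exist "%BACKUP_DIR%" mkdir "%BACKUP_DIR%"
rem Remove any older backup so the file we test for is from this run.
if exist "%BACKUP%" del "%BACKUP%"

rem Step 1: snapshot the complete policy before touching anything.
netsh advfirewall export "%BACKUP%" >nul
if not exist "%BACKUP%" (
    echo Export failed, leaving the firewall untouched.
    exit /b 1
)

rem Step 2: make the change repeatable by removing an earlier copy of the rule.
rem "No rules match" is expected on the first run, so the result is ignored.
netsh advfirewall firewall delete rule name="%RULE%" >nul 2>&1

rem Step 3: add the rule; name, dir and action are mandatory, the rest narrows it.
netsh advfirewall firewall add rule name="%RULE%" dir=in action=allow ^
    protocol=TCP localport=2600 remoteport=9000-9100 remoteip=localsubnet
if errorlevel 1 goto rollback

rem Step 4: verify that the rule is really present and print it for review.
netsh advfirewall firewall show rule name="%RULE%"
if errorlevel 1 goto rollback

echo Rule in place. Backup kept at %BACKUP%
exit /b 0

:rollback
rem Import replaces the whole current policy with the exported one.
echo Change failed, restoring %BACKUP%
netsh advfirewall import "%BACKUP%"
exit /b 1
```

Because import overwrites the entire policy, keep the backup file until the new rule has been confirmed to work from a remote machine.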
The consec context and its commands
The ConSec context basically controls the IP Security (or IPSec) part of the Windows Firewall. In case you don't have a clue what I'm talking about: IPSec is a method to encrypt data between hosts. (More info here) This is also rules-based and the commands for this context are close relatives to the commands for the firewall context:
- Add rule
Adding a new connection security rule can be done using the Add command.
For instance, to create a connection security rule for domain isolation using default values you can type:
netsh advfirewall consec add rule name="Domain Isolation" endpoint1=any endpoint2=any action=requireinrequestout
This will result in an IPSec configuration where the server asks for (requests) encryption when sending IP traffic and requires (demands) incoming IP traffic to be encrypted.
- Set rule
Instead of deleting and manually recreating connection security rules whenever you need to change the properties of a rule or make a typo you can use the Set command. Let me illustrate this with two examples:
- To rename the previously typed rule from Domain Isolation to Domain Default IPSec Policy you can type the following command:
netsh advfirewall consec set rule name="Domain Isolation" new name="Domain Default IPSec Policy"
- To change the policy of the previously typed rule to make it request IP Security both inbound and outbound you can type:
netsh advfirewall consec set rule name="Domain Default IPSec Policy" endpoint1=any endpoint2=any new action=requestinrequestout
- Delete rule
Making connection security rules is pretty useless if you can't delete them when you're done with them. This is where the Delete command comes into play. To delete the previous rule (using the name it was given by the rename above) you can simply type:
netsh advfirewall consec delete rule name="Domain Default IPSec Policy"
- Show rule
This command outputs the connection security rules within the Windows Firewall. You can easily check your configuration and configuration changes with this command. To show all your IPSec rules simply type:
netsh advfirewall consec show rule name=all
While this is really helpful, it also comes with a little handicap: You can't name any of your consec rules "All", but I guess you weren't going to do that anyway...
The Help command is basically your next step in discovering the power of the netsh advfirewall consec commands. The above examples don't come close to everything you can actually accomplish with the commands.
The monitor context and its commands
To complete the IPSec integration, the netsh command line tool offers monitoring of Security Associations. Security Associations (SAs), as Wikipedia puts it, are secured connections between network hosts. From the point of view of your Server Core box the Security Associations are the computers your box talks to in a secure manner (using IPSec).
The context offers two commands:
- Show mmsa
The show mmsa command is the equivalent of the Main Mode folder in the Windows Firewall with Advanced Security Console (MMC) on full installations of Windows Server 2008. It shows all the Main Mode Security Associations (SAs), which means you find information on the endpoints of IPSec tunnels connected to your Server Core box.
- Show qmsa
The show qmsa command on the other hand is the equivalent of the Quick Mode folder in the Windows Firewall with Advanced Security Console (MMC). It shows information on the endpoints from an IPSec transport point of view.
You can use these commands to view all Security Associations of a specific type (mmsa or qmsa) followed by a specific endpoint (IPv4 or IPv6 address) or all.
When not utilizing IPSec or Domain Isolation this might not be a big thing to you, but if you are using it you can get some real good (troubleshooting) information here.
While using netsh advfirewall it becomes clear that three distinct tools from Windows Server 2003 found a home in the new Windows Firewall. First of all there is a new rules-based firewall which has pieces of Internet Security and Acceleration (ISA) Server thrown in (mind you: ISA Server 2000-style, no ISA Server 2004/2006 rule ordering stuff). There are also the IPSec capabilities which were previously housed in the IPSec Management Consoles. Last but not least there's a nice little command line driven utility stashed away in the Monitor context to peek at Security Associations (SAs).
Netsh advfirewall is a great set of tools and certainly deserves the central place the Windows Security Team wants it to have. Even if you're only going to use the firewall context and only going to make simple rules (by which I mean: no SDDL stuff) you'd see the benefit of using netsh advfirewall over netsh firewall.