5 Replies Latest reply on Feb 20, 2015 5:02 PM by Don Gonzales

    Managing Windows firewall

    Don Gonzales

      Is there a way to manage and apply rules for the Windows firewall of servers managed with BSA?

        • 1. Re: Managing Windows firewall
          Joe Piotrowski

          Can you give a specific example of what you want to accomplish?

           

          I would look at using command lines to query the information you're looking for. For example you can run:

          netsh advfirewall firewall show rule name="HomeGroup In"

           

          Which returns:

          Rule Name:                            HomeGroup In
          ----------------------------------------------------------------------
          Enabled:                              No
          Direction:                            In
          Profiles:                             Private
          Grouping:                             HomeGroup
          LocalIP:                              Any
          RemoteIP:                             LocalSubnet
          Protocol:                             TCP
          LocalPort:                            3587
          RemotePort:                           Any
          Edge traversal:                       No
          Action:                               Allow

           

          In this example, in your Component Template, you could create a Local Configuration Object > Extended Object that runs that command on your target, parses the data into a Name/Value format, and you can do Compliance Rules against it.

           

          You could also create remediation BLPackages with commands to remediate your out of compliance targets as well.

           

          In my experience, security settings are frequently tied to registry keys, so it's possible you can leverage security settings or registry keys for rules or remediation. But I'm not sure if firewall rules leverage them or not.

          • 2. Re: Managing Windows firewall
            Don Gonzales

            Hi Joe,

             

            What I want to do is add an entry with the following rule:

             

            BMC Required Ports

            Local Port: 135, 139, 445, 4750

            Remote Port: All Ports

            Remote IP: 10.0.4.0/24

             

            Don

            • 3. Re: Managing Windows firewall
              Bill Robinson

              You'll need to write your own wrapper for this w/ PowerShell or netsh - there's no native functionality.  Once you have the EO worked out you can use that in a component template and do compliance on it.

               

               

              btw - once the agent is installed you don't need the windows share ports open.

              • 4. Re: Managing Windows firewall
                Joe Piotrowski

                Don, can you gather this information from a command line or a script? If so, we can create a compliance rule around it.

                • 5. Re: Managing Windows firewall
                  Don Gonzales

                  Hi Joe,

                   

                  Here it is...

                   

                  netsh advfirewall firewall show rule name="BMC Required Ports"

                  Rule Name:                            BMC Required Ports
                  ----------------------------------------------------------------------
                  Enabled:                              Yes
                  Direction:                            In
                  Profiles:                             Domain,Private,Public
                  Grouping:
                  LocalIP:                              Any
                  RemoteIP:                             10.0.4.0/24
                  Protocol:                             TCP
                  LocalPort:                            135,139,445,4750
                  RemotePort:                           Any
                  Edge traversal:                       No
                  Action:                               Allow

                  Ok.
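
The parsing and comparison step discussed in the thread (netsh output turned into Name/Value pairs, then checked against the rule requested in reply 2), as an added example that is not part of the original posts or of BSA itself. The helper names `ConvertFrom-NetshRule` and `Test-RuleCompliance` are hypothetical, the `Name=Value` output layout is an assumption, and the parser assumes English-language netsh output.

```powershell
# Constructed sample (output from reply 5). Live: $raw = netsh advfirewall firewall show rule name="BMC Required Ports"
$raw = @'
Rule Name:                            BMC Required Ports
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             10.0.4.0/24
Protocol:                             TCP
LocalPort:                            135,139,445,4750
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow
Ok.
'@ -split "`r?`n"

function ConvertFrom-NetshRule { param([string[]]$Lines)    # hypothetical helper name
    $rules = @()
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^:]+):\s*(.*)$') {   # first colon only; dashes and "Ok." are skipped
            $name, $value = $Matches[1].Trim(), $Matches[2].Trim()
            if ($name -eq 'Rule Name') { $rules += ,([ordered]@{}) }   # one name can match several rules
            if ($rules.Count) { $rules[-1][$name] = $value }
        }
    }
    return ,$rules
}

$expected = @{ Enabled='Yes'; Direction='In'; Action='Allow'; Protocol='TCP'   # values from replies 2 and 5
               RemoteIP='10.0.4.0/24'; RemotePort='Any'; LocalPort='135,139,445,4750' }

function Test-RuleCompliance { param($Rule, [hashtable]$Expected)   # hypothetical helper name
    $drift = @()
    foreach ($key in $Expected.Keys) {
        # Compare comma lists as sorted sets so "445,135" equals "135,445".
        $want = ($Expected[$key] -split ',' | ForEach-Object { $_.Trim() } | Sort-Object) -join ','
        $have = ("$($Rule[$key])" -split ',' | ForEach-Object { $_.Trim() } | Sort-Object) -join ','
        if ($want -ne $have) { $drift += "$key expected=[$want] actual=[$have]" }
    }
    return ,$drift
}

foreach ($rule in (ConvertFrom-NetshRule $raw)) {
    $rule.GetEnumerator() | ForEach-Object { '{0}={1}' -f $_.Key, $_.Value }   # Name/Value pairs
    $drift = Test-RuleCompliance $rule $expected
    if ($drift.Count) { "NONCOMPLIANT: $($drift -join '; ')" } else { 'COMPLIANT' }
}
```

If no rule with that name exists, the parser returns an empty list and the loop prints nothing, so a wrapper should treat empty output as out of compliance.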