Is this relevance correct to check if win10 firewall rules are enabled?

ceez 2022-12-30 18:08:52 UTC #1

Hey bigfix pros…

We have a fixlet that enables the following Win10 domain firewall inbound rules:

“File and Printer Sharing (SMB-In)”
“Remote Event Log Management (NP-In)”
“Remote Event Log Management (RPC)”
“Remote Event Log Management (RPC-EPMAP)”

I need a relevance to go with it since we continue to see all the Win10 computers come up as applicable.

Can someone let me know if this relevance statement would work:?

file exists "windows\system32\netsh.exe"
and ((not (netsh advfirewall firewall show rule name=“File and Printer Sharing (SMB-In)” profile=Domain | find “Enabled”))
or (not (netsh advfirewall firewall show rule name=“Remote Event Log Management (NP-In)” profile=Domain | find “Enabled”))
or (not (netsh advfirewall firewall show rule name=“Remote Event Log Management (RPC)” profile=Domain | find “Enabled”))
or (not (netsh advfirewall firewall show rule name=“Remote Event Log Management (RPC-EPMAP)” profile=Domain | find “Enabled”)))

Thanks!

vk.khurava 2023-01-01 13:51:16 UTC #2

No, this will not work ! you are trying to run CMD based parameter in relevance which is invalid.

You can try below relevance statement & expand it using OR to add more.

Q: rule group currently enabled "File and Printer Sharing" of firewall 
A: False
T: 267.615 ms

Q: rule group currently enabled "Remote Desktop" of firewall
A: True
T: 146.144 ms

Q: rule group currently enabled "Remote Desktop" of firewall OR rule group currently enabled "File and Printer Sharing" of firewall
A: True
T: 270.250 ms

Below Link might help with more analysis -
https://www.bigfix.me/analysis/details/2997974?force=true

Related Fixlet -
https://bigfix.me/fixlet/details/3974

ceez 2023-01-03 17:18:36 UTC #3

Thanks for that info, unfortunately I am not versed in the language and trying to put this together.

I think I can get what I want using the link you shared here https://bigfix.me/fixlet/details/3974

for last relevance how can I change it to check all 4 DOMAIN firewall inbound rules:

“File and Printer Sharing (SMB-In)”
“Remote Event Log Management (NP-In)”
“Remote Event Log Management (RPC)”
“Remote Event Log Management (RPC-EPMAP)”

The example they use is

not rule group currently enabled “Remote Desktop” of firewall

and I can replace Remote Desktop with a single service name such as

not rule group currently enabled “File and Printer Sharing (SMB-In)” of firewall

vk.khurava 2023-01-04 05:16:44 UTC #4

yes, see below -

Q: not rule group currently enabled "File and Printer Sharing (SMB-In)" of firewall OR not rule group currently enabled "Remote Event Log Management (NP-In)" of firewall OR not rule group currently enabled "Remote Event Log Management (RPC)" of firewall OR not rule group currently enabled "Remote Event Log Management (RPC-EPMAP)" of firewall
A: True
T: 202.715 ms