Windows firewall inspector library question

(imported topic written by Don65)

Using BigFix version 6.0

It appears the Windows firewall inspector interrogates the following registry keys.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

We’re using group policy to enable / manage the Windows firewall. As a result, it appears the above local policy based registry keys do not accurately report on the state of the group policy managed Windows firewall.

Here are the group policy related keys that need to be interrogated.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile

Hoping someone knows of a group policy based inspector for the Windows firewall as our current firewall analysis would require a bit of rework to have it inspect all of the various group policy related registry keys / values for the Windows firewall.

Any thoughts or assistance would be greatly appreciated.

(imported comment written by BenKus)

Hey Don,

I believe our inspectors are not based on the reg keys but based on the Microsoft APIs… Are you saying that the domain profiles are not working with the inspectors or that they are working but you want to exclude the domain profile?

Ben

(imported comment written by Don65)

Hi Ben,

Essentially, standard firewall profiles are applied when you’re not connected to the domain and domain firewall profiles are applied when you are connected to the domain. The premise being that when I’m away from the office a more restrictive firewall profile can be applied as the risks are greater versus being in the office, behind the company firewall and having a less restrictive domain profile applied.

The above information doesn’t really have a bearing on the original question, however, wanted to provide some background.

There are two options for managing Standard and Domain profiles. The first option is via the local computer or local policy. This is not a desired approach as the management of the firewall is not centralized. The second approach involves using Group Policy to centrally manage the firewall.

In our scenario, group policy is managing the firewall, the firewall is enabled, however, the inspector is reporting the firewall as being disabled which is correct as the relevancy is querying local policy. However, local policy is not applicable as group policy is overriding the settings.

Q: firewall enabled of current profile of local policy of firewall

A: False

It appears the inspector is querying the two registry values below - then again, it could be an API call. If I change the values below to 1 the relevancy then reports back as True. Again, keep in mind these values have no effect as Group Policy is managing the firewall.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

"EnableFirewall"=dword:00000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

"EnableFirewall"=dword:00000000

The following registry values listed below control the firewall via Group Policy. Changing the values below from 1 to 0 doesn’t seem to affect the results reported back from the local policy inspector. Is there an inspector that reports on firewall settings that are managed by group policy?

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile

"EnableFirewall"=dword:00000001

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile

"EnableFirewall"=dword:00000001

Don
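As an added example (not from the thread or from BigFix), the following PowerShell reads the EnableFirewall value from both the Group Policy keys and the local SharedAccess keys Don lists and reports, per profile, which value is in effect, with the Group Policy value taking precedence whenever it is set. The function and property names are mine; a missing key or value is reported as not configured rather than guessed.

```powershell
# Added example: compare Group Policy and local-policy Windows Firewall settings
# per profile. Key paths are the ones quoted in the thread.
$profiles   = 'DomainProfile', 'StandardProfile'
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$localRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

function Get-EnableFirewallValue {
    param([string]$KeyPath)
    # Return the EnableFirewall DWORD, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $KeyPath -Name EnableFirewall -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.EnableFirewall
}

foreach ($profile in $profiles) {
    $policyValue = Get-EnableFirewallValue -KeyPath (Join-Path $policyRoot $profile)
    $localValue  = Get-EnableFirewallValue -KeyPath (Join-Path $localRoot  $profile)

    # Group Policy overrides the local setting whenever it defines the value,
    # which is why a local-policy-only check misreports a GP-managed firewall.
    if ($null -ne $policyValue) {
        $effective = $policyValue; $source = 'Group Policy'
    } elseif ($null -ne $localValue) {
        $effective = $localValue;  $source = 'Local policy'
    } else {
        $effective = $null;        $source = 'Not configured'
    }

    switch ($effective) {
        1       { $state = 'Enabled' }
        0       { $state = 'Disabled' }
        default { $state = 'Unknown' }
    }

    [pscustomobject]@{
        Profile   = $profile
        Policy    = $policyValue
        Local     = $localValue
        Effective = $state
        Source    = $source
    }
}
```

Run it on a GP-managed machine like Don's and the Policy column shows 1 while Local shows 0, making the discrepancy the local-policy inspector reports visible at a glance.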

(imported comment written by BenKus)

Hey Don,

What does this return on your system:

Q: firewall enabled of domain profile of local policy of firewall

Ben

(imported comment written by rmnetops91)

I had a similar issue.

In my case, my check was looking for machines where the firewall is in the OFF state, regardless of whether it’s using domain profile, local profile, group policy controlled, or locally controlled. I wanted to identify any machines that do not have any form of Windows firewall in the ON state.

Here is what I came up with:

firewall enabled of standard profile of local policy of firewall = false AND firewall enabled of domain profile of local policy of firewall = false