Windows Firewall is a personal host-based firewall included in the Windows Server 2003 and Windows XP Service Pack 2 (SP2) OSs. You can use Netsh to audit Windows Firewall configurations by enumerating configured exceptions (aka firewall rules) on users' computers. But before I show you how to perform this type of audit, let's look at when you might want to do so.
Special Rules for Special Users
Windows Firewall is popular because it's free and you can centrally manage it with Group Policy. Windows Firewall supports two profiles. The OS uses the domain profile when the computer is connected to the company's network (assuming the company has a domain) and the standard profile when the computer is connected to any other network. Generally, administrators configure the domain profile with broader access rules and lock down the standard profile.
Some power users or users who routinely connect to other networks might require custom access levels, which usually means more open ports or allowed applications in the firewall. You might be able to create a Group Policy Object (GPO) permitting these custom access levels if your company is small or if relatively few users need them. However, many companies don't have the technical or political capability to keep every remote computer locked down by using centrally managed rules and might concede to giving certain users administrative privileges so that those users can create their own exceptions. For example, suppose some developers need to demonstrate Web projects or other network services at clients' sites. These developers might be given the privileges they need to manage their own rules so they can allow the clients' computers to connect to a Web service hosted on their laptops. This situation happens more frequently than you might think. If your business requires this flexibility, you can use Netsh to tailor your security process to accommodate this concession and audit the firewall rules that these users create.
Getting Started
Netsh is a command-line tool that you can use to perform many network configuration tasks. You access its primary functions through contexts. A context is a group of commands specific to a networking component, such as DHCP, RAS, or WINS. In Windows 2003 SP1 and XP SP2, Netsh added the firewall context for inspecting and configuring Windows Firewall.
To run Netsh interactively, type
netsh
at a command prompt. To enter the firewall context, type
firewall
From here you can execute firewall-specific commands. For example, you can type
show state
to see the computer's firewall status. At any point, you can type
/?
for help or type
..
to return to the previous level. (This tool is hierarchical in nature.)
Typing one command at a time is great if you're exploring the tool's capabilities or you want to manually gather network configuration data from a computer. However, when you're automating Netsh through a script or scheduled job, it's expedient to chain your commands together. For example, at the command prompt, you can type
netsh firewall show state
which will run Netsh and output the firewall's state to the console. However, you'll return to the command prompt instead of remaining in the Netsh UI.
The Netsh firewall context runs locally, which means that you must run the Netsh command on the computer that you want to audit. If you want to inspect or configure the firewall on a remote computer, you need to enable a remote access protocol (e.g., RDP) for a terminal services session or Telnet session and run these commands ad hoc. Alternatively, you can configure a computer startup script or user logon script to run the commands whenever a computer starts up or a user logs on. (Later, I'll show you how to use a logon script to check the configuration of workstations and save the configuration information in a central location.) If you use management software such as Microsoft Systems Management Server (SMS) or LANDesk Software's LANDesk, you can configure a job to regularly run Netsh on remote computers.
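As an added example (not from the article), here is a logon script of the kind just described: it chains Netsh commands the way "netsh firewall show state" does and appends the output to a per-computer file on a central share. The share path \\auditsrv\fwaudit$ is a placeholder, and "show config", "show allowedprogram" and "show portopening" are further subcommands of the firewall context that the article does not show.

```batch
@echo off
rem fwaudit.cmd - logon script that records the Windows Firewall configuration
rem of the workstation on a central share for later review (added example).
setlocal

rem Placeholder share; grant users write-only (drop-box) access so one user
rem cannot read another computer's firewall rules from the share.
set AUDITSHARE=\\auditsrv\fwaudit$
set OUTFILE=%AUDITSHARE%\%COMPUTERNAME%.txt

rem Never block the logon: if the share is unreachable, exit quietly.
if not exist "%AUDITSHARE%\" goto :eof

rem Header so that successive runs can be told apart in the same file.
echo ===== %DATE% %TIME% computer=%COMPUTERNAME% user=%USERNAME% ===== >> "%OUTFILE%"

rem Overall on/off state and active profile (domain vs. standard).
echo --- netsh firewall show state --- >> "%OUTFILE%"
netsh firewall show state >> "%OUTFILE%" 2>&1

rem Full configuration, including which profile is current.
echo --- netsh firewall show config --- >> "%OUTFILE%"
netsh firewall show config >> "%OUTFILE%" 2>&1

rem The exceptions an administrative user may have added locally:
rem allowed programs and opened ports, for both profiles.
echo --- netsh firewall show allowedprogram --- >> "%OUTFILE%"
netsh firewall show allowedprogram >> "%OUTFILE%" 2>&1
echo --- netsh firewall show portopening --- >> "%OUTFILE%"
netsh firewall show portopening >> "%OUTFILE%" 2>&1

echo. >> "%OUTFILE%"
endlocal
```

Comparing each new run's exception list against the previous one (or against the GPO-defined baseline) is what turns this collected output into an audit; a rule that appears only on one laptop is the one to ask its owner about.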