Firewall management in Server Core, Part 1

In Server Core installations of Windows Server 2008 the Windows Firewall is enabled by default. This means it’s locked up by default and offers little weakness towards unfriendly administrators and users. When you want to do something with your Server Core box you might want to open up the Windows Firewall a little bit to allow certain types of traffic.

 

From the console

First let’s look at managing the Windows Firewall from the Console of your Server Core box.

Disabling the firewall

To completely disable the firewall you can use the following commandline command straight from the console of your Server Core box:

netsh firewall set opmode disable

I should point out you should avoid using this command because it eliminates the firewall as a security measure completely, which is a bad thing. Temporarily disabling the firewall might be useful to troubleshoot network connectivity though. The command to enable the firewall after you successfully troubleshooted the problem is:

netsh firewall set opmode enable

Opening up the firewall

There are three ways to open up the Windows Firewall from the console of your Server Core box, without compromising the security of the system all together. You can:

  1. Enable specific services
  2. Open specific ports or specific port ranges
  3. Allow specific programs

To enable service exceptions

The Windows Firewall in a Server Core installation of Windows Server 2008 comes with a couple of default firewall exceptions. You can enable these exception to allow specific types of traffic through the firewall. For example, to allow File and Printer Sharing you can run the following command:

netsh firewall set service fileandprint

If at any point you need help with the set service command just type netsh firewall set service which will show you some help. Extra command line switches may allow you to specify another firewall profile and/or specify a firewall scope. (all, subnet or custom)

To open specific ports

If your situation demands you open up specific ports to allow incoming traffic through your firewall you can add specific port openings in your firewall. You can specify whether the traffic is UDP or TCP, which port number you’d like to open and which name you’d like to give your portopening, like this:

netsh firewall set portopening protocol=TCP | UDP port=PortnumberHere name=AnyNameHere

If at any point you need help with the set service command just type netsh firewall set portopening which will show you some help. Extra command line switches may allow you to specify another firewall profile and/or specify a firewall scope. (all, subnet or custom)

To allow specific programs

Another way to open up the firewall is to allow specific programs to communicate with the outside world. The Windows Firewall will allow any traffic to the executables you specify. Again you can also specify a name for the rule. Use this command to allow specific programs:

netsh firewall set allowedprogram program=FullPathToExecutable name=AnyNameHere

If at any point you need help with the set service command just type netsh firewall set allowedprogram which will show you some help. Extra command line switches may allow you to specify another firewall profile and/or specify a firewall scope (all, subnet or custom)

Using Advanced Firewall commands

Alternatively you can use the spanking new Advanced Firewall, which enables you to control incoming as well as outgoing traffic, allows you to edit the firewall configuration in offline mode, (so you can change the settings, without committing any changes yet) monitor connections and import/export your firewall configuration.

There’s a nice webpage with more information on the Advanced Firewall functionality here. It shows you how to change settings through the commandline and how to change them using Group Policies.

 

Through Group Policy

Another way to manage the Windows Firewall on your Server Core box is to use Group Policy Objects. You can edit the local group policy of your Server Core box from a remote Windows box, which is useful if you want to set the settings in a graphical user interface for small amounts of Server Core boxes.

Alternatively you may harness the power of Active Directory, to change the settings on loads of Windows Server 2008 (Server Core) boxes automatically and without loads of administrative effort.

The settings for Windows Firewall are located in the WindowsFirewall.admx Administrative Template are located in the Computer Configuration part of the policy. The template includes the following settings for both the Standard Profile and the Domain Profile:

  • Allow Authenticated IPSec Bypass
  • Allow ICMP exceptions
  • Allow inbound file and printer sharing exception
  • Allow inbound remote administration exception
  • Allow inbound Remote Desktop exceptions
  • Allow inbound UPnP framework exceptions
  • Allow local port exceptions
  • Allow local program exceptions
  • Allow logging
  • Define inbound port exceptions
  • Define inbound program exceptions
  • Do not allow exceptions
  • Prohibit notifications
  • Prohibit unicast response to multicast or broadcast requests
  • Protect all network Connections

 

Concluding

Completely disabling the Windows Firewall is a tempting way to circumvent the security measures in Windows Server 2008. As an alternative this blogpost shows you how to selectively and gradually open up the Windows firewall from the console of your Server Core box. For the faint of heart I included some hints to edit the local group policy.

Enterprise admins will probably already have a Windows Firewall policy in place, which they only have to adapt to manage Windows Server 2008 Server Core boxes.

Further reading

Group Policy Settings Reference Windows Server 2008 Beta 3
Command line firewall configuration
Netsh Command Line Switches And Examples For Windows 2003 And Windows XP
Wonderful Netsh
Networking and firewall
Managing Windows Firewall with Netsh
Improvements to the Windows firewall in Vista
How to configure the new Windows Server 2008 advanced firewall MMC snap-in
Still Very Much Alive and Kicking – netsh
New Networking Features in Windows Server 2008 and Windows Vista
The New Windows Firewall in Windows Vista and Windows Server 2008
Using the Netsh Advfirewall Command-Line Tool

Disclaimer Beta Software

The information on this webpage applies to software from Microsoft that was in testing phase but utilizable by experienced users by the time the webpage was written. This software has not been released for sale, distribution or usage for the general public. The information on this webpage and the beta software are provided “as is” without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.

Series Navigation

Firewall management in Server Core, Part 2 >>

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.