
[HOWTO]: Pre-configure the windows firewall


kC_



@Radimus

Everything is blocked, but at first run (for example), mIRC might ask for permission to access the internet. And I don't want to see that permission box (to allow or block) come up at all, so what do I do? The below. :)

@kC_

Yes, must be possible.

Here's what you have to know:

1. Windows Firewall has 2 profiles, one which is used when it is independent, and another which is used when the PC is on a domain. So both can be configured differently. Remember to put entries for whatever programs you want to configure for firewall access in both these keys:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

2. Configure the below settings (if you want to) for both keys (as I said above)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
"DoNotAllowExceptions"=dword:00000000
"DisableNotifications"=dword:00000000

3. Then, the actual blocking or allowing of programs is quite simple. Again, add the required program path in both keys. Below are examples of a blocked and an enabled executable, respectively:

; Windows Firewall policies

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%ProgramFiles%\\mIRC\\mirc.exe"="%ProgramFiles%\\mIRC\\mirc.exe:*:Enabled:mIRC"

"%ProgramFiles%\\mIRC\\mirc.exe"="%ProgramFiles%\\mIRC\\mirc.exe:*:Disabled:mIRC"

I think the pattern is like this:

path=path:ports:ED:title

where title is what it is named (according to the firewall) and ED is Enabled or Disabled. If you put a star character in the ports position, it is understood to be a setting for all ports (unlike port- or subnet-selective blocking).

Apply these registry settings at T-12 or at first logon. Further, remember to use system variables, because using absolute paths is not good for portability. In all the above paths, double backslashes are a requirement.

Hoping this helps....


I decided to make this a How-To thread. Hoping this helps everyone enhance their unattend. :)

Pre-configure the Windows Firewall (part of XP SP2 and the upcoming Srv2k3 SP1) - this is doable through the registry. (You can do it from netfw.INF, but IMO that involves too much effort.)

Below is a sample WF config:

Windows Registry Editor Version 5.00

; Windows Firewall policies

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:Disabled:Remote Assistance"
"%windir%\\system32\\mmc.exe"="%windir%\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"
"%ProgramFiles%\\Yahoo!\\Messenger\\YPager.exe"="%ProgramFiles%\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"%ProgramFiles%\\Yahoo!\\Messenger\\YServer.exe"="%ProgramFiles%\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"%ProgramFiles%\\messenger\\msmsgs.exe"="%ProgramFiles%\\messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%ProgramFiles%\\mIRC\\mirc.exe"="%ProgramFiles%\\mIRC\\mirc.exe:*:Enabled:mIRC"
"%ProgramFiles%\\Kazaa Lite Revolution\\kazaalite.kpp"="%ProgramFiles%\\Kazaa Lite Revolution\\kazaalite.kpp:*:Enabled:kazaalite"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:Disabled:Remote Assistance"
"%windir%\\system32\\mmc.exe"="%windir%\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"
"%ProgramFiles%\\Yahoo!\\Messenger\\YPager.exe"="%ProgramFiles%\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"%ProgramFiles%\\Yahoo!\\Messenger\\YServer.exe"="%ProgramFiles%\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"%ProgramFiles%\\messenger\\msmsgs.exe"="%ProgramFiles%\\messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%ProgramFiles%\\mIRC\\mirc.exe"="%ProgramFiles%\\mIRC\\mirc.exe:*:Enabled:mIRC"
"%ProgramFiles%\\Kazaa Lite Revolution\\kazaalite.kpp"="%ProgramFiles%\\Kazaa Lite Revolution\\kazaalite.kpp:*:Enabled:kazaalite"

The above code is for a standard home PC - all application names are self-evident. Doing it as above will block Remote Assistance for security, and also enable the below for usability:

- MMC needs to be enabled because diskeeper9 needs it

- The Yahoo! Messenger, file-transfer and webcam enabling speaks for itself

- mIRC being enabled also needs no comment to help you understand!

- And KaZaA lite revolution (above) is for v2.6 to be allowed.

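Both posts above stress the same two things: every exception has to be written to the StandardProfile key and the DomainProfile key, and the value has the shape path:ports:Enabled|Disabled:title with doubled backslashes in the .reg file. The script below is an added example written for this thread, not code from either poster: it generates the .reg text for both profiles from one list of applications (so the two keys cannot drift apart), parses such a file back, and lints it for the mistakes the thread warns about (absolute paths instead of %windir%/%ProgramFiles%, an entry present in only one profile). The sample application list is constructed from the thread's own examples; the parser assumes the title field contains no colon.

```python
import re
from dataclasses import dataclass

# Added example for this thread; not the poster's code.  Generates and
# checks XP SP2 Windows Firewall AuthorizedApplications entries.
FW_POLICY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
             r"\SharedAccess\Parameters\FirewallPolicy")
PROFILES = ("StandardProfile", "DomainProfile")
STATES = ("Enabled", "Disabled")


@dataclass(frozen=True)
class FwApp:
    path: str            # prefer %windir% / %ProgramFiles% over absolute paths
    title: str           # name shown in the firewall's exceptions list
    enabled: bool = True
    ports: str = "*"     # "*" = all ports, as in every example in the thread

    def reg_value(self) -> str:
        state = "Enabled" if self.enabled else "Disabled"
        return f"{self.path}:{self.ports}:{state}:{self.title}"


def reg_escape(s: str) -> str:
    # .reg string syntax: backslashes are doubled and quotes escaped.
    # This is the "double backslashes are a requirement" rule.
    return s.replace("\\", "\\\\").replace('"', '\\"')


def reg_unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)


def build_reg(apps, profiles=PROFILES) -> str:
    """Emit one List key per profile, each with the same entries."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for profile in profiles:
        lines.append(f"[{FW_POLICY}\\{profile}\\AuthorizedApplications\\List]")
        for app in apps:
            lines.append(f'"{reg_escape(app.path)}"="{reg_escape(app.reg_value())}"')
        lines.append("")
    return "\r\n".join(lines)


def parse_value(value: str) -> FwApp:
    # Split from the right: an absolute path carries its own drive colon,
    # so only the last three colons delimit ports, state and title
    # (assumption: the title itself contains no colon).
    path, ports, state, title = value.rsplit(":", 3)
    if state not in STATES:
        raise ValueError(f"bad state {state!r} in {value!r}")
    return FwApp(path=path, title=title, enabled=(state == "Enabled"), ports=ports)


_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg(text: str) -> dict:
    """Return {profile: {value_name: FwApp}} for the two List keys only."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = None
            for profile in PROFILES:
                wanted = f"{FW_POLICY}\\{profile}\\AuthorizedApplications\\List"
                if m.group(1).lower() == wanted.lower():
                    current = sections.setdefault(profile, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            current[reg_unescape(m.group(1))] = parse_value(reg_unescape(m.group(2)))
    return sections


def lint(sections: dict) -> list:
    """The checks worth running before the file is applied at T-12."""
    problems = []
    for profile, entries in sections.items():
        for name, app in entries.items():
            if name != app.path:
                problems.append(f"{profile}: value name {name!r} != path {app.path!r}")
            if not name.startswith("%"):
                problems.append(f"{profile}: {name!r} is absolute; use %windir%/%ProgramFiles%")
    present = {p: set(sections.get(p, {})) for p in PROFILES}
    for p in PROFILES:
        other = [q for q in PROFILES if q != p][0]
        for name in sorted(present[p] - present[other]):
            problems.append(f"{name!r} is in {p} but missing from {other}")
    return problems


SAMPLE_APPS = (  # constructed from the thread's examples
    FwApp(r"%windir%\system32\sessmgr.exe", "Remote Assistance", enabled=False),
    FwApp(r"%ProgramFiles%\mIRC\mirc.exe", "mIRC"),
)

if __name__ == "__main__":
    reg_text = build_reg(SAMPLE_APPS)
    print(reg_text)
    print(lint(parse_reg(reg_text)) or "no problems found")
```

Feed the output to regedit /s from cmdlines.txt or a first-logon script, as the thread suggests; running lint() over an existing .reg first catches the one-profile-only and absolute-path mistakes that only show up as a surprise permission prompt later.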