
Monday, May 2, 2016

DON'T DO THIS AT HOME! - Just for testing: disable the local firewall with PowerShell on new Windows Servers

I found, while working with the Advanced Firewall on current Windows Server 2012 R2 and newer, that since an update (I can't tell you which one) disabling the firewall may result in a total loss of communication.

In general that is a very good security practice.

For production machines it is always absolutely recommended to have a fully operational firewall.

BUT under some circumstances it is good to be able to check whether a newly introduced service works at all, to find out whether a blocked port is causing the issues or the service itself.

In the past it was easy:
Simply shut down the firewall on all profiles and you could test whether it works or not.

But now it's more complex. (PowerShell helps a lot here!)

Just to remember:

1. Don't do this at home! (unskilled admins should stay away!)
2. Make sure you only do it in a safe testing environment which is externally protected by a firewall. (OK, these days firewalls are only a basic protection anyway!)
3. Once you have checked that your testing environment works well, turn the firewall on again and add all needed firewall ports from your service's documentation to make sure it works the way it was designed to!!!

Here is how it works:

Open PowerShell as admin and run these 4 lines:

New-NetFirewallRule -DisplayName "Allow TCP Outbound - TESTING ONLY RE-ENABLE IT AFTER YOUR TESTS!" -Direction Outbound -LocalPort Any -Protocol TCP -Action Allow
New-NetFirewallRule -DisplayName "Allow UDP Outbound - TESTING ONLY RE-ENABLE IT AFTER YOUR TESTS!" -Direction Outbound -LocalPort Any -Protocol UDP -Action Allow
New-NetFirewallRule -DisplayName "Allow TCP Inbound - TESTING ONLY RE-ENABLE IT AFTER YOUR TESTS!" -Direction Inbound -LocalPort Any -Protocol TCP -Action Allow
New-NetFirewallRule -DisplayName "Allow UDP Inbound - TESTING ONLY RE-ENABLE IT AFTER YOUR TESTS!" -Direction Inbound -LocalPort Any -Protocol UDP -Action Allow

Last but not least, you also need to re-enable the normal firewall function after your testing by removing the four rules again!

This is done with these commands:

Remove-NetFirewallRule -DisplayName "Allow TCP Outbound - TESTING ONLY RE-ENABLE IT AFTER YOUR TESTS!"
Remove-NetFirewallRule -DisplayName "Allow UDP Outbound - TESTING ONLY RE-ENABLE IT AFTER YOUR TESTS!"
Remove-NetFirewallRule -DisplayName "Allow TCP Inbound - TESTING ONLY RE-ENABLE IT AFTER YOUR TESTS!"
Remove-NetFirewallRule -DisplayName "Allow UDP Inbound - TESTING ONLY RE-ENABLE IT AFTER YOUR TESTS!"
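As an added example (not the post's own code), here is the same create-then-remove procedure wrapped into a small script: the four allow-all test rules are tagged with a common rule group so they can be listed and removed in one go, and a final check confirms that no test rule is left behind and that all three firewall profiles are still enabled. The group name, the DisplayName prefix and the function names are my own choices and not part of the original post; the cmdlets are the standard NetSecurity ones available on Windows Server 2012 R2 and newer, run from an elevated PowerShell.

```powershell
# Added example, not from the original post. Group name, DisplayName prefix and
# function names below are assumptions chosen for this script.
$TestGroup  = 'TESTING-ONLY allow-all (remove after tests)'   # assumed group name
$TestPrefix = 'Allow-All TEST'                                 # assumed name prefix

function Add-AllowAllTestRules {
    # Create one allow-all rule per direction and protocol, all tagged with $TestGroup
    # so that they can be found again regardless of their DisplayName.
    foreach ($dir in 'Inbound', 'Outbound') {
        foreach ($proto in 'TCP', 'UDP') {
            New-NetFirewallRule -DisplayName "$TestPrefix $proto $dir" `
                -Group $TestGroup -Direction $dir -Protocol $proto `
                -LocalPort Any -Action Allow | Out-Null
        }
    }
}

function Get-AllowAllTestRules {
    # Returns every rule in the test group; empty (no error) when none exist.
    Get-NetFirewallRule -Group $TestGroup -ErrorAction SilentlyContinue
}

function Remove-AllowAllTestRules {
    # Removes the whole group at once instead of one DisplayName at a time.
    Get-AllowAllTestRules | Remove-NetFirewallRule
}

function Test-FirewallRestored {
    # $true only when no test rule is left and every profile (Domain, Private,
    # Public) reports Enabled = True. Warns about each offending item.
    $leftover    = @(Get-AllowAllTestRules)
    $offProfiles = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })
    foreach ($r in $leftover)    { Write-Warning "Test rule still present: $($r.DisplayName)" }
    foreach ($p in $offProfiles) { Write-Warning "Firewall profile not enabled: $($p.Name)" }
    return ($leftover.Count -eq 0 -and $offProfiles.Count -eq 0)
}

# Typical run: open up, test the service, close down again, verify.
Add-AllowAllTestRules
Get-AllowAllTestRules | Format-Table DisplayName, Direction, Protocol, Action

# ... test whether the new service is reachable here ...

Remove-AllowAllTestRules
if (Test-FirewallRestored) {
    Write-Host 'Firewall is back in its normal state.'
} else {
    Write-Error 'Firewall is NOT back in its normal state - fix this before leaving the machine.'
}
```

Two things are worth knowing when using this approach. The outbound rules only change anything if the profile's default outbound action has been altered from the Windows default of Allow, and Windows Firewall gives explicit block rules precedence over allow rules, so an existing block rule will still block traffic even with these allow-all rules in place. The final check is the part that matters most: a forgotten allow-all inbound rule on a server is exactly the state the post warns about.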