Skip navigation
Controlling Windows Firewall with PowerShell, Part 2

Controlling Windows Firewall with PowerShell, Part 2

Knowing the rules about firewall rules

In "Controlling Windows Firewall with PowerShell," I lamented the fact that too many folks shut off Windows Firewall because they don’t understand it, which is really not such a good idea these days. Not understanding Windows Firewall is no surprise, however, because although it really is a quality software firewall, it needs added complexity to reach that level of quality—which is why I need more than one article to cover it.

In that first article, I demonstrated that Windows Firewall can store three sets of firewall rules, or profiles, named Domain, Private, and Public. You can assign any of the three profiles to any NIC on your system. I also showed how to use the get-NetConnectionProfile cmdlet to see which of the three profiles is associated with each NIC, and how to use set-NetConnectionProfile to change the profile on any NIC, as long as that NIC’s profile is either Private or Public. (Windows automatically controls which NICs get the Domain profile.) Finally, I showed you get-NetworkProfile and set-NetworkProfile, which let you turn any given profile on or off, an all-or-nothing blocking or allowing of traffic into or out of your computer—unless there’s an exception. This month, I'll show you how to create those exceptions.

Punching a Hole for Remote Desktop

As an example, let’s take a configuration job we’ve already come up against: opening the ports for Remote Desktop. Depending on the situation and version, Remote Desktop might need either UDP or TCP incoming ports number 3389. In a previous article, I related the Netsh command to open the Remote Desktop ports, but as Netsh is both limited and deprecated, we’ll want to know the PowerShell way.

To open a port (or ports) in PowerShell, you first look for a currently existing “firewall rule” relevant to your need, then enable it with a cmdlet not surprisingly called enable-NetFirewallRule. But where do you look to determine whether there’s a rule that suits you? If browsing a GUI list is your style, open the Microsoft Management Console (MMC) and add the Windows Firewall with Advanced Security snap-in. In the upper part of the MMC’s leftmost pane, you’ll see folders labeled Inbound Rules and Outbound Rules. The names you’ll see, like Remote Desktop – User Mode (UDP-In), is the DisplayName of the rule. The rule also has a sort of internal name just called its Name (which can be either a spaceless string or a GUID), and you’ll want that sometimes. You can extract more information about the rule with get-NetFirewallRule, as in

get-netfirewallrule -DisplayName "Remote Desktop - User Mode (TCP-In)"

That will return the Name, a description, whether the rule is enabled, which profiles include it, whether it’s an incoming or outgoing rule, something called its DisplayGroup (which I’ll cover in a moment), and other info. You can then enable the rule either by referring to its DisplayName with the -DisplayName parameter or by using the Name with no parameter. For Remote Desktop, either of these commands enable incoming RDP traffic over TCP:

enable-NetFirewallRule RemoteDesktop-UserMode-In-TCP
enable-NetFirewallRule -DisplayName "Remote Desktop - User Mode (TCP-In)"

Note, by the way, that if your system gets a Group Policy that controls some particular Windows Firewall rule, all of the enable-NetFireWallRule-ing you do won’t get you anywhere. In this case, GPOs rule.

Some Rules Come in Groups

What’s that reference to a DisplayGroup? Well, in many cases, configuring a firewall to accommodate a Windows role or an application requires opening more than one port. For example, Windows Server 2012 R2 contains a firewall group called Active Directory Domain Services, and if you type

get-NetFirewallRule -DisplayGroup "Active Directory Domain Services"

you’ll see 17 firewall exceptions, from enabling pings to LDAP traffic to Network Time Services. The beauty of this is that if you want to get your firewall ready to get out of Active Directory's (AD’s) way, you needn’t enable 17 services separately. Instead, you can just type

enable-netfirewallrule -DisplayGroup "Active Directory Domain Services"

(I should note, however, that you'll probably never execute that particular command, as enabling the AD DS role on a server causes Server Manager to automatically enable that group.)

Now, you would think that whoever wrote the firewall PowerShell cmdlets would have created a noun like NetFirewallRuleGroup, as it might be nice to be able to type get-netfirewallrulegroup and see them all—but that won’t work. Instead, to see all the names of the rule groups, you’ll have to pull them out. With this one-liner, we’ll dump out every firewall rule, then extract the name of the group to which it belongs (if any). Then, you’ll pass just the group’s Name and DisplayName to Sort, which will remove the duplicates with the –unique parameter, like so:

get-netfirewallrule | select group,DisplayGroup | sort group -unique | format-table -auto

I got 46 groups on my DC. What did you get on yours? See you next month.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.