Happy SysAdm: Disabling Windows firewall in Powershell

Wednesday, March 13, 2013

Disabling Windows firewall in Powershell

There is a simple way to enable or disable Windows Firewall with netsh, but I wanted to get rid of it and explore the capabilities of Windows Powershell to accomplish the same task.

In Powershell 2.0, which lacks those brilliant cmdlets to manage the network configuration, the first step is to create a COM object to expose some useful methods to manage our Firewall configuration.

Starting with Windows 7 and Windows 2008 R2, the object that we need is called HNetCfg.FwPolicy2.

Using Get-Member we can find the properties and methods for this object:

New-Object -ComObject HNetCfg.FwPolicy2 |
  get-member * |
  select name, membertype |
  format-table -autosize

Name                           MemberType
----                           ----------
EnableRuleGroup                Method
IsRuleGroupEnabled             Method
RestoreLocalFirewallDefaults   Method
BlockAllInboundTraffic         ParameterizedProperty
DefaultInboundAction           ParameterizedProperty
DefaultOutboundAction          ParameterizedProperty
ExcludedInterfaces             ParameterizedProperty
FirewallEnabled                ParameterizedProperty
IsRuleGroupCurrentlyEnabled    ParameterizedProperty
NotificationsDisabled          ParameterizedProperty
UnicastRespo...abled           ParameterizedProperty
CurrentProfileTypes            Property
LocalPolicyModifyState         Property
Rules                          Property
ServiceRestriction             Property

We can immediately spot the property whom we might use to do what we want: it is FirewallEnabled, which is an extendedproperty. Let's check its properties:

(New-Object -ComObject HNetCfg.FwPolicy2).firewallenabled

IsSettable          : True
IsGettable          : True
OverloadDefinitions : {bool FirewallEnabled (NET_FW_PROFILE_TYPE2_)}
TypeNameOfValue     : System.Boolean
MemberType          : ParameterizedProperty
Value               : bool FirewallEnabled (NET_FW_PROFILE_TYPE2_) {get} {set}
Name                : FirewallEnabled
IsInstance          : True

Cool, now I said that in my script I want to disable the firewall for all the existing profiles, which are listed in the mentioned NET_FW_PROFILE_TYPE2 enumeration and are:

NET_FW_PROFILE2_DOMAIN = 1
NET_FW_PROFILE2_PRIVATE = 2
NET_FW_PROFILE2_PUBLIC = 4

These are called members of the enumeration.

Nothing easier than running through an array and passing all its elements to FirewallEnabled and set its value to $false.

Here's the function I came up with:

Function Manage-Firewall{
  <# 
  .SYNOPSIS 
  Enable or disable the Windows firewall.
  
  .DESCRIPTION 
  Enable or disable the Windows firewall.
 
  .PARAMETER action
  The action you want to perform on the firewall.

  .EXAMPLE
  manage-firewall -action disable
  Disable the firewall

  .EXAMPLE
  manage-firewall -action enable
  Enable the firewall

  .NOTES
  Author: happysysadm.com
#>
  Param(
    [Parameter(Position=1,Mandatory=$True)]
    [ValidateSet("Enable","Disable")]
    [String]$Action="Disable"
  )
  $fwMgr = New-Object -ComObject HNetCfg.FwPolicy2
    @(1,2,4) | %{
   if($Action -match "enable")
        {$fwMgr.FirewallEnabled($_) = $True}
      else
     {$fwMgr.FirewallEnabled($_) = $False}
 }
}

Manage-Firewall -Action disable

Of course you can modify this script to manage the firewall only for Domains or only for Public network connections. This is up to you. I just wanted to show a quick way or replacing the good old netsh command and learn something new.

Feel free to share your advice on this script!