Firewall rule through group policy not detected - windows

I created a firewall rule to block inbound port 138 using the Local Group Policy Editor (image 1 and image 2). When I run the Get-NetFirewallRule -DisplayName "" PowerShell command, I am not able to get the rule details though (image 3). But when I try to query a rule that I created using the Windows Firewall console, it works properly.
Is there any reason why the rule created through the Group policy was not detected whereas the one created through the windows firewall settings console was being detected?

Instead of
Get-NetFirewallRule -DisplayName ""
do
Get-NetFirewallRule -DisplayName 138_block
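An added example, not the answerer's code: it looks the rule up in the ActiveStore (the merged, enforced rule set, which includes rules delivered by local or domain Group Policy) and reports where each match comes from. It assumes the NetSecurity module (Windows 8 / Server 2012 or later) and that the rule was named 138_block as in the answer.

```powershell
function Find-FirewallRule {
    param([Parameter(Mandatory)][string]$DisplayName)   # wildcards allowed, e.g. '*138*'

    # ActiveStore is the merged, enforced rule set, so it includes rules pushed by local
    # or domain Group Policy; the cmdlet's default store (PersistentStore) holds the local
    # policy only and does not contain Group Policy rules.
    Get-NetFirewallRule -PolicyStore ActiveStore -DisplayName $DisplayName -ErrorAction SilentlyContinue |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                DisplayName = $_.DisplayName
                Direction   = $_.Direction
                Action      = $_.Action
                Enabled     = $_.Enabled
                Protocol    = $port.Protocol
                LocalPort   = (@($port.LocalPort) -join ',')
                SourceType  = $_.PolicyStoreSourceType   # Local vs GroupPolicy
                Source      = $_.PolicyStoreSource       # e.g. PersistentStore or the GPO name
            }
        }
}

# A rule that exists only in Group Policy shows up here with SourceType GroupPolicy;
# if it is absent here too, the name is wrong or the policy has not been applied yet (gpupdate).
Find-FirewallRule -DisplayName '*138*' | Format-Table -AutoSize
```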

Related

Java Application and Windows Firewall

The Windows Firewall blocks my application from connecting to different databases. My application has an installer built using Install4j.
I am wondering if I can set Firewall rules during installation to allow JDBC connectivity, without asking the user to manually add rules or disable the Windows Firewall.
Running the application as an Administrator creates fewer issues with the Firewall. I can also set the executable to run as an Administrator, but this will prompt the user each time for rights.
In our install4j installer we used the "Run executable or batch file" action to add a firewall rule via netsh:
netsh advfirewall firewall add rule name="xxx" dir=in action=allow program="xxx" enable=yes

Windows 10 Local group policy edit via PowerShell

I tried to edit local group policy on Windows 10.
Steps:
I tried to change a value in local group policy. Local Group Policy Editor example: Computer Configuration/Administrative Templates/Windows Components/Microsoft Defender Antivirus/Scan, setting "Scan archive files", value "Enabled".
Next, I go to Registry Editor, find the path "HKLM/Software/Policies/Microsoft/WindowsDefender/Scan" and find DisableArchiveScanning with value 0.
I tried to edit this value to 1 via the GUI and via PowerShell: Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows Defender\Scan\" -Name DisableArchiveScanning -Value 1. The value changes in Registry Editor.
I run gpupdate
My policies do not change.
What did I do wrong?
Is it possible to change policies via PowerShell?
UPDATED:
My goal is to change Local Group Policy remotely (ideally via PowerShell). I found a suggestion to try changing it through Registry Editor. Is that a way to change Local Group Policy remotely?
Also, I tried to change the file C:/Windows/system32/GroupPolicy/Machine/Registry.pol
I found the answer.
I can use PolicyFileEditor and the related answer.
After running the PolicyFileEditor command you should run gpupdate and the new policy is applied. I checked it by trying to edit the setting established by the policy, and the value does not change if you try to correct it. The value can be changed if you change the policy. But in Local Group Policy Editor you cannot see the parameter changes.
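An added example (not the asker's code) of the approach described above: the Defender setting from the question is written into the local Registry.pol with the PolicyFileEditor module (Install-Module PolicyFileEditor from the PowerShell Gallery), refreshed with gpupdate and then verified on both sides. It assumes an elevated PowerShell 5+ session.

```powershell
Import-Module PolicyFileEditor

$machinePol = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Registry.pol'
$key        = 'Software\Policies\Microsoft\Windows Defender\Scan'   # key and value from the question
$valueName  = 'DisableArchiveScanning'

# Write the policy entry into Registry.pol, which is what the Local Group Policy Editor
# does behind the GUI. A value written straight into HKLM\Software\Policies is not a
# policy and is overwritten from Registry.pol at the next gpupdate, which is why the
# Set-ItemProperty attempt in the question did not stick.
# Set-PolicyFileEntry also bumps the version in gpt.ini by default (-NoGptIniUpdate disables that),
# so the Group Policy client notices the change.
Set-PolicyFileEntry -Path $machinePol -Key $key -ValueName $valueName -Data 1 -Type DWord

gpupdate.exe /target:computer /force | Out-Null

# Verify from both sides: what Registry.pol now contains and what landed in the policy hive.
$inPol  = (Get-PolicyFileEntry -Path $machinePol -Key $key -ValueName $valueName).Data
$inHive = (Get-ItemProperty -Path "HKLM:\$key" -Name $valueName -ErrorAction SilentlyContinue).$valueName

[pscustomobject]@{
    RegistryPol = $inPol
    HKLM        = $inHive
    Applied     = ($inPol -eq 1 -and $inHive -eq 1)
}
```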

Windows Server Core in Docker, Firewall

Currently I am working on a project where I have to dockerize an application that is supposed to be running on Windows. It is an application that can be installed and configured via command line. The question is applicable to any application in the end.
The platform of my choice is obviously Windows. Therefore I have chosen a base image mcr.microsoft.com/windows/servercore:1803 to begin with.
After installation my application will need a rule added to the Firewall. So I decided to test whether I am able to manipulate the firewall inside a container. It turned out to be a very problematic experience.
What I've done so far:
FROM mcr.microsoft.com/windows/servercore:1803
# Add user
RUN net user /add MyUser
RUN net user MyUser ABCdef123!
RUN net localgroup "Administrators" MyUser /add
After that I tested whether I can see the FW rules by calling Get-NetFirewallRule. This resulted in an error:
Get-NetFirewallRule : There are no more endpoints available from the endpoint mapper.
At line:1 char:1
+ Get-NetFirewallRule
+ ~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (MSFT_NetFirewallRule:root/standardcimv2/MSFT_NetFirewallRule) [Get-NetFirewallRule], CimException
+ FullyQualifiedErrorId : Windows System Error 1753,Get-NetFirewallRule
I checked the services that run currently by calling Get-Service which resulted in the list of services containing this line: Stopped mpssvc Windows Defender Firewall. Looks like the FW is not even started.
I decided to dig deeper and check the registry for some clues. Calling this cmd REG QUERY HKLM\SYSTEM\CurrentControlSet\services\MpsSvc /v Start gave me a value of 4, which is Disabled. So I tried to enable it, setting it to 2, but no luck starting the service after:
REG ADD HKLM\SYSTEM\CurrentControlSet\services\MpsSvc /v Start /t REG_DWORD /d 2 /f
net start MpsSvc
Result:
System error 1058 has occurred.
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
The services the FW depends on are running fine (BFE, RDC etc.).
It just won't start.
Any clues from bright minds?
Thanks in advance!
Assuming you use a Windows Server container, not a Hyper-V container, you have a shared kernel and hence use the host's firewall.
From Network Isolation and Security:
Depending on which container and network driver is used, port ACLs are enforced by a combination of the Windows Firewall and VFP.
Windows Server containers
These use the Windows hosts' firewall (enlightened with network namespaces) as well as VFP
Default Outbound: ALLOW ALL
Default Inbound: ALLOW ALL (TCP, UDP, ICMP, IGMP) unsolicited network traffic
DENY ALL other network traffic not from these protocols

Windows 10 | regedit | exefile shell command (firewall add rule) - not running

Definitions:
using windows 10/64bit
firewall is blocking all in/out traffic - except added rules (allow in/out)
actual user-account is administrator
tested with all user-account-control (uac) settings: from always to never
Problem:
I have a script that worked fine with windows 7/64 bit, it adds right-click context menu items to .exe files, to add a firewall rule for them:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell]
[HKEY_CLASSES_ROOT\exefile\shell\FirewallAllowIncoming]
[HKEY_CLASSES_ROOT\exefile\shell\FirewallAllowIncoming\command]
@="netsh advfirewall firewall add rule name=\"%1\" dir=in action=allow program=\"%1\""
[HKEY_CLASSES_ROOT\exefile\shell\FirewallAllowOutgoing]
[HKEY_CLASSES_ROOT\exefile\shell\FirewallAllowOutgoing\command]
@="netsh advfirewall firewall add rule name=\"%1\" dir=out action=allow program=\"%1\""
It does not work in Windows 10.
Troubleshooting so far:
following command is working in command prompt (cmd.exe) if running as Administrator:
netsh advfirewall firewall add rule name=\"TEST\" dir=out action=allow program=\"C:\TEST.EXE\"
If cmd.exe is not running as Administrator, it does not work and shows a message that I have to run as Administrator.
I believe it has something to do with UAC: when the right-click context menu commands are clicked, they are not running as administrator and are not executed.
Any suggestions?
Thank you.

How to Turn Off (Disable) Web Proxy Auto Discovery (WPAD) in Windows Server 2008 R2

We have a web service that is running slowly in production. In QA and UAT it is fine, but those are housed at our corporate HQ, whereas production is in a data center in the cloud. I ran Wireshark and found that it is making at least 6 calls to NBNS WPAD (each one timing out), each taking about 3/4 of a second, which makes it very slow. I want to turn off WPAD since the environment is not configured to use it, but it is still making the calls and just wasting time.
My platform is windows server 2008 r2 with IE9. I want to completely disable WPAD DNS queries (and NBNS queries). We don't use a proxy. We don't use DHCP. I want to stop WPAD but I haven't been successful. I have tried the following:
1. Disable "automatically detect settings" in IE
2. Disable "use automatic configuration script" in IE
3. Checked that the WinHTTP Web Proxy Auto-Discovery Service is not running automatically; it is set to manual, so I think that should be ok.
4. Executed "netsh winhttp show proxy", which tells me Direct access (no proxy server).
What am I missing that needs to be turned off?
Many suggestions around disabling WPAD focus on Internet Explorer user settings. While this will tell IE to not use auto proxy detection, it will not stop the WinHTTP Web Proxy Auto-Discovery Service from querying for wpad. Some have suggested disabling this service entirely, but as of Windows 10, it is required for the IP Helper service and not recommended to disable it.
In the MS16-063 notes, you can see their suggested workaround for the (fixed) vulnerability is to edit the hosts file (c:\windows\system32\drivers\etc\hosts).
255.255.255.255 wpad.
Although the patch fixed that specific vulnerability, the workaround is still an option for disabling WPAD. In my testing, it does stop the queries. As the article notes:
Impact of workaround. Autoproxy discovery will not work, and for this reason, some applications, such as Internet Explorer, will not be able to load websites properly.
Keep in mind that WPAD can be a good thing when set up properly. As with any advice from the Internet, be sure to do your own testing before applying any changes. For example, if you make this change to corporate laptops and they travel to a site that requires WPAD, they will not work.
Source: Microsoft forums.
Note that you can easily use Wireshark to see if a computer is doing wpad queries by using the filter: dns.qry.name contains "wpad"
Group Policy Editor
Edit "Default Domain Policy"
User Configuration
Policies
Windows Settings
Connection/Automatic Browser Configuration
Automatically detect configuration settings -> DISABLE
I have tested removing proxy from computers by renaming the WPAD key and rebooting.
You can also use IEAK11 to create a GPO to remove "Automatically detect settings" and that is why the script uses gpupdate to apply the GPO as well.
If you already applied the change to a computer, this script won't make changes and will exit. The basic script is below.
Even when you turn on "Automatically detect settings" in Internet Explorer, the proxy is not used and the WPAD key is recreated, but with no proxy. This setting is no longer recommended as it makes your computer vulnerable (https://it.slashdot.org/story/16/08/13/0149241/disable-wpad-now-or-have-your-accounts-compromised-researchers-warn).
REM Script to delete the cached proxy configuration, clear IE cache, flushdns, rename WPAD key and delete the original; reboot is required
gpupdate
REM If the Wpad.bad backup key already exists the change was applied earlier: nothing to do
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad.bad" >nul 2>&1
if %ERRORLEVEL%==0 goto END
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" /v "DefaultConnectionSettings" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" /v "SavedLegacySettings" /f
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
ipconfig /flushdns
REM /s copies the per-connection subkeys too, so the backup is a full copy of the key
reg copy "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad.bad" /s
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
echo n | gpupdate /force /wait:0
shutdown.exe /r /t 30
:END
For my Pi-hole (Raspberry Pi based DNS-level ad blocking software) I added the below to the hosts file:
pi@raspberrypi:~ $ cat /etc/hosts
127.0.0.1 localhost
0.0.0.0 wpad wpad.my.home
:: wpad wpad.my.home
and my nslookup shows
pi@raspberrypi:~ $ nslookup wpad.my.home
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: wpad.my.home
Address: 0.0.0.0
pi@raspberrypi:~ $ nslookup wpad
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: wpad
Address: 0.0.0.0
If you are on a Windows machine you can open "C:\Windows\System32\drivers\etc\hosts" and add these entries:
0.0.0.0 wpad
0.0.0.0 wpad.my.home
Change my.home to whatever local domain you have.
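An added example, not taken from any of the answers above: a read-only audit of the three controls these answers discuss on a Windows host (the hosts-file sinkhole, the WinHTTP Web Proxy Auto-Discovery service, and the IE "Automatically detect settings" flag stored in the DefaultConnectionSettings blob that the batch script deletes). It assumes PowerShell 5+ and the documented blob layout noted in the comments.

```powershell
function Get-WpadStatus {
    [CmdletBinding()]
    param([string]$Domain = $env:USERDNSDOMAIN)   # local DNS suffix, e.g. my.home

    # 1. hosts-file sinkhole ("255.255.255.255 wpad." or "0.0.0.0 wpad"): any uncommented
    #    line whose name column is wpad or wpad.<suffix>
    $hostsPath  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $hostsEntry = @(Get-Content -Path $hostsPath -ErrorAction SilentlyContinue |
        Where-Object { $_ -notmatch '^\s*#' -and $_ -match '^\s*\S+\s+.*\bwpad(\.|\s|$)' })

    # 2. the service that performs WPAD lookups regardless of the IE checkbox
    $svc = Get-Service -Name WinHttpAutoProxySvc -ErrorAction SilentlyContinue

    # 3. what the resolver hands an application (hosts file first, then DNS, then NetBIOS/LLMNR);
    #    an unresolvable name is the slow time-out path the question describes
    $names = @('wpad'); if ($Domain) { $names += "wpad.$Domain" }
    $resolved = foreach ($n in $names) {
        try   { $answer = ([System.Net.Dns]::GetHostAddresses($n) | ForEach-Object { $_.ToString() }) -join ',' }
        catch { $answer = 'unresolvable' }
        [pscustomobject]@{ Name = $n; Answer = $answer }
    }

    # 4. IE "Automatically detect settings": bit 0x08 of byte 8 in the DefaultConnectionSettings
    #    blob (documented layout; verify on your build). $null means the blob is absent.
    $conn = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
    $blob = (Get-ItemProperty -Path $conn -Name DefaultConnectionSettings -ErrorAction SilentlyContinue).DefaultConnectionSettings
    $autoDetect = $null
    if ($blob -and $blob.Length -gt 8) { $autoDetect = (($blob[8] -band 0x08) -ne 0) }

    # a name that resolves to anything but a sinkhole address is a live WPAD target
    $live = @($resolved | Where-Object { $_.Answer -notmatch '^(0\.0\.0\.0|255\.255\.255\.255|unresolvable)' })

    $hostsText = if ($hostsEntry.Count) { $hostsEntry -join '; ' } else { '(none)' }
    $svcText   = if ($svc) { "$($svc.Status) (start: $($svc.StartType))" } else { 'not present' }

    [pscustomobject]@{
        HostsOverride       = $hostsText
        WinHttpAutoProxySvc = $svcText
        Resolution          = ($resolved | ForEach-Object { "$($_.Name)=$($_.Answer)" }) -join '; '
        IEAutoDetect        = $autoDetect
        # exposed = auto-detect still on (or unknown) and at least one wpad name resolves for real
        Exposed             = ($autoDetect -ne $false) -and ($live.Count -gt 0)
    }
}

Get-WpadStatus | Format-List
```

Run it before and after applying one of the fixes above; Exposed should go to False once the name is sinkholed, and the Resolution field shows which answer the resolver actually returns.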
