Adding firewall exceptions for other firewall products than Windows Firewall - such as Norman, Norton etc - installation

I have a WiX installer project where I have added two firewall exceptions as part of the installer by using the WiX FirewallException. This works great when the client machine is using Windows Firewall, but I got a report that a user failed to get the solution running when using Norman's Personal Firewall. Some questions regarding this:
Will other firewall products in general respect rules added to the Windows Firewall? If so - is this just an import or will firewall products always respect changes to Windows Firewall rules?
Is there any generic way to add firewall exceptions so that all/many of the firewalls will respect them during an installer, such as the Firewall extensions in WiX?
Will usage of netsh result in firewall exceptions getting added to other products than Windows Firewall?

I believe the answer to all of that is no, no and no. This is one of the reasons that I don't even try to do any of this in my installs. I always encourage application development to write systems that don't need massaging of the firewall and/or get the systems engineers to work with documentation to properly document to the end user the networking requirements. I only attempt automagical in the installer if everyone understands it's a best effort attempt and that documentation must be available to assist users in integrating into their custom environment. That and I'm naturally averse to having my way with users' operating system configuration settings without their (true) consent.

Related

Can enabling Windows Features be blocked for local admins?

I am working on an installer of a Windows application. Due to its dependencies, to make it work, multiple applications need to be installed and also some changes to the Windows features (turning on some Windows features) are required.
My installer is supposed to be used by companies. In companies, it can be the case that someone has the rights to install software (in the Program Files folder) but is still restricted (for example, updates are regulated by the IT department). A typical explanation for this is that someone is a local admin but not necessarily a global admin.
Can it be the case that someone is allowed to install software in the Program Files folder but restricted in enabling Windows features? I need to know this because this would simply mean that my installer should not automatically/automated enable such Windows features. It may work on my VM, but it can fail on the customer employee desktop, which would cause the installation to fail due to missing rights for one specific action: enabling some Windows features.
Can enabling Windows Features be blocked for local admins?
According to this answer there's no group policies to control Windows features. Therefore we could assume that you're safe for now.

Xamarin.Messaging.Broker wants firewall access

After installing VS2019 16.5.1 and 16.5.2 I receive a message that Windows Defender has locked some features of Xamarin.Messaging.Broker and asking if I should allow it.
Normally I would as it seems to be part of Visual Studio but this executable is located in my appdata\local\temp file, which I would not expect it to be. Searching the net for info about this yields little in the way of good information.
Does anyone know what it does and why on earth would you put an exe in the local user temp?
My message appeared exactly after upgrading 16.5.0 to 16.5.3. We all see this message in version 16.5.2 and above.
So as far as we know this happened because Microsoft added something new in 16.5.2 and above. It can't be anything except Microsoft's work since we all have seen this firewall message.
My file was in C:\users\username\appdata\local\temp\xamarin\xma\broker.local\16.5.000.533\broker.exe
This access will add a record in firewall advanced "Inbound Rules", which means granting access from outside to our PCs on UDP/TCP.
Conclusion:
Personally I allowed this file in the firewall because I have tons of problems in Xamarin (especially connecting to a Mac) and I don't want to add more. I suggest you all do the same.
I don't know why it would be in that location, but this article lists the endpoints to allow for a Xamarin firewall configuration. Perhaps it might assist in some way.
https://learn.microsoft.com/en-us/xamarin/get-started/installation/firewall
In VS2022 I just had this security alert just as I went to open the toolbox to add a Button to a new WPF project.
**Windows Defender Firewall has blocked some features of this app**
Name: Broker
Publisher: Xamarin
Path: C:\users\username\appdata\local\temp\xamarin\xma\local\broker\17.3.0.288\broker.exe
Allow Broker to communicate on these networks:
✔ Private networks, such as my home or work network
I refused it.

How to create a secure automated transfer of binary files between windows servers through a firewall, using powershell?

This is my first question on SO, and I have tried to avoid it, but am forced to ask. I can't use FTP, as that's insecure. I can't use FTPS, as I can't introduce expiring cert overhead. WEBDAV over https isn't an option.
What would be ideal would be a firewall friendly robocopy, as that uses Windows auth.
I am looking at PowerShell with BITS, but can't find what port it's using or its requirements on Windows 2012 exclusively. Older systems have stated requirements that they need IIS, but I can't find that stated on Microsoft's sites anywhere:
https://www.google.com/search?hl=en&q=site%3Amicrosoft.com%20windows%202012%20bits
I looked on here and found 56 articles related to BITS. Example: How to use BITS in Powershell to upload / download files?
I tried performing the file transfer with powershell without caring about the port, but the automation of this is problematic, as I keep getting an error:
The operation being requested was not performed because the user has not logged on to the network. The specified service does not exist. (Exception from HRESULT: 0x800704DD)
And ultimately, the port matters because I have to go through a firewall.
I don't want to make an assumption that the requirements from earlier versions of BITS still apply, because Murphy's Law says I will be burned by it.
Does anyone have a possible solution to this problem? One that doesn't involve the purchase or use of non-native tools. On Linux, I would solve this with SSH, exchange some keys, and it just works. Is there anything in the Windows platform that does something similar and is native to the OS?
Here's one way:
http://www.nivot.org/post/2009/11/02/PowerShell20IntroducingThePModemFileTransferProtocol
It works over a WSMAN/PSRemoting session, so you can specify the port and use HTTPS.
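The same idea with what Windows ships today, as an added example that is not from the linked post: PowerShell 5.0 and later can copy a file through a WinRM-over-HTTPS session (TCP 5986 by default) and then compare SHA-256 hashes on both ends. The server name, paths and credential prompt are placeholders, and the target must already have a WinRM HTTPS listener with a certificate the client trusts.

```powershell
# Added example: native file copy over PSRemoting with a post-transfer integrity check.
function Copy-FileOverWinRM {
    param(
        [Parameter(Mandatory)][string]$Server,      # placeholder: remote host name
        [Parameter(Mandatory)][string]$LocalPath,   # file to send
        [Parameter(Mandatory)][string]$RemotePath,  # destination path on $Server
        [int]$Port = 5986,                          # WinRM HTTPS listener port
        [pscredential]$Credential = (Get-Credential)
    )
    # -UseSSL selects the HTTPS listener: the channel is TLS-encrypted and the
    # server certificate is validated against the client's trust store.
    $session = New-PSSession -ComputerName $Server -Port $Port -UseSSL -Credential $Credential
    try {
        # -ToSession pushes the file over the remoting channel (PowerShell 5.0+),
        # so only the WinRM port has to be open on the firewall.
        Copy-Item -LiteralPath $LocalPath -Destination $RemotePath -ToSession $session -Force

        # Hash both copies so a truncated or altered transfer is detected.
        $localHash  = (Get-FileHash -LiteralPath $LocalPath -Algorithm SHA256).Hash
        $remoteHash = Invoke-Command -Session $session -ScriptBlock {
            param($p) (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        } -ArgumentList $RemotePath

        if ($localHash -ne $remoteHash) {
            throw "Hash mismatch after copy: local $localHash, remote $remoteHash"
        }
        return $remoteHash
    }
    finally {
        Remove-PSSession $session
    }
}

# Usage (placeholders): Copy-FileOverWinRM -Server 'srv01' -LocalPath 'C:\out\data.bin' -RemotePath 'D:\in\data.bin'
```

Copying in the other direction works the same way with -FromSession in place of -ToSession.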

Avoiding a Windows Firewall popup

My organisation produces a suite of Windows applications that make use of networking, and so when users run our software for the first time, the Windows Firewall (if it is running) brings up a pop-up, informing the user that our app(s) are trying to use the network, prompting the user to allow or deny access.
This occurs with plenty of other apps (Spotify, to give one example), but we'd like to prevent these popups from happening, as they can be a bit problematic for our users. Some applications (MSN Messenger, GoogleTalk) operate without ever causing the Firewall to alert the user, and we'd like to do the same.
We've successfully done this on Windows XP by having our installer write appropriate registry keys at:
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
However, this does not have the same effect on Windows 7 - the Firewall popups still take place.
Any ideas how we can do this? (Our installers and software are all digitally signed.)
Thanks
Tom Davies
You can add exceptions to Windows Firewall by shelling out to netsh, a utility built into Windows, but the utility works differently on Windows XP and Windows 7. Here are the commands I used:
Windows XP:
add:
netsh firewall add allowedprogram mode=ENABLE profile=ALL name=[exception name] program=[program path]
remove:
netsh firewall delete allowedprogram profile=ALL program=[program path]
Windows 7:
add:
netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes dir=[in|out] name=[exception name] program=[program path]
remove:
netsh advfirewall firewall delete rule profile=any name=[exception name]
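The two syntaxes above wrapped in one installer-side script, as an added example that is not part of the answer: it picks the XP or Vista/7 form from the OS version, refuses to create a duplicate rule, and checks the netsh exit code. The function names are my own, and the script assumes it runs elevated (netsh refuses firewall changes otherwise).

```powershell
# Added example: choose the right netsh syntax and verify the result.
function Add-ProgramFirewallException {
    param(
        [Parameter(Mandatory)][string]$Name,     # rule / exception name
        [Parameter(Mandatory)][string]$Program,  # full path to the executable
        [ValidateSet('in', 'out')][string]$Direction = 'in'
    )
    if (-not (Test-Path -LiteralPath $Program)) {
        throw "Program not found: $Program"
    }
    # Vista/7 and later (major version 6+) have the advfirewall context;
    # XP only has the legacy 'netsh firewall' context.
    $legacy = [Environment]::OSVersion.Version.Major -lt 6
    if ($legacy) {
        & netsh firewall add allowedprogram mode=ENABLE profile=ALL name="$Name" program="$Program"
    }
    else {
        # 'show rule' exits non-zero when no rule of that name exists; adding
        # blindly would create a second rule with the same name.
        $null = & netsh advfirewall firewall show rule name="$Name"
        if ($LASTEXITCODE -eq 0) {
            Write-Verbose "Rule '$Name' already exists; nothing to do"
            return
        }
        & netsh advfirewall firewall add rule name="$Name" dir=$Direction action=allow `
            program="$Program" enable=yes profile=any protocol=any
    }
    if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }
}

function Remove-ProgramFirewallException {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Program
    )
    if ([Environment]::OSVersion.Version.Major -lt 6) {
        & netsh firewall delete allowedprogram profile=ALL program="$Program"
    }
    else {
        & netsh advfirewall firewall delete rule name="$Name" profile=any
    }
    if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }
}

# Usage (placeholder path): Add-ProgramFirewallException -Name 'MyApp' -Program 'C:\Program Files\MyApp\MyApp.exe'
```

As the other answers note, this only touches Windows Firewall; a third-party firewall on the machine will not see the rule.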
I actually advise against making this an installer issue for several reasons:
There are multiple software firewalls out there; you can't code and test for all of them.
Some (such as the built-in Windows Firewall) have APIs that won't allow you to configure port exceptions when the FW is disabled. If the user later enables the FW you are hosed again.
There could be external firewalls that still get you.
Instead I prefer to make this a documentation effort so that users and administrators are fully aware of the networking requirements. I once had to google Apple's website to figure out what ports iTunes needed and I swear to God they made it really hard to find as they tried to soften everything up for consumers.
However, if you want to give it a best faith effort in the install, WiX has a Custom Action extension for interacting with the firewall rather than writing your own Custom Action. Even if you are using another tool such as InstallShield, you can wrap this behavior up in a WiX merge module and then consume it with your primary tool of choice.
You can read about it here at:
Joy Of Setup Blog
and
WiX Documentation
In your installer (i.e. as elevated admin), you need to write code to access the Windows Firewall APIs and add your app as an exception

Programmatically Add Exception to windows vista firewall

Is there any way to programmatically add an .exe file to the exception list for the Windows Vista firewall to allow it to run normally? I'm using VC++.
Yes - if you take a look at the WindowsFirewallAddApp method here, it should give you some ideas how to do it.
I don't know for certain about the Vista firewall, but I would definitely expect that it is a violation of the security of any computer to allow programmatic access to firewall exception lists. I would be very surprised if Windows allowed arbitrary code to fiddle with the Firewall in this way.
The user sitting in front of the computer, or a network administrator setting network wide security policies would be the only two who should be able to do this. Notice that they are both actual people doing the process interactively.
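For reference, the programmatic route the first answer points at does exist on Vista and later, and it is gated exactly as the second answer expects: the Windows Firewall with Advanced Security COM API (INetFwPolicy2 / INetFwRule) only accepts changes from an elevated process. The following is an added example, not code from either answer, that exercises that API from PowerShell with the same objects a VC++ program would CoCreate; the function name and the constant values are taken from the public API, the rule name and path are placeholders.

```powershell
# Added example: add an inbound application rule through INetFwPolicy2.
# Runs only from an elevated process; a standard-user process gets Access Denied.
function Add-FirewallAppRule {
    param(
        [Parameter(Mandatory)][string]$Name,      # placeholder rule name
        [Parameter(Mandatory)][string]$Program,   # full path to the .exe
        [ValidateSet('TCP', 'UDP', 'Any')][string]$Protocol = 'TCP',
        [string]$LocalPorts = '*'                 # e.g. '8080' or '5000-5010'
    )
    # Constants from the NET_FW_* enumerations of the firewall COM API.
    $NET_FW_RULE_DIR_IN  = 1
    $NET_FW_ACTION_ALLOW = 1
    $NET_FW_PROFILE2_ALL = 0x7fffffff
    $protocolNumber = @{ TCP = 6; UDP = 17; Any = 256 }[$Protocol]  # 256 = NET_FW_IP_PROTOCOL_ANY

    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    # Enumerate existing rules first so repeated installs don't pile up duplicates.
    $existing = @($policy.Rules | Where-Object { $_.Name -eq $Name })
    if ($existing.Count -gt 0) {
        return $existing[0]
    }

    $rule = New-Object -ComObject HNetCfg.FWRule
    $rule.Name            = $Name
    $rule.Description     = "Added by installer for $Program"
    $rule.ApplicationName = $Program     # scopes the rule to this binary only
    $rule.Protocol        = $protocolNumber
    if ($Protocol -ne 'Any') {
        # LocalPorts may only be set for TCP/UDP; the API rejects it for 'Any'.
        $rule.LocalPorts = $LocalPorts
    }
    $rule.Direction = $NET_FW_RULE_DIR_IN
    $rule.Action    = $NET_FW_ACTION_ALLOW
    $rule.Profiles  = $NET_FW_PROFILE2_ALL
    $rule.Enabled   = $true

    $policy.Rules.Add($rule)   # throws (E_ACCESSDENIED) when not elevated
    return $rule
}

# Usage (placeholder path): Add-FirewallAppRule -Name 'MyApp Inbound' -Program 'C:\Program Files\MyApp\MyApp.exe' -LocalPorts '8080'
```

Because the rule is tied to ApplicationName, it opens the port only for that executable rather than for every process on the machine.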
