PowerShell firewall script

 

 

I have now published two pages on this website that contain a script used to programme the firewall in Windows 10.

There were two versions of the script, but what they have in common is that both use netsh commands to programme the Windows firewall.

Microsoft keeps threatening to kill off netsh and advises people to use PowerShell instead, so that is what I have now done: I have written a PowerShell script to programme the firewall in Windows 10 1809, and it is shown at the bottom of this page.

However, there are a number of things I came across while writing the script, and they are worth recording here.

 

PowerShell script execution policy

By default Windows 10 ships with an execution policy that stops PowerShell from running script files: you can type cmdlets at the PowerShell console, but a .ps1 file will not run.

Open the Powershell console with administrator rights and use the cmdlet

Get-ExecutionPolicy

By default this will return the word "restricted" - scripts cannot be run.

There are several execution policies: Restricted, AllSigned, RemoteSigned, Unrestricted and Bypass (a scope with nothing set reports Undefined). For a script you have written on the machine itself, the least permissive policy that will run it is RemoteSigned: local scripts run unchanged, while scripts that carry the "downloaded from the Internet" mark must be signed. Unrestricted also runs local scripts, but it additionally runs unsigned downloaded scripts after a prompt, so it is not the safest choice. Use the cmdlet

Set-ExecutionPolicy RemoteSigned

Without a -Scope argument this changes the LocalMachine setting, which is why the console must be running as administrator; -Scope CurrentUser changes only your own setting and needs no elevation, and a Group Policy setting overrides both. Locally produced PowerShell scripts can now be run.

Bear in mind that the execution policy is a safety catch against running a script by accident, not a security boundary: anyone who can start powershell.exe can pass -ExecutionPolicy Bypass on its command line.
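As an added example (not code from the original page), here is the sequence I would use to check the policy at every scope, allow locally written scripts for the current user only, and deal with a script that was downloaded rather than written on the machine. The script path is a placeholder.

```powershell
# Added example, not from the original page. Paths are placeholders.

# Show the policy at every scope. Effective order of precedence is
# MachinePolicy, UserPolicy (both from Group Policy), Process, CurrentUser, LocalMachine.
Get-ExecutionPolicy -List

# RemoteSigned: scripts created on this machine run as-is; scripts that carry the
# Internet zone mark must be signed. -Scope CurrentUser needs no administrator
# console and leaves the machine-wide setting alone. -Force skips the confirmation.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

# A script saved by a browser or mail client carries a Zone.Identifier alternate
# data stream (ZoneId=3 is the Internet zone). Look at it, and clear it only for a
# file whose contents you have actually read.
$script = 'C:\scripts\firewall.ps1'   # placeholder path
if (Get-Item -Path $script -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
    Get-Content -Path $script -Stream Zone.Identifier
    Unblock-File -Path $script
}

# For a one-off run that changes no stored setting, start a child PowerShell with a
# process-scoped policy instead:
#   powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\firewall.ps1
```

If Get-ExecutionPolicy -List shows a value under MachinePolicy or UserPolicy, the Set-ExecutionPolicy call will appear to succeed but the Group Policy value is the one that applies.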

 

Strings containing multiple values

The script to programme the firewall makes extensive use of the cmdlet

New-NetFirewallRule

One parameter that is used frequently sets port numbers. A single port is no problem, so for port 80 it is simply

New-NetFirewallRule ......... -RemotePort 80 ........

The complication comes when the rule must cover more than one port, for example port 80 and port 443.

I have failed to find a definitive way of writing this; there are three different ways depending on which website you look at.

The first is just a simple comma separated list as is used in the equivalent netsh command -

New-NetFirewallRule ......... -RemotePort 80, 443 ........

The second way is to write it as an array - and I have seen two different ways of doing it - using single quotes -

New-NetFirewallRule ......... -RemotePort @('80', '443') ........

or using double quotes -

New-NetFirewallRule ......... -RemotePort @("80", "443") ........

I have tried it using the comma-separated list and using an array with double quotes, and they both work, so which is the correct way I don't know; even Microsoft doesn't seem to want to tell me.
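The three spellings are in fact one value. -RemotePort is declared as String[], and in PowerShell a bare comma-separated list such as 80, 443 is already an array literal (the @( ) wrapper only makes that explicit), so the parameter binder receives the same two-element string array in every case, converting the bare integers to strings on the way. The following added example (not code from the original page) shows this using a stand-in function with the same parameter type, so nothing is written to the firewall; Show-PortBinding is a name chosen here.

```powershell
# Added example, not from the original page. Shows that the comma list and the
# two @( ) array spellings bind to the same String[] value.

# 1. The real parameter type on the cmdlet (the NetSecurity module ships with Windows 10).
$param = (Get-Command New-NetFirewallRule).Parameters['RemotePort']
"RemotePort is declared as {0}" -f $param.ParameterType.FullName

# 2. A stand-in with the same parameter type, so the binding can be watched
#    without creating a firewall rule.
function Show-PortBinding {
    param([string[]]$RemotePort)
    "{0} element(s): {1}" -f $RemotePort.Count, ($RemotePort -join ' | ')
}

Show-PortBinding -RemotePort 80, 443            # bare comma list: an array, integers become strings
Show-PortBinding -RemotePort @('80', '443')     # explicit array, single quotes
Show-PortBinding -RemotePort @("80", "443")     # explicit array, double quotes

# 3. The one spelling that really is different: a single quoted string containing
#    a comma is ONE element as far as PowerShell is concerned, not a list.
Show-PortBinding -RemotePort "80,443"

# 4. In a larger script, keep the list in a variable and reuse it; the same
#    variable can be passed to -LocalPort or -RemotePort of New-NetFirewallRule.
$webPorts = 80, 443
Show-PortBinding -RemotePort $webPorts
```

The first three calls report two elements, the quoted "80,443" reports one. Pick one spelling and use it throughout the script so the rules read consistently.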

 

Double quotes

I discovered, to my cost, that PowerShell is quite fussy about which type of double quotes is used in a script.

Digging through various character sets such as ASCII, Windows-1252 and UTF-8, I found at least seven different types of double quotes, and PowerShell doesn't like most of them.

I think the one it wants is the double quote with the decimal value of 34; I think this is what a keyboard produces.

Beware of any kind of text editor that does things like substituting smart quotes - Microsoft Word is a classic example, but there are plenty of others.
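Two things combine here. The plain ASCII double quote (decimal 34, U+0022) is always safe. PowerShell's parser does also accept the typographic double quotes U+201C, U+201D and U+201E as string delimiters, but only if the file is decoded correctly: Windows PowerShell 5.1 reads a .ps1 that has no byte-order mark using the system ANSI code page, so a UTF-8 smart quote saved by an editor arrives as three unrelated characters and the string no longer parses. Saving the file as ASCII or as UTF-8 with a BOM avoids that. The following added example (not code from the original page) reports the file's encoding and lists every quote-like character that is not the ASCII one, with its line, column and code point; Find-OddQuotes is a name chosen here and the path is a placeholder.

```powershell
# Added example, not from the original page. Flags non-ASCII quote characters
# in a script file and warns when Windows PowerShell 5.1 will misread the file.
function Find-OddQuotes {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)

    # Byte-order mark check. With no BOM, Windows PowerShell 5.1 decodes the
    # file with the system ANSI code page, not UTF-8.
    $bom = if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) { 'UTF-8 with BOM' }
           elseif ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) { 'UTF-16 LE with BOM' }
           elseif ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFE -and $bytes[1] -eq 0xFF) { 'UTF-16 BE with BOM' }
           else { 'no BOM' }
    $hasHighBytes = [bool]($bytes | Where-Object { $_ -ge 0x80 } | Select-Object -First 1)

    $warning = if ($bom -eq 'no BOM' -and $hasHighBytes) {
        ' and non-ASCII bytes present: Windows PowerShell 5.1 will decode this file as ANSI'
    } else { '' }
    Write-Host ("{0}: {1}{2}" -f $Path, $bom, $warning)

    # Quote-like code points that word processors and web pages substitute for " and '.
    $pattern = '[\u2018\u2019\u201A\u201B\u201C\u201D\u201E\u201F\u00AB\u00BB\u2039\u203A\u2032\u2033\u301D\u301E\uFF02\uFF07]'

    # ReadAllText honours a BOM and otherwise assumes UTF-8, which is what most
    # editors write, so this shows what the editor put in the file.
    $lines = [System.IO.File]::ReadAllText($Path) -split "`r?`n"
    for ($i = 0; $i -lt $lines.Count; $i++) {
        foreach ($m in [regex]::Matches($lines[$i], $pattern)) {
            [pscustomobject]@{
                Line      = $i + 1
                Column    = $m.Index + 1
                Char      = $m.Value
                CodePoint = 'U+{0:X4}' -f [int][char]$m.Value
                Context   = $lines[$i].Trim()
            }
        }
    }
}

# Usage with a placeholder path; no rows in the table means only ASCII quotes were found.
Find-OddQuotes -Path 'C:\scripts\firewall.ps1' | Format-Table -AutoSize
```

Note that netsh commands inside the script (see below) receive their arguments verbatim, so for those lines a typographic quote is wrong regardless of how PowerShell itself tokenises it.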

 

netsh inside PowerShell scripts

I discovered quite by chance that you can include netsh commands inside PowerShell scripts and they work fine.

 

PowerShell firewall script for Windows 10 1809

Here is the PowerShell script to rewrite the policies and rule set of the Windows firewall. It is designed specifically for Windows 10 1809.

It is based on PowerShell 5.1, which is the version of PowerShell included with Windows 10 1809.

It does exactly the same things as the last script I wrote that was based on netsh.

It needs to be run with full administrator rights.



Write-Host "-"
Write-Host "-"
Write-Host "-"
Write-Host "Powershell script for Windows firewall"
Write-Host "---------------------------------------------"
Write-Host "---------------------------------------------"
Write-Host "-"
Write-Host "-"
Write-Host "This script will completely rewrite the Windows Advanced Firewall ruleset on Windows 10, and possibly on Windows 8.1 and Windows 7."
Write-Host "-"
Write-Host "This script is designed specifically for Windows 10 1809 - it should not be used on any earlier version of Microsoft Windows."
Write-Host "-"
Write-Host "This script is based on Powershell 5.1 that is included on Windows 10 1809."
Write-Host "-"
Write-Host "It needs to be run as administrator."
Write-Host "-"
Write-Host "This script will break the operation of all services and applications that require network or internet access unless a specific firewall rule is created for each service and application."
Write-Host "-"
Write-Host "Do you want to proceed ?"
Write-Host "-"
Read-Host -Prompt "Press Enter to continue"
Write-Host "-"
Write-Host "Are you sure ?"
Write-Host "-"
Read-Host -Prompt "Press Enter to continue"
Write-Host "-"

# Turn the firewall on for all three profiles (Domain, Private and Public).
Set-NetFirewallProfile -All -Enabled True

# Block by default in both directions on all profiles. -All is stated explicitly so
# the scope of the change is unambiguous. Anything not allowed by a rule below is dropped.
Set-NetFirewallProfile -All -DefaultInboundAction Block -DefaultOutboundAction Block

# With no parameters this deletes every rule, including the built-in Windows ones.
Remove-NetFirewallRule

# Every allow rule below is for the Public profile only. On a network that Windows
# classes as Private or Domain none of them applies, so all traffic is blocked there.

# dns - outbound queries to any resolver on UDP 53
New-NetFirewallRule -DisplayName "dns-udp-53" -Direction Outbound -Action Allow -Enabled True -Profile Public -Protocol UDP -RemotePort 53

# dhcp - client port 68 talking to server port 67
New-NetFirewallRule -DisplayName "dhcp4-udp" -Direction Outbound -Action Allow -Enabled True -Profile Public -Protocol UDP -RemotePort 67 -LocalPort 68

# firefox - the rule is bound to the executable path, so a differently located copy is not covered
New-NetFirewallRule -DisplayName "firefox-tcp-80-443" -Direction Outbound -Action Allow -Enabled True -Profile Public -Program "C:\Program Files\Mozilla Firefox\firefox.exe" -Protocol TCP -RemotePort 80,443

# defender - the components that fetch definitions and report to Microsoft
New-NetFirewallRule -DisplayName "defender-config-tcp-80-443" -Direction Outbound -Action Allow -Enabled True -Profile Public -Program "C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe" -Protocol TCP -RemotePort 80,443
New-NetFirewallRule -DisplayName "defender-mpcmdrun-tcp-80-443" -Direction Outbound -Action Allow -Enabled True -Profile Public -Program "C:\Program Files\Windows Defender\MpCmdRun.exe" -Protocol TCP -RemotePort 80,443
New-NetFirewallRule -DisplayName "defender-msmpeng-tcp-80-443" -Direction Outbound -Action Allow -Enabled True -Profile Public -Program "C:\Program Files\Windows Defender\MsMpEng.exe" -Protocol TCP -RemotePort 80,443
New-NetFirewallRule -DisplayName "defender-nissrv-tcp-80-443" -Direction Outbound -Action Allow -Enabled True -Profile Public -Program "C:\Program Files\Windows Defender\NisSrv.exe" -Protocol TCP -RemotePort 80,443

# svchost - this one executable hosts many Windows services, so the rule is broad:
# every service running inside svchost.exe gets outbound 80/443, not just Windows Update
New-NetFirewallRule -DisplayName "svchost-tcp-80-443" -Direction Outbound -Action Allow -Enabled True -Profile Public -Program "C:\Windows\System32\svchost.exe" -Protocol TCP -RemotePort 80,443

# edge - the two port spellings below bind to the same String[] value; both are kept as written
New-NetFirewallRule -DisplayName "edgeBCHost-tcp-80-443" -Direction Outbound -Action Allow -Enabled True -Profile Public -Program "C:\Windows\System32\MicrosoftEdgeBCHost.exe" -Protocol TCP -RemotePort 80,443
New-NetFirewallRule -DisplayName "edgeCP-tcp-80-443" -Direction Outbound -Action Allow -Enabled True -Profile Public -Program "C:\Windows\System32\MicrosoftEdgeCP.exe" -Protocol TCP -RemotePort 80,443
New-NetFirewallRule -DisplayName "edgeDevTools-tcp-80-443" -Direction Outbound -Action Allow -Enabled True -Profile Public -Program "C:\Windows\System32\MicrosoftEdgeDevTools.exe" -Protocol TCP -RemotePort @("80", "443")
New-NetFirewallRule -DisplayName "edgeSH-tcp-80-443" -Direction Outbound -Action Allow -Enabled True -Profile Public -Program "C:\Windows\System32\MicrosoftEdgeSH.exe" -Protocol TCP -RemotePort @("80", "443")

Write-Host "-"
Write-Host "all done"
Write-Host "-"
Read-Host -Prompt "Press Enter to exit"
Exit
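Because the script deletes every existing rule before creating its own, it is worth taking a restorable backup first and checking the result afterwards. The following is an added example, not part of the original script: it exports the current policy with netsh, then reports any profile that is not enabled and block-by-default in both directions, and lists every surviving rule with its program and port filter so that a rule the script did not create stands out. Test-FirewallProfiles and Get-RuleSummary are names chosen here; the backup path is a placeholder; run it as administrator.

```powershell
# Added example, not from the original page. Backup before, verification after.

$backup = "$env:USERPROFILE\firewall-before.wfw"   # placeholder path

# 1. Before running the script: a .wfw export restores the whole policy
#    (profiles and rules) with "netsh advfirewall import".
netsh advfirewall export "$backup"

# 2. After running the script: every profile must be on and block-by-default
#    in both directions. Returns $true when that holds, $false (and a table of
#    the offending profiles) otherwise.
function Test-FirewallProfiles {
    $bad = Get-NetFirewallProfile | Where-Object {
        $_.Enabled -ne 'True' -or
        $_.DefaultInboundAction -ne 'Block' -or
        $_.DefaultOutboundAction -ne 'Block'
    }
    if ($bad) {
        $bad | Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction | Out-Host
        return $false
    }
    return $true
}

# 3. One row per rule with the filters that matter for a review: which program,
#    which protocol, which ports, which profile. The script removed every rule
#    first, so the row count should equal the number of New-NetFirewallRule lines.
function Get-RuleSummary {
    Get-NetFirewallRule | ForEach-Object {
        $rule = $_
        $app  = $rule | Get-NetFirewallApplicationFilter
        $port = $rule | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name      = $rule.DisplayName
            Enabled   = $rule.Enabled
            Direction = $rule.Direction
            Action    = $rule.Action
            Profile   = $rule.Profile
            Program   = $app.Program
            Protocol  = $port.Protocol
            Remote    = ($port.RemotePort -join ',')
            Local     = ($port.LocalPort -join ',')
        }
    }
}

Test-FirewallProfiles
Get-RuleSummary | Sort-Object Name | Format-Table -AutoSize

# 4. Rollback if something essential no longer works:
#   netsh advfirewall import "$backup"
```

Anything in the summary whose Program is "Any" or whose Remote ports are "Any" deserves a second look, since the point of the script is that every allow rule is pinned to one executable and one port list.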





 

 

 

 

 


© 2024   Ron Turner

 
