
Enabling the Windows Firewall and Blocking Ports

Brent Moberly edited this page Jan 14, 2015 · 2 revisions

Overview

In this tutorial, we'll start securing users' computers. Specifically, we'll enable the Windows Firewall (if it is not already enabled) and block ports used by known exploits.

Setup

This tutorial assumes that you have completed the previous tutorial, Checking security software, and have a version of the engine that will start and attempt to contact your web server.

A note on examples

Our xml files are starting to get too long to include their full text inline in these tutorials. When you see the external link symbol in the text, you can click it to view the xml in question.

Enabling the Windows Firewall

  1. Create a new xml file called networksecurity.xml with the following content:
<Content xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://incert.incommon.org/schemas ../Schemas/tasklist.xsd">
  <Branches>
    <TaskBranch name="networksecurity.configure">
      <UserInterface.ActivateCheckedParagraph minimumTaskTime="1">
        <Properties>
          <Dialog>Main dialog</Dialog>
          <ControlKey>Configuring network security</ControlKey>
        </Properties>
      </UserInterface.ActivateCheckedParagraph>
      <Control.ReturnBranchResult>
        <Properties>
          <Branch>networksecurity.configure firewall</Branch>
        </Properties>
      </Control.ReturnBranchResult>
      <UserInterface.CompleteCheckedParagraph minimumTaskTime="1">
        <Properties>
          <Dialog>Main dialog</Dialog>
          <ControlKey>Configuring network security</ControlKey>
        </Properties>
      </UserInterface.CompleteCheckedParagraph>
    </TaskBranch>
  </Branches>
</Content>

Here, the networksecurity.configure branch will launch a series of child branches which will perform our actual configuration tasks.

  1. Add the following xml block to networksecurity.xml:
<TaskBranch name="networksecurity.configure firewall">
  <Control.ReturnLeaveBranchNextResult>
    <Conditions.All>
      <Firewall.IsFirewallEnabled profile="All"/>
    </Conditions.All>
  </Control.ReturnLeaveBranchNextResult>
  <UserInterface.SetCheckedParagraphSubtitle>
    <Properties>
      <Dialog>Main dialog</Dialog>
      <ControlKey>Configuring network security</ControlKey>
    </Properties>
    <Content>
      <ProgressParagraph settingKey="Configuring network security subtitle" margin="0,0,0,0" padding="0,0,0,0" style="InsetText">
        <Content>
          <DirectTextContent>Enabling Windows firewall</DirectTextContent>
        </Content>
      </ProgressParagraph>
    </Content>
  </UserInterface.SetCheckedParagraphSubtitle>
  <UserInterface.StartMessageTimer>
    <Properties>
      <SettingKey>Configuring network security subtitle</SettingKey>
    </Properties>
  </UserInterface.StartMessageTimer>
  <Firewall.EnableFirewall minimumTaskTime="3">
    <Properties>
      <Profile>All</Profile>
    </Properties>
  </Firewall.EnableFirewall>
</TaskBranch>

This branch will enable the Windows Firewall for all firewall profiles. The branch opens with a Control.ReturnLeaveBranchNextResult task governed by a Firewall.IsFirewallEnabled condition. This task will exit the branch and return a NextResult if the Windows Firewall is already enabled, so the branch is safe to run repeatedly. Otherwise, the Firewall.EnableFirewall task will enable the firewall for all profiles. Note that both the Firewall.IsFirewallEnabled condition and the Firewall.EnableFirewall task specify the "All" profile, so the check and the change cover the same set of profiles.
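The check-then-enable logic of this branch, written as an added PowerShell example for comparison (this is not the engine's own code and not part of the original tutorial). It assumes the built-in NetSecurity module (Get-NetFirewallProfile / Set-NetFirewallProfile, available on Windows 8 and Server 2012 or later) and an elevated prompt; the function names Test-AllFirewallProfilesEnabled and Enable-AllFirewallProfiles are hypothetical names chosen here to mirror the Firewall.IsFirewallEnabled condition and Firewall.EnableFirewall task.

```powershell
# Added example, not InCert engine code: the same idempotent check-then-enable
# flow as the networksecurity.configure firewall branch, against all three
# Windows Firewall profiles. Assumes the NetSecurity module and an elevated shell.

function Test-AllFirewallProfilesEnabled {
    # Mirrors Firewall.IsFirewallEnabled profile="All": true only when the
    # Domain, Private and Public profiles are all enabled.
    $profiles = Get-NetFirewallProfile -Profile Domain, Private, Public
    $disabled = $profiles | Where-Object { $_.Enabled -ne 'True' }
    return ($null -eq $disabled)
}

function Enable-AllFirewallProfiles {
    # Mirrors Firewall.EnableFirewall with <Profile>All</Profile>.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True
}

# Record the state of each profile before acting so the change is auditable.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction |
    Format-Table -AutoSize

if (Test-AllFirewallProfilesEnabled) {
    # Equivalent of Control.ReturnLeaveBranchNextResult: nothing to change.
    Write-Output 'Windows Firewall is already enabled for all profiles.'
} else {
    Enable-AllFirewallProfiles
    # Re-check rather than trusting the call: Group Policy or a third-party
    # firewall registered with Windows Security Center can override the setting.
    if (Test-AllFirewallProfilesEnabled) {
        Write-Output 'Windows Firewall enabled for all profiles.'
    } else {
        Write-Warning 'Firewall state did not change; check Group Policy or a third-party firewall.'
    }
}
```

On Windows 7, where the NetSecurity cmdlets are not available, the same two steps are `netsh advfirewall show allprofiles state` to inspect and `netsh advfirewall set allprofiles state on` to enable.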

  1. In tasklist.xml, modify the Control.GetContentFromEndpoint xml block in your main branch as follows:
<Control.GetContentFromEndpoint>
  <Properties>
    <ContentName>banners.xml</ContentName>
    <ContentName>restorepoint.xml</ContentName>
    <ContentName>credentials.xml</ContentName>
    <ContentName>antimalware.xml</ContentName>
    <ContentName>systemintegrity.xml</ContentName>
    <ContentName>networksecurity.xml</ContentName>
  </Properties>
</Control.GetContentFromEndpoint>

This tells the engine to import the contents of networksecurity.xml at the start of the main branch.

  1. In tasklist.xml, add this xml block to your main branch. Put this block after the UserInterface.ChangeBanner task that displays the ConfigureProgressBanner:
<UserInterface.ChangeBanner>
  <Properties>
    <Dialog>Main dialog</Dialog>
    <Banner>ConfigureProgressBanner</Banner>
  </Properties>
</UserInterface.ChangeBanner>
    
<Control.ReturnBranchResult>
  <Properties>
    <Branch>networksecurity.configure</Branch>
  </Properties>
</Control.ReturnBranchResult>

Note: I've included the UserInterface.ChangeBanner block above for clarity. It only needs to appear once in your main branch.

  1. Upload tasklist.xml and networksecurity.xml to your server and run the engine. The engine should now evaluate the state of the Windows Firewall and enable it if necessary.