Though you can get products that replace or enhance the built-in firewall on Windows machines, there is still a significant number of agents that rely on the Windows Firewall as the last line of defense between the outside world and one of your workstations. Getting the state of the firewall is not as easy as you would think, as it is not always an "On/Off" situation for the Firewall as a whole.
Windows Firewall actually offers three firewall profiles: domain, private and public. It is possible to have the firewall active for only one or two of these profiles while the other profiles are disabled, leaving the endpoint insecure. This is where this bit of monitoring comes in: it assesses the state of each of the firewall profiles and reports them back in one long string.
In my experience it is pretty easy for these to be set once on a workstation and forgotten, or users have Administrative privileges (naughty!) and disable their own.
The good condition here is that the string does NOT contain the word “Off”.
If your RMM is stuck in the 2000s and requires you to run PowerShell in a remote monitor from a hacked together batch file *COUGH CONNECTWISE* then this can be added straight in to a Remote monitor:
"c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "& {$content = netsh advfirewall show allprofiles;If ($domprofile = $content | Select-String 'Domain Profile' -Context 2 | Out-String){ $domainpro = ($domprofile.Substring($domprofile.Length - 9)).Trim()}Else { $domainpro = $null }If ($priprofile = $content | Select-String 'Private Profile' -Context 2 | Out-String){ $privatepro = ($priprofile.Substring($priprofile.Length - 9)).Trim()}Else { $privatepro = $null }If ($pubprofile = $content | Select-String 'Public Profile' -Context 2 | Out-String){ $publicpro = ($pubprofile.Substring($pubprofile.Length - 9)).Trim()}Else { $publicpro = $null };$FirewallObject = New-Object PSObject;Add-Member -inputObject $FirewallObject -memberType NoteProperty -name \"FirewallDomain\" -value $domainpro;Add-Member -inputObject $FirewallObject -memberType NoteProperty -name \"FirewallPrivate\" -value $privatepro;Add-Member -inputObject $FirewallObject -memberType NoteProperty -name \"FirewallPublic\" -value $publicpro;$FirewallObject -join ','}"
For other RMMs, the generic PowerShell:
$content = netsh advfirewall show allprofiles
If ($domprofile = $content | Select-String 'Domain Profile' -Context 2 | Out-String){ $domainpro = ($domprofile.Substring($domprofile.Length - 9)).Trim() }Else { $domainpro = $null }
If ($priprofile = $content | Select-String 'Private Profile' -Context 2 | Out-String){ $privatepro = ($priprofile.Substring($priprofile.Length - 9)).Trim() }Else { $privatepro = $null }
If ($pubprofile = $content | Select-String 'Public Profile' -Context 2 | Out-String){ $publicpro = ($pubprofile.Substring($pubprofile.Length - 9)).Trim() }Else { $publicpro = $null }
$FirewallObject = New-Object PSObject
Add-Member -inputObject $FirewallObject -memberType NoteProperty -name "FirewallDomain" -value $domainpro
Add-Member -inputObject $FirewallObject -memberType NoteProperty -name "FirewallPrivate" -value $privatepro
Add-Member -inputObject $FirewallObject -memberType NoteProperty -name "FirewallPublic" -value $publicpro
Write-Output $($FirewallObject -join ',')
And to remediate:
NetSh Advfirewall set allprofiles state on
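The script above reads the profile state by slicing the last nine characters out of the netsh text, which works but is fragile if the netsh layout or language ever differs. As an added example (my own code, not the post's script or anything shipped with Windows), the following does the same check and remediation for all three profiles using the NetSecurity cmdlets where they exist, with a regex parse of the netsh output as the fallback. It assumes the NetSecurity module (Windows 8 / Server 2012 and later) for the primary path, and English netsh headings for the fallback, since netsh output is localized; the -Remediate switch is a name I chose for this example.

```powershell
<#
  Added example, not the original post's code. Reports the effective state of
  the Domain, Private and Public Windows Firewall profiles as one string in the
  same FirewallDomain/FirewallPrivate/FirewallPublic shape the post uses, and
  exits non-zero when any profile is off so an RMM can alert on the exit code.

  Assumptions (not from the post): the NetSecurity module is present (Windows 8 /
  Server 2012 and later); on older hosts the netsh fallback is used, which only
  works where netsh prints English headings because its output is localized.
#>

param(
    [switch]$Remediate   # hypothetical switch name: turn every profile on if any is off
)

function Get-FirewallProfileState {
    $state = [ordered]@{}

    if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
        # ActiveStore is the effective configuration: local settings merged
        # with anything Group Policy enforces, so a profile a user switched off
        # locally but GPO forces on is reported as ON, and vice versa.
        foreach ($fwProfile in Get-NetFirewallProfile -PolicyStore ActiveStore) {
            # Enabled is True / False / NotConfigured; only True means the
            # profile is actually on.
            $state["Firewall$($fwProfile.Name)"] =
                if ([string]$fwProfile.Enabled -eq 'True') { 'ON' } else { 'OFF' }
        }
    }
    else {
        # Fallback: parse netsh, anchoring on the profile heading and the
        # "State" line beneath it instead of a fixed character offset.
        $text = (netsh advfirewall show allprofiles) -join "`n"
        foreach ($name in 'Domain', 'Private', 'Public') {
            $m = [regex]::Match($text, "(?sm)^$name Profile Settings:.*?^State\s+(\S+)")
            $state["Firewall$name"] =
                if ($m.Success) { $m.Groups[1].Value.ToUpper() } else { 'UNKNOWN' }
        }
    }
    return $state
}

$state  = Get-FirewallProfileState
$report = ($state.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ','
Write-Output $report        # e.g. FirewallDomain=ON,FirewallPrivate=ON,FirewallPublic=OFF

# Good condition: every profile reports ON. UNKNOWN is treated as a failure too,
# so a parse problem shows up as an alert rather than a silent pass.
$notOn = @($state.GetEnumerator() | Where-Object { $_.Value -ne 'ON' })
if ($notOn.Count -eq 0) { exit 0 }

if ($Remediate) {
    # Same remediation as the post, through the NetSecurity cmdlet when available.
    if (Get-Command Set-NetFirewallProfile -ErrorAction SilentlyContinue) {
        Set-NetFirewallProfile -All -Enabled True
    }
    else {
        netsh advfirewall set allprofiles state on | Out-Null
    }
}
exit 1
```

Run it from the RMM as a normal PowerShell script and alert on a non-zero exit code (or, if your RMM only looks at output, keep the post's rule and fail the check when the string contains OFF or UNKNOWN). Reading ActiveStore rather than the local policy is the point worth keeping even if you stay with netsh: the netsh "State" line also shows the effective state, which is what actually protects the endpoint.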