carriecelery Posted July 14, 2014 (edited)

I needed something to quickly configure static IP addresses and enable file sharing for multiple machines on my subnet. I wrote this and it seems to work. I don't know that much about firewalls and security, so if someone can point out anything I may have missed, or suggest an improvement, it would be appreciated.

```autoit
;~ Revision 2014-07-13
;~ Written for Microsoft Windows 7 Home Premium SP1 x64
;~ This script requires the "Secondary Logon" service. Please ensure that "Secondary Logon" is not disabled.

$admin_account="Administrator" ; The name of any account that has administrative privileges.
$admin_password="password" ; The password associated with the aforementioned administrative account. It is stored in clear text, so anyone who can read this script file can read it.
$connection_name="Local Area Connection" ; The name of the Ethernet connection.
$static_net="192.168.1." ; The first three octets and dots of IP addresses on the subnet.
$static_base="2" ; The fourth octet of the static IP address. If left blank, a random address will be assigned.
$subnet_id="24" ; The subnet mask ID. 24 is the same as 255.255.255.0 and 32 is the same as 255.255.255.255
$lan_gateway="1" ; The fourth octet of the IP address of the router or gateway on the subnet.
$primary_dns="208.67.222.222" ; The IP address of OpenDNS service. Secondary is 208.67.220.220
$secondary_dns="8.8.8.8" ; The IP address of Google Public DNS service. Secondary is 8.8.4.4

If $static_base="" Then
    Do
        $static_base=Random(2,254,1) ; Pick a random host number between 2 and 254; re-rolls if 127 is drawn.
    Until $static_base<>127
EndIf

_Static_DNS()
_Firewall_Enable()
Exit

Func _Static_DNS()
    RunAsWait($admin_account,@ComputerName,$admin_password,0,"C:\Windows\system32\arp.exe -d *",@SystemDir,@SW_HIDE) ; Resets the ARP table.
    RunAsWait($admin_account,@ComputerName,$admin_password,0,"C:\Windows\System32\ipconfig.exe /flushdns",@SystemDir,@SW_HIDE) ; Resets the DNS cache.
    RunAsWait($admin_account,@ComputerName,$admin_password,0,"C:\Windows\system32\netsh.exe interface teredo set state type=disable",@SystemDir,@SW_HIDE) ; Disables the Teredo interface.
    RunAsWait($admin_account,@ComputerName,$admin_password,0,"C:\Windows\system32\netsh.exe interface ipv6 6to4 set state state=disabled",@SystemDir,@SW_HIDE) ; Disables IPv6 to IPv4 datagrams.
    RunAsWait($admin_account,@ComputerName,$admin_password,0,"C:\Windows\system32\netsh.exe interface ipv4 set address name="""&$connection_name&""" source=static address="&$static_net&$static_base&"/"&$subnet_id&" gateway="&$static_net&$lan_gateway&" store=persistent",@SystemDir,@SW_HIDE) ; Disables DHCP by assigning the IP address, subnet mask, and gateway.
    RunAsWait($admin_account,@ComputerName,$admin_password,0,"C:\Windows\system32\netsh.exe interface ipv4 set dnsservers name="""&$connection_name&""" source=static address="&$primary_dns&" register=both validate=no",@SystemDir,@SW_HIDE) ; Assigns the primary DNS address.
    RunAsWait($admin_account,@ComputerName,$admin_password,0,"C:\Windows\system32\netsh.exe interface ipv4 add dnsservers name="""&$connection_name&""" address="&$secondary_dns&" index=2 validate=no",@SystemDir,@SW_HIDE) ; Assigns the secondary DNS address.
EndFunc

Func _Firewall_Enable()
    RunAsWait($admin_account,@ComputerName,$admin_password,0,"C:\Windows\System32\netsh.exe advfirewall set allprofiles state on",@SystemDir,@SW_HIDE) ; Enables the Windows firewall.
    RunAsWait($admin_account,@ComputerName,$admin_password,0,"C:\Windows\System32\netsh.exe advfirewall reset",@SystemDir,@SW_HIDE) ; Resets the Windows firewall to its default policy.
    RunAsWait($admin_account,@ComputerName,$admin_password,0,"C:\Windows\System32\netsh.exe advfirewall firewall set rule group=""File and Printer Sharing"" new enable=Yes",@SystemDir,@SW_HIDE) ; Allows File & Printer Sharing through the Windows firewall.
    RunAsWait($admin_account,@ComputerName,$admin_password,0,"C:\Windows\System32\netsh.exe advfirewall firewall set rule name=""File and Printer Sharing (Echo Request - ICMPv4-In)"" new profile=any remoteip="&$static_net&"0/"&$subnet_id,@SystemDir,@SW_HIDE) ; Restricts ICMPv4 ping requests to within the current subnet only.
    RunAsWait($admin_account,@ComputerName,$admin_password,0,"C:\Windows\System32\netsh.exe advfirewall firewall set rule name=""File and Printer Sharing (Echo Request - ICMPv6-In)"" new profile=any remoteip=fe80:0:0:0:0:0:"&$static_net&"0/120",@SystemDir,@SW_HIDE) ; Restricts ICMPv6 ping requests to within the current subnet only.
    RunAsWait($admin_account,@ComputerName,$admin_password,0,"C:\Windows\System32\netsh.exe advfirewall firewall set rule name=""File and Printer Sharing (LLMNR-UDP-In)"" new profile=any remoteip="&$static_net&"0/"&$subnet_id,@SystemDir,@SW_HIDE) ; Restricts port 5355 Link Local Multicast Name Resolution to within the current subnet only.
    RunAsWait($admin_account,@ComputerName,$admin_password,0,"C:\Windows\System32\netsh.exe advfirewall firewall set rule name=""File and Printer Sharing (NB-Datagram-In)"" new profile=any remoteip="&$static_net&"0/"&$subnet_id,@SystemDir,@SW_HIDE) ; Restricts port 138 NetBIOS Datagrams to within the current subnet only.
    RunAsWait($admin_account,@ComputerName,$admin_password,0,"C:\Windows\System32\netsh.exe advfirewall firewall set rule name=""File and Printer Sharing (NB-Name-In)"" new profile=any remoteip="&$static_net&"0/"&$subnet_id,@SystemDir,@SW_HIDE) ; Restricts port 137 NetBIOS Name Resolution to within the current subnet only.
    RunAsWait($admin_account,@ComputerName,$admin_password,0,"C:\Windows\System32\netsh.exe advfirewall firewall set rule name=""File and Printer Sharing (NB-Session-In)"" new profile=any remoteip="&$static_net&"0/"&$subnet_id,@SystemDir,@SW_HIDE) ; Restricts port 139 NetBIOS Session Service to within the current subnet only.
    RunAsWait($admin_account,@ComputerName,$admin_password,0,"C:\Windows\System32\netsh.exe advfirewall firewall set rule name=""File and Printer Sharing (SMB-In)"" new profile=any remoteip="&$static_net&"0/"&$subnet_id,@SystemDir,@SW_HIDE) ; Restricts port 445 Server Message Blocks to within the current subnet only.
    RunAsWait($admin_account,@ComputerName,$admin_password,0,"C:\Windows\System32\netsh.exe advfirewall firewall set rule name=""File and Printer Sharing (Spooler Service - RPC)"" new profile=any remoteip="&$static_net&"0/"&$subnet_id,@SystemDir,@SW_HIDE) ; Restricts Print Spooler Service to within the current subnet only.
    RunAsWait($admin_account,@ComputerName,$admin_password,0,"C:\Windows\System32\netsh.exe advfirewall firewall set rule name=""File and Printer Sharing (Spooler Service - RPC-EPMAP)"" new profile=any remoteip="&$static_net&"0/"&$subnet_id,@SystemDir,@SW_HIDE) ; Restricts RPCSS Print Spooler Service to within the current subnet only.
    RunAsWait($admin_account,@ComputerName,$admin_password,0,"C:\Windows\System32\netsh.exe advfirewall firewall set rule name=""Remote Assistance (DCOM-In)"" new profile=any remoteip="&$static_net&"0/"&$subnet_id,@SystemDir,@SW_HIDE) ; Restricts port 135 Remote Assistance to within the current subnet only.
    RunAsWait($admin_account,@ComputerName,$admin_password,0,"C:\Windows\System32\netsh.exe advfirewall firewall set rule name=""Network Discovery (NB-Name-In)"" new profile=any remoteip="&$static_net&"0/"&$subnet_id,@SystemDir,@SW_HIDE) ; Restricts port 137 Network Discovery to within the current subnet only.
    RunAsWait($admin_account,@ComputerName,$admin_password,0,"C:\Windows\System32\netsh.exe advfirewall firewall set rule name=""Remote Service Management (NP-In)"" new profile=any remoteip="&$static_net&"0/"&$subnet_id,@SystemDir,@SW_HIDE) ; Restricts port 445 Remote Service Management to within the current subnet only.
EndFunc
```

Edited July 14, 2014 by carriecelery
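The security-relevant part of the script above is the `remoteip=` scope it puts on every inbound File and Printer Sharing rule: without it, ports 137/138/139/445 would be reachable from any address the firewall profile allows. The following is an added example, not the poster's code, that checks the result after the script has run. It parses the text layout of `netsh advfirewall firewall show rule name=all` (a constructed sample is embedded below; the field names match what Windows 7 prints, which is an assumption about the layout rather than captured output) and reports every enabled inbound allow rule whose RemoteIP is `Any` or lies outside the expected LAN prefix. It also rebuilds the scope string the script forms from `$static_net` and `$subnet_id`, which is only a clean network address when the prefix length is 24 or longer.

```python
"""Audit netsh 'show rule' output for inbound allow rules not scoped to the LAN.
Added example; the sample output is constructed, not captured from a real host."""
import ipaddress

# Constructed sample in the layout of `netsh advfirewall firewall show rule name=all`.
SAMPLE_NETSH_OUTPUT = """\
Rule Name:                            File and Printer Sharing (SMB-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:                             File and Printer Sharing
RemoteIP:                             192.168.1.0/24
Protocol:                             TCP
LocalPort:                            445
Action:                               Allow

Rule Name:                            File and Printer Sharing (NB-Session-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:                             File and Printer Sharing
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            139
Action:                               Allow

Rule Name:                            File and Printer Sharing (Spooler Service - RPC)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:                             File and Printer Sharing
RemoteIP:                             10.0.0.0/8
Protocol:                             TCP
LocalPort:                            RPC
Action:                               Allow
Ok.
"""


def parse_rules(text):
    """Split netsh output into one dict per rule, keyed by the 'Field:' labels."""
    rules, current = [], None
    for line in text.splitlines():
        if line.startswith("Rule Name:"):
            current = {}
            rules.append(current)
        if current is None or ":" not in line:
            continue  # separator dashes, blank lines and the trailing "Ok."
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return rules


def audit_inbound_scope(text, lan_subnet):
    """Return (rule name, problem) for enabled inbound allow rules that are
    reachable from outside lan_subnet. IPv6 scopes are skipped for an IPv4 LAN."""
    lan = ipaddress.ip_network(lan_subnet)
    findings = []
    for rule in parse_rules(text):
        if (rule.get("Enabled") != "Yes" or rule.get("Direction") != "In"
                or rule.get("Action") != "Allow"):
            continue
        name, remote = rule["Rule Name"], rule.get("RemoteIP", "Any")
        if remote == "Any":
            findings.append((name, "open to any remote address"))
            continue
        for token in remote.split(","):  # netsh lists several scopes comma-separated
            token = token.strip()
            try:
                net = ipaddress.ip_network(token, strict=False)
            except ValueError:  # keywords such as LocalSubnet are reported, not trusted
                findings.append((name, f"unparsed scope {token!r}"))
                continue
            if net.version == lan.version and not net.subnet_of(lan):
                findings.append((name, f"scope {token} is wider than or outside {lan}"))
    return findings


def script_scope(static_net, subnet_id):
    """Rebuild the remoteip value the AutoIt script emits ($static_net & "0/" & $subnet_id)
    and return it with its parsed network, or None when the host bits are not all zero."""
    text = f"{static_net}0/{subnet_id}"
    try:
        return text, ipaddress.ip_network(text)  # strict: rejects e.g. 192.168.1.0/16
    except ValueError:
        return text, None


if __name__ == "__main__":
    scope_text, scope = script_scope("192.168.1.", "24")
    print(f"script scope {scope_text} -> {'ok' if scope else 'not a network address'}")
    for rule_name, problem in audit_inbound_scope(SAMPLE_NETSH_OUTPUT, str(scope)):
        print(f"{rule_name}: {problem}")
```

On the sample the audit flags NB-Session-In (open to any address) and the Spooler rule (scoped to 10.0.0.0/8, which is not inside 192.168.1.0/24) and accepts SMB-In. To run it against a real machine, capture `netsh advfirewall firewall show rule name=all > rules.txt` from an elevated prompt and pass the file contents in place of the sample.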
carriecelery Posted July 14, 2014 (Author)

I forgot to mention a configuration I am using. To prevent DNS leaks it is recommended to disable IPv6. The following registry key will disable IPv6 in Windows 7. Copy this code into a "New Text Document.txt" and rename it to "DisableIPv6.reg". Run it and reboot.

```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters]
"DisabledComponents"=dword:ffffffff
```