Set Windows Firewall Group Policy Programmatically


Bilgus

Recently I was looking for a way to set DefaultInboundAction and DefaultOutboundAction for Windows Firewall.

First I tried 'netsh.exe advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound'

However, it turns out group policy overrides these settings.

I then went looking for a way to set the Firewall group policy, and the best I could find was making a policy, copying it to the system32\grouppolicy folder and then running gpupdate.exe /force.

Instead of relying on such a rigid procedure I instead decided to parse the Registry.pol file and change the values within.

This code has only been tested on W7x64

The example as supplied sets the domain profile firewall off, then sets it back to the previous settings after you click the message box.

There are several options:

Func SetGroupPolicy_Firewall($iSetting, $iValue, $sPath, $sProfile = "")

Setting=0 Enable/disable firewall, $iValue=0 Disable, $iValue=1 Enable

Setting=1 DefaultInboundAction, $iValue=0 Allow, $iValue=1 Block

Setting=2 DefaultOutboundAction, $iValue=0 Allow, $iValue=1 Block

Profile ="" SET ALL PROFILES

The profile can also be defined

Profile= Domain;Private;Public

Beware: $iValue is only configured for 0 and 1 values. There are a few more options on the inbound and outbound settings that I haven't given a way to set, so in this case you may need to copy back the Registry.pol.bak file to revert to your previous settings.

It doesn't seem to have any issues on reverting back to original settings if Block all Exceptions or NotConfigured are set. It just won't work, which in my case is acceptable.

It wouldn't be too hard to add code to make these work as well:

"[SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" & ChrW(0) & ";DefaultInboundAction" & ChrW(0) & ";" & ChrW(4) & ChrW(0) & ";" & ChrW(4) & ChrW(0) & ";" & ChrW($iValue) & ChrW(0) & "]"

;And Again for:
;[SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile;DoNotAllowExceptions;;;]

Do note that these would need to be added for each profile: Domain;Public;Private.

These locations do refer to actual registry locations, but I haven't figured out a way to get those to change the group policy.

 

 

If you run into problems or make improvements, let me know.

A backup is saved as C:\Windows\System32\GroupPolicy\Machine\Registry.pol.bak just in case.

 

#RequireAdmin
#include <WinAPIFiles.au3>
Local $iLast
If @OSArch = "X64" And @AutoItX64 = 0 Then
    $iLast = SetGroupPolicy_Firewall(0, 0, @WindowsDir & "\SysNative\GroupPolicy\Machine\Registry.pol", "Domain")
    Run(@ComSpec & " /c " & "gpupdate.exe /force", "", @SW_HIDE)
Else
    $iLast = SetGroupPolicy_Firewall(0, 0, @WindowsDir & "\SysTem32\GroupPolicy\Machine\Registry.pol", "Domain")
    Run(@ComSpec & " /c " & "gpupdate.exe /force", "", @SW_HIDE)
EndIf
ConsoleWrite($iLast & ", ")
MsgBox(0, "When Ready", "press Ok to go back to previous settings")
If @OSArch = "X64" And @AutoItX64 = 0 Then
    $iLast = SetGroupPolicy_Firewall(0, $iLast, @WindowsDir & "\SysNative\GroupPolicy\Machine\Registry.pol", "Domain")
    Run(@ComSpec & " /c " & "gpupdate.exe /force", "", @SW_HIDE)
Else
    $iLast = SetGroupPolicy_Firewall(0, $iLast, @WindowsDir & "\SysTem32\GroupPolicy\Machine\Registry.pol", "Domain")
    Run(@ComSpec & " /c " & "gpupdate.exe /force", "", @SW_HIDE)
EndIf
ConsoleWrite($iLast & @CRLF)


Func SetGroupPolicy_Firewall($iSetting, $iValue, $sPath, $sProfile = "")

    Local $sCommand, $sSearch, $sFile
    Local $hFile
    Local $iFileEnd, $iLenSearch, $iFound = 0, $iError = 0, $iReturn = -1
    If $iValue >1 or $iValue<0 Then $iSetting=-1
    Switch $iSetting
        Case 0
            $sCommand = ";EnableFirewall"
        Case 1
            $sCommand = ";DefaultInboundAction"
        Case 2
            $sCommand = ";DefaultOutboundAction"
        Case Else
            ConsoleWrite("SetGroupPolicy_Firewall Invalid Command " & $iSetting)
            $iError = 1
    EndSwitch

    If $sProfile <> "" Then $sProfile = "\" & StringMid(StringUpper($sProfile), 1, 1) & StringMid(StringLower($sProfile), 2, -1)
    $sSearch = $sProfile & "Profile" & ChrW(0) & $sCommand

    FileSetAttrib($sPath, "-RH") ;Remove readonly and hidden attributes these mess up windows policy editor
    FileCopy($sPath, $sPath & ".Bak", 0) ;Make a backup of policy file if one doesn't exist
    $hFile = FileOpen($sPath, 0 + 16 + 32) ;read, Binary,UTF16_LE

    If $hFile = -1 Then
        ConsoleWrite("Error Opening" & @CRLF & $sPath & "> Exists=" & _WinAPI_FileExists($sPath))
        $iError = 2
    Else
        FileSetPos($hFile, 0, 2) ;EoF
        $iFileEnd = FileGetPos($hFile)
        FileSetPos($hFile, 0, 0) ;Beginning

        $sSearch = StringToBinary($sSearch, 2)
        $iLenSearch = BinaryLen($sSearch)
        If $iLenSearch > 32 Then
            $sFile = BinaryToString(FileRead($hFile, -1))

            For $i = 0 To $iFileEnd Step 2

                FileSetPos($hFile, $i, 0) ;Beginning

                If FileRead($hFile, $iLenSearch) = $sSearch Then
                    $iFound += 1
                    FileSetPos($hFile, $i + $iLenSearch + 16, 0)
                    $iReturn = Int(Hex(BinaryMid(StringToBinary($sFile), $i + $iLenSearch + 16, 2)))
                    $sFile = StringMid($sFile, 1, $i + $iLenSearch + 16) & ChrW($iValue) & StringMid($sFile, $i + $iLenSearch + 16 + 2, -1)
                EndIf
            Next

            FileClose($hFile)
            If $iFound > 0 Then
                $hFile = FileOpen($sPath, 2 + 16 + 32) ;Overwrite,Binary,UTF16_LE
                If Not (FileWrite($hFile, $sFile)) Then
                    ConsoleWrite("Unable to write to policy file" & @CRLF & $sPath & @CRLF)
                    $iError = 4
                    $iReturn = -1
                EndIf
                FileClose($hFile)
            Else
                ConsoleWrite("Search String Not Found" & @CRLF)
                $iError = 3
            EndIf

        Else
            ConsoleWrite("Invalid Search String" & @CRLF)
            $iError = 5
        EndIf
        ;FileSetAttrib($sPath, "+H")
    EndIf

    Return SetError($iError, $iFileEnd, $iReturn)
EndFunc   ;==>SetGroupPolicy_Firewall

 

Edited by Bilgus
Value Added

In hindsight I probably should have just parsed the registry entries into a .pol file. I might do that some other day.

I found this, which gives information on the PREG file format:

https://msdn.microsoft.com/en-us/library/aa374407(v=vs.85).aspx 

 

And... someone else already made an editor around this, though this is a lot less code.

 

 

Edited by Bilgus
reinventing the wheel
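The PReg layout the function above depends on (a "PReg" signature and version 1, then entries stored as [key;value;type;size;data] in UTF-16LE, which is why the data sits 16 bytes past the value name), as an added Python example that is not part of the original posts. It walks a Registry.pol buffer entry by entry and reports the firewall values, so a backup and a modified file can be compared; all function names and the sample buffer are constructed for illustration.

```python
import struct
U16 = "utf-16-le"
FW_ROOT = "software\\policies\\microsoft\\windowsfirewall\\"
FW_NAMES = ("EnableFirewall", "DefaultInboundAction", "DefaultOutboundAction")

def _expect(buf, pos, ch):  # check one UTF-16LE delimiter, return the offset after it
    if buf[pos:pos + 2] != ch.encode(U16):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def _cstr(buf, pos):  # NUL-terminated UTF-16LE string followed by ';'
    end = pos
    while end < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode(U16), _expect(buf, end + 2, ";")

def _u32(buf, pos):  # little-endian DWORD with a bounds check
    if pos + 4 > len(buf):
        raise ValueError("truncated entry")
    return struct.unpack_from("<I", buf, pos)[0]

def parse_pol(buf):
    """Return (key, value, type, data) tuples from a PReg version 1 buffer."""
    if buf[:4] != b"PReg" or _u32(buf, 4) != 1:
        raise ValueError("not a PReg version 1 file")
    pos, entries = 8, []
    while pos < len(buf):
        key, pos = _cstr(buf, _expect(buf, pos, "["))
        value, pos = _cstr(buf, pos)
        rtype, size = _u32(buf, pos), _u32(buf, _expect(buf, pos + 4, ";"))
        start = _expect(buf, pos + 10, ";")  # 16 bytes past the end of the value name
        entries.append((key, value, rtype, buf[start:start + size]))
        pos = _expect(buf, start + size, "]")  # also fails on truncated data
    return entries

def firewall_settings(entries):
    """Map (profile key, name) -> DWORD for the three values the post's function edits."""
    return {(k[len(FW_ROOT):], v): _u32(d, 0) for k, v, t, d in entries
            if k.lower().startswith(FW_ROOT) and v in FW_NAMES and t == 4 and len(d) == 4}

def _entry(key, value, rtype, data):  # builds constructed sample data only
    head = f"[{key}\0;{value}\0;".encode(U16) + struct.pack("<I", rtype) + ";".encode(U16)
    return head + struct.pack("<I", len(data)) + ";".encode(U16) + data + "]".encode(U16)

FW = "SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile"
SAMPLE = b"PReg" + struct.pack("<I", 1) + b"".join([  # constructed, not a real policy file
    _entry(FW, "EnableFirewall", 4, struct.pack("<I", 0)),
    _entry(FW, "DefaultInboundAction", 4, struct.pack("<I", 1)),
    _entry("Software\\Policies\\Example", "Name", 1, "x\0".encode(U16))])
```

Calling firewall_settings(parse_pol(data)) on the bytes of Registry.pol and of Registry.pol.bak shows exactly which profile values differ between the two files.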