CMD - AD - enable firewall groups

  • Question

  • Hi all,

    As part of an OpenVAS deployment, I'm looking to turn on all the necessary requirements via Active Directory, and I want to configure AD via the command line. Specifically, OpenVAS needs remote SMB and WMI to run its queries.

    Therefore, I want to be able to do the *equivalent* of the following CMD line commands in AD. But I want to configure AD using a script. This is because - for security - we will only be running OpenVAS queries manually, so need to be able to turn on and off firewall rules repeatedly.

    netsh advfirewall firewall set rule group="remote administration" new enable=yes
    netsh advfirewall firewall set rule group="Windows Remote Management" new enable=yes
    netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes

    It's a bit beyond my skill level, if I'm honest, so any pointers / code snippets on how to use CMD to tell AD to open/close Firewall rules would be really appreciated.



    • Edited by Euan Ramsay Wednesday, April 3, 2019 5:47 PM
    • Moved by Bill_Stewart Monday, July 29, 2019 8:13 PM Off-topic
    Wednesday, April 3, 2019 5:45 PM

All replies

  • The commands posted work just as well in PowerShell as anywhere else. Just use those commands in a batch file or in a PS1 script.


    \_(ツ)_/

    Wednesday, April 3, 2019 6:25 PM
  • Option 1:

    In regards to using AD to open / close or enable / disable firewalls I would utilize Group Policy and just move in the computer objects to an OU.

    Option 2:

    Utilize remote management of Windows Firewall by enabling / disabling using PSEXEC 

    https://community.spiceworks.com/topic/268999-remotely-disable-windows-firewall

    • Proposed as answer by ComputerScott Wednesday, April 3, 2019 8:05 PM
    Wednesday, April 3, 2019 8:05 PM
  • Cheers Scott.

    Dumb question - could I create such a group policy object and the firewall rule objects using CMD?
    Thursday, April 4, 2019 8:21 AM
  • Yeah, but I need to do the control via AD; these are just the CMD equivalent of what I want to achieve via AD.

    I think the confusing part is that I want to do the AD configuration via CMD.
    Thursday, April 4, 2019 8:23 AM
  • What you are trying to do cannot be done with AD. It can be done with GP. There is no need to set and reset this. Just set once and set the program and IP restrictions to control what can use the rule.

    Post in the security forum to learn how to best use the advanced firewall.


    \_(ツ)_/

    Thursday, April 4, 2019 8:34 AM
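
The Group Policy route suggested in the replies can be scripted with the NetSecurity cmdlets, which accept a GPO as the policy store. The script below is an added example, not code from any poster in this thread: it toggles the three rule groups from the question inside one GPO and, when opening them, limits the inbound rules to the scanner's address. It assumes the GPO already exists and is linked to the OU holding the target computers; the GPO name, domain and scanner IP are placeholders.

```powershell
#Requires -Modules NetSecurity
# Added example. Placeholder values (not from the thread): the domain
# corp.example.com, the GPO OpenVAS-Scan-Window and the scanner IP 192.0.2.10.
param(
    [Parameter(Mandatory)][ValidateSet('Open', 'Close')][string]$Action,
    [string]$GpoStore  = 'corp.example.com\OpenVAS-Scan-Window',
    [string]$ScannerIp = '192.0.2.10'
)

# Display groups taken from the netsh commands in the question.
$groups = @(
    'Remote Administration',
    'Windows Remote Management',
    'Windows Management Instrumentation (WMI)'
)

foreach ($group in $groups) {
    # A new GPO holds no firewall rules, so seed it once with copies of the
    # predefined rules from this machine's local (persistent) store.
    $inGpo = Get-NetFirewallRule -DisplayGroup $group -PolicyStore $GpoStore -ErrorAction SilentlyContinue
    if (-not $inGpo) {
        $local = Get-NetFirewallRule -DisplayGroup $group -PolicyStore PersistentStore -ErrorAction SilentlyContinue
        if (-not $local) {
            Write-Warning "Rule group '$group' does not exist on this machine; skipped."
            continue
        }
        Copy-NetFirewallRule -DisplayGroup $group -PolicyStore PersistentStore -NewPolicyStore $GpoStore
    }

    # Only inbound rules are needed for a remote scanner to reach SMB/WMI.
    $rules = Get-NetFirewallRule -DisplayGroup $group -PolicyStore $GpoStore |
        Where-Object Direction -eq 'Inbound'

    if ($Action -eq 'Open') {
        # Enable the rules, but accept traffic from the scanner only.
        $rules | Set-NetFirewallRule -Enabled True -RemoteAddress $ScannerIp
    }
    else {
        $rules | Set-NetFirewallRule -Enabled False
    }
}

# Show the resulting state of the GPO so the change can be reviewed.
Get-NetFirewallRule -PolicyStore $GpoStore |
    Where-Object DisplayGroup -in $groups |
    Sort-Object DisplayGroup, DisplayName |
    Format-Table DisplayName, Direction, Enabled -AutoSize
```

Clients apply the change at their next Group Policy refresh, or immediately after `gpupdate /force` on the target machine.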