Author Posts

May 9, 2016 at 5:40 pm

How do I use DSC (either cfirewall or xnetworking) to disable the private, public and domain profiles of the Windows firewall? I'm using Windows server 2012 and WMF 4.

I want to totally disable the Windows firewall. Must I modify an entry in the registry?

I tried using cfirewall and xnetworking (downloading files from the Internet). Here is an example of what I tried after I manually disabled to the windows firewall (to try to enable it to prove it can work):

configuration Add_FirewallRuleToExistingGroup
{ param
( [string[]]$NodeName = 'localhost' )
Import-DSCResource -ModuleName xNetworking
Node $NodeName
{ xFirewall Firewall
{ Name = "MyFirewallRule"
DisplayName = "My Firewall Rule"
DisplayGroup = "My Firewall Rule Group"
Access = "Allow"
State = "Enabled"
Profile = "Private" }
}}
Add_FirewallRuleToExistingGroup -OutputPath .

I had no errors when I ran the script above. I applied the configuration with start-dscconfiguration Add_FirewallRuleToExistingGroup -Wait -Verbose. There were no errors. But the firewall remained disabled. Rebooting didn't help.

I manually enabled the firewall. I then changed the above configuration script to try to disable the firewall. There were no errors when I compiled it. There were no errors when I tried to apply the .mof file. But the firewall remained enabled. How do I use DSC (not plain PowerShell scripts) to totally disable the Windows Firewall?

May 10, 2016 at 2:02 am

You cannot use the xFirewall resource for disabling the firewall. Here is a script resource to do the job.

Script DisableFirewall 
{
    GetScript = {
        @{
            GetScript = $GetScript
            SetScript = $SetScript
            TestScript = $TestScript
            Result = -not('True' -in (Get-NetFirewallProfile -All).Enabled)
        }
    }

    SetScript = {
        Set-NetFirewallProfile -All -Enabled False -Verbose
    }

    TestScript = {
        $Status = -not('True' -in (Get-NetFirewallProfile -All).Enabled)
        $Status -eq $True
    }
}

May 11, 2016 at 6:49 pm

Glad it did. I usually find it easier to write resource scripts if the code you want to run is just a one liner. Anything more complicated gets a proper resource.

May 13, 2016 at 3:07 am

I wrote a resource for that. I was surprised that the xFirewall resource didn't allow it.

https://github.com/theonlyway/Powershell-DSC-Resources