

Automating Windows Firewall Settings with C#

Hi Vamsy here. I am a Developer in Information Security Tools Team. I have done some work on automating Windows Firewall settings using C# and wanted to share what I learnt.

In this post, I am going to demonstrate how to programmatically access the following features of Windows Firewall using C#. I have divided the post into following 6 steps:

  • Checking the status of Windows Firewall.
  • Enabling/disabling Windows Firewall.
  • Obtain the list of authorized ports.
  • Obtain the list of authorized applications.
  • Add/Remove an application to the list of authorized applications.
  • Add/Remove a port to the list of authorized ports.

To know more about Windows Firewall, refer to this link on msdn.

Checking for Windows Firewall

We create an instance of the HNetCfg.FwMgr COM object. A complete reference for Windows Firewall scripting is available at Windows Firewall Tools and Scripting. We then use the properties of this object to find out the status of the firewall. The C# code is as follows:

    // Requires a COM reference to NetFwTypeLib and "using NetFwTypeLib;"
    Type NetFwMgrType = Type.GetTypeFromProgID("HNetCfg.FwMgr", false);
    INetFwMgr mgr = (INetFwMgr)Activator.CreateInstance(NetFwMgrType);
    bool firewallEnabled = mgr.LocalPolicy.CurrentProfile.FirewallEnabled;

Enabling/Disabling Windows Firewall 

We can change the status of the Windows Firewall by setting the FirewallEnabled property of the CurrentProfile object (this needs administrative rights). The C# code is as follows:

    // Set to true to enable the firewall, false to disable it.
    mgr.LocalPolicy.CurrentProfile.FirewallEnabled = true;

Obtain the list of authorized ports

We can get the list of globally open ports from the GloballyOpenPorts property of the CurrentProfile object. The result is an object of type INetFwOpenPorts. We obtain the enumerator for this collection and loop over it to reach each individual port. The following is the C# code:

    INetFwOpenPorts ports;
    INetFwOpenPort port;

    Type NetFwMgrType = Type.GetTypeFromProgID("HNetCfg.FwMgr", false);
    INetFwMgr mgr = (INetFwMgr)Activator.CreateInstance(NetFwMgrType);
    ports = (INetFwOpenPorts)mgr.LocalPolicy.CurrentProfile.GloballyOpenPorts;
    System.Collections.IEnumerator enumerate = ports.GetEnumerator();
    while (enumerate.MoveNext())
    {
        port = (INetFwOpenPort)enumerate.Current;
        // Each entry exposes Port, Name, Protocol and Enabled, among others.
        Console.WriteLine("{0} port {1} enabled={2}", port.Name, port.Port, port.Enabled);
    }

Obtain the list of authorized applications

We can get the list of applications authorized by the firewall from the AuthorizedApplications property of the CurrentProfile object. The result is an object of type INetFwAuthorizedApplications. We obtain the enumerator for this collection and loop over it to reach each individual application. The following is the C# code:

    INetFwAuthorizedApplications applications;
    INetFwAuthorizedApplication application;

    Type NetFwMgrType = Type.GetTypeFromProgID("HNetCfg.FwMgr", false);
    INetFwMgr mgr = (INetFwMgr)Activator.CreateInstance(NetFwMgrType);
    applications = (INetFwAuthorizedApplications)mgr.LocalPolicy.CurrentProfile.AuthorizedApplications;
    System.Collections.IEnumerator enumerate = applications.GetEnumerator();
    while (enumerate.MoveNext())
    {
        application = (INetFwAuthorizedApplication)enumerate.Current;
        // Each entry exposes Name, ProcessImageFileName and Enabled, among others.
        Console.WriteLine("{0} ({1}) enabled={2}",
            application.Name, application.ProcessImageFileName, application.Enabled);
    }

Add a port to globally open ports

A port can be added to the list of globally open ports by first creating an object of type INetFwOpenPort (from the HNetCfg.FwOpenPort COM class) and then adding it to the GloballyOpenPorts collection of the CurrentProfile object. The C# code is given below:

    INetFwOpenPorts ports;
    // The port entry must be created through COM; an uninitialised interface variable cannot be used.
    Type NetFwOpenPortType = Type.GetTypeFromProgID("HNetCfg.FwOpenPort", false);
    INetFwOpenPort port = (INetFwOpenPort)Activator.CreateInstance(NetFwOpenPortType);
    port.Port = 8080;                   /* port number */
    port.Name = "Application1";         /* name of the application using the port */
    port.Protocol = NET_FW_IP_PROTOCOL_.NET_FW_IP_PROTOCOL_TCP; /* TCP or UDP */
    port.Enabled = true;                /* enable the port */
    /* other properties like IpVersion, Scope and RemoteAddresses can also be set;
       now add this to the GloballyOpenPorts collection */

    Type NetFwMgrType = Type.GetTypeFromProgID("HNetCfg.FwMgr", false);
    INetFwMgr mgr = (INetFwMgr)Activator.CreateInstance(NetFwMgrType);
    ports = (INetFwOpenPorts)mgr.LocalPolicy.CurrentProfile.GloballyOpenPorts;

    ports.Add(port);

Add an application to the list of authorized applications

Now we will finally see how to add an application to the list of authorized applications. The method is the same as above: create an application entry (from the HNetCfg.FwAuthorizedApplication COM class) and add it to the AuthorizedApplications collection. The C# code is as follows:

    INetFwAuthorizedApplications applications;
    // Create the entry through COM rather than declaring an uninitialised interface variable.
    Type NetFwAppType = Type.GetTypeFromProgID("HNetCfg.FwAuthorizedApplication", false);
    INetFwAuthorizedApplication application = (INetFwAuthorizedApplication)Activator.CreateInstance(NetFwAppType);

    application.Name = "Internet Explorer";  /* set the name of the application */

    /* set this property to the location of the executable file of the application */
    application.ProcessImageFileName = "C:\\Program Files\\Internet Explorer\\iexplore.exe";
    application.Enabled = true;  // enable it

    /* now add this application to the AuthorizedApplications collection */

    Type NetFwMgrType = Type.GetTypeFromProgID("HNetCfg.FwMgr", false);
    INetFwMgr mgr = (INetFwMgr)Activator.CreateInstance(NetFwMgrType);
    applications = (INetFwAuthorizedApplications)mgr.LocalPolicy.CurrentProfile.AuthorizedApplications;
    applications.Add(application);

Note: In Visual Studio, you need to add the NetFwTypeLib COM reference to your project and also import the namespace in your source files (using NetFwTypeLib;).

It is actually interesting to know how many things one can achieve by Windows Firewall Scripting. More features like disabling an application or port can be done on the same lines as above.
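As an added example (not code from the original post), the following console program pulls the steps above together into a small audit of the current profile using the same INetFwMgr API: it confirms the firewall is on, lists the globally open ports and authorized applications, disables any open port that is not on an expected list, and flags authorized-application entries whose executable no longer exists on disk. The allow-lists in Main are constructed sample data, and the program must run elevated to change anything.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using NetFwTypeLib; // COM reference to NetFwTypeLib

// Added example built on the INetFwMgr API shown in the post; not the post's own code.
static class FirewallAudit
{
    static INetFwProfile CurrentProfile()
    {
        Type mgrType = Type.GetTypeFromProgID("HNetCfg.FwMgr", false);
        INetFwMgr mgr = (INetFwMgr)Activator.CreateInstance(mgrType);
        return mgr.LocalPolicy.CurrentProfile;
    }

    // Returns true if the firewall was already enabled; otherwise enables it and returns false.
    static bool EnsureEnabled(INetFwProfile profile)
    {
        if (profile.FirewallEnabled) return true;
        Console.WriteLine("Firewall was disabled on the current profile; enabling it.");
        profile.FirewallEnabled = true;
        return false;
    }

    // Disables (rather than removes) globally open ports that are not in the expected set.
    // Keys have the form "port/protocol", e.g. "3389/TCP".
    static int DisableUnexpectedPorts(INetFwProfile profile, HashSet<string> expected)
    {
        int changed = 0;
        foreach (INetFwOpenPort p in profile.GloballyOpenPorts)
        {
            string proto = p.Protocol == NET_FW_IP_PROTOCOL_.NET_FW_IP_PROTOCOL_UDP ? "UDP" : "TCP";
            string key = p.Port + "/" + proto;
            Console.WriteLine("open port {0} name='{1}' enabled={2}", key, p.Name, p.Enabled);
            if (p.Enabled && !expected.Contains(key))
            {
                Console.WriteLine("  -> not on the expected list, disabling");
                p.Enabled = false; // keeps the entry for later review instead of deleting it
                changed++;
            }
        }
        return changed;
    }

    // Reports authorized applications whose executable path no longer exists,
    // which is a common source of stale exceptions.
    static int ReportStaleApplications(INetFwProfile profile)
    {
        int stale = 0;
        foreach (INetFwAuthorizedApplication app in profile.AuthorizedApplications)
        {
            // Entries may store paths with environment variables such as %ProgramFiles%.
            string path = Environment.ExpandEnvironmentVariables(app.ProcessImageFileName);
            bool exists = File.Exists(path);
            Console.WriteLine("authorized app '{0}' path={1} enabled={2} exists={3}",
                app.Name, path, app.Enabled, exists);
            if (!exists) stale++;
        }
        return stale;
    }

    static void Main()
    {
        INetFwProfile profile = CurrentProfile();
        EnsureEnabled(profile);

        // Constructed sample baseline for the demo; replace with your own.
        var expectedPorts = new HashSet<string> { "3389/TCP" };

        int disabled = DisableUnexpectedPorts(profile, expectedPorts);
        int stale = ReportStaleApplications(profile);
        Console.WriteLine("{0} port(s) disabled, {1} stale application entry(ies) found", disabled, stale);
    }
}
```

The foreach loops rely on the interop collections implementing IEnumerable, which is the same enumerator the explicit MoveNext loops above use. Disabling an entry instead of calling Remove leaves a trace an administrator can inspect before it is deleted.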

I will come back with a small tool called Windows Firewall Checker. This tool can be used by administrators to ensure that firewall is enabled on the user’s workstation.

Hope that was useful. As usual all comments are appreciated.

Comments

  • Anonymous
    August 21, 2009
    It's great to see an article dealing with this subject, and I agree that the Firewall provides a rich set of API's. However, it appears that you are using the XP SP2 COM API's. This is fine for XP (and they will work on Vista/Win7) but it's greatly recommended that you use the newer COM API (INetFwPolicy2) for Vista/Win7: http://msdn.microsoft.com/en-us/library/aa366418%28VS.85%29.aspx These API's have full support for the Vista/Win7 network profiles that were introduced in Vista (Public, Private, Domain).
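The following is an added example (not code from the post or the commenter) of the same status check written against the INetFwPolicy2 interface the comment recommends. It reports the firewall state for each of the Domain, Private and Public profiles, marks which of them are currently active, and lists the enabled inbound allow rules, since those are the entries that widen a workstation's exposure. Profile and rule identifiers come from the NetFwTypeLib interop assembly; the program assumes Windows Vista or later.

```csharp
using System;
using NetFwTypeLib; // COM reference to NetFwTypeLib

// Added example using INetFwPolicy2 (HNetCfg.FwPolicy2); not the post's own code.
static class FirewallPolicy2Check
{
    static readonly NET_FW_PROFILE_TYPE2_[] AllProfiles =
    {
        NET_FW_PROFILE_TYPE2_.NET_FW_PROFILE2_DOMAIN,
        NET_FW_PROFILE_TYPE2_.NET_FW_PROFILE2_PRIVATE,
        NET_FW_PROFILE_TYPE2_.NET_FW_PROFILE2_PUBLIC,
    };

    static INetFwPolicy2 Policy()
    {
        Type t = Type.GetTypeFromProgID("HNetCfg.FwPolicy2", false);
        return (INetFwPolicy2)Activator.CreateInstance(t);
    }

    // Prints the per-profile state and returns how many profiles have the firewall off.
    static int ReportProfiles(INetFwPolicy2 policy)
    {
        int disabled = 0;
        int active = policy.CurrentProfileTypes; // bitmask of the currently active profiles
        foreach (NET_FW_PROFILE_TYPE2_ p in AllProfiles)
        {
            // FirewallEnabled is an indexed COM property; the interop exposes it as get_/set_.
            bool on = policy.get_FirewallEnabled(p);
            bool isActive = (active & (int)p) != 0;
            Console.WriteLine("{0,-24} enabled={1} active={2}", p, on, isActive);
            if (!on) disabled++;
        }
        return disabled;
    }

    // Lists enabled inbound allow rules and returns their count.
    static int ListInboundAllowRules(INetFwPolicy2 policy)
    {
        int count = 0;
        foreach (INetFwRule rule in policy.Rules)
        {
            if (!rule.Enabled) continue;
            if (rule.Direction != NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_IN) continue;
            if (rule.Action != NET_FW_ACTION_.NET_FW_ACTION_ALLOW) continue;
            Console.WriteLine("{0} | app={1} | local ports={2} | profiles={3}",
                rule.Name,
                rule.ApplicationName ?? "(any)",
                rule.LocalPorts ?? "(any)",
                rule.Profiles); // bitmask of NET_FW_PROFILE_TYPE2_ values
            count++;
        }
        return count;
    }

    static void Main()
    {
        INetFwPolicy2 policy = Policy();
        int off = ReportProfiles(policy);
        if (off > 0)
            Console.WriteLine("{0} profile(s) have the firewall disabled", off);
        int rules = ListInboundAllowRules(policy);
        Console.WriteLine("{0} enabled inbound allow rule(s)", rules);
    }
}
```

Reading the policy does not require elevation, but changing FirewallEnabled or adding rules through INetFwPolicy2.Rules does. Checking all three profiles rather than only CurrentProfile matters because a laptop that is protected on the domain profile can still have the firewall off on the public profile it uses elsewhere.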