Creating port policies in Windows Server 2008 with Netsh

Implementing port allow and deny rules in a scripted fashion is a favorite pastime of many administrators. Using the Netsh tool allows a standard configuration to be run against a Windows Server system to configure the port rules as required.

In April of this year, I wrote about configuring port policies in Windows Server 2008 (WS2K8) within the Windows Firewall with Advanced Security snap-in (WF.msc). While adoption of Windows Firewall is lukewarm within enterprise networks, a more traditional approach to rolling out port rules on a Windows host is to use the Netsh tool. Netsh is among the more powerful network configuration tools in the Windows series and offers a way to implement port rules on server systems.

There are two basic concepts about Netsh that should be understood before we jump into a Netsh task. The first is that Netsh functions in one of two modes -- online and offline. This means that a configuration can be implemented immediately (online) or configured in a staged fashion and implemented as a commit operation (offline) when ready. The other is that Netsh is divided into many contexts, and the advanced firewall configuration is one of the fifteen contexts available in WS2K8. As with any platform, the first step is to identify the type of traffic and the port flow that we wish to script with Netsh. For this example, the following traffic pattern will be prohibited with a Netsh port rule:

Type: TCP

Port: 5900

Name: NoVNC

Direction: Inbound

Rule: Deny

This rule has enough information to make a port rule on the WS2K8 system. Within netsh, this rule would be entered as:

netsh advfirewall firewall add rule name="NoVNC" protocol=TCP dir=in localport=5900 action=block

This can be scripted out multiple times, with one line for each port, if you wanted to block 5901, 5902, etc. in the same fashion. As long as the rule name "NoVNC" remains the same, the port rules will populate the existing rule. To enter the Netsh tool interactively, type "netsh", then "advfirewall firewall" to enter the subcontext in which rules such as this are created. The following command shows the syntax for creating a rule:

add rule /?
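The per-port scripting described above, as an added example that is not from the original article: a PowerShell wrapper around the same netsh command that blocks inbound TCP 5900 through 5902 under the NoVNC name, removes any rule of that name first so the script can be re-run without piling up duplicates (netsh advfirewall does not reject a second rule with an existing name), confirms the firewall profiles are actually on, and reads the rules back to verify. The rule name and ports are the article's sample values; the elevated prompt and English-language netsh output (the script matches on the "LocalPort:" and "State" labels) are assumptions.

```powershell
# Added example (not from the original article). Assumes an elevated prompt on
# Windows Server 2008 or later and English netsh output. "NoVNC" and ports
# 5900-5902 are the article's sample values.

$RuleName = "NoVNC"
$Ports    = 5900..5902

# A block rule only matters if the firewall is on for the profile in use, so
# report the state of each profile before touching the rule set.
$stateLines = netsh advfirewall show allprofiles state | Select-String -Pattern '^State\s+(\w+)'
$states = $stateLines | ForEach-Object { $_.Matches[0].Groups[1].Value }
Write-Host "Firewall profile states (Domain/Private/Public): $($states -join ', ')"
if ($states -contains 'OFF') {
    Write-Warning "At least one profile is OFF; the $RuleName rule will not filter traffic there."
}

# "show rule" exits non-zero when no rule matches, which doubles as an existence check.
netsh advfirewall firewall show rule name="$RuleName" | Out-Null
if ($LASTEXITCODE -eq 0) {
    Write-Host "Removing existing '$RuleName' rule(s) so this run is idempotent"
    netsh advfirewall firewall delete rule name="$RuleName" | Out-Null
}

# One inbound TCP block rule per port, exactly as the one-line-per-port approach
# in the article; only localport changes between lines.
foreach ($port in $Ports) {
    netsh advfirewall firewall add rule name="$RuleName" protocol=TCP dir=in localport=$port action=block | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "netsh failed to add the $RuleName rule for TCP port $port"
    }
}

# Verify: list the rules that now carry the name and pull out the LocalPort values.
$shown = netsh advfirewall firewall show rule name="$RuleName"
$blockedPorts = $shown |
    Select-String -Pattern '^LocalPort:\s+(\d+)' |
    ForEach-Object { [int]$_.Matches[0].Groups[1].Value } |
    Sort-Object

Write-Host "Inbound TCP ports blocked by '$RuleName': $($blockedPorts -join ', ')"
$missing = $Ports | Where-Object { $blockedPorts -notcontains $_ }
if ($missing) {
    throw "Rules missing for port(s): $($missing -join ', ')"
}
```

Run the script once to create the rules and again after a change to the `$Ports` list; because it deletes by name before re-adding, the second run replaces the set rather than appending to it. The same delete-then-add pattern works for the `allow` direction by changing `action=block` to `action=allow`.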

Once a port allow or disallow rule is created, you can view the port rules in the Windows Firewall snap-in. Figure A shows the NoVNC rule created earlier.

Figure A

Using Netsh to create firewall rules is particularly helpful where the Windows Firewall is on but has been set to allow all connections, departing from the Windows default configuration. In that situation, a customizable series of Netsh scripts can put the required port rules in place in a repeatable, scriptable fashion.