
How to Create a DCM Item to Detect If the Firewall Is Off

By Joseph Yedid

Recently I turned off a bunch of firewalls in order to correct a problem. Turning off the firewalls was easy, but remembering all of the systems that I did this to was a different story.

If you ever find yourself in a similar situation, create a DCM item in Configuration Manager. It’s a quick way to determine which firewalls are turned off.

To demonstrate this I will create a DCM item in Configuration Manager Current Branch.

First, download the System Center Configuration Manager Vulnerability Assessment Configuration Pack and install it on the site server. Microsoft released these predefined Configuration Items to address the most common missing security updates or misconfigurations. You can get it here.

After the MSI is installed, a cab file is extracted. Import that cab file to create the new Configuration Items.

One of the newly imported Configuration Items is called “Vulnerability Assessment – Windows Firewall Enabled.” We will be using this one down the road.

Once the Vulnerability Assessment Configuration Pack is installed, we need to create a new Configuration Item.


1. Give it a name. Click Next.


2. Select all supported operating systems. Click Next.


3. Click New…


4. Enter a name, then click Browse…


5. Navigate the registry to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

Select the value EnableFirewall and click OK.


6. Choose the Compliance Rules tab.


7. Click New.


8. Enter a name.

Rule type is Value.

The setting must comply with the following rule: Equals the following values: 1

Noncompliance severity for reports is Critical.

Click OK.


9. Click OK.


10. Click Next.


11. Click Next.


12. Click Next.


13. Click Close.

Now we need to create the Configuration Baseline.


14. Give it a name. Click Add and then select Configuration Items.


15. Add the two Configuration Items: the imported “Vulnerability Assessment – Windows Firewall Enabled” item and the one created above. Click OK.


16. Click OK.

Now that the baseline is created, we can deploy it to client systems.

Select the new baseline and click Deploy from the ribbon.


17. Select your collection to deploy to.

Set a simple schedule of every 1 day. Click OK.

After the evaluation has run on a system, check the built-in SSRS compliance reports to see which systems still need to be addressed.
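For reference, here is the same check the compliance rule above performs, written as a PowerShell script that could be used as the script-based discovery of a Configuration Item instead of the registry setting type. This is an added example, not part of the original post; the registry path and the EnableFirewall value are the ones used above, and reading the StandardProfile and PublicProfile keys next to DomainProfile is an addition.

```powershell
# Added example: evaluate the Windows Firewall "EnableFirewall" value the way
# the DCM compliance rule does (value must equal 1). Not code from the post.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
# DomainProfile is the key used in the post; the other two are an addition.
$profiles = 'DomainProfile', 'StandardProfile', 'PublicProfile'

function Get-FirewallProfileState {
    param([string]$ProfileName)
    $key  = "$base\$ProfileName"
    $item = Get-ItemProperty -Path $key -Name 'EnableFirewall' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Key or value absent: mirror the DCM default of reporting a missing
        # setting instance as noncompliant so the system shows up in reports.
        return [pscustomobject]@{ Profile = $ProfileName; EnableFirewall = $null; Compliant = $false }
    }
    $value = [int]$item.EnableFirewall
    return [pscustomobject]@{
        Profile        = $ProfileName
        EnableFirewall = $value
        Compliant      = ($value -eq 1)   # same as the rule "Equals the following values: 1"
    }
}

$results = foreach ($p in $profiles) { Get-FirewallProfileState -ProfileName $p }

# Per-profile detail goes to the verbose stream so it does not pollute the
# single discovered value a script-based CI expects on the output stream.
$results | Out-String | Write-Verbose

# Discovered value: a compliance rule of "Equals Compliant" flags the rest.
if ($results | Where-Object { -not $_.Compliant }) { 'Non-Compliant' } else { 'Compliant' }
```

This reads the local firewall configuration store, which is what the registry setting in the post reads; on a system where the firewall is managed by Group Policy the policy values live under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall instead, and Get-NetFirewallProfile reports the effective per-profile state.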
