Endpoint Insights
Compliance Setting- Detect if Firewall is Off
Garth JonesTopics: Endpoint Insights
IT professionals need to troubleshoot all sorts of issues. Oftentimes, while I’m troubleshooting a problem, I’ll turn off the local firewall to ensure that it isn’t causing the problem. If I can’t remember if I’ve turned it back on, how do I detect if the firewall is off? System Center Configuration Manager (SCCM) Compliance Setting to the rescue!
Let’s face it. Turning the firewall off is an easy trouble-shooting measure. If the problem goes away after it’s turned off then you know you must open the network ports. If the problem, however, doesn’t go away, I’ve gotten into the habit of keeping the firewall disabled until the problem is completely solved. I do this partly to ensure that the firewall isn’t causing other problems. At the end of the day, unfortunately, I sometimes forget to turn the firewall back on again. Using SCCM Compliance Setting assures me that all firewalls are enabled.
SCCM Compliance Setting
SCCM Compliance Setting is the feature/node name for Configuration Item (CI)/Configuration Baseline (CB). You can use CI/CB to detect settings, and in SCCM Current Branch you can even remediate settings.
If you ever find yourself in a similar situation to me, simply create a Compliance Setting. It’s a quick way to determine which firewalls are turned off. If you like, you can also enable them as part of the CI or, in older versions of SCCM, you can enable the firewalls by using a deployment.
How to Detect If the Firewall Is Off
In this post I will show you how to create a CI in SCCM Current Branch in order to detect if the firewall is off.
In the above screenshot, you can see three firewall policies. One firewall is enabled and two are not.
How can you determine if the firewall is disabled for the Domain profile? You need to look in the registry. The firewall policies are stored under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
After locating the policies, review the registry keys. All three policy nodes (purple arrows) are listed under the FirewallPolicy registry key.
Domain Networks = DomainProfile registry node.
Private Networks = StandardProfile registry node.
Guest or Public Networks = PublicProfile registry node.
Additionally, you can see that the DomainProfile registry node is expanded and there are two registry keys listed. The two registry keys are DisableNotifications and EnableFirewall. Based on the registry key name it is clear that EnableFirewall (red arrows) shows the firewall state using a Boolean value.
This makes detecting whether or not the firewall is off easy. All I need to do is check the registry key value to see if the value is True or False (1 or 0).
Create a New Configuration Item
Start by opening the SCCM console, select the Assets and Compliance node and then expand Overview | Compliance Settings | Configuration Items. Click on the Create Configuration Item button.
Give the Configuration Item a name. Click Next.
Select all supported operating systems. Click Next.
Click New…
Enter a name and then click Browse…
Navigate the registry to:
HKEY_Local_Machine\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
Select the value EnableFirewall.
Select the checkbox for This registry value must satisfy the following rule if present:
In the text box, enter the number 1.
Click OK.
Choose the Compliance Rules tab.
Select EnableFirewall Equals 1 and then click on Edit…
Set Noncompliance severity for reports to Critical. Click OK. Notice that I’m NOT remediating the registry key. Why? There will be times when I want the firewall disabled for longer periods of time and I don’t want it enabled without my knowledge.
Click OK.
Click Next.
Click Next.
Click Close.
Next, I’ll create the Configuration Baseline.
Create the Configuration Baseline
Start by opening the SCCM console. Select the Assets and Compliance node, and then expand Overview | Compliance Settings | Configuration Baselines. Click on the Create Configuration Baseline button.
Give the Configuration Baseline a name. Click Add and then select Configuration Items.
Add the Configuration Item that was previously created. Click OK.
Click OK.
Now that the baseline is created, it can be deployed to client systems.
Deploying the Configuration Baseline
In the SCCM console, select the Assets and Compliance node. Next, expand Overview | Compliance Settings | Configuration Baselines. Select the newly created baseline and then click on Deploy from the ribbon.
Select the collection. I would recommend deploying this baseline to the All Desktop and Server Clients collection.
Set a simple schedule for 1 Days. Click OK.
Now that the baseline is deployed, you can start reporting on the results.
Reporting on Firewall Status
After the baseline is evaluated on a system, you can check the status of the baseline by using the built-in SSRS compliance reports.
The compliance reports can be found within the Compliance and Settings Management reporting category.
Above is the report, Compliance history of a configuration baseline. Here I can see that I have a mix of compliant and non-compliant computers.
If you have any questions about how to create a compliance setting in order to detect if the firewall is off, please feel free to contact me @GarthMJ.
