Windows Firewall


Mike G

Sep 21, 2018, 3:29:20 PM
to hou...@googlegroups.com
Hello All,

Has anyone seen anything that will allow me to use ColdFusion to programmatically add IP addresses to Windows firewall on the server?

I manage this now with a script and a db and ban offenders using CF, but I would prefer to not have to check every IP against a DB and instead just put them directly into Windows Firewall into a Black Hole group I created for the aggressive offenders.

TIA,

M

Seth Bienek

Sep 21, 2018, 5:41:56 PM
to hou...@googlegroups.com

The short answer is yes, of course you can.  But should you?

 

Consider the following:

  • How many IPs can the Windows Firewall’s storage mechanism (registry?) hold before performance degradation sets in?
  • If you are going to give the ColdFusion service account elevated access to the OS, could this be a security concern?
  • Is there a more pragmatic solution already available (i.e. web application firewall à la F5, Cloudflare, nginx et al.)?

 

Just some thoughts I wanted to throw out there.  If you still want to add rules to the Windows firewall programmatically you can use CFEXECUTE to call a batch file (look into “netsh advfirewall firewall add rule”) or call a PowerShell script created for your purposes.

 

Take Care,


Seth
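
One way the PowerShell route mentioned above could look, as an added example that is not part of the original post. It assumes a single inbound block rule with the display name "Black Hole", handles IPv4 only, and must run elevated; the parameter names are hypothetical. Because the address originates from web traffic, it is validated strictly before it reaches any firewall cmdlet.

```powershell
# Added example: append one validated IPv4 address to a single inbound block rule.
# The rule name "Black Hole" and the parameter names are assumptions for illustration.
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [string]$Address,
    [string]$RuleName = 'Black Hole'
)

$ErrorActionPreference = 'Stop'

# Accept only a canonical dotted-quad IPv4 literal. TryParse alone also accepts
# forms such as "1" or "010.1.1.1", so compare the round-tripped string as well.
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$parsed) -or
    $parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork -or
    $parsed.ToString() -ne $Address) {
    throw "Rejected: '$Address' is not a canonical IPv4 address."
}

# Never let a spoofed or mis-logged value block the server's own loopback traffic.
if ([System.Net.IPAddress]::IsLoopback($parsed)) {
    throw "Rejected: '$Address' is a loopback address."
}

$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (@($rule).Count -gt 1) {
    throw "More than one rule is named '$RuleName'; refusing to guess."
}

if (-not $rule) {
    # First offender: create the block rule scoped to this address only.
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
        -RemoteAddress $Address | Out-Null
    return
}

# Read the rule's current remote address list and extend it.
$current = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
if ($current -contains 'Any') {
    throw "Rule '$RuleName' already matches Any; refusing to modify it."
}
if ($current -contains $Address) {
    return  # already listed, nothing to do
}
Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress ($current + $Address)
```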


charlie arehart

Sep 21, 2018, 5:48:50 PM
to hou...@googlegroups.com

Perhaps someone will offer that, but there are other thoughts to consider (including whether you should be doing that job yourself at all).

So first, how about if instead of blocking them in the Windows firewall, you blocked them in IIS? You can do that if you have added the “IP and domain restrictions” feature to IIS (using Server Manager), where you can block by IP at the site or server level (within IIS). And you can add IPs to that using a command line tool that lets you do about any IIS config changes, appcmd.exe. And then you could call THAT from cfexecute.


Of course, blocking IPs like this (in IIS or the firewall, or elsewise) is a bit like playing whack-a-mole. You shut down one and the same crap requests start coming from another. That gets frustrating.

You can also block by user agent, instead (if they always show some common one that you’d always want to block), and you can do that in IIS as well by adding a “rule” in the “request filters” feature (also optionally enabled using Server Manager), that blocks on the “header” named “user-agent” with the value of the user agent string.

Honestly, even that gets old after a while, and you may want to look instead to outside tools or services that handle all this for you. There are ones that work at the web server level, others as a hardware appliance, still others as services (where you route your traffic through them to “launder” such bad traffic). Such tools and services do MUCH more than just block by bad IPs (and the better ones do it so well they’re worth it, while lesser ones may suffer from false positives or be a hassle to configure).

Anyway, I keep a list of such tools and services (at that variety of levels) here: cf411.com/security

/charlie

 


Mike G

Sep 25, 2018, 2:23:43 PM
to hou...@googlegroups.com
Both of you are right, Seth and Charlie, not something I should be doing.  Guess I'll push on the folks that manage Sophos for my server to configure the WAF a bit more strictly.

Thanks for setting me straight.

M


charlie arehart

Sep 27, 2018, 3:40:41 PM
to hou...@googlegroups.com

Glad to help. I do understand that different people have different resources to turn to, so I try to offer a range of options for folks to consider. :-) Hope you can solve it via Sophos.

/charlie
