
Enforcing firewall ON for WAN connections


Al Blake

Aug 28, 2003, 12:58:42 AM
Like 99% of the rest of the world we got hit by Nachi. Why? Because we have
staff using laptops off-site connecting to the Internet without the XP
firewall on. These staff are admins for their own machines. Now they don't do
it on purpose but however many times we tell them someone always
forgets......so we want to ensure the firewall box is ON for every non LAN
connection on a machine (why isn't that the b&*(&&*(& default?)
So we came up with this (alright we copied it) script:
Main()

Function Main()
    Dim objShare
    Dim objEveryColl

    ' Create the net sharing manager
    Set objShare = WScript.CreateObject("HNetCfg.HNetShare.1")
    If (IsObject(objShare) = False) Then
        Exit Function
    End If

    ' Collection of every network connection on the machine
    Set objEveryColl = objShare.EnumEveryConnection

    If (IsObject(objEveryColl) = True) Then

        Dim objNetConn

        For Each objNetConn In objEveryColl
            Dim objShareCfg
            Set objShareCfg = objShare.INetSharingConfigurationForINetConnection(objNetConn)
            If (IsObject(objShareCfg) = True) Then
                Dim objNCProps
                Set objNCProps = objShare.NetConnectionProps(objNetConn)
                If (IsObject(objNCProps) = True) Then

                    ' MediaType 4 is NCM_PHONE (dial-up) in NETCON_MEDIATYPE
                    If objNCProps.MediaType = 4 Then
                        objShareCfg.EnableInternetFirewall
                    End If
                End If

            End If
        Next
    End If

End Function

Problem is when we run this script on a user machine we get a popup message
indicating a script is trying to change the connection properties which
kinda defeats the whole purpose. Is there any way to prevent this popup?
Is there a better way to ensure that the FW is on for dialup connections?
Al Blake, Australia


Torgeir Bakken (MVP)

Aug 28, 2003, 12:26:00 PM
Al Blake wrote:

> (snip)
>
> Problem is when we run this script on a user machine we get a popup message
> indicating a script is trying to change the connection properties which
> kinda defeats the whole purpose. Is there any way to prevent this popup?
> Is there a better way to ensure that the FW is on for dialup connections?

Hi

It doesn't look like it is possible to suppress this warning box, I would think
that is a security precaution (but it would be smarter to come up with this box
when a script tried to turn the firewall OFF, but not when turning it on ;-)...

I'm afraid you need to instruct the users to accept Yes when that warning box
pops up.


--
torgeir
Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of the 1328 page
Scripting Guide: http://www.microsoft.com/technet/scriptcenter


Al Blake

Aug 29, 2003, 7:55:55 PM
Hmm,
I thought that was the case.
Shame there isn't:
a) A GPO setting to turn ON firewalling
b) A warning if it gets turned off (as you pointed out)....but not on.

Wonder if anyone from M$ is reading and can comment?
Al Blake, Australia

Flemming

Aug 30, 2003, 11:30:46 AM
Hi guys struggling with automation of Internet Connection Firewall.

I am sorry that I do not have the golden answers to the problematic
popup, but I have sometimes used a combination of the WScript.Shell
object's AppActivate and Sendkeys methods. This is pretty nasty
though, since the user will be able to obstruct it.

I was wondering whether anyone has a solution on enabling/disabling
the ICMP features of the ICF via script, or VB/C++/C# programs, thus
avoiding the UI for this. I have not been able to find any info on
this, and "sniffing" around registry didn't give me any clue either.

/Flemming

Al Blake

Sep 1, 2003, 12:28:46 AM
For what it's worth here is the best we have been able to manage so far:
(modified script from MSDN site)

// from netcon.idl
var NCCF_SHARED = 0x0100;     // Connection is shared
var NCCF_FIREWALLED = 0x0400; // Connection is firewalled

Main();

function Main()
{
    // create net sharing manager
    var objShare = new ActiveXObject("HNetCfg.HNetShare.1");

    // get enumerator for every connection
    var objEveryColl = objShare.EnumEveryConnection;

    if (objEveryColl != null) {
        var varCount = objEveryColl.Count;
        if (varCount > 0) {
            // convert to built-in Java-style enumerator
            var e = new Enumerator(objEveryColl);
            e.moveFirst();
            for (; !e.atEnd(); e.moveNext()) {

                // get an INetConnection interface (not an ole-automation object)
                var objNetConn = e.item();
                if (objNetConn != null) {

                    // find the right connection, by examining the NetConnectionProps
                    var objNCProps = objShare.NetConnectionProps(objNetConn);
                    if (objNCProps != null) {

                        // add code here; for example, to enable the firewall on a named connection:
                        //WScript.Echo (objNCProps.Name.substr(0,10));
                        if ((objNCProps.Name.substr(0,10) != "Local Area") &&
                            (objNCProps.Name.substr(0,6) != "VMware"))
                        {
                            var objShareCfg = objShare.INetSharingConfigurationForINetConnection(objNetConn);
                            if (objShareCfg != null) {
                                // Check whether fw is already set; only act when it is not
                                if (!(objNCProps.Characteristics & NCCF_FIREWALLED)) {
                                    WScript.Echo("WARNING: The firewall is NOT set on " + objNCProps.Name
                                        + "\nYou MUST accept the next warning to fix this");
                                    objShareCfg.EnableInternetFirewall();
                                }
                            }
                        }

                    }
                }
            }
        }
    }
}
Al Blake, Australia
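
A read-only audit built from the same HNetCfg.HNetShare.1 properties the scripts in this thread use, added here as an example and not posted by any participant: it selects connections by MediaType instead of by name prefix and reports those without the NCCF_FIREWALLED bit, changing nothing. The set of media types treated as WAN, the function names and the sample data are assumptions of this example.

```javascript
// Added example (not from the thread). Plain ES3, so the same file runs under
// cscript.exe as JScript; the COM section only executes on Windows Script Host.
var NCCF_FIREWALLED = 0x0400; // from netcon.idl, as quoted in the thread
// NETCON_MEDIATYPE values. Treating these three as WAN links is an assumption.
var WAN_MEDIA = { 2: "ISDN", 4: "dial-up", 6: "PPPoE" };

// Returns "skip" (not a WAN link), "ok" (firewalled) or "exposed".
function classifyConnection(mediaType, characteristics) {
    if (!WAN_MEDIA.hasOwnProperty(mediaType)) { return "skip"; }
    return (characteristics & NCCF_FIREWALLED) ? "ok" : "exposed";
}

// conns: array of {name, mediaType, characteristics}.
// Returns a description of each WAN connection with the firewall off.
function auditConnections(conns) {
    var exposed = [];
    for (var i = 0; i < conns.length; i++) {
        var c = conns[i];
        if (classifyConnection(c.mediaType, c.characteristics) === "exposed") {
            exposed.push(c.name + " (" + WAN_MEDIA[c.mediaType] + ")");
        }
    }
    return exposed;
}

// Constructed sample data, used when no COM objects are available.
var SAMPLE = [
    { name: "Local Area Connection", mediaType: 3, characteristics: 0x0000 },
    { name: "Dial-up ISP",           mediaType: 4, characteristics: 0x0010 },
    { name: "Home ADSL",             mediaType: 6, characteristics: 0x0410 }
];

// Read the real connection properties; nothing is modified.
function readConnections() {
    var share = new ActiveXObject("HNetCfg.HNetShare.1");
    var out = [];
    for (var e = new Enumerator(share.EnumEveryConnection); !e.atEnd(); e.moveNext()) {
        var p = share.NetConnectionProps(e.item());
        out.push({ name: p.Name, mediaType: p.MediaType, characteristics: p.Characteristics });
    }
    return out;
}

if (typeof WScript !== "undefined") {
    var bad = auditConnections(readConnections());
    WScript.Echo(bad.length ? "Firewall OFF on: " + bad.join(", ")
                            : "All WAN connections are firewalled");
    WScript.Quit(bad.length ? 1 : 0); // non-zero exit lets a logon script flag the machine
}
```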


Beep Beep

Sep 11, 2003, 12:44:59 AM
| It doesn't look like it is possible to suppress this warning box, I would think
| that is a security precaution (but it would be smarter to come up with this box
| when a script tried to turn the firewall OFF, but not when turning it on ;-)...
|
| I'm afraid you need to instruct the users to accept Yes when that warning box
| pops up.
|

Perhaps you could include in your script in the proper place to Activate the
dialog box window by title and then use SendKeys to send a {Tab} or {Enter}
to select the "Yes" button yourself.
