How do I turn off Windows 7 Firewall via script or through automation?


Solution 1

Found the problem. MDT was applying a Local Group Policy at the end of its task sequence after installing my image, which was disabling access to any changes to the local security policy, even by administrators (via command prompt commands, registry, etc...). This is odd, since it's a default policy that comes with MDT. Regardless, removing this task sequence allows me to turn off the firewall using netsh:

netsh advfirewall set allprofiles state off

As a note, I agree with everyone that you shouldn't disable your firewall service and you shouldn't turn off your firewall.

Solution 2

I'd like to preface this by saying that I strongly urge anyone that disables their Windows firewall to take the time to understand how it works and how to manipulate it via GPO instead of outright turning it off. There's no reason to turn off a host-based firewall. Microsoft makes excellent tools to manage firewall rules, you should use them.


This TechNet article outlines the proper way to disable the Windows Firewall. Don't turn off the service like others have told you, that will put your server into an unsupported configuration and cause flakiness in various scenarios that are hard to troubleshoot.

From the TechNet article, the netsh syntax is

netsh advfirewall set profiles state off

where valid values for profiles are: AllProfiles, CurrentProfile, DomainProfile, PrivateProfile, or PublicProfile.

It appears that you've already tried this exact command and it's not working. You've also pushed the registry keys that this command manipulates. Based on the fact that it used to work and now doesn't, and that these machines are not domain-joined at the time that you are doing this, there is only one conclusion:

There is something in your image that is overriding this. End of story. Since we don't have your image to look at, there's really no way we can give you a specific fix, other than "you're doing it right and if it doesn't work, something in your image is misconfigured".

Honestly, if you're having to run secedit /configure /db reset /cfg securityprofile on your images along with all of this other stuff, you might just be better off making a new image with everything the way you want it.
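The answer above and Solution 3 both point at the same mechanism: the keys under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall are written by Group Policy (domain or local), and when a value is present there it wins over the local configuration under SharedAccess\Parameters\FirewallPolicy, which is why netsh can answer "OK" while the firewall stays on. The following PowerShell diagnostic is an added example, not code from the thread or from Microsoft. It only reads and reports; it changes nothing. It assumes an elevated prompt, English netsh output, and Windows 7 era cmdlets (no Get-NetFirewallProfile). The Registry.pol path is the standard location of the local machine GPO, the "Local Group Policy Object" the question clears by hand.

```powershell
# Added diagnostic (not from the original thread). For each firewall profile it shows
# the state netsh reports, the local configuration value, and whether a policy value
# (written by local or domain Group Policy) is present and therefore overriding it.
# Read-only: nothing here changes firewall state or the MpsSvc service.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$configRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

# The two hives name the home/work profile differently: PrivateProfile under
# Policies, StandardProfile under SharedAccess (both spellings appear in the question).
$profiles = @(
    @{ Name = 'Domain';  Policy = 'DomainProfile';  Config = 'DomainProfile'   },
    @{ Name = 'Private'; Policy = 'PrivateProfile'; Config = 'StandardProfile' },
    @{ Name = 'Public';  Policy = 'PublicProfile';  Config = 'PublicProfile'   }
)

function Get-EnableFirewallValue([string]$keyPath) {
    # Returns the EnableFirewall DWORD, or $null when the key or value is absent.
    # Absent under the Policies hive means "this profile is not governed by policy".
    $item = Get-ItemProperty -Path $keyPath -Name EnableFirewall -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return [int]$item.EnableFirewall
}

function Get-NetshProfileState {
    # Parses 'netsh advfirewall show allprofiles state'. Assumes English output:
    # a "<Name> Profile Settings:" header followed by a "State   ON|OFF" line.
    $states = @{}
    $current = $null
    foreach ($line in (netsh advfirewall show allprofiles state)) {
        if ($line -match '^(\w+) Profile Settings:') { $current = $matches[1] }
        elseif ($current -and $line -match '^State\s+(ON|OFF)') { $states[$current] = $matches[1] }
    }
    return $states
}

$netshState = Get-NetshProfileState
$report = foreach ($p in $profiles) {
    $policyValue = Get-EnableFirewallValue "$policyRoot\$($p.Policy)"
    $configValue = Get-EnableFirewallValue "$configRoot\$($p.Config)"
    New-Object PSObject -Property @{
        Profile            = $p.Name
        NetshState         = $netshState[$p.Name]
        LocalConfig        = $configValue
        PolicyValue        = $policyValue
        # A present policy value takes precedence over whatever netsh or the GUI set locally.
        OverriddenByPolicy = ($policyValue -ne $null)
    }
}
$report | Format-Table Profile, NetshState, LocalConfig, PolicyValue, OverriddenByPolicy -AutoSize

# On a machine that is not yet domain-joined, policy values can only come from the
# local GPO, stored in Registry.pol; a domain-joined machine also needs 'gpresult /r'.
$localPol = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Registry.pol'
"Local machine policy file present: $(Test-Path $localPol)"
"Domain-joined: $((Get-WmiObject Win32_ComputerSystem).PartOfDomain)"

# The firewall service should stay running (see MDMarra's comment); report it, don't touch it.
$svc = Get-Service MpsSvc
"MpsSvc status: $($svc.Status)"
```

If OverriddenByPolicy is True for a profile on a machine that is not domain-joined and the Registry.pol file is present, the local GPO is the thing to inspect (in this thread it turned out to be a policy applied by an MDT task sequence); if the policy column is empty and the firewall is still on, the local configuration value is what to look at next.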

Solution 3

Errr, tidy up your GPOs, and disable it there. Or, at the very least, create a new GPO at the top of the stack (highest precedence) and disable the firewall. Then go back and tidy your other GPOs later. Local Security policy gets overridden by GPOs, and the first area of the registry you're writing to is specifically for GPO processing.

Short answer... Group Policy. Long answer... Group Policy. (sorry!)

Author: CIA

Updated on September 18, 2022

Comments

  • CIA
    CIA over 1 year

    This is in regards to working on machines before joining the machine to a domain and although I would love to rely on GPO, that isn't an option at this time.

    In the environment I'm working in, the firewall policy is to use a 3rd party Firewall app from a Total Endpoint Solution, so I have to disable the default Windows Firewall to prevent conflicts. I do this using a script that I run at the end of an imaging process or manually on systems I haven't reimaged. For a while, I was able to manage this using:

    netsh advfirewall set allprofiles state off
    

    However, that stopped working for some reason. So, I found I needed to clear the local security policy (manually):

    Local Security Policy MSC > Windows Firewall with Advanced Security
    Right-Click Windows Firewall with Advanced Security - Local Group Policy Object
    Clear Policy
    

    This was the script I used to avoid doing it manually:

    secedit /configure /db reset /cfg securityprofile
    

    A combination of both steps was working for about a month, then, for no apparent reason, it stopped working.

    I began testing a registry hack to achieve what I needed, and it is giving me mixed results. I have two sets of keys with profiles I need to change; for Local Profiles:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
    "EnableFirewall"=dword:00000000
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile]
    "EnableFirewall"=dword:00000000
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile]
    "EnableFirewall"=dword:00000000
    

    For Domain Profiles:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "EnableFirewall"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=dword:00000000
    

    The problem I'm having is that the Local Profile keeps regenerating the original settings with the firewall on. I've tried:

    • a) Apply both registry hacks
      b) Reboot
      Result on newly imaged machine: no luck
      Result on old machine used for testing: good to go

    • a) Apply Local Policy registry hack
      b) Reboot
      Result on newly imaged machine: no luck
      Result on old machine used for testing: good to go

    • a) Use secedit to clear Local Security Policy
      b) Apply both registry hacks
      c) Reboot
      Result on newly imaged machine: no luck
      Result on old machine used for testing: good to go

    • a) Use secedit to clear Local Security Policy
      b) Apply Local Policy registry hacks
      c) Reboot
      Result on newly imaged machine: no luck
      Result on old machine used for testing: good to go

    My goal is to disable the Windows Firewall via script/automation. Any thoughts?

    Note: this is prior to joining the machines to the domain. If I manually clear the Local Security Policy from the MSC, then the registry hacks will work. netsh still won't work and I don't want to have to manually clear the policy for every imaged machine.

    • JMeterX
      JMeterX over 10 years
      Why not disable it with a GPO?
    • Zoredache
      Zoredache over 10 years
      netsh advfirewall set allprofiles state off ... However, that stopped working for some reason. - Then figure out why? What do you mean that it doesn't work. What errors do you get?
    • CIA
      CIA over 10 years
      @JMeterX The GPO has a ton of policies that are criss-crossing. It's a project I haven't gotten around to clearing up, because it's a large scale project. The GPO policy in place that's supposed to disable the firewall isn't working either.
    • CIA
      CIA over 10 years
      @Zoredache Yes. Let me just divine this answer? I don't get any errors. I run the command and I get a response: OK.
    • JMeterX
      JMeterX over 10 years
      @CIA The first thing you should do is figure out why the GPO isn't working. It sounds like you have bigger issues here. But I guess you can try using powershell something like $service = "MpsSvc" set-service $service -StartupType disabled
    • MDMarra
      MDMarra over 10 years
      @JMeterX Don't ever disable the Windows Firewall service on modern versions of Windows. It causes all kinds of crazy stuff to happen. You should leave the service running but turn the firewall off for the various profiles (if you must turn it off, that's a whole different ball of wax)
    • Zoredache
      Zoredache over 10 years
      @CIA, I am not suggesting you divine the answer. I am suggesting you focus on that single problem and spend time actually researching that instead of many different things. "The GPO policy in place that's supposed to disable the firewall isn't working either." It kinda sounds like you have a huge amount of technical debt you have chosen not to pay down. It might be time to start paying some of that down. Without knowing what is going on, you could have some policy that re-enables the firewall, and nothing you do will shut it off, since you have a policy that will re-enable it.
    • CIA
      CIA over 10 years
      @JMeterX Thanks for the suggestion, but I don't want to disable the service, just turn off the firewall. I guess I should re-word my question.
    • CIA
      CIA over 10 years
      @MDMarra Yes. This is what I am looking for. Any idea on how to achieve this goal?
    • CIA
      CIA over 10 years
      @MDMarra It won't work on newly imaged computers with fresh installs of Windows 7. It used to require that I manually clear the Local Security Policy first, and that let it work, but then it stopped working altogether. No error messages. The netsh command responds with "OK", but it doesn't turn off the firewall.
    • MDMarra
      MDMarra over 10 years
      Is that newly imaged computer joined to the domain? Have you looked at the resultant set of policy? Are you an actual systems admin, or are you an end user trying to skirt around policy?
    • JMeterX
      JMeterX over 10 years
      @CIA I would not turn it off this way (my earlier suggestion), but you seem to be willing to try anything. The bottom line is this is all coming back to your GPOs being mucked up. If you fix those you can probably fix this, and many other issues that I would imagine are going on in your environment. Slapping a band aid on it and calling it a day doesn't do anything. It's like turning off IPv6 because you get errors - instead of trying to fix it you just turn it off.
    • CIA
      CIA over 10 years
      No. This is prior to joining the newly imaged computer to the domain. I'm logged in as the local admin when I'm attempting to do this. The only place I can think of that would affect this would be the image itself, but I'm using MDT and performing sysprep, so all the policies should be the default, as if it was a fresh install, but when I go to turn off the Windows Firewall settings manually, all those options are disabled, leaving the firewall on (which means I have to manually clear the Local Security Policy if I want to make any firewall changes).
    • CIA
      CIA over 10 years
      @JMeterX thanks for the suggestion, but as I stated, the GPO is a project for another time. Also, in case you didn't read the update, this is a problem I'm dealing with before the computer gets joined to the domain.
    • MDMarra
      MDMarra over 10 years
      There must be something crazy in your image, then.
  • CIA
    CIA over 10 years
    Thanks for the suggestion, but that project won't happen for a while. I know the benefits of cleaning up the GPO, but that's a different project for a different time.
  • voretaq7
    voretaq7 over 10 years
    @CIA The "create a new GPO at the top of the stack (highest precedence) and disable the firewall" bit of the above seems promising then -- the rest of your GPOs might be a disaster, but this would still do what you want, no?
  • MDMarra
    MDMarra over 10 years
    Actually, if you link it at the domain level and have a conflicting policy linked to an OU, the OU policy will "win". If you make this a domain-level policy, you'll want to set "enforced" on it, so that its settings will not be overridden.
  • Simon Catlin
    Simon Catlin over 10 years
    Yes indeed, the good-ole 'LSDO'. Essentially, creating a new, potentially temporary, policy linked to the root OU of the server objects, with a link order of 1 causes it to take effect. The remaining GPOs can be tidied at leisure later on.
  • Admin
    Admin over 8 years
    What group policy was it applying? I'm seeing the same issues here.
  • CIA
    CIA over 8 years
    I'm not at the same company where I had to resolve this issue anymore. If I recall, the policy was identified in the task sequence, so, if you opened up your MDT install script, you can step through and identify it that way.