Comprehensive Strategies for Implementing Effective Firewall Configurations via VBScript, PowerShell, and the Advanced Installer Tool

Comprehensive Strategies for Implementing Effective Firewall Configurations via VBScript, PowerShell, and the Advanced Installer Tool

Thomas Lv8

Comprehensive Strategies for Implementing Effective Firewall Configurations via VBScript, PowerShell, and the Advanced Installer Tool

Disclaimer: This post includes affiliate links

If you click on a link and make a purchase, I may receive a commission at no extra cost to you.

Firewall

To make the environment more secure it’s important to properly define and configure the firewall of your machines. However, there might be times when a specific executable must be added as an exception to the Inbound or Outbound rules of the firewall in order to have access.

In this article, let’s have a look at how you can configure firewall rules via MSI with Advanced Installer, VBScript and Powershell.

Firewall rules with VBScript

Although you can use the HNetCfg.FwAuthorizedApplication object with VBScript to define firewall rules, the easiest method is to call the netsh.exe utility that it’s included in Windows. This command-line utility allows you to modify the network configuration of a certain machine that is currently running. One of the commands available for netsh is advfirewall which allows you to change to the netsh advfirewall context. Jumping further into the context, you can type

netsh advfirewall firewall

Copy

Into a cmd window and this will give you the following options:

? - Displays a list of commands.
add - Adds a new inbound or outbound firewall rule.
delete - Deletes all matching firewall rules.
dump - Displays a configuration script.
help - Displays a list of commands.
set - Sets new values for properties of a existing rule.
show - Displays a specified firewall rule.

Copy

So basically if we want to add a firewall rule we can use:

netsh.exe advfirewall firewall add rule name=FRIENDLYNAME dir=IN/OUT action=ALLOW/DENY program=PATHTOEXE enable=YES/NO profile=domain

Copy

If we want to remove a firewall rule we can use:

netsh.exe advfirewall firewall delete rule name=FRIENDLYNAME

Copy

Now that we are aware of how netsh is working with firewall rules, let’s assume we have a HelloWorld.exe that we want to add to the inbound firewall and we want to allow everything. With VBScript we can produce the following:

Dim WshShell
Dim programPath2, programfiless, programfiles
Set WshShell = CreateObject(“Wscript.Shell”)
programfiless=WshShell.ExpandEnvironmentStrings(“%ProgramFiles(x86)%”)
programfiles=WshShell.ExpandEnvironmentStrings(“%ProgramW6432%”)
ProgramPath2 = programfiless & “\Program Files (x86)\Caphyon\Firewall App\HelloWorld.exe”
WshShell.Run “netsh.exe advfirewall firewall add rule name=HelloWorld dir=in action=allow program=” & chr(34) & ProgramPath2 & chr(34) & “ enable=yes profile=domain “, 0, False

Copy

This VBScript performs the following actions:

  • Dim WshShell: Declares a variable named WshShell to hold a reference to the Windows Script Host Shell object.
  • Dim programPath2, programfiless, programfiles: Declares variables to store the paths of program files.
  • Set WshShell = CreateObject(“Wscript.Shell”): Creates an instance of the Windows Script Host Shell object.
  • programfiless = WshShell.ExpandEnvironmentStrings(“%ProgramFiles(x86)%”): Retrieves the path of the “Program Files (x86)” folder using the %ProgramFiles(x86)% environment variable.
  • programfiles = WshShell.ExpandEnvironmentStrings(“%ProgramW6432%”): Retrieves the path of the “Program Files” folder using the %ProgramW6432% environment variable.
  • ProgramPath2 = programfiless & “\Program Files (x86)\Caphyon\Firewall App\HelloWorld.exe”: Concatenates the program file path with the specific file name to create the full path of the executable file “HelloWorld.exe”.
  • WshShell.Run “netsh.exe advfirewall firewall add rule name=HelloWorld dir=in action=allow program=” & chr(34) & ProgramPath2 & chr(34) & “ enable=yes profile=domain “, 0, False: Runs the netsh.exe command to add a firewall rule named “HelloWorld” with the specified properties. The command allows incoming traffic (dir=in), allows the specified program (program=) with the path of “HelloWorld.exe”, enables the rule (enable=yes), and applies the rule to the domain profile.

Next, open Advanced Installer and navigate to the Custom Actions Page. In here, search for the Launch attached file and select the location of the VBScript. Next, configure the custom action to execute as shown below:

Launch attached file

As a best practice it’s also important to remove the firewall rule during the uninstallation. For that, it means we need another Custom Action and a different VBScrit to remove our rule. The VBScript code is:

Dim WshShell
Set WshShell = CreateObject(“Wscript.Shell”)
WshShell.Run “netsh.exe advfirewall firewall delete rule name=HelloWorld”

Copy

After that, follow the same exact steps as above and configure the custom action as following:

configure the custom action

https://techidaily.com

Firewall rules with PowerShell

While netsh is still available and widely used by the community, starting with Windows 8.1 you can use the buit-in NetSecurity PowerShell module to manage firewall operations.

In general, there are 85 commands available in this module that you can use in Windows 10/11, but we are only interested in two of them. To add a firewall rule you can simply do:

$HelloWorldLocation = ${env:ProgramFiles(x86)} + “\Caphyon\Firewall App\HelloWorld.exe”
New-NetFirewallRule -Program $HelloWorldLocation -Action Allow -Profile Domain -DisplayName “HelloWorld” -Description “Block Firefox browser” -Direction Inbound

Copy

To remove a firewall rule is even simpler as we only use the Remove-NetFirewallRule PowerShell cmdlet:

Remove-NetFirewallRule -DisplayName “HelloWorld”

Copy

Next, open Advanced Installer and navigate to the Custom Actions Page. In here, search for the Run PowerShell script file and select the location of the PowerShell script. Next, configure the custom action to execute as shown below:

Run PowerShell script file

https://techidaily.com

To also add the remove firewall PowerShell script, follow the same steps as above and do the following configurations:

remove firewall PowerShell script

Firewall rules with Advanced Installer

If you don’t like to code, Advanced Installer made it much simpler to add firewall rules. First, navigate to the Windows Firewall page .

Next, click on New Rule. This will open a new window in which you can define the necessary details for your exception:

Windows Firewall page

https://techidaily.com

As you can see, you can easily choose the direction, display name, program path, protocol and other settings directly from the GUI. In our case we wanted to mimic the above usages of netsh and PowerShell and left everything as before in the GUI.

And that is it, Advanced Installer will automatically create the exception during the installation and during the uninstallation it will remove the exception from the firewall, not needing to create two separate actions for it.

remove the exception from the firewall

All you have to do is build and install the MSI package. After the installation, if we check the Inbound rules, our rule is there:

check the Inbound rules

https://techidaily.com

Also read:

  • Title: Comprehensive Strategies for Implementing Effective Firewall Configurations via VBScript, PowerShell, and the Advanced Installer Tool
  • Author: Thomas
  • Created at : 2024-10-07 22:12:57
  • Updated at : 2024-10-10 18:30:06
  • Link: https://win-cloud.techidaily.com/comprehensive-strategies-for-implementing-effective-firewall-configurations-via-vbscript-powershell-and-the-advanced-installer-tool/
  • License: This work is licensed under CC BY-NC-SA 4.0.