Enable Xp Firewall During Unattended Setup?


Hi guys

I just tried the firewall vb code and it works fine. I can't get the SendKeys VB script to work though. I'd rather not use AutoIT if possible.

Can someone tell me what code is required to complete the firewall vb script so it automatically answers Yes..

Thanks



I use the following method to enable firewall on all of my PCs I build and load Windows XP on. It will be enabled when I run sysprep and the end user first powers on the PC and enters in his user info.

Get the Enable Firewall Utility here

Enabling the Internet Connection Firewall in the master installation

The first procedure explains how to enable the Internet Connection Firewall in your master installation when you start from an OPK configuration set.

To run Oemfwall.exe on the first boot of a master installation, using an OPK configuration set:

1. Open the \Cfgsets folder on the technician computer, where you have installed the OPK tools.

2. Copy Oemfwall.exe into your configuration set:

   - Copy Oemfwall.exe to \Cfgsets\\$OEM$\$$\SYSTEM32

3. Create a \Sysprep directory and a Sysprep.inf answer file:

   - Create the directory \Cfgsets\<Configuration Set Name>\$OEM$\$1\SYSPREP

   - Create a Sysprep.inf file in that folder, with at least this minimum syntax:

     [GUIRUNONCE]
     Command0 = "C:\WINDOWS\SYSTEM32\OEMFWALL.EXE"

4. Start the newly-assembled destination computer using Windows PE, connect to the technician computer over the network, and install the configuration set.

5. Verify Oemfwall.exe is on the destination computer.

6. Verify Sysprep.inf entries are present on the destination computer in C:\Sysprep.

7. Run Sysprep -reseal and reboot the destination computer.

8. When the destination computer starts, complete Windows Welcome.

9. Verify Oemfwall.exe runs on first boot.

10. Verify ICF is enabled.

   - On the Start menu, click Run.

   - In the Open box, type NCPA.CPL. Click OK.

   - Right-click your local area network/wireless connection and open the Properties page.

   - Verify that Internet Connection Firewall check box is selected.

This is from the Microsoft support forum. It works for me in my unattend build.


Slinger

Your exe works beautifully.. Do you have a method for adding port changes to the firewall? I need to be able to add port changes remotely and be in control of all firewall settings. Do you have any code for doing this? I know XP SP2 has this in GPO but I need this flexibility today...

Thanks

Anthony


  • 4 weeks later...

Hi. A method for adding port changes to the firewall:

ICSSC_DEFAULT = 0;

ICSTT_NAME      = 0;
ICSTT_IPADDRESS = 1;

// from netcon.idl
//NCM_SHAREDACCESSHOST_LAN = 8;
//NCM_SHAREDACCESSHOST_RAS = 9;

NAT_PROTOCOL_TCP = 6
NAT_PROTOCOL_UDP = 17

// from netcon.idl
NCCF_SHARED     = 0x0100;   // Connection is shared
NCCF_FIREWALLED = 0x0400;   // Connection is firewalled

// WScript.Echo ("Starting....");
Main();
// WScript.Echo ("Ending....");

function Main()
{
   var objShare = new ActiveXObject("HNetCfg.HNetShare.1");
   if (objShare == null)
       WScript.Echo ("failed to create HNetCfg.HNetShare object!");
   else
       DoTheWork (objShare);
   return;
}

function DoTheWork (objShare)
{
   var objEveryConnColl = objShare.EnumEveryConnection;
   if (objEveryConnColl == null)
       WScript.Echo ("failed to get EveryConnectionCollection!");
   else {
       // enum INetConnections until props are correct
       var objEveryEnum = new Enumerator (objEveryConnColl);
       if (objEveryEnum == null)
           WScript.Echo ("failed to create Enumerator from EveryConnectionCollection");
       else {
           for (objEveryEnum.moveFirst(); !objEveryEnum.atEnd(); objEveryEnum.moveNext()) {

               var objNetConn = objEveryEnum.item();
               if (objNetConn == null)
                   WScript.Echo ("can't get any net connections!");
               else {
                   var objNetConnProps = objShare.NetConnectionProps (objNetConn);
                   if (objNetConnProps == null)
                       WScript.Echo ("can't get net connection props!");
                   else {
                       if ((objNetConnProps.Characteristics & NCCF_SHARED) ||
                           (objNetConnProps.Characteristics & NCCF_FIREWALLED))
                       {
                           // found one!
                           var objShareConf = objShare.INetSharingConfigurationForINetConnection (objNetConn);
                           if (objShareConf == null)
                               WScript.Echo ("can't make INetSharingConfiguration object!");
                           else {
                               AddAsymmetricPortMapping (objShareConf);
                               // WScript.Echo ("added a port mapping named 'Ben's Port Mapping'.");
                           }
                       }
                   }
               }
           }
       }
   }

   // do other work here.
   // when you're done,
   // clean up port mapping
   // WScript.Echo ("cleaning up");
   // if (objShareConf != null)
   //    DeletePortMapping (objShareConf, NAT_PROTOCOL_TCP, 555, 444);
}

function AddAsymmetricPortMapping (objShareConf)
{
   // in case it exists already....
   // DeletePortMapping (objShareConf, NAT_PROTOCOL_TCP, 555, 444);

   var objPortMapping = objShareConf.AddPortMapping (
                               "Manager",
                               NAT_PROTOCOL_TCP,
                               5912,
                               5912,
                               0,
                               "127.0.0.1", ICSTT_NAME);
// or                           "192.168.0.2", ICSTT_IPADDRESS);

   // Enable the mapping only if AddPortMapping actually returned one;
   // the Echo calls are left commented out, as posted.
   if (objPortMapping != null) {
   //    WScript.Echo ("just added NAT_PROTOCOL_UDP, 1761, 1761!");
       objPortMapping.Enable();
   //    WScript.Echo ("just enabled port mapping!");
   }
   // else
   //     WScript.Echo ("failed to add asymmetric port mapping!");
}

function DeletePortMapping (objShareConf, typeProtocol, iExternalPort, iInternalPort)
{
   // enum, deleting match, if any
   var objPMColl = objShareConf.EnumPortMappings (ICSSC_DEFAULT);
   if (objPMColl == null)
       WScript.Echo ("can't get 'every' collection!");
   else {
       var varEnumerator = new Enumerator (objPMColl);
       if (varEnumerator != null) {
           for (varEnumerator.moveFirst(); !varEnumerator.atEnd(); varEnumerator.moveNext()) {
               var objPortMapping = varEnumerator.item();
               if (objPortMapping != null) {
                   var objPMProps = objPortMapping.Properties;
                   if (objPMProps != null) {
                       if ((objPMProps.IPProtocol   == typeProtocol ) &&
                           (objPMProps.ExternalPort == iExternalPort) &&
                           (objPMProps.InternalPort == iInternalPort))
                       {
                           objPortMapping.Delete();
                           // or objShareConf.RemovePortMapping (objPortMapping);

                           WScript.Echo ("just deleted " + typeProtocol + ", " + iExternalPort + ", " + iInternalPort + "!")
                       }
                   }
               }
           }
       }
   }
}

You have to change the var objPortMapping settings. In this example:

- Manager (Name of the service)

- NAT_PROTOCOL_TCP (Protocol: TCP or UDP)

- 5912 (Port number)

Save as .js


Check out the ICFutil at:

http://msdn.microsoft.com/library/default..../icf_enable.asp

- ICFUtil /AddService <enable/disable> <service name> <external port> <internal port> <name/IP address> <tcp/udp> [/Q /L [pathname]]

For example: ICFUtil /AddService enable "ftp server" 21 21 localhost tcp

And you can use it to enable the firewall on all connections and view status of the firewall on connections.


Am I missing something here ?

I just added the 3 first lines on winnt.sif, don't really know if the rest is really required, but, it works quite well, and without the use of any utility.

[Homenet]
InternetConnectionFirewall = Adapter1
ShowTrayIcon = Yes

[NetProtocols]
MS_TCPIP=params.MS_TCPIP

[params.MS_TCPIP]
EnableICMPRedirect = No
EnableSecurity = Yes


  • 1 month later...

If you are only doing this for one machine type with a known config that would work fine, but if you have multiple adapters/configurations it doesn't always work, but the utils will.
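
The multi-adapter concern in the last reply, and step 10 of the Sysprep procedure earlier in the thread, can be checked by script instead of through NCPA.CPL. The JScript below is an added example, not code from any poster or from Microsoft; it assumes pre-SP2 Windows XP with ICF and the same HNetCfg.HNetShare object the posted port-mapping script uses, and the file name icfaudit.js is hypothetical.

```jscript
// Added example (not from the thread): report ICF state for every connection.
// Run from a console:  cscript //nologo icfaudit.js   (hypothetical file name)
var ICSSC_DEFAULT    = 0;   // same constants as the posted script
var NAT_PROTOCOL_TCP = 6;

function ProtoName (n)
{
   return (n == NAT_PROTOCOL_TCP) ? "TCP" : "UDP";
}

// Returns the number of connections that are not firewalled or cannot be
// queried. Every connection is checked, so adapters the build did not
// anticipate show up here too; decide per build which ones are acceptable.
function AuditConnections (objShare)
{
   var unprotected = 0;
   var conns = new Enumerator (objShare.EnumEveryConnection);
   for (conns.moveFirst(); !conns.atEnd(); conns.moveNext()) {
      var conn = conns.item();
      var name = "(unknown)";
      try {
         name = objShare.NetConnectionProps (conn).Name;
         var conf = objShare.INetSharingConfigurationForINetConnection (conn);
         if (!conf.InternetFirewallEnabled) {
            unprotected++;
            WScript.Echo ("NOT FIREWALLED: " + name);
            continue;
         }
         WScript.Echo ("firewalled:     " + name);
         // List the enabled port mappings, i.e. the openings in the firewall.
         var maps = new Enumerator (conf.EnumPortMappings (ICSSC_DEFAULT));
         for (maps.moveFirst(); !maps.atEnd(); maps.moveNext()) {
            var pm = maps.item().Properties;
            if (pm.Enabled)
               WScript.Echo ("   open: " + pm.Name + " " + ProtoName (pm.IPProtocol) +
                             " " + pm.ExternalPort + " -> " + pm.InternalPort);
         }
      } catch (e) {
         // A connection whose state cannot be read is treated as unprotected.
         unprotected++;
         WScript.Echo ("CANNOT QUERY:   " + name + " (" + e.message + ")");
      }
   }
   return unprotected;
}

var failures = AuditConnections (new ActiveXObject ("HNetCfg.HNetShare.1"));
WScript.Quit (failures > 0 ? 1 : 0);   // non-zero exit code fails a build check
```

Run it with cscript rather than wscript so the output goes to the console and the exit code can be tested from a batch file.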
