
; Windows Firewall with Advanced Security - Add application rule
; SFSxOI - 5 August 2008
; Windows version = Windows Vista or later (INetFwPolicy2 is not available on Windows XP / Server 2003)
;///////////////////////// Special Thanks //////////////////////////////
; Special thanks to srod for helping me out when I had it so screwed up
;///////////////////////////////////////////////////////////////////////
; MSDN references used:
; http://msdn.microsoft.com/en-us/library/aa366418(VS.85).aspx
; http://msdn.microsoft.com/en-us/library/aa366459(VS.85).aspx
; http://msdn.microsoft.com/en-us/library/aa364695(VS.85).aspx
; Notes:
; Interfaces below include the IDispatch methods and were generated with the OLECOM Interface generator v0.2 by S.M.
; http://www.purebasic.fr/english/viewtopic.php?t=23370
; Thanks for a great tool S.M.
; Rules created this way are classed as pre-defined by the firewall UI, so some of their properties cannot be edited there afterwards.
; If something goes wrong, delete the rule in the firewall interface (or via INetFwRules\Remove) and start over.
; Writing firewall policy needs administrative rights: under UAC the process must run elevated, otherwise INetFwRules\Add fails.
; NET_FW_PROFILE_TYPE2_ - profile bit flags; combine with | to target several profiles at once
#NET_FW_PROFILE2_DOMAIN = $1
#NET_FW_PROFILE2_PRIVATE = $2
#NET_FW_PROFILE2_PUBLIC = $4
#NET_FW_PROFILE2_ALL = $7FFFFFFF ; every profile bit set (decimal 2147483647)
; NET_FW_ACTION_ - what the rule does with matching traffic
#NET_FW_ACTION_BLOCK = 0
#NET_FW_ACTION_ALLOW = 1
#NET_FW_ACTION_MAX = 2 ; boundary marker only, not a valid action for a rule
; NET_FW_IP_PROTOCOL_ - IANA protocol numbers, plus the firewall's own "any protocol" value
#NET_FW_IP_PROTOCOL_TCP = 6
#NET_FW_IP_PROTOCOL_UDP = 17
#NET_FW_IP_PROTOCOL_ANY = 256
; NET_FW_RULE_DIRECTION_ - traffic direction the rule applies to
#NET_FW_RULE_DIR_IN = 1
#NET_FW_RULE_DIR_OUT = 2
#NET_FW_RULE_DIR_MAX = 3 ; boundary marker only, not a valid direction for a rule
CompilerIf Defined(INetFwPolicy2,#PB_Interface) = #False
; INetFwPolicy2 vtable. The method ORDER is the binary contract with the COM object and
; follows MSDN; do not reorder or remove entries. Parameter names are leftovers from the
; generator (many are just "riid"/"group") and carry no meaning of their own.
; NOTE(review): several getters here are declared with one parameter fewer than their MSDN
; signature - the [out, retval] pointer is missing (e.g. get_FirewallEnabled, get_DefaultInboundAction,
; IsRuleGroupEnabled). Only get_Rules and get_CurrentProfileTypes are called in this file, and those
; two match MSDN. Check the signature against MSDN before calling any of the others.
Interface INetFwPolicy2
; --- IUnknown ---
QueryInterface(riid.l,ppvObj.l)
AddRef()
Release()
; --- IDispatch ---
GetTypeInfoCount(pctinfo.l)
GetTypeInfo(itinfo.l,lcid.l,pptinfo.l)
GetIDsOfNames(riid.l,rgszNames.l,cNames.l,lcid.l,rgdispid.l)
Invoke(dispidMember.l,riid.l,lcid.l,wFlags.l,pdispparams.l,pvarResult.l,pexcepinfo.l,puArgErr.l)
; --- INetFwPolicy2 ---
get_CurrentProfileTypes(dispidMember.l) ; out: NET_FW_PROFILE_TYPE2_ bitmask of the profiles active right now
get_FirewallEnabled(profileType.l)
put_FirewallEnabled(profileType.l,riid.w) ; .w = VARIANT_BOOL
get_ExcludedInterfaces(profileType.l)
put_ExcludedInterfaces(profileType.l,riid.p-variant)
get_BlockAllInboundTraffic(profileType.l)
put_BlockAllInboundTraffic(profileType.l,riid.w) ; .w = VARIANT_BOOL
get_NotificationsDisabled(profileType.l)
put_NotificationsDisabled(profileType.l,riid.w) ; .w = VARIANT_BOOL
get_UnicastResponsesToMulticastBroadcastDisabled(profileType.l)
put_UnicastResponsesToMulticastBroadcastDisabled(profileType.l,riid.w) ; .w = VARIANT_BOOL
get_Rules(profileType.l) ; out: INetFwRules* - the live rule collection used by Vista_AdvFW_Rule()
get_ServiceRestriction(profileType.l)
EnableRuleGroup(profileTypesBitmask.l,group.p-bstr,enable.w)
IsRuleGroupEnabled(profileTypesBitmask.l,group.p-bstr)
RestoreLocalFirewallDefaults()
get_DefaultInboundAction(profileType.l)
put_DefaultInboundAction(profileType.l,group.l) ; NET_FW_ACTION_ value
get_DefaultOutboundAction(profileType.l)
put_DefaultOutboundAction(profileType.l,group.l) ; NET_FW_ACTION_ value
get_IsRuleGroupCurrentlyEnabled(group.p-bstr)
get_LocalPolicyModifyState(group.l)
EndInterface
CompilerEndIf
CompilerIf Defined(INetFwRule,#PB_Interface) = #False
; INetFwRule vtable: one firewall rule. Method ORDER is the binary contract with the COM object
; and follows MSDN; do not reorder or remove entries. Parameter names are generator leftovers.
; get_* take a pointer to receive the value; put_* take the value itself.
Interface INetFwRule
; --- IUnknown ---
QueryInterface(riid.l,ppvObj.l)
AddRef()
Release()
; --- IDispatch ---
GetTypeInfoCount(pctinfo.l)
GetTypeInfo(itinfo.l,lcid.l,pptinfo.l)
GetIDsOfNames(riid.l,rgszNames.l,cNames.l,lcid.l,rgdispid.l)
Invoke(dispidMember.l,riid.l,lcid.l,wFlags.l,pdispparams.l,pvarResult.l,pexcepinfo.l,puArgErr.l)
; --- INetFwRule ---
get_Name(dispidMember.l)
put_Name(dispidMember.p-bstr) ; rule display name; also the key INetFwRules\Remove / Item look up
; NOTE(review): declared .q (8 bytes) while every other getter and MSDN use a single out pointer;
; not called in this file, but change to .l before using it.
get_Description(dispidMember.q)
put_Description(dispidMember.p-bstr)
get_ApplicationName(dispidMember.l)
put_ApplicationName(dispidMember.p-bstr) ; full path of the executable the rule matches on
get_serviceName(dispidMember.l)
put_serviceName(dispidMember.p-bstr)
get_Protocol(dispidMember.l)
put_Protocol(dispidMember.l) ; NET_FW_IP_PROTOCOL_ value
get_LocalPorts(dispidMember.l)
put_LocalPorts(dispidMember.p-bstr) ; port list as text, e.g. "4000,5000"
get_RemotePorts(dispidMember.l)
put_RemotePorts(dispidMember.p-bstr)
get_LocalAddresses(dispidMember.l)
put_LocalAddresses(dispidMember.p-bstr)
get_RemoteAddresses(dispidMember.l)
put_RemoteAddresses(dispidMember.p-bstr) ; not set by Vista_AdvFW_Rule(); the rule then matches any remote host
get_IcmpTypesAndCodes(dispidMember.l)
put_IcmpTypesAndCodes(dispidMember.p-bstr)
; NOTE(review): same .q oddity as get_Description - see above.
get_Direction(dispidMember.q)
put_Direction(dispidMember.l) ; NET_FW_RULE_DIR_ value
get_Interfaces(dispidMember.l)
put_Interfaces(dispidMember.p-variant)
get_InterfaceTypes(dispidMember.l)
put_InterfaceTypes(dispidMember.p-bstr)
get_Enabled(dispidMember.l)
put_Enabled(dispidMember.w) ; .w = VARIANT_BOOL (#VARIANT_TRUE / #VARIANT_FALSE)
get_Grouping(dispidMember.l)
put_Grouping(dispidMember.p-bstr)
get_Profiles(dispidMember.l)
put_Profiles(dispidMember.l) ; NET_FW_PROFILE2_ bitmask
get_EdgeTraversal(dispidMember.l)
put_EdgeTraversal(dispidMember.w) ; .w = VARIANT_BOOL
get_Action(dispidMember.l)
put_Action(dispidMember.l) ; NET_FW_ACTION_BLOCK or NET_FW_ACTION_ALLOW
EndInterface
CompilerEndIf
CompilerIf Defined(INetFwRules,#PB_Interface) = #False
; INetFwRules vtable: the collection of rules held by the policy (INetFwPolicy2\get_Rules).
; Method ORDER is the binary contract with the COM object and follows MSDN; do not reorder.
Interface INetFwRules
; --- IUnknown ---
QueryInterface(riid.l,ppvObj.l)
AddRef()
Release()
; --- IDispatch ---
GetTypeInfoCount(pctinfo.l)
GetTypeInfo(itinfo.l,lcid.l,pptinfo.l)
GetIDsOfNames(riid.l,rgszNames.l,cNames.l,lcid.l,rgdispid.l)
Invoke(dispidMember.l,riid.l,lcid.l,wFlags.l,pdispparams.l,pvarResult.l,pexcepinfo.l,puArgErr.l)
; --- INetFwRules ---
get_Count(dispidMember.l)
Add(rule.l) ; INetFwRule* - commits the rule to the live policy; needs administrative rights
Remove(Name.p-bstr) ; removes by rule name
; NOTE(review): MSDN lists a second parameter for Item (INetFwRule **rule, out); it is missing
; here. Not called in this file - confirm the signature before using it.
Item(Name.p-bstr)
get__NewEnum(Name.l)
EndInterface
CompilerEndIf
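; Creates one Windows Firewall (Advanced Security) application rule through the
; INetFwPolicy2 / INetFwRule COM interfaces and appends it to the live policy.
;
; Parameters:
;   rulename    - display name of the rule (also the key INetFwRules\Remove / Item look up)
;   descrip     - free-text description shown in the firewall UI
;   app_path    - full path of the executable the rule applies to; the string is handed to
;                 the firewall unmodified (environment variables like %SystemRoot% included)
;   proto       - #NET_FW_IP_PROTOCOL_TCP / _UDP / _ANY
;   loc_port    - local port list as text, e.g. "4000,5000"; passed through unmodified
;   rmt_port    - remote port list as text; "" leaves the rule's default (remote ports not set)
;   enab        - #VARIANT_TRUE to enable the rule at once, #VARIANT_FALSE to create it disabled
;   group       - rule group name, or an indexed resource string such as "@firewallapi.dll,-23255"
;   block_allow - #NET_FW_ACTION_ALLOW or #NET_FW_ACTION_BLOCK (#NET_FW_ACTION_MAX is a
;                 boundary marker, not a valid action)
;   profile_z   - NET_FW_PROFILE2_ bitmask; 0 / #Null applies the rule to the profiles that are
;                 active right now (INetFwPolicy2\get_CurrentProfileTypes)
;   in_out      - "in" (inbound) or "out" (outbound), case-insensitive; anything else,
;                 including "", is treated as inbound
;
; Returns #True when INetFwRules\Add accepted the rule, #False on any COM failure
; (policy object creation, rules collection lookup, rule object creation, or Add itself).
;
; Security notes:
;   - Writing firewall policy requires administrative rights. Under UAC the process must be
;     elevated, otherwise Add fails and this procedure returns #False (no exception is raised).
;   - The rule matches on the file path only. An allow rule for a path that non-admin users can
;     write to lets any binary dropped there inherit the exception - keep app_path in a
;     protected location.
;   - RemoteAddresses is not set, so the rule matches traffic to/from any remote host. Callers
;     that need a tighter rule should add a NewRule_obj\put_RemoteAddresses() call.
;   - Passing #NET_FW_PROFILE2_ALL opens the rule on public networks as well as domain/private.
Procedure Vista_AdvFW_Rule(rulename.s, descrip.s, app_path.s, proto.l, loc_port.s, rmt_port.s, enab.l, group.s, block_allow.l, profile_z.l, in_out.s)
  Protected fwPolicy2_obj.INetFwPolicy2
  Protected RulesObject.INetFwRules
  Protected NewRule_obj.INetFwRule
  Protected CurrentProfile.l
  Protected ok.l = #False

  CoInitialize_(0)
  If CoCreateInstance_(?CLSID_NetFwPolicy2, #Null, #CLSCTX_INPROC_SERVER, ?IID_INetFwPolicy2, @fwPolicy2_obj) = #S_OK
    ; Without the live rules collection there is nowhere to add the rule; check it before use
    ; so a failed lookup cannot leave RulesObject null and be Released below.
    If fwPolicy2_obj\get_Rules(@RulesObject) = #S_OK And RulesObject
      fwPolicy2_obj\get_CurrentProfileTypes(@CurrentProfile)
      If CoCreateInstance_(?CLSID_NetFwRule, #Null, #CLSCTX_INPROC_SERVER, ?IID_INetFwRule, @NewRule_obj) = #S_OK
        ; Rule identity and matching criteria
        NewRule_obj\put_Name(rulename)
        NewRule_obj\put_Description(descrip)
        NewRule_obj\put_ApplicationName(app_path)
        NewRule_obj\put_Protocol(proto)
        NewRule_obj\put_LocalPorts(loc_port)
        ; Direction: only "out" produces an outbound rule, everything else is explicitly inbound
        Select LCase(in_out)
          Case "out"
            NewRule_obj\put_Direction(#NET_FW_RULE_DIR_OUT)
          Default
            NewRule_obj\put_Direction(#NET_FW_RULE_DIR_IN)
        EndSelect
        ; An empty remote port list is left unset rather than passed as ""
        If rmt_port <> ""
          NewRule_obj\put_RemotePorts(rmt_port)
        EndIf
        NewRule_obj\put_Enabled(enab)
        NewRule_obj\put_Grouping(group)
        ; Fix for the original: the check read an undeclared variable (always 0), so the
        ; caller's profile_z was never applied and every rule went to the current profiles.
        If profile_z = #Null
          NewRule_obj\put_Profiles(CurrentProfile)
        Else
          NewRule_obj\put_Profiles(profile_z)
        EndIf
        NewRule_obj\put_Action(block_allow)
        ; Add commits the rule to the policy; this is the call that needs elevation
        If RulesObject\Add(NewRule_obj) = #S_OK
          ok = #True
        EndIf
        NewRule_obj\Release()
      EndIf
      RulesObject\Release()
    EndIf
    fwPolicy2_obj\Release()
  EndIf
  CoUninitialize_()
  ProcedureReturn ok
EndProcedure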
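; ----- Example only: replace every value below with your own project's data -----
rulename_x.s = "My Application Name"
descrip_x.s = "Allow my application network traffic"
; PureBasic string literals are not escape-processed unless prefixed with ~, so a "\\" inside
; "..." stays a doubled backslash and is unlikely to match the real file path. Use single
; backslashes. Environment variables such as %systemDrive% are handed to the firewall as-is.
app_path_x.s = "%systemDrive%\Program Files\MyApplication.exe" ; or a literal path like "C:\windows\MySuperApp.exe"
proto_x.l = #NET_FW_IP_PROTOCOL_TCP
loc_port_x.s = "4000,5000"
rmt_port_x.s = "1000,3000"
enab_x.l = #VARIANT_TRUE ; #VARIANT_FALSE creates the rule disabled
group_x.s = "MyProject" ; may also be an indexed resource string such as "@firewallapi.dll,-23255"
; #NET_FW_ACTION_MAX is a boundary marker, not a real action. The description above says
; "Allow", so use #NET_FW_ACTION_ALLOW (or #NET_FW_ACTION_BLOCK for a deny rule).
block_allow_x.l = #NET_FW_ACTION_ALLOW
; #NET_FW_PROFILE2_ALL applies the rule on domain, private AND public networks. Pass only the
; profile bits you need (e.g. #NET_FW_PROFILE2_DOMAIN | #NET_FW_PROFILE2_PRIVATE) for a tighter rule.
profile_x.l = #NET_FW_PROFILE2_ALL
in_out_x.s = "out" ; "in" = inbound rule, "out" = outbound rule, "" defaults to inbound
; Create the outbound rule first, then the inbound one. Each call is its own COM session and
; needs the process to run elevated (administrator) to succeed.
Vista_AdvFW_Rule(rulename_x.s, descrip_x.s, app_path_x.s, proto_x.l, loc_port_x.s, rmt_port_x.s, enab_x.l, group_x.s, block_allow_x.l, profile_x.l, in_out_x.s)
Delay(3000) ; kept from the original; the COM calls are synchronous, so this pause is presumably not required
in_out_x.s = "in"
Vista_AdvFW_Rule(rulename_x.s, descrip_x.s, app_path_x.s, proto_x.l, loc_port_x.s, rmt_port_x.s, enab_x.l, group_x.s, block_allow_x.l, profile_x.l, in_out_x.s)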
; COM class and interface identifiers in binary GUID layout (Data.l, 2 x Data.w, 8 x Data.b).
; The registry-string form is given on each label so it can be cross-checked against MSDN.
DataSection
CLSID_NetFwPolicy2: ; {E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
Data.l $E2B3C97F
Data.w $6AE1,$41AC
Data.b $81,$7A,$F6,$F9,$21,$66,$D7,$DD
IID_INetFwPolicy2: ; {98325047-C671-4174-8D81-DEFCD3F03186}
Data.l $98325047
Data.w $C671,$4174
Data.b $8D,$81,$DE,$FC,$D3,$F0,$31,$86
CLSID_NetFwRule: ; {2C5BC43E-3369-4C33-AB0C-BE9469677AF4}
Data.l $2C5BC43E
Data.w $3369, $4C33
Data.b $AB,$0C,$BE,$94,$69,$67,$7A,$F4
IID_INetFwRule: ; {AF230D27-BABA-4E42-ACED-F524F22CFCE2}
Data.l $AF230D27
Data.w $BABA,$4E42
Data.b $AC,$ED,$F5,$24,$F2,$2C,$FC,$E2
IID_INetFwRules: ; {9C4C6277-5027-441E-AFAE-CA1F542DA009} - not referenced by the code above (get_Rules returns the collection directly)
Data.l $9C4C6277
Data.w $5027, $441E
Data.b $AF,$AE,$CA,$1F,$54,$2D,$A0,$09
EndDataSection