2

As every Windows system administrator should know in 2019, the "Windows Firewall" service is a critical component of the Windows network stack, and it should never, ever be stopped and disabled; the correct way to let any traffic flow into/from a Windows server is to configure the firewall to let anything through, but without actually stopping the Windows Firewall service; in fact, not only is this not supported by Microsoft, but it can lead to all sorts of weird networking issues.

This is even (somewhat) explicitly mentioned in the documentation:

Do not disable Windows Firewall by stopping the service. Instead, use one of the preceding procedures (or an equivalent Group Policy setting) to turn the firewall off. [...] Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft.

Now, I have a bunch of servers where the previous sysadmins thought disabling the Windows Firewall service was a good idea, and so they did. I need to reactivate it, but as soon as I do that, I immediately lose network connectivity to the systems (because of course nobody bothered to actually configure Windows Firewall to let things such as RDP in); I also can't manually change the Windows Firewall configuration before restarting the service, either via GUI or via netsh, because both tools complain about the Windows Firewall service being stopped and thus won't let me configure anything.

So far, the only viable approach has been to use the physical (ok, virtual) console of those servers to re-enable the Windows Firewall service and then set appropriate firewall exceptions (or allow all traffic altogether); however, this is infeasible for a large number of systems or if you don't actually have console access.

How can I configure Windows Firewall to accept all (or some) incoming connections when the service is down and before restarting it?

Massimo
  • 1
    It might be a really dumb idea but, if you know what rule you need to create via netsh after you restart the service, why not script it? Write a script that will start the Windows Firewall service, then the next command would be the netsh that allows everything in (or at least RDP so you can remote in and make the adjustments afterwards). – Aura Oct 01 '19 at 22:58
  • Are these domain joined? Could you set up an Active Directory GPO with RDP allowed firewall rules so that these are what becomes in force when you turn the firewall back on? – Rob Pearson Oct 05 '19 at 15:24
  • That would be the proper solution; unfortunately, I don't have domain admin rights (also, some machines are not domain joined). – Massimo Oct 06 '19 at 15:43
  • 1
    @Aura your solution actually works; if you post it as an answer I'll accept it. – Massimo Oct 09 '19 at 09:47
  • @Massimo Glad to know that it worked! Posted. – Aura Oct 09 '19 at 22:48

3 Answers

1

It might be a really dumb idea but, if you know what rule you need to create via netsh after you restart the service, why not script it? Write a script that will start the Windows Firewall service, then the next command would be the netsh that allows everything in (or at least RDP so you can remote in and make the adjustments afterwards)

Aura
  • This actually isn't dumb at all; a two-line script that A) starts the service and B) adds a rule (via `netsh`) to allow RDP access will ensure you can reach the server after doing that. Tested and working. – Massimo Oct 10 '19 at 06:00
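The following is an added example of the "start the service, then immediately add the rule" approach described in this answer; it is not code from the answer or from Microsoft. It assumes the Windows Defender Firewall service name `MpsSvc`, the English display group name `Remote Desktop` for the built-in RDP rules, and RDP listening on the default TCP port 3389; adjust the port or rule name for non-default setups. The order of operations is the whole point: the service must be running before `netsh` or the `NetSecurity` cmdlets will accept any rule, and the rule must follow within the same script because the session you are typing into may drop the moment filtering starts.

```powershell
# Added example (not from the original answer). Run elevated, on the server itself.
# Assumptions: service name MpsSvc, English rule group "Remote Desktop", RDP on TCP 3389.
$ErrorActionPreference = 'Stop'

# Step A: bring the Windows Firewall service back. A service set to Disabled
# cannot be started, so fix the start type first.
$svc = Get-Service -Name MpsSvc
if ($svc.StartType -eq 'Disabled') {
    Set-Service -Name MpsSvc -StartupType Automatic
}
if ($svc.Status -ne 'Running') {
    Start-Service -Name MpsSvc
    # Block until the service reports Running; rule management fails before that.
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
}

# Step B: open RDP before doing anything else, so the host stays reachable.
# Prefer the built-in rule group (covers TCP and UDP 3389 on every profile);
# fall back to an explicit rule if someone deleted the built-in ones.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
if ($rdpRules) {
    $rdpRules | Enable-NetFirewallRule
} else {
    New-NetFirewallRule -DisplayName 'Allow RDP (recovery)' -Direction Inbound `
        -Protocol TCP -LocalPort 3389 -Action Allow -Profile Any
}
# netsh equivalent of the fallback, if the NetSecurity module is unavailable:
# netsh advfirewall firewall add rule name="Allow RDP (recovery)" dir=in action=allow protocol=TCP localport=3389

# Make sure the firewall is actually enforcing on all profiles (it normally is
# as soon as the service runs, but a previous admin may have turned profiles off).
Set-NetFirewallProfile -All -Enabled True

# Verify: list the inbound rules that now allow 3389.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq '3389' } |
    Get-NetFirewallRule | Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Profile, Action
```

Because your own RDP or WinRM connection may be cut when the service starts, launch the script so it does not depend on that connection surviving: a process started in the RDP session keeps running after the session disconnects, and a one-shot scheduled task (`schtasks /create ... /sc once`) or the hypervisor's guest agent work when you have no session at all. Once you are back in, replace the blanket RDP rule with the allow list you actually want rather than leaving the firewall wide open.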
0

Another alternative would be to configure the necessary firewall settings in advance using group policy. Even if the server isn't a domain member, you could still use local group policy.

However, I'm not sure whether the settings would kick in immediately in this scenario. They might only take effect on the next group policy refresh. Of course, you could write a script that starts the firewall and then refreshes group policy.

Harry Johnston
-1

Whenever I mess with firewalls remotely, I make sure that I set up a backdoor. I've been bitten by this a few times, so I always do this first.

You can do this by installing hamachi (or your favorite vpn software) on the server and tightvnc (or your favorite remote admin software) on the server and the workstation you're doing all the work from. Hamachi's extremely easy to set up and the free account allows for up to 5 nodes.

Before you make ANY changes to your firewall, make sure that you can access the server through the newly created backdoor.

Once you're done adjusting firewall rules, you can remove hamachi and tightvnc, or whatever you installed before this.

Another option is to see if you can access the services applet of the server in question via another computer in the same network (e.g. connect remotely to the other computer and see if you can do administrative work from it). So if even hamachi is blocked by Windows' firewall, you can stop it via a workstation.

Having said all this, I think that you can set up your firewall's rules with the firewall off and then enable it. But "stuff" happens, so I'd still have an alternative to interact with the server in case something doesn't work as you expected.

Alex

alex_223
  • Installing any other application will not help you, as the firewall will cut access to that, too; also, you can't configure Windows Firewall when the service is stopped (that's the core of the issue here). – Massimo Oct 10 '19 at 06:06
  • 1
    @Massimo, if the Windows Firewall has the default configuration, then outgoing connections will still work. So making the server a VPN client would provide a second line of defence. – Harry Johnston Oct 10 '19 at 18:22