Note: This script is part of the Rigutils toolset. GitHub: ConfigureFirewall.bat

Prerequisites

  1. Complete the Disable UAC step

General info

Detailed information on the firewall setup, as well as a GUI-oriented tutorial, can be found here.


Instruction

STEP 1. Launch command prompt via cmd_rigutils.bat

STEP 2. Run ConfigureFirewall.bat

1. Type ConfigureFirewall.bat (case of letters doesn't matter)

2. Press Enter

You may type Conf and then press the Tab key to speed up command entry. cmd.exe searches the current directory for names starting with Conf and expands it to the full name automatically.

ConfigureFirewall.bat

3. You don't have to do anything until the script starts asking you questions (see STEP 3 below). What follows is a step-by-step walkthrough of the actions this script performs:


3.1. Saving current state of firewall into a backup file

set "BackupDir=%~dp0firewall.bak"
if not exist "%BackupDir%" (
    echo == Creating backup directory ==
    echo %BackupDir%
    mkdir "%BackupDir%" || goto :exitWithError
)
 
if not exist "%BackupDir%\firewall.wfw" (
    echo == Saving current firewall configuration ==
    echo file: %BackupDir%\firewall.wfw
    netsh advfirewall export "%BackupDir%\firewall.wfw" || goto :exitWithError
)

Output:

== Creating backup directory ==
C:\bin\rigutils\windows_tuning\firewall.bak
 
== Saving current firewall configuration ==
file: C:\bin\rigutils\windows_tuning\firewall.bak\firewall.wfw
Ok.
 
For restoring of your original firewall configuration use the command:
  netsh advfirewall import C:\bin\rigutils\windows_tuning\firewall.bak\firewall.wfw
or the following command if you want to restore default Windows settings:
  netsh advfirewall reset

3.2. Disabling ALL non-BLOCKING inbound rules

This one-liner PowerShell script loops through all enabled inbound rules whose action is not "block" and disables them one by one. In the HNetCfg.FwPolicy2 COM interface Direction 1 means inbound and Action 0 means block, so the filter below selects every permissive inbound rule:

rem Direction -eq 1: inbound; Action -ne 0: anything other than BLOCK, i.e. permissive rules
powershell -Command "& { $fw=New-Object -ComObject HNetCfg.FwPolicy2; $rules=@($fw.Rules | Where-Object { $_.Direction -eq 1 -and $_.Enabled -eq $true -and $_.Action -ne 0 }); $rules | ForEach-Object { echo $_.Name; $_.Enabled=0 }; $rc=$rules.Count; echo ' ' \"$rc firewall rules were disabled\" }" || goto :exitWithError

Output:

== Disabling ALL PERMISSIVE inbound rules ==
<A lengthy list of disabled rules goes here>

201 firewall rules were disabled

For restoring of your original firewall configuration use the command:
  netsh advfirewall import C:\bin\rigutils\windows_tuning\firewall.bak\firewall.wfw
or the following command if you want to restore default Windows settings:
  netsh advfirewall reset
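The same sweep can be done with the NetSecurity cmdlets instead of the COM interface. The script below is an added example and is not part of ConfigureFirewall.bat or the Rigutils project; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, and $LogFile is a hypothetical path. What it adds over the one-liner is a record of the unique Name of every rule it disables, so the change can be undone rule by rule instead of only by importing the whole .wfw backup, and -WhatIf support for a dry run.

```powershell
#Requires -RunAsAdministrator
# Added example (not the project's code): disable every enabled inbound ALLOW rule
# with the NetSecurity cmdlets and log the rule IDs for later re-enabling.
# Assumes an elevated session; $LogFile is a hypothetical location.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$LogFile = (Join-Path $env:TEMP 'disabled_inbound_allow_rules.txt')
)

# Inbound + Enabled + Allow is the same selection as the COM filter
# Direction -eq 1, Enabled -eq $true, Action -ne 0 used by the batch file.
# SilentlyContinue: the cmdlet reports an error (not an empty list) when nothing matches,
# which happens on a second run after everything has already been disabled.
$rules = @(Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue)

$disabled = 0
foreach ($rule in $rules) {
    # With -WhatIf, ShouldProcess only prints what would be done and returns $false
    if ($PSCmdlet.ShouldProcess($rule.DisplayName, 'Disable inbound allow rule')) {
        $rule | Disable-NetFirewallRule
        # Name is the rule's unique ID; DisplayName is not guaranteed to be unique,
        # so the ID is what gets logged for re-enabling.
        Add-Content -Path $LogFile -Value $rule.Name
        Write-Host $rule.DisplayName
        $disabled++
    }
}

Write-Host ''
Write-Host "$disabled of $($rules.Count) enabled inbound allow rules were disabled"
Write-Host "To re-enable them later: Get-Content '$LogFile' | ForEach-Object { Enable-NetFirewallRule -Name `$_ }"
```

Run it once with -WhatIf to see the list of rules it would touch; the re-enable command printed at the end restores exactly those rules, while the netsh import from step 3.1 remains the way to restore the complete original configuration.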

3.3. Disabling IPv6

Detailed information on enabling and disabling IPv6 can be found here at support.microsoft.com.

set "RegPath=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters"
set "RegValue=255"
 
echo RegPath: %RegPath%
echo RegValue: %RegValue%
 
reg.exe ADD %RegPath% /v DisabledComponents /t REG_DWORD /d %RegValue% /f || goto :exitWithError

Output:

== Disabling IPv6 ==
RegPath: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
RegValue: 255
The operation completed successfully.

3.4. Activating the restrictive firewall policy

Read this nice blog post on working with the firewall from the CLI.

echo == Configuring firewall policy ==
echo deny ALL INCOMING connections with NO MATCHING rules and allow ALL OUTGOING connections
 
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound || goto :exitWithError
 
echo To re-enable ALL INCOMING connections by default run the following command: 
echo   netsh advfirewall set allprofiles firewallpolicy allowinbound,allowoutbound

Output:

== Configuring firewall policy ==
deny ALL INCOMING connections with NO MATCHING rules and allow ALL OUTGOING connections
Ok.

To re-enable ALL INCOMING connections by default run the following command:
  netsh advfirewall set allprofiles firewallpolicy allowinbound,allowoutbound

3.5. Explicitly blocking well-known ports and applications

Quote from block ports guide:

You may call me paranoid, but steps described in the configure firewall guide were just a passive defense. I would like to take a more proactive approach against possible network attacks.

During this step the following ports/applications will be blocked:

1. Windows RPC [1] - TCP/UDP ports 135 [2], 593 [3], 49664-49675 [4]

2. Windows Deployment Services (WDS) [5] - TCP/UDP port 5040 [6]

Please note that once the NetBIOS ports are blocked you will no longer be able to share folders or disks from your computer.

3. NetBIOS [7] Name Service - TCP/UDP port 137 [8]

4. NetBIOS Datagram Service - TCP/UDP port 138 [9]

5. NetBIOS Session Service - TCP/UDP port 139 [10]

6. TCP NetBIOS helper - TCP port 445 [11]

7. UPnP Service - TCP port 5000 [12]

8. DNSCache Service - TCP/UDP port 5353 [13]

9. Windows Update Delivery Optimization - TCP/UDP port 7680 [14]

10. Windows Remote Desktop Protocol RDP - TCP port 3389 [15]

This function manages rule creation: it first checks whether an inbound rule with the given name already exists, and creates the rule only if it does not.

:inboundRule
    set "action=%~1"
    set "proto=%~2"
    set "port=%~3"
    set "serviceName=%~4"
    set "ruleName=_%action% %serviceName% %proto%-%port%"

    rem Look for an inbound rule with the given name (Direction 1 = inbound).
    rem Exit codes of the PowerShell check: 0 = not found, 1 = already exists, 2 = error
    powershell -NoProfile -Command "& { try { $fw=New-Object -ComObject HNetCfg.FwPolicy2; $found=@($fw.Rules | Where-Object { $_.Direction -eq 1 -and $_.Name -eq '%ruleName%' }).Count; if ($found -gt 0) { exit 1 }; exit 0 } catch { Write-Host ('Exception Message: ' + $_.Exception.Message) -ForegroundColor Red; exit 2 } }"

    rem ERROR while checking
    if ERRORLEVEL 2 exit /b 1
    rem Rule already exists: nothing to do
    if ERRORLEVEL 1 exit /b 0

    rem NOT FOUND: create the rule
    echo %proto%: %port%, rule: %ruleName%
    netsh advfirewall firewall add rule dir=in action=%action% protocol=%proto% localport=%port% name="%ruleName%" || exit /b 1

exit /b 0

Here is the code that creates all the block rules:

echo == Creating explicit BLOCK rules for known Windows services ==

call :inboundRule block TCP 135 "Windows RPC" || goto :exitWithError
call :inboundRule block UDP 135 "Windows RPC" || goto :exitWithError
call :inboundRule block TCP 593 "Windows RPC" || goto :exitWithError
call :inboundRule block UDP 593 "Windows RPC" || goto :exitWithError
call :inboundRule block TCP 5040 "Windows RPC" || goto :exitWithError
call :inboundRule block TCP 49664-49675 "Windows RPC" || goto :exitWithError
call :inboundRule block UDP 49664-49675 "Windows RPC" || goto :exitWithError
call :inboundRule block TCP 137 "NetBIOS Name Service" || goto :exitWithError
call :inboundRule block UDP 137 "NetBIOS Name Service" || goto :exitWithError
call :inboundRule block TCP 138 "NetBIOS Datagram Service" || goto :exitWithError
call :inboundRule block UDP 138 "NetBIOS Datagram Service" || goto :exitWithError
call :inboundRule block TCP 139 "NetBIOS Session Service" || goto :exitWithError
call :inboundRule block UDP 139 "NetBIOS Session Service" || goto :exitWithError
call :inboundRule block TCP 445 "TCP NetBIOS helper" || goto :exitWithError
call :inboundRule block TCP 5000 "UPnP Service" || goto :exitWithError
call :inboundRule block UDP 5353 "DNSCache Service" || goto :exitWithError
call :inboundRule block UDP 5355 "DNSCache Service" || goto :exitWithError
call :inboundRule block TCP 7680 "Windows Update Delivery Optimization" || goto :exitWithError
call :inboundRule block UDP 7680 "Windows Update Delivery Optimization" || goto :exitWithError

echo.
echo Use the command to delete a created rule if you want to unblock a port:
echo   netsh advfirewall firewall delete rule protocol=^<tcp^|udp^> localport=^<port^> name="<rule>"
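The batch function above creates the rules but never verifies the end state. The script below is an added example, not code from ConfigureFirewall.bat or the Rigutils project: it reimplements :inboundRule with the NetSecurity cmdlets (Windows 8 / Server 2012 and later, elevated session assumed), drives it from the same port table the batch file uses, and then audits two things: that the default inbound action set in step 3.4 is Block on every profile, and that each explicit block rule from step 3.5 exists, is enabled, and carries the expected protocol and port filter. Rule names follow the script's "_block <service> <proto>-<port>" convention, so rules already created by the batch file are recognised and not duplicated.

```powershell
#Requires -RunAsAdministrator
# Added example (not the project's code): idempotent block-rule creation plus an audit
# of the firewall state produced by steps 3.4 and 3.5. Assumes an elevated session.

function Add-InboundBlockRule {
    param(
        [Parameter(Mandatory)][ValidateSet('TCP', 'UDP')][string]$Protocol,
        [Parameter(Mandatory)][string]$Port,          # single port ('135') or range ('49664-49675')
        [Parameter(Mandatory)][string]$ServiceName
    )
    $ruleName = "_block $ServiceName $Protocol-$Port"

    # Same idempotency check as the batch function: an inbound rule with this name already exists
    $existing = Get-NetFirewallRule -DisplayName $ruleName -Direction Inbound -ErrorAction SilentlyContinue
    if ($existing) { return $existing }

    Write-Host "$($Protocol): $Port, rule: $ruleName"
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block -Profile Any `
        -Protocol $Protocol -LocalPort $Port
}

# The same calls the batch file makes. 5040 is labelled "Windows RPC" there, although the
# port list attributes it to WDS; the label is kept so the rule names match.
$blockList = @(
    @{ Proto = 'TCP'; Port = '135';         Service = 'Windows RPC' },
    @{ Proto = 'UDP'; Port = '135';         Service = 'Windows RPC' },
    @{ Proto = 'TCP'; Port = '593';         Service = 'Windows RPC' },
    @{ Proto = 'UDP'; Port = '593';         Service = 'Windows RPC' },
    @{ Proto = 'TCP'; Port = '5040';        Service = 'Windows RPC' },
    @{ Proto = 'TCP'; Port = '49664-49675'; Service = 'Windows RPC' },
    @{ Proto = 'UDP'; Port = '49664-49675'; Service = 'Windows RPC' },
    @{ Proto = 'TCP'; Port = '137';         Service = 'NetBIOS Name Service' },
    @{ Proto = 'UDP'; Port = '137';         Service = 'NetBIOS Name Service' },
    @{ Proto = 'TCP'; Port = '138';         Service = 'NetBIOS Datagram Service' },
    @{ Proto = 'UDP'; Port = '138';         Service = 'NetBIOS Datagram Service' },
    @{ Proto = 'TCP'; Port = '139';         Service = 'NetBIOS Session Service' },
    @{ Proto = 'UDP'; Port = '139';         Service = 'NetBIOS Session Service' },
    @{ Proto = 'TCP'; Port = '445';         Service = 'TCP NetBIOS helper' },
    @{ Proto = 'TCP'; Port = '5000';        Service = 'UPnP Service' },
    @{ Proto = 'UDP'; Port = '5353';        Service = 'DNSCache Service' },
    @{ Proto = 'UDP'; Port = '5355';        Service = 'DNSCache Service' },
    @{ Proto = 'TCP'; Port = '7680';        Service = 'Windows Update Delivery Optimization' },
    @{ Proto = 'UDP'; Port = '7680';        Service = 'Windows Update Delivery Optimization' }
)

foreach ($entry in $blockList) {
    Add-InboundBlockRule -Protocol $entry.Proto -Port $entry.Port -ServiceName $entry.Service | Out-Null
}

# Audit 1: the policy from step 3.4 means DefaultInboundAction must be Block on every enabled profile
Get-NetFirewallProfile |
    Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block' } |
    ForEach-Object { Write-Warning "Profile '$($_.Name)': Enabled=$($_.Enabled), DefaultInboundAction=$($_.DefaultInboundAction)" }

# Audit 2: every table entry must resolve to an enabled inbound Block rule whose port filter matches
$problems = foreach ($entry in $blockList) {
    $name = "_block $($entry.Service) $($entry.Proto)-$($entry.Port)"
    $rule = Get-NetFirewallRule -DisplayName $name -Direction Inbound -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $rule) { "$name : missing"; continue }
    $filter = $rule | Get-NetFirewallPortFilter
    if ($rule.Enabled -ne 'True' -or $rule.Action -ne 'Block' -or
        "$($filter.Protocol)" -ne $entry.Proto -or "$($filter.LocalPort)" -ne $entry.Port) {
        "$name : Enabled=$($rule.Enabled) Action=$($rule.Action) Filter=$($filter.Protocol)/$($filter.LocalPort)"
    }
}
if ($problems) { Write-Warning ("Block rules missing or misconfigured:`n" + ($problems -join "`n")) }
else           { Write-Host 'All explicit block rules are present, enabled and match the port table.' }
```

Because the check matches on the rule's display name, the audit also covers rules that were created earlier by the batch file through netsh; a rule that someone later disabled or changed from block to allow shows up in the warning list instead of silently passing.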


STEP 3. Allow selected inbound connections

If you get the message Some error occurred!, analyze the script output and fix the problem yourself before running the script again.

Shut up Telemetry.bat

GitHub ShutupTelemetry.bat


[1] Windows RPC general info: Windows RPC
[2] Port 135
[3] Port 593
[4] Ports 49664-49675: fingerprinting and port scanning
[6] Port 5040
[7] NetBIOS general info
[8] NetBIOS Name Service port 137
[9] NetBIOS Datagram Service port 138
[10] NetBIOS Session Service port 139
[11] TCP NetBIOS helper port 445
[12] UPnP Service port 5000
[13] DNSCache Service port 5353
[14] DNSCache Service port 7680
[15] Remote Desktop Protocol port 3389
