This is in regards to working on machines before joining the machine to a domain and although I would love to rely on GPO, that isn't an option at this time.
In the environment I'm working in, the firewall policy is to use a 3rd party Firewall app from a Total Endpoint Solution, so I have to disable the default Windows Firewall to prevent conflicts. I do this using a script that I run at the end of an imaging process or manually on systems I haven't reimaged. For a while, I was able to manage this using:
netsh advfirewall set allprofiles state off
However, that stopped working for some reason. So, I found I needed to clear the local security policy (manually):
Local Security Policy MSC > Windows Firewall with Advanced Security
Right-Click Windows Firewall with Advanced Security - Local Group Policy Object
Clear Policy
This was the script I used to avoid doing it manually:
secedit /configure /db reset /cfg securityprofile
A combination of both steps was working for about a month, then, for no apparent reason, it stopped working.
I began testing a registry hack to achieve what I needed, and it is giving me mixed results. I have two sets of keys with profiles I need to change; for Local Profiles:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile]
"EnableFirewall"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile]
"EnableFirewall"=dword:00000000
For Domain Profiles:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
The problem I'm having is that the Local Profile keeps regenerating the original settings with the firewall on. I've tried:
Attempt 1:
- a) Apply both registry hacks
- b) Reboot
- Result on newly imaged machine: no luck
- Result on old machine used for testing: good to go

Attempt 2:
- a) Apply Local Policy registry hack
- b) Reboot
- Result on newly imaged machine: no luck
- Result on old machine used for testing: good to go

Attempt 3:
- a) Use secedit to clear Local Security Policy
- b) Apply both registry hacks
- c) Reboot
- Result on newly imaged machine: no luck
- Result on old machine used for testing: good to go

Attempt 4:
- a) Use secedit to clear Local Security Policy
- b) Apply Local Policy registry hacks
- c) Reboot
- Result on newly imaged machine: no luck
- Result on old machine used for testing: good to go
My goal is to disable the Windows Firewall via script/automation. Any thoughts?
Note: this is prior to joining the machines to the domain. If I manually clear the Local Security Policy from the MSC, then the registry hacks will work. netsh still won't work and I don't want to have to manually clear the policy for every imaged machine.
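The following is an added diagnostic, not part of the original question, that shows which of the two registry areas is actually governing each profile's on/off state. The SOFTWARE\Policies\Microsoft\WindowsFirewall keys are the ones Group Policy (a domain GPO or the local GPO) writes and re-applies on every policy refresh; the SharedAccess\Parameters\FirewallPolicy keys are the local persistent store that netsh and the MMC write. A value in the policy keys wins over the local store, so knowing which side is populated tells you whether a direct registry write will survive a reboot. It assumes the default registry and Registry.pol paths; the Get-NetFirewallProfile call at the end needs Windows 8 / Server 2012 or later and is skipped elsewhere.

```powershell
# Added example (not from the original post): report where the Windows Firewall
# on/off state is being set from, so an imaging script can tell whether a direct
# registry write will hold or be re-applied by policy at the next refresh/reboot.
# Policies\...\WindowsFirewall is written by Group Policy (domain or local GPO);
# SharedAccess\Parameters\FirewallPolicy is the local store netsh/MMC write to.
# Assumes default paths; the NetSecurity cmdlet at the end needs Windows 8 /
# Server 2012 or later and is skipped otherwise.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$localRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

# Profile name -> (policy subkey, local subkey). The local store calls the
# Private profile "StandardProfile".
$profileKeys = @{
    Domain  = @('DomainProfile',  'DomainProfile')
    Private = @('PrivateProfile', 'StandardProfile')
    Public  = @('PublicProfile',  'PublicProfile')
}

function Get-EnableFirewallValue([string]$KeyPath) {
    # 0 or 1 when EnableFirewall exists under the key; 'not set' when the key or value is absent.
    $item = Get-ItemProperty -Path $KeyPath -Name EnableFirewall -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set' }
    return [int]($item.EnableFirewall)
}

function Get-FirewallPolicySource {
    foreach ($name in @('Domain', 'Private', 'Public')) {
        $policySub, $localSub = $profileKeys[$name]
        $policyValue = Get-EnableFirewallValue (Join-Path $policyRoot $policySub)
        $localValue  = Get-EnableFirewallValue (Join-Path $localRoot  $localSub)
        # A policy value, when present, overrides the local value.
        $source = if ($policyValue -ne 'not set') { 'Group Policy' } else { 'Local settings' }
        [pscustomobject]@{
            Profile         = $name
            PolicyValue     = $policyValue
            LocalValue      = $localValue
            EffectiveSource = $source
        }
    }
}

Get-FirewallPolicySource | Format-Table -AutoSize

# A populated local GPO means something on the image re-applies the Policies
# values on every policy refresh, independent of any domain membership.
$localPol = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Registry.pol'
"Local machine GPO registry policy present: $(Test-Path -LiteralPath $localPol) ($localPol)"

# Effective state as the firewall service sees it (ActiveStore merges policy and local settings).
if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
    Get-NetFirewallProfile -PolicyStore ActiveStore | Format-Table Name, Enabled -AutoSize
}
```

Run it elevated on a freshly imaged machine and on the old test machine and compare: if the policy column is populated on the new image but not on the old one, the new image carries a policy source that keeps regenerating the value, which is exactly the symptom described above.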
I'd like to preface this by saying that I strongly urge anyone that disables their Windows firewall to take the time to understand how it works and how to manipulate it via GPO instead of outright turning it off. There's no reason to turn off a host-based firewall. Microsoft makes excellent tools to manage firewall rules, you should use them.
This TechNet article outlines the proper way to disable the Windows Firewall. Don't turn off the service like others have told you, that will put your server into an unsupported configuration and cause flakiness in various scenarios that are hard to troubleshoot.
From the TechNet article, the netsh syntax is
where valid values for profiles are: AllProfiles, CurrentProfile, DomainProfile, PrivateProfile, or PublicProfile.
It appears that you've already tried this exact command and it's not working. You've also pushed the registry keys that this command manipulates. Based on the fact that it used to work and now doesn't, and that these machines are not domain-joined at the time that you are doing this, there is only one conclusion:
There is something in your image that is overriding this. End of story. Since we don't have your image to look at, there's really no way we can give you a specific fix, other than "you're doing it right and if it doesn't work, something in your image is misconfigured".
Honestly, if you're having to run
secedit /configure /db reset /cfg securityprofile
on your images along with all of this other stuff, you might just be better off making a new image with everything the way you want it.

Errr, tidy up your GPOs, and disable it there. Or, at the very least, create a new GPO at the top of the stack (highest precedence) and disable the firewall. Then go back and tidy your other GPOs later. Local Security policy gets overridden by GPOs, and the first area of the registry you're writing to is specifically for GPO processing.
Short answer... Group Policy. Long answer... Group Policy. (sorry!)
Found the problem. MDT was applying a Local Group Policy at the end of its task sequence after installing my image, which was disabling access to any changes to the local security policy, even by administrators (via command prompt commands, registry, etc...). This is odd, since it's a default policy that comes with MDT. Regardless, removing this task sequence allows me to turn off the firewall using netsh:
As a note; I agree with everyone that you shouldn't disable your firewall service and you shouldn't turn off your firewall.
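The resolution above (a local GPO dropped onto the image by the MDT task sequence) is the kind of thing worth auditing on any image before trusting or changing its firewall state. The script below is an added example, not from the original post and not MDT's code: it parses the local computer policy's Registry.pol and lists what it enforces under the Windows Firewall policy keys, which are the same keys the question's registry hack was writing and losing. The file layout follows the documented MS-GPREG format (a "PReg" signature, a version DWORD, then entries of the form [key;value;type;size;data] with UTF-16LE brackets and semicolons, null-terminated key and value strings, DWORD type and size, then raw data). The path is the default location of the local machine policy and is an assumption.

```powershell
# Added example (not from the original post or from MDT): parse the local
# machine GPO's Registry.pol and list the Windows Firewall settings it enforces.
# Any value listed here is re-applied by Group Policy processing, which is why
# writing the same registry keys directly does not stick.
# Layout per MS-GPREG: 'PReg' signature, version DWORD, then entries
#   [key;value;type;size;data]
# with UTF-16LE '[' ';' ']' characters, null-terminated UTF-16LE key and value,
# little-endian DWORD type and size, then `size` bytes of data.
# The default path below is an assumption about where the local policy lives.

function Read-PolString([byte[]]$Bytes, [ref]$Pos) {
    # Reads a null-terminated UTF-16LE string at $Pos and advances past the terminator.
    $start = $Pos.Value
    while ($Pos.Value + 1 -lt $Bytes.Length -and
           -not ($Bytes[$Pos.Value] -eq 0 -and $Bytes[$Pos.Value + 1] -eq 0)) {
        $Pos.Value += 2
    }
    $text = [Text.Encoding]::Unicode.GetString($Bytes, $start, $Pos.Value - $start)
    $Pos.Value += 2
    return $text
}

function Get-RegistryPolEntry {
    param([string]$Path = (Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Registry.pol'))

    if (-not (Test-Path -LiteralPath $Path)) { return }           # no local registry policy at all
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 8 -or [Text.Encoding]::ASCII.GetString($bytes, 0, 4) -ne 'PReg') {
        throw "Not a Registry.pol file: $Path"
    }
    $uni = [Text.Encoding]::Unicode
    $pos = 8                                                       # skip signature and version DWORD

    while ($pos + 2 -le $bytes.Length) {
        if ($uni.GetString($bytes, $pos, 2) -ne '[') { throw "Malformed entry at offset $pos" }
        $pos += 2                                                  # '['
        $key = Read-PolString $bytes ([ref]$pos)
        $pos += 2                                                  # ';'
        $value = Read-PolString $bytes ([ref]$pos)
        $pos += 2                                                  # ';'
        $type = [int][BitConverter]::ToUInt32($bytes, $pos); $pos += 6   # type DWORD + ';'
        $size = [int][BitConverter]::ToUInt32($bytes, $pos); $pos += 6   # size DWORD + ';'
        $data = New-Object byte[] $size
        [Array]::Copy($bytes, $pos, $data, 0, $size)
        $pos += $size + 2                                          # data + ']'

        # Decode the two types that matter for firewall policy; dump anything else as hex.
        $decoded = switch ($type) {
            4       { if ($data.Length -ge 4) { [BitConverter]::ToUInt32($data, 0) } else { $null } }  # REG_DWORD
            1       { $uni.GetString($data).TrimEnd([char]0) }                                          # REG_SZ
            default { ($data | ForEach-Object { $_.ToString('x2') }) -join '' }
        }
        [pscustomobject]@{ Key = $key; Value = $value; Type = $type; Data = $decoded }
    }
}

# Keys in Registry.pol are relative to HKLM, so match on the Policies path without the hive.
Get-RegistryPolEntry |
    Where-Object { $_.Key -like 'Software\Policies\Microsoft\WindowsFirewall*' } |
    Format-Table Key, Value, Type, Data -AutoSize
```

If the firewall profile subkeys show up with EnableFirewall = 1, the local GPO is the source that keeps switching the firewall back on, and the fix is to change or remove that policy (here, the MDT step that deploys it) rather than to fight it with registry writes after the fact.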