Is anyone monitoring whether the local Windows firewall has been turned off on SCOM monitored servers, and if so how? Is there a nice and easy PowerShell oneliner I could implement?
Thanks!
Hey Peter,
I had the same idea and tried very hard. Finally I gave up. Here is why:
In our environment we use GPOs for firewall rules.
I only know that you can get some details about the firewall when running the following command:
netsh advfirewall show allprofiles
When testing I found that this command doesn’t give reliable information. - Please try it yourself and let me know if it works.
In case it works fine for you, I can help you with a PowerShell script that you can use in the PowerShell.Community.MP.
Best regards
Ruben
Query the registry?
Something like this? (tested on win2016):
PS>(Get-Itemproperty Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile).EnableFirewall
PS>(Get-Itemproperty Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile).EnableFirewall
PS>(Get-Itemproperty Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile).EnableFirewall
Thx&Rgds - M.
Hi Marcus,
Do these values change when you disable the firewall? E.g. if you disable the public profile, what will those registry values look like?
Ruben
On 2016, yes (did not test other OS versions, but I’m assuming it’s probably similar, if not the same).
Enabled returns 1
Disabled returns 0
Note: the StandardProfile key is the key for the Private Profile in the GUI
Thx&Rgds - M.
Another thing I have been trying to get an alert for regarding firewall status is which profile is active. We had a problem when some machines entered the public network profile instead of domain, and then the firewall rules were all wrong for that computer.
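One way to check all three profiles in a single pass, taking into account the Group Policy override Ruben mentioned and also reporting the active network category raised in the post above. This is an added example, not code from anyone in the thread; it assumes the policy-set EnableFirewall values live under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\<Profile> and that a missing value means the firewall defaults to on.

```powershell
# Added example (not from the thread): effective firewall state per profile plus the
# active network category. The GPO policy key is checked first, because when the firewall
# is managed by Group Policy the policy value takes precedence and the local key under
# SharedAccess\Parameters may not reflect the effective state.
$LocalBase  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$PolicyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'   # assumed policy location

# Registry key names differ between the two locations and from the GUI:
# the local key StandardProfile is "Private" in the GUI.
$LocalKeys  = @{ Domain = 'DomainProfile'; Private = 'StandardProfile'; Public = 'PublicProfile' }
$PolicyKeys = @{ Domain = 'DomainProfile'; Private = 'PrivateProfile';  Public = 'PublicProfile' }

function Get-EffectiveFirewallState {
    foreach ($name in 'Domain', 'Private', 'Public') {
        $policy = Get-ItemProperty -Path (Join-Path $PolicyBase $PolicyKeys[$name]) `
                                   -Name EnableFirewall -ErrorAction SilentlyContinue
        $local  = Get-ItemProperty -Path (Join-Path $LocalBase $LocalKeys[$name]) `
                                   -Name EnableFirewall -ErrorAction SilentlyContinue
        if ($null -ne $policy)   { $value = $policy.EnableFirewall; $source = 'GPO' }
        elseif ($null -ne $local) { $value = $local.EnableFirewall;  $source = 'Local' }
        else                     { $value = 1; $source = 'Default' }   # assumed: no value = on
        [PSCustomObject]@{
            Profile = $name
            Enabled = [bool]$value
            Source  = $source
        }
    }
}

# Which category each interface is actually in: a server that lands in "Public"
# gets the Public rule set even if the Domain profile itself is enabled.
function Get-ActiveProfile {
    Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
}

$state = Get-EffectiveFirewallState
$state | Format-Table -AutoSize
$disabled = $state | Where-Object { -not $_.Enabled }
if ($disabled) {
    Write-Warning ("Firewall disabled for profile(s): " + ($disabled.Profile -join ', '))
}
Get-ActiveProfile | Format-Table -AutoSize
```

On Server 2012 and later, `Get-NetFirewallProfile | Select-Object Name, Enabled` reports the same effective per-profile state without reading the registry, and `Get-NetConnectionProfile` requires the NetConnection module shipped with those versions.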
Thanks Marcus, used this and the Community PowerShell management pack to create a 2 state monitor.
Hi All, I’ve updated my Windows Domain firewall monitor, it’s a bit crude but it seems to work:
param([string]$Arguments)
$ScomAPI = New-Object -comObject "MOM.ScriptAPI"
$PropertyBag = $ScomAPI.CreatePropertyBag()
#get Windows Domain FW state from Registry
$FWState=(Get-Itemproperty Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile).EnableFirewall
$PropertyBag.AddValue("FWState",$fwstate)
$fwoff = Get-WinEvent -LogName "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" | Where-Object {$_.Id -eq 2003 -and $_.Message -clike "*Enable*" -and $_.Message -clike "*No*"}
$SID = $fwoff.properties.value.value
$objSID = New-Object System.Security.Principal.SecurityIdentifier($SID)
$objUser = $objSID.Translate([System.Security.Principal.NTAccount])
$PropertyBag.AddValue("username: ", $objUser.Value)
# Send output to SCOM
$PropertyBag
Unhealthy Expression is:
Property[@Name='FWState'] Equals 0
Healthy Expression is:
Property[@Name='FWState'] Equals 1
Alert description is:
The Windows Firewall (Domain) has been disabled by $Data/Context/Property[@Name='username: ']$
This is calculated by a custom monitor using a PowerShell Script that queries the registry every 15 minutes for the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall.
Hi Peter! Late response
I'm getting the following error:
New-Object : Cannot find an overload for "SecurityIdentifier" and the argument count: "4".
Any ideas?
Not sure, but I updated the script recently, so maybe try:
param([string]$Arguments)
$ScomAPI = New-Object -ComObject "MOM.ScriptAPI"
$PropertyBag = $ScomAPI.CreatePropertyBag()
# Get the Windows Domain firewall state from the registry: 1 is on, 0 is off
$FWState = (Get-ItemProperty Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile).EnableFirewall
$PropertyBag.AddValue("FWState", $FWState)
# Firewall log entries whose message records a profile change to Enable = No
$fwoff = Get-WinEvent -LogName "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -clike "*Enable*" -and $_.Message -clike "*No*" }
# Resolve the SID in each event one at a time; passing the whole array to
# New-Object is what produced the "argument count" error
$Results = foreach ($event in $fwoff) {
    $SID = $event.Properties.Value.Value
    $objSID = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $SID
    try {
        $objUser = $objSID.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $objUser = $SID   # account no longer resolvable (deleted or untrusted domain)
    }
    [PSCustomObject]@{
        TimeCreated = $event.TimeCreated
        User        = $objUser
    }
}
# Get-WinEvent returns newest first, so the first result is the most recent change
$LastChange = $Results | Select-Object -First 1
if ($LastChange) {
    $PropertyBag.AddValue("username:", $LastChange.User)
} else {
    $PropertyBag.AddValue("username:", "unknown")
}
# Send only the property bag to SCOM; nothing else goes to the pipeline
$PropertyBag
That's a 2 state PowerShell monitor targeted at the Windows Server class.
Unhealthy Expression is 'Property[@Name='FWState'] Equals 0'
Healthy Expression is 'Property[@Name='FWState'] Equals 1'
Alert description text:
The Windows Firewall (Domain) has been disabled by $Data/Context/Property[@Name='username:']$
This is calculated by a custom monitor using a PowerShell Script that queries the registry every 15 minutes for the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall.