Configure the firewall profile with DSC (Part 1)

I was preparing a DSC configuration for a new server this week and after configuring firewall rules with the xNetworking DSC resources available on the PowerShell Gallery, I realized that having only rules without configuring the firewall profiles is wrong.

Keep in mind DSC is for compliance not security.
CBHOONyWEAEHnWr
In my opinion, we should first configure the firewall rules AND then the firewall profiles.
If you’ve got the rules and an admin turns the firewall off, DSC will either tell you and/or fix the problem depending on the way you configured the ConfigurationMode of the LCM (Local Configuration Manager)
In this case, I’d suggest that the xfirewall DSC should be renamed to xFirewallRule and a new DSC resource xFirewallProfile should be added.

As I was in a hurry, here is the quick and dirty way I used to configure the firewall profiles:

#region WFProfile
Script ApplyFirewallProfile {
GetScript = {
@{
GetScript = $GetScript
SetScript = $SetScript
TestScript = $TestScript
Result = (Get-NetFirewallProfile -All | Select Name,Enabled,Default*)
}
}
SetScript = {
Set-NetFirewallProfile -All -Enabled 'True' -DefaultInboundAction 'Block' -DefaultOutboundAction 'Allow'
}
TestScript = {
$local:problem = $false
Get-NetFirewallProfile -All | ForEach-Object {
if (-not($_.Enabled)) {
Write-Verbose "Firewall profile $($_.Name) is not Enabled"
$local:problem = $true
}
if ($_.DefaultInboundAction -ne 'Block') {
Write-Verbose "Firewall profile $($_.Name) Default Inbound Action is not Block"
$local:problem = $true
}
if ($_.DefaultOutboundAction -ne 'Allow') {
Write-Verbose "Firewall profile $($_.Name) Default Outbound Action is not Allow"
$local:problem = $true
}
}
if ($local:problem) {
Write-Verbose 'Returning false'
return $false
} else {
Write-Verbose 'Returning true'
return $true
}
}
DependsOn = '[xFirewall]Firewall-WINRM-HTTP-In-TCP'
}
#endregion WFProfile

As you can see, I had to explicitly use scopes inside the TestScript block.
In the meantime, I’ve discovered what scopes can be used inside a Tescript block. Using the global or local scope worked but not the script scope.
Using the Set-Variable to define the problem variable in the parent scope didn’t work either.

You may also have noticed that I’ve hardcoded the firewall state, its DefaultInboundAction and DefaultOutboundAction properties.
We’ll see in Part 2 how to create a proper DSC resource and use these as parameters.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.