
Thread: XP SP2 Firewall

  1. #1

    XP SP2 Firewall

    For Christ's sake, if you are running Windows XP SP2 in an enterprise environment turn off that pesky firewall now!!! I have a client with 140+ machines that wants to distribute clients to machines (for inventory - express metrix & websense net agents) via the server, but you can't with that damn firewall enabled...and yes you MUST have admin access to the local box which means I have to walk to every damn machine (yea I can use a script but someone still has to be there to log in to run it). Anyway...that is all...I'm done...

    PS Thanks for creating a place for me to vent...I feel better...suggestions are welcome...

  2. #2
    LOL, I know what you are saying - that's one of the first services/applications that I shut down when setting up a new box on my network. All of the users on my network are behind my corporate firewall and I see no need for each client PC to be running Windows Firewall - I know some will disagree, but that's how it's done on my network....
    - Maverick

  3. #3
    Senior Member
    Join Date
    Feb 2005
    Posts
    153
    I understand your pain. While the default firewall may be enough for general users it simply doesn't cut it when you get down to the integrity of your networks. Unfortunately the only way you could disable the firewall in SP2 remotely is for a remote-desktop session, since they did not code in any sort of remote firewall management.

    You may or may not already have a script to disable the firewall, but if not (and for the readers) here you go:
    Code:
    On Error Resume Next   ' suppress errors
    Set objFirewall = CreateObject("HNetCfg.FwMgr")
    If Err.Number = 0 Then
    ' Object created ok, continue with disabling the FW
    Set objPolicy = objFirewall.LocalPolicy.CurrentProfile
    objPolicy.FirewallEnabled = False
    End If
    On Error Goto 0
    Plug that into a file such as firewall.vbs and save it. Give it a run

    This will completely disable the firewall for XP SP2 without the continual configuration menus you would normally have to go through. Email it to yourself or even slap it on a floppy/usb drive for speed rather than rewrite it each time.
    "It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change."
    - Charles Darwin

  4. #4
    Alpha: thanks for the script, but yes, I do already have it and it's part of my logon script so all I have to do is log on to each machine and then remove that portion of the logon script when I am done with all the machines.

  5. #5
    Junior Member
    Join Date
    Jan 2005
    Posts
    14

    uhhh?

    Just curious why you would not want to go ahead and make that a part of the general login script rather than going from machine to machine. Did I miss why that won't work?

    Falcis

  6. #6
    The people who log on to the machines are not part of the admin group meaning they don't have admin privileges meaning the script would fail. You must be an admin to disable the firewall, therefore I must walk to all machines and run the script myself.

  7. #7
    Senior Member
    Join Date
    Jun 2003
    Posts
    188
    Download psexec from www.sysinternals.com

    put your machine ips in a file say file.txt

    c:\>for /f %i in (file.txt) do psexec \\%i -u administrator -p <password here> sc stop SharedAccess

    this should stop the firewall, if you wish to disable it completely

    try sc delete SharedAccess

  8. #8
    Download psexec from www.sysinternals.com

    put your machine ips in a file say file.txt

    c:\>for /f %i in (file.txt) do psexec \\%i -u administrator -p <password here> sc stop SharedAccess

    this should stop the firewall, if you wish to disable it completely

    try sc delete SharedAccess
    So I tried this and got an error "ip.txt (my file name) was unexpected at this time"

    So then I tried c:\>psexec -i @ip.txt -u administrator -p <password> sc stop (also tried delete) SharedAccess

    and got this...

    Code:
    PsExec v1.63 - Execute processes remotely
    Copyright (C) 2001-2005 Mark Russinovich
    Sysinternals - www.sysinternals.com
    
    \\10.0.1.74:
    Couldn't access 10.0.1.74:
    The network path was not found.
    I'm guessing this didn't work because the firewall wasn't disabled so I couldn't access the machine remotely.

    HELP!

  9. #9
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    One difficulty with this is if you have laptop users, particularly if they have WLAN cards, then they may take their machines out to various other sites.

    There having the firewall disabled is much less of a good idea.

    Then they'll bring all sorts of nasties back in with them when they return. I wonder if there's a recipe which can make it turn off only when logged on to your nice safe lan?

    Slarty

  10. #10
    Originally posted here by slarty
    I wonder if there's a recipe which can make it turn off only when logged on to your nice safe lan?

    Slarty
    I'm on it right now, thumbing through Tim Hill's NT shell scripting book. I know some people that can make some very robust hardcore batch scripts. Since the firewall is an NT native .exe it shouldn't be that difficult. I'll be back with something.
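
The per-network behaviour asked about in posts #9 and #10, as an added example that is not part of the original thread: the XP SP2 firewall keeps separate Domain and Standard profiles, and the same `HNetCfg.FwMgr` object used in post #3 can address each one. This sketch keeps the firewall on in both profiles and opens only the remote administration exception on the Domain profile; the file name `fwprofiles.vbs`, the local-subnet scope, and the idea that this exception is enough for a given deployment tool are assumptions.

```vbscript
' Added example (not from the thread). Run as a local administrator: cscript fwprofiles.vbs
Option Explicit

Const NET_FW_PROFILE_DOMAIN = 0       ' machine is on a network where it reaches its domain
Const NET_FW_PROFILE_STANDARD = 1     ' any other network (home, hotel, open WLAN)
Const NET_FW_SCOPE_LOCAL_SUBNET = 1   ' assumption: management traffic comes from the local subnet

Dim fwMgr, policy
On Error Resume Next
Set fwMgr = CreateObject("HNetCfg.FwMgr")
If Err.Number <> 0 Then
    WScript.Echo "Windows Firewall API not available: " & Err.Description
    WScript.Quit 1
End If
On Error Goto 0
Set policy = fwMgr.LocalPolicy

Report "before"

' Off the LAN: the Standard profile keeps the firewall on.
policy.GetProfileByType(NET_FW_PROFILE_STANDARD).FirewallEnabled = True

' On the LAN: leave the firewall on and open only the remote administration exception.
With policy.GetProfileByType(NET_FW_PROFILE_DOMAIN)
    .FirewallEnabled = True
    .RemoteAdminSettings.Scope = NET_FW_SCOPE_LOCAL_SUBNET
    .RemoteAdminSettings.Enabled = True
End With

Report "after"

' Print which profile is active and the state of both profiles.
Sub Report(label)
    Dim types, names, i, p
    types = Array(NET_FW_PROFILE_DOMAIN, NET_FW_PROFILE_STANDARD)
    names = Array("Domain", "Standard")
    WScript.Echo "[" & label & "] active profile: " & names(fwMgr.CurrentProfileType)
    For i = 0 To 1
        Set p = policy.GetProfileByType(types(i))
        WScript.Echo "  " & names(i) & ": firewall=" & p.FirewallEnabled & _
                     " remote-admin=" & p.RemoteAdminSettings.Enabled
    Next
End Sub
```

The "before" and "after" lines double as an audit record of which machines had either profile switched off.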
