How to turn off Windows 7 Firewall via script or through automation

Tags: scripting, vbscript, windows 7, windows-firewall, windows-registry

This is in regards to working on machines before joining the machine to a domain and although I would love to rely on GPO, that isn't an option at this time.

In the environment I'm working in, the firewall policy is to use a 3rd party firewall app from a Total Endpoint Solution, so I have to disable the default Windows Firewall to prevent conflicts. I do this using a script that I run at the end of an imaging process, or manually on systems I haven't reimaged. For a while, I was able to manage this using:

netsh advfirewall set allprofiles state off

However, that stopped working for some reason. So, I found I needed to clear the local security policy (manually):

Local Security Policy MSC > Windows Firewall with Advanced Security
Right-Click Windows Firewall with Advanced Security - Local Group Policy Object
Clear Policy

This was the script I used to avoid doing it manually:

secedit /configure /db reset /cfg securityprofile

A combination of both steps was working for about a month, then, for no apparent reason, it stopped working.

I began testing a registry hack to achieve what I needed, and it is giving me mixed results. I have two sets of keys with profiles I need to change; for Local Profiles:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile]
"EnableFirewall"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile]
"EnableFirewall"=dword:00000000

For Domain Profiles:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000

The problem I'm having is that the Local Profile keeps regenerating the original settings with the firewall on. I've tried:

  • Attempt 1
    a) Apply both registry hacks
    b) Reboot
    Result on newly imaged machine: no luck
    Result on old machine used for testing: good to go

  • Attempt 2
    a) Apply Local Policy registry hack
    b) Reboot
    Result on newly imaged machine: no luck
    Result on old machine used for testing: good to go

  • Attempt 3
    a) Use secedit to clear Local Security Policy
    b) Apply both registry hacks
    c) Reboot
    Result on newly imaged machine: no luck
    Result on old machine used for testing: good to go

  • Attempt 4
    a) Use secedit to clear Local Security Policy
    b) Apply Local Policy registry hacks
    c) Reboot
    Result on newly imaged machine: no luck
    Result on old machine used for testing: good to go

My goal is to disable the Windows Firewall via script/automation. Any thoughts?

Note: this is prior to joining the machines to the domain. If I manually clear the Local Security Policy from the MSC, then the registry hacks will work. netsh still won't work and I don't want to have to manually clear the policy for every imaged machine.

Best Answer

I'd like to preface this by saying that I strongly urge anyone that disables their Windows firewall to take the time to understand how it works and how to manipulate it via GPO instead of outright turning it off. There's no reason to turn off a host-based firewall. Microsoft makes excellent tools to manage firewall rules; you should use them.

This TechNet article outlines the proper way to disable the Windows Firewall. Don't turn off the service like others have told you, that will put your server into an unsupported configuration and cause flakiness in various scenarios that are hard to troubleshoot.

From the TechNet article, the netsh syntax is

netsh advfirewall set profiles state off

where valid values for profiles are: AllProfiles, CurrentProfile, DomainProfile, PrivateProfile, or PublicProfile.

It appears that you've already tried this exact command and it's not working. You've also pushed the registry keys that this command manipulates. Based on the fact that it used to work and now doesn't, and that these machines are not domain-joined at the time that you are doing this, there is only one conclusion:

There is something in your image that is overriding this. End of story. Since we don't have your image to look at, there's really no way we can give you a specific fix, other than "you're doing it right and if it doesn't work, something in your image is misconfigured."

Honestly, if you're having to run secedit /configure /db reset /cfg securityprofile on your images along with all of this other stuff, you might just be better off making a new image with everything the way you want it.
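The answer's conclusion ("something in your image is overriding this") is testable. The following PowerShell diagnostic is an added example, not code from the question or the answer: it reads the EnableFirewall value from both hives quoted in the question (the policy keys under HKLM\SOFTWARE\Policies, where the private profile is named PrivateProfile, and the local keys under SharedAccess\Parameters\FirewallPolicy, where the same profile is named StandardProfile), parses the effective state out of netsh advfirewall show allprofiles state, and reports whether a local GPO Registry.pol exists, since that file is what the Group Policy client re-applies to the Policies keys and is not touched by netsh. Assumptions, mine rather than the page's: it runs elevated on Windows 7 with PowerShell 2.0 or later (so no Get-NetFirewallProfile), netsh output is in English, and the Registry.pol path is the standard %SystemRoot%\System32\GroupPolicy\Machine location.

```powershell
# Added diagnostic (not from the original post): find out where the Windows Firewall
# "on" state is coming from before scripting it off.
# Assumptions: elevated PowerShell 2.0+ on Windows 7, English netsh output,
# key paths as quoted in the question, default local GPO Registry.pol location.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$localRoot  = 'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy'
$localGpo   = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Registry.pol'

# The policy hive and the local hive name the non-domain profile differently.
$profiles = @(
    @{ Name = 'Domain';  Policy = 'DomainProfile';  Local = 'DomainProfile'   },
    @{ Name = 'Private'; Policy = 'PrivateProfile'; Local = 'StandardProfile' },
    @{ Name = 'Public';  Policy = 'PublicProfile';  Local = 'PublicProfile'   }
)

function Get-EnableFirewall([string]$Key) {
    # Returns 0 or 1 if EnableFirewall is set under $Key, $null if the key or value is absent.
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name EnableFirewall -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return [int]$item.EnableFirewall
}

function Get-EffectiveState {
    # Parses "netsh advfirewall show allprofiles state" into a hashtable:
    # @{ Domain = 'ON'; Private = 'OFF'; Public = 'ON' } (English output assumed).
    $result  = @{}
    $current = $null
    foreach ($line in (netsh advfirewall show allprofiles state)) {
        if ($line -match '^(Domain|Private|Public) Profile Settings') {
            $current = $matches[1]
        } elseif ($current -and $line -match '^State\s+(ON|OFF)') {
            $result[$current] = $matches[1]
        }
    }
    return $result
}

$effective = Get-EffectiveState

# A local GPO Registry.pol is what the Group Policy client rewrites into
# HKLM\SOFTWARE\Policies on refresh; netsh and the local hive do not touch it.
Write-Host ("Local GPO Registry.pol present: {0}" -f (Test-Path $localGpo))
Write-Host ''

foreach ($p in $profiles) {
    $pol = Get-EnableFirewall (Join-Path $policyRoot $p.Policy)
    $loc = Get-EnableFirewall (Join-Path $localRoot  $p.Local)
    # A value under the Policies hive takes precedence over the local SharedAccess value,
    # which is why the netsh command alone does not stick on such a machine.
    $source = if ($pol -ne $null) { 'POLICY (HKLM\SOFTWARE\Policies) - takes precedence' } else { 'local settings' }
    Write-Host ("{0,-8} effective={1,-4} policy EnableFirewall={2,-4} local EnableFirewall={3,-4} controlled by: {4}" -f `
        $p.Name, $effective[$p.Name], $pol, $loc, $source)
}
```

Run it on the freshly imaged machine and on the old test machine and compare: if the new image reports a Registry.pol and an EnableFirewall value under the Policies hive for the profiles that keep coming back ON, the image carries local firewall policy, which is what the answer predicts and what the manual "Clear Policy" step in the MSC removes. The script only reports; it does not stop the service or change either hive.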