Firewall
To make an environment more secure it is important to properly define and configure the firewall on your machines. There are still times, however, when a specific executable must be added as an exception to the firewall's Inbound or Outbound rules so that it can accept or initiate connections.
In this article, let's have a look at how you can configure firewall rules from an MSI with Advanced Installer, VBScript and PowerShell.
Firewall rules with VBScript
Although you can use the HNetCfg.FwAuthorizedApplication COM object from VBScript to define firewall rules, the easiest method is to call the netsh.exe utility that is included in Windows. This command-line utility lets you modify the network configuration of the machine it is running on. One of the commands available for netsh is advfirewall, which switches to the netsh advfirewall context. Going one level deeper into that context, you can type
netsh advfirewall firewall
into an elevated Command Prompt (firewall changes require administrative rights), which lists the following subcommands:
?      - Displays a list of commands.
add    - Adds a new inbound or outbound firewall rule.
delete - Deletes all matching firewall rules.
dump   - Displays a configuration script.
help   - Displays a list of commands.
set    - Sets new values for properties of an existing rule.
show   - Displays a specified firewall rule.
So if we want to add a firewall rule we can use:
netsh.exe advfirewall firewall add rule name=FRIENDLYNAME dir=IN/OUT action=ALLOW/BLOCK program=PATHTOEXE enable=YES/NO profile=domain
Note that netsh spells the deny action "block", not "deny", and that a program path containing spaces must be enclosed in double quotes or netsh will parse the rest of the path as further arguments. If we want to remove a firewall rule we can use:
netsh.exe advfirewall firewall delete rule name=FRIENDLYNAME
Rule names are not unique, so this deletes every rule that matches the given name.
Now that we know how netsh works with firewall rules, let's assume we have a HelloWorld.exe that we want to add to the inbound rules, allowing all inbound connections to that program on the domain profile. With VBScript we can write the following:
Dim WshShell, programFilesX86, programPath, exitCode
Set WshShell = CreateObject("WScript.Shell")
programFilesX86 = WshShell.ExpandEnvironmentStrings("%ProgramFiles(x86)%")
programPath = programFilesX86 & "\Caphyon\Firewall App\HelloWorld.exe"
' The path is wrapped in Chr(34) (a double quote) because "Program Files (x86)" contains spaces.
' The last argument (True) makes Run wait for netsh so its exit code can be checked.
exitCode = WshShell.Run("netsh.exe advfirewall firewall add rule name=HelloWorld dir=in action=allow program=" & Chr(34) & programPath & Chr(34) & " enable=yes profile=domain", 0, True)
If exitCode <> 0 Then WScript.Quit exitCode
This VBScript performs the following actions:
- Dim WshShell, programFilesX86, programPath, exitCode: Declares the variables used by the script, including one to hold a reference to the Windows Script Host Shell object.
- Set WshShell = CreateObject("WScript.Shell"): Creates an instance of the Windows Script Host Shell object.
- programFilesX86 = WshShell.ExpandEnvironmentStrings("%ProgramFiles(x86)%"): Retrieves the path of the "Program Files (x86)" folder (for example C:\Program Files (x86)) by expanding the %ProgramFiles(x86)% environment variable. Because the variable already expands to the full folder path, only the application's own subfolder is appended to it in the next step.
- programPath = programFilesX86 & "\Caphyon\Firewall App\HelloWorld.exe": Appends the application subfolder and file name to produce the full path of "HelloWorld.exe".
- exitCode = WshShell.Run("netsh.exe advfirewall firewall add rule name=HelloWorld dir=in action=allow program=" & Chr(34) & programPath & Chr(34) & " enable=yes profile=domain", 0, True): Runs netsh.exe to add a firewall rule named "HelloWorld" with the specified properties. The rule matches incoming traffic (dir=in), allows it (action=allow) for the quoted path of "HelloWorld.exe" (program=), is enabled (enable=yes), and applies to the domain profile only. The window style 0 hides the console window and True makes the script wait for netsh to finish.
- If exitCode <> 0 Then WScript.Quit exitCode: Propagates a non-zero netsh exit code so that a failed rule creation does not go unnoticed.
Next, open Advanced Installer and navigate to the Custom Actions page. Search for the Launch attached file custom action and select the VBScript file. Then configure the custom action to execute as shown below. Because netsh needs administrative rights, the action has to run as a deferred custom action without impersonation (under the LocalSystem account) and be sequenced after the files are installed; an immediate or impersonated action will fail under UAC. Conditioning it on NOT Installed also avoids creating a duplicate rule on every repair:
As a best practice it is also important to remove the firewall rule during uninstallation. That means we need another custom action with a different VBScript that removes our rule. The VBScript code is:
Dim WshShell, exitCode
Set WshShell = CreateObject("WScript.Shell")
' Deletes every rule named HelloWorld; waits for netsh so the exit code can be returned
exitCode = WshShell.Run("netsh.exe advfirewall firewall delete rule name=HelloWorld", 0, True)
If exitCode <> 0 Then WScript.Quit exitCode
After that, follow the exact same steps as above and configure the custom action as follows, conditioning it on REMOVE="ALL" so it only runs on a full uninstall:
Firewall rules with PowerShell
While netsh is still available and widely used by the community, starting with Windows 8 and Windows Server 2012 you can use the built-in NetSecurity PowerShell module to manage firewall operations.
In total there are about 85 cmdlets available in this module on Windows 10/11, but we are only interested in two of them. To add a firewall rule you can simply do:
$HelloWorldLocation = ${env:ProgramFiles(x86)} + "\Caphyon\Firewall App\HelloWorld.exe"
New-NetFirewallRule -Program $HelloWorldLocation -Action Allow -Profile Domain `
    -DisplayName "HelloWorld" -Description "Allow inbound connections to HelloWorld" -Direction Inbound
Note that the path does not need manual quoting here: it is passed as a single parameter value, so PowerShell preserves the spaces. Removing a firewall rule is even simpler, as we only use the Remove-NetFirewallRule cmdlet:
Remove-NetFirewallRule -DisplayName "HelloWorld"
As with netsh, display names are not unique and this removes every rule with that display name.
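The two cmdlets above are enough for a one-off, but a custom action that runs on install, repair and uninstall should also check that it is elevated, avoid creating duplicate rules, and verify what actually landed before reporting success. The following script is an added example (not code from the article or from Advanced Installer) that combines both operations into one file with an -Uninstall switch; the rule name and program path are the article's, while the parameter names and the function names are this example's own choices.

```powershell
# Added example: install/uninstall the HelloWorld rule with the NetSecurity module.
# Assumptions: the rule name and program path match the article; the -Uninstall
# switch and the Add-/Remove-HelloWorldRule functions are this script's own naming.
[CmdletBinding()]
param(
    [string]$DisplayName = 'HelloWorld',
    [string]$Program = (Join-Path ${env:ProgramFiles(x86)} 'Caphyon\Firewall App\HelloWorld.exe'),
    [switch]$Uninstall
)

$ErrorActionPreference = 'Stop'

# Firewall changes need an elevated token. As a deferred MSI custom action without
# impersonation this is LocalSystem; run by hand it must be an elevated prompt.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error 'This script must run elevated to modify firewall rules.' -ErrorAction Continue
    exit 1
}

function Remove-HelloWorldRule {
    # Display names are not unique, so remove every match. This serves both the
    # uninstall path and the "clean before re-create" step on repair/upgrade.
    $existing = @(Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue)
    if ($existing.Count -gt 0) {
        $existing | Remove-NetFirewallRule
    }
    return $existing.Count
}

function Add-HelloWorldRule {
    # Do not open an exception for a program that is not installed: the rule would
    # then apply to whatever binary is later dropped at that path.
    if (-not (Test-Path -LiteralPath $Program -PathType Leaf)) {
        throw "Program not found: $Program"
    }

    Remove-HelloWorldRule | Out-Null

    New-NetFirewallRule -DisplayName $DisplayName `
        -Description 'Allow inbound connections to HelloWorld' `
        -Direction Inbound -Action Allow -Profile Domain `
        -Program $Program -Enabled True | Out-Null

    # Verify what was actually created: direction/action live on the rule object,
    # the program path lives on the rule's application filter.
    $rule   = Get-NetFirewallRule -DisplayName $DisplayName
    $filter = $rule | Get-NetFirewallApplicationFilter
    if ($rule.Direction -ne 'Inbound' -or $rule.Action -ne 'Allow' -or
        $filter.Program -ne $Program) {
        throw "Rule '$DisplayName' exists but does not match the requested settings."
    }
}

try {
    if ($Uninstall) {
        $count = Remove-HelloWorldRule
        Write-Output "Removed $count rule(s) named '$DisplayName'."
    } else {
        Add-HelloWorldRule
        Write-Output "Rule '$DisplayName' created for $Program."
    }
    exit 0
} catch {
    # A non-zero exit code lets the custom action fail, so the installer can roll back
    # instead of finishing with a missing or wrong rule.
    Write-Error $_ -ErrorAction Continue
    exit 1
}
```

Run it without arguments from the install custom action and with -Uninstall from the uninstall one; in both cases the exit code tells the installer whether the firewall is in the expected state. The Test-Path check and the post-creation comparison are the two safeguards worth keeping even if you trim the rest: the first prevents a dangling allow rule, the second catches a rule that was created with a normalised or truncated path.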
Next, open Advanced Installer and navigate to the Custom Actions page. Search for the Run PowerShell script file custom action and select the PowerShell script. Then configure the custom action to execute as shown below; as with the VBScript variant, it must be deferred and run without impersonation so the cmdlets have the rights to change the firewall:
To also add the PowerShell script that removes the rule, follow the same steps as above and apply the following configuration:
Firewall rules with Advanced Installer
If you would rather not write code, Advanced Installer makes adding firewall rules much simpler. First, navigate to the Windows Firewall page.
Next, click New Rule. This opens a new window in which you can define the details of your exception:
As you can see, you can choose the direction, display name, program path, protocol and other settings directly from the GUI. In our case we wanted to mimic the netsh and PowerShell rules above, so we set the same values in the GUI.
And that is it: Advanced Installer creates the exception during installation and removes it during uninstallation, so there is no need to create two separate custom actions for it.
All you have to do is build and install the MSI package. After the installation, if we check the Inbound Rules in Windows Defender Firewall with Advanced Security, our rule is there: