Wednesday, June 02, 2004

Windows XP Service Pack 2 and the Windows Firewall

At TechEd (DEV370) Jon Box and I discussed programmatically manipulating the Windows Firewall so that you could write code to prompt the user at install time to add the application or its ports to the application permissions list. This matters on boxes with SP2 because the firewall is on by default, so any application that accepts inbound connections (without first making an outbound connection to the host) will have its communications blocked.

Unfortunately, in the RC1 version the type library that you'll need for creating objects to manipulate the firewall is not created for you. This means that you either have to create a factory class to handle it or create your own type library by running the MIDL compiler over the NetFw.h file in the SDK.

In the talk we showed a factory class that Jon wrote that creates the INetFwMgr object that is the entry point into managing the firewall, the INetFwProfile object used to manipulate profiles, the INetFwAuthorizedApplication object to handle adding applications to the permissions list, and the INetFwOpenPort object used to add a port to the permissions list. The sealed class looks as follows.

Public NotInheritable Class XPSP2Wrapper

' Factory only: no instances, all members are Shared
Private Sub New()
End Sub

Public Shared Function GetFwMgr() As NetFwTypeLib.INetFwMgr
Dim oINetFwMgr As NetFwTypeLib.INetFwMgr
Dim NetFwMgrObject As Object
Dim NetFwMgrType As Type

' Here's how you use the COM CLSID to get the associated .NET System.Type
NetFwMgrType = Type.GetTypeFromCLSID(New Guid("{304CE942-6E39-40D8-943A-B913C40C9CD4}"))

' Create an instance of the object
NetFwMgrObject = Activator.CreateInstance(NetFwMgrType)

' Cast to the proper interface (explicit so it compiles under Option Strict On)
oINetFwMgr = DirectCast(NetFwMgrObject, NetFwTypeLib.INetFwMgr)

Return oINetFwMgr
End Function

Public Shared Function GetProfile() As NetFwTypeLib.INetFwProfile
Dim oINetPolicy As NetFwTypeLib.INetFwPolicy
Dim oINetFwMgr As NetFwTypeLib.INetFwMgr

'Get FwMgr COM object
oINetFwMgr = GetFwMgr()

'Create object representing Local Policy
oINetPolicy = oINetFwMgr.LocalPolicy
' CurrentProfile is the domain or standard profile that is active right now
Return oINetPolicy.CurrentProfile
End Function

Public Shared Function CreateAuthorizedApplication() As NetFwTypeLib.INetFwAuthorizedApplication
Dim oComObject As Object
Dim oType As Type
Dim oIAuthApp As NetFwTypeLib.INetFwAuthorizedApplication

'Here's how you use the COM CLSID to get the associated .NET System.Type
oType = Type.GetTypeFromCLSID(New Guid( _
"{EC9846B3-2762-4A6B-A214-6ACB603462D2}"))

' Create an instance of the object
oComObject = Activator.CreateInstance(oType)

'cast to proper interface
oIAuthApp = DirectCast(oComObject, NetFwTypeLib.INetFwAuthorizedApplication)

Return oIAuthApp
End Function

Public Shared Function CreateOpenPort() As NetFwTypeLib.INetFwOpenPort
Dim oComObject As Object
Dim oType As Type
Dim oIOpenPort As NetFwTypeLib.INetFwOpenPort

'Here's how you use the COM CLSID to get the associated .NET System.Type
oType = Type.GetTypeFromCLSID(New Guid( _
"{0CA545C6-37AD-4A6C-BF92-9F7610067EF5}"))

' Create an instance of the object
oComObject = Activator.CreateInstance(oType)

'cast to proper interface
oIOpenPort = DirectCast(oComObject, NetFwTypeLib.INetFwOpenPort)

Return oIOpenPort
End Function

' Helper to render a network connection status (NETCONLib) for logging
Public Shared Function GetStatusDesc( _
ByVal status As NETCONLib.tagNETCON_STATUS) As String

Select Case status
Case NETCONLib.tagNETCON_STATUS.NCS_AUTHENTICATING
Return "Authenticating"
Case NETCONLib.tagNETCON_STATUS.NCS_AUTHENTICATION_FAILED
Return "Auth Failed"
Case NETCONLib.tagNETCON_STATUS.NCS_AUTHENTICATION_SUCCEEDED
Return "Auth Succeeded"
Case NETCONLib.tagNETCON_STATUS.NCS_CONNECTED
Return "Connected"
Case NETCONLib.tagNETCON_STATUS.NCS_CONNECTING
Return "Connecting"
Case NETCONLib.tagNETCON_STATUS.NCS_CREDENTIALS_REQUIRED
Return "CredReq"
Case NETCONLib.tagNETCON_STATUS.NCS_DISCONNECTED
Return "Disconnected"
Case NETCONLib.tagNETCON_STATUS.NCS_DISCONNECTING
Return "Disconnecting"
Case NETCONLib.tagNETCON_STATUS.NCS_HARDWARE_DISABLED
Return "Hardware disabled"
Case NETCONLib.tagNETCON_STATUS.NCS_HARDWARE_MALFUNCTION
Return "Hardware malfunctioned"
Case NETCONLib.tagNETCON_STATUS.NCS_HARDWARE_NOT_PRESENT
Return "Hardware not present"
Case NETCONLib.tagNETCON_STATUS.NCS_INVALID_ADDRESS
Return "Invalid Address"
Case NETCONLib.tagNETCON_STATUS.NCS_MEDIA_DISCONNECTED
Return "Media Disconnected"
Case Else
' Never return Nothing for an unlisted status; fall back to the enum name
Return status.ToString()
End Select

End Function

End Class

We then use the factory methods in private methods within a Windows Installer class (inherited from Installer) that adds and removes an application from the permissions list.

Private Sub AddToPermissionsList(ByVal name As String, ByVal imageName As String, _
ByVal enabled As Boolean, ByVal profile As INetFwProfile)
' Add the application to the Windows Firewall Permissions List.
' 'scope' (like name, image and appEnabled used in Install) is a class-level
' field filled in by GetArgs from CustomActionData; NET_FW_SCOPE_ALL admits
' any remote address, NET_FW_SCOPE_LOCAL_SUBNET is the narrower choice.

Dim app As INetFwAuthorizedApplication = XPSP2Wrapper.CreateAuthorizedApplication

app.Enabled = enabled
app.Scope = scope
app.Name = name
' The full path of the executable is the key of the entry in the list
app.ProcessImageFileName = imageName
profile.AuthorizedApplications.Add(app)
End Sub

Private Sub RemoveFromPermissionsList(ByVal imageName As String, ByVal profile As INetFwProfile)
' Remove the application from the Windows Firewall Permissions List
' (keyed by the same image file name that was used to add it)
profile.AuthorizedApplications.Remove(imageName)
End Sub
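The post mentions INetFwOpenPort but only shows the application-based entry. As an added example (not code from the post or the TechEd sample), here is the port-based counterpart for the same Installer class, which assumes the XPSP2Wrapper factory above and an Imports NetFwTypeLib at file scope; it checks for an existing entry by enumeration rather than calling Item(), which raises a COM error when the port is absent.

```vbnet
Private Function IsPortOpen(ByVal port As Integer, ByVal protocol As NET_FW_IP_PROTOCOL_, _
    ByVal profile As INetFwProfile) As Boolean
    ' Walk GloballyOpenPorts instead of calling Item(port, protocol), which
    ' throws when there is no matching entry
    Dim p As INetFwOpenPort
    For Each p In profile.GloballyOpenPorts
        If p.Port = port AndAlso p.Protocol = protocol Then Return True
    Next
    Return False
End Function

Private Sub AddPortToPermissionsList(ByVal name As String, ByVal port As Integer, _
    ByVal protocol As NET_FW_IP_PROTOCOL_, ByVal profile As INetFwProfile)
    ' A single port entry is narrower than authorizing the whole image: only
    ' this port is reachable, whatever process ends up listening on it
    If IsPortOpen(port, protocol, profile) Then Return

    Dim openPort As INetFwOpenPort = XPSP2Wrapper.CreateOpenPort()
    openPort.Name = name
    openPort.Port = port
    openPort.Protocol = protocol
    openPort.IpVersion = NET_FW_IP_VERSION_.NET_FW_IP_VERSION_ANY
    ' Restrict to the local subnet unless the service really needs Internet reach
    openPort.Scope = NET_FW_SCOPE_.NET_FW_SCOPE_LOCAL_SUBNET
    openPort.Enabled = True
    profile.GloballyOpenPorts.Add(openPort)
End Sub

Private Sub RemovePortFromPermissionsList(ByVal port As Integer, _
    ByVal protocol As NET_FW_IP_PROTOCOL_, ByVal profile As INetFwProfile)
    ' Remove is keyed by port and protocol, the same pair used to add it
    If IsPortOpen(port, protocol, profile) Then
        profile.GloballyOpenPorts.Remove(port, protocol)
    End If
End Sub
```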

These methods are called from the overridden Uninstall and Install methods. For example, the Install method of the installer class calls a private GetArgs method that collects the arguments passed in through the CustomActionData property and then uses the arguments to add the application to the permissions list. The arguments are collected from custom dialogs in the setup application that ask the user if the application can be added to the permissions list.

Public Overrides Sub Install(ByVal state As IDictionary)
' Populate the class-level fields (name, image, appEnabled) from CustomActionData
GetArgs()
MyBase.Install(state)

Dim objV4Mgr As INetFwMgr

Try
objV4Mgr = XPSP2Wrapper.GetFwMgr()
Catch ex As Exception
' Could not instantiate so perhaps not running XPSP2; nothing to configure
Context.LogMessage("Could not instantiate NetFwV4Mgr class [" & ex.Message & "]")
Return
End Try

Try
' Add the application to the permissions list of the active profile
AddToPermissionsList(name, image, appEnabled, _
objV4Mgr.LocalPolicy.CurrentProfile)
Catch e As Exception
' Surface the failure to the installer so the user sees it rather than a silent no-op
Context.LogMessage(e.Message)
Throw New InstallException(e.Message)
End Try
End Sub
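The post describes an overridden Uninstall but shows only Install. As an added example (not code from the post or the TechEd sample), here is a matching Uninstall that removes the entry again, plus a check that the entry will actually take effect; it assumes the same Installer class, the XPSP2Wrapper factory, the RemoveFromPermissionsList method above and the image field set by GetArgs.

```vbnet
Private Function ExceptionsUsable(ByVal profile As INetFwProfile) As Boolean
    ' With "Don't allow exceptions" set (e.g. by Group Policy) the entry we add
    ' is ignored, so log it rather than silently promising the user connectivity
    If profile.ExceptionsNotAllowed Then
        Context.LogMessage("Firewall exceptions are disabled by policy; entry will not take effect")
        Return False
    End If
    If Not profile.FirewallEnabled Then
        Context.LogMessage("Firewall is off for the current profile; entry added for when it is enabled")
    End If
    Return True
End Function

Public Overrides Sub Uninstall(ByVal state As IDictionary)
    ' Same CustomActionData fields as at install time, including 'image'
    GetArgs()
    MyBase.Uninstall(state)

    Dim objV4Mgr As INetFwMgr
    Try
        objV4Mgr = XPSP2Wrapper.GetFwMgr()
    Catch ex As Exception
        ' No firewall COM object, so nothing was added at install time either
        Context.LogMessage("Could not instantiate INetFwMgr [" & ex.Message & "]")
        Return
    End Try

    Try
        ' Leave the box as we found it: a stale exception outlives the product
        RemoveFromPermissionsList(image, objV4Mgr.LocalPolicy.CurrentProfile)
    Catch e As Exception
        ' Don't fail the uninstall over a missing entry, but record it
        Context.LogMessage("Firewall entry not removed [" & e.Message & "]")
    End Try
End Sub
```

Call ExceptionsUsable on the profile before AddToPermissionsList in Install so the log records why connectivity may still be blocked.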

Of course the user running the installation application must be logged on as an Administrator on the box, since changing the firewall policy is a privileged operation.
