I found that GP applied rules are in the registry at HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules, and locally applied rules are at HKLM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
I'm going to try to use Regkeytomof to extend inventory mof files to collect keys in those places. For at least Remote Desktop. That way I should be able to report on everything that has a local RDP rule to start. I can think about a DCM rule to remove the local rule later when we get around to remediating that.

Todd

From: [email protected] [mailto:[email protected]] On Behalf Of Mike Dzikowski
Sent: Tuesday, November 10, 2015 11:24 PM
To: [email protected]
Subject: RE: [mssms] inventory firewall rules?

A good way to do this would be with a DCM rule. You could write a rule to detect if the GPO is enabled by querying this class in WMI:

class RSOP_GPO
{
    string id;
    string name = "";
    string guidName = "";
    uint32 version = 0;
    boolean enabled = TRUE;
    uint8 securityDescriptor[];
    string fileSystemPath = "";
    boolean accessDenied = FALSE;
    string filterId = "";
    boolean filterAllowed = TRUE;
    string extensionIds[];
};

You'll need the GUID of the GPO and enabled, properties of RSOP_GPO.

Mike D-

________________________________
From: [email protected]
To: [email protected]
Subject: [mssms] inventory firewall rules?
Date: Tue, 10 Nov 2015 22:34:54 +0000

Can SCCM do it? Discovered today that local any-any RDP rules apply even when domain GPO RDP rules are applied at the same time. I was able to RDP to a resource from someplace I should not have been able to. With the exit of XP/2003 we can now write policies for just the advanced firewall, but I need to know where local rules are in place, and what they are. How can I collect them/report on them? Compliance items?

Todd

Todd Mote, MCP, MCSA+Messaging, MCSE | [email protected]
Enterprise Systems Management | Information Technology Services | The University of Texas at Austin
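Added example, not part of the thread or anyone's posted code: a PowerShell script that reads the two FirewallRules keys discussed above and reports enabled inbound allow rules for TCP 3389, showing whether each came from Group Policy or the local store and whether it has a remote-address restriction. The function names are hypothetical, the local key is given with its full path under HKLM\SYSTEM, and the field names (Action, Active, Dir, Protocol, LPort, RA4, Profile, Name) are assumed to follow the pipe-delimited format Windows stores in these values.

```powershell
# Added example. Each value under these keys is a pipe-delimited rule string, e.g.
#   v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|Name=Sample|   (constructed)
$keys = [ordered]@{
    GroupPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules'
    # Local rules; full provider path under the SYSTEM hive
    Local       = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
}

function ConvertFrom-FirewallRuleString {   # hypothetical helper name
    param([string]$Text)
    $fields = @{}   # LPort, RA4 and Profile can repeat, so keep a list per field
    foreach ($part in $Text.Split('|')) {
        $i = $part.IndexOf('=')
        if ($i -lt 1) { continue }          # skips the version token and the empty tail
        $k = $part.Substring(0, $i)
        if (-not $fields.ContainsKey($k)) { $fields[$k] = @() }
        $fields[$k] += $part.Substring($i + 1)
    }
    $fields
}

function Test-RdpAllowRule {                # hypothetical helper name
    param([hashtable]$Rule)
    # Enabled, inbound, allow, TCP (protocol 6), local port 3389 listed explicitly
    ($Rule['Action'] -contains 'Allow') -and
    ($Rule['Active'] -contains 'TRUE') -and
    ($Rule['Dir'] -contains 'In') -and
    ($Rule['Protocol'] -contains '6') -and
    ($Rule['LPort'] -contains '3389')
}

$report = foreach ($source in $keys.Keys) {
    $path = $keys[$source]
    if (-not (Test-Path $path)) { continue }    # key is absent when no rules of that kind exist
    $key = Get-Item -Path $path
    foreach ($id in $key.GetValueNames()) {
        $rule = ConvertFrom-FirewallRuleString -Text ([string]$key.GetValue($id))
        if (-not (Test-RdpAllowRule -Rule $rule)) { continue }
        $remote  = 'Any'; if ($rule['RA4'])     { $remote  = $rule['RA4'] -join ',' }
        $profile = 'Any'; if ($rule['Profile']) { $profile = $rule['Profile'] -join ',' }
        [pscustomobject]@{
            Source   = $source                  # GroupPolicy or Local
            RuleId   = $id
            Name     = $rule['Name'] -join ','  # built-in rules show a resource reference here
            Profile  = $profile
            RemoteV4 = $remote                  # 'Any' means no IPv4 source restriction
        }
    }
}
$report | Sort-Object Source, RuleId | Format-Table -AutoSize
```

Rules that cover 3389 only through a port range or an all-ports allow are not matched by this check and need a separate test. Rows with Source `Local` and RemoteV4 `Any` correspond to the local any-any RDP case described in the original question.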
