Re: XP Firewall Status via SMS\SCCM?

I don't think my last message made it into the newsgroup; so trying again.
If this ends up a duplicate; sorry.

Basically: Failure.

Problem #1: in root\microsoft\homenet, the hnet_connectionproperties class,
the keyfield of Connection is a reference type, so it 'references' another
area of WMI (Hnet_connection), and sms_def.mof doesn't appear to like a
Reference type. At least I got zero results when I tried.

Problem #2: On my XP test box, when I had the firewall on vs. off; nothing
changed anyway in the hnet_connectionproperties about true vs. false for
"isfirewallenabled", so I think it's the same issue as seen with the service:
it may be running, but whether or not it's on vs. off isn't reflected in this
wmi area. Or I've picked on the completely wrong wmi namespace; but my
search didn't reveal a different wmi namespace than this one for figuring
that out.

So. My suggestion is back to using GPOs to confirm that if you've mandated
a firewall setting via GPO, that the GPO is applied to that box. If you're
using SMS2003, use one of the MOF edits I outlined. If you're using
Configuration Manager, instead of a MOF edit you could instead use Desired
Configuration Management to check GPOs.

"Sherry Kissinger [MVP]" wrote:

Hey Russ/Garth, I've got time to throw a mof edit together, but not
necessarily the time to test this.

I'm thinking you'll want 2 additional things added to sms_def.mof (it's in
wmi, so no edits needed to configuration.mof, and no mofcomp's necessary on
your clients if you are still sms2003). The reason is in my opinion, the
data you need is in two wmi classes: 1 to get TRUE/FALSE about enabled, and
another to link which is which if you happen to have multiple network
connections. Probably not too often; but I noticed on 1 test box I have that
I did have two nics; and would need to know if firewall was enabled on 1, and
not on the other.

Hmm... in looking at wmi in Hnet_ConnectionProperties, one of the fields is
a "Reference" type. I've never done a 'reference'. String, boolean, int16
int32 int64, sure, but never reference. I might have to test this one!

the other class is hnet_connection in root\microsoft\homenet. That was is
straight-forward; but it's only useful if I can get
hnet_connectionproperties. I'll have to play for a bit and get back to you.

If it get it working, I'll blog it on
http://myitforum.com/cs2/blogs/skissinger.

Oh, by the way, there is a firewall edit in the Mini Monster Mof builder;
but it's really just to check whether or not the firewall policy is on or
not. Since it sounds like you aren't checking for that, i.e., you don't
actually have a policy, just are trusting that people are leaving the
firewall enabled, and that's why you are checking this way?

If you do have a GPO to keep firewall on, there's also an edit to grab GPO
information from your clients (see my blog). Maybe either one of those will
be adequate. (Especially if I can't figure out the CIM_Reference typy of WMI
edit)

"Garth Jones" wrote:

My quick look at this, says it can be done but it would take more than a few
minutes to do and test. I’m booked solid until after www.mms-2009.com is
over. If you are lucky Sherry will pop her head in a say Russ/Garth, I’ve
got time to do and test this.





"Russ" <Russ@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1CA0981B-AF6C-4256-A178-04124D98DB8A@xxxxxxxxxxxxxxxx
Hi - Does anyone know of a way to determine if the XP firewall is on
within
SMS\SCCM? I can tell if the service is on, but the firewall can still be
turned off while the service is still running. Cheers!

--
Desktop Engineer

.

Relevant Pages

  • Re: XP Firewall Status via SMSSCCM?
    ... wmi area. ... a firewall setting via GPO, that the GPO is applied to that box. ... instead of a MOF edit you could instead use Desired ...
    (microsoft.public.sms.admin)
  • Re: Need help modifying Group Policy
    ... the Firewall attributes, I was looking at the report, not the editor. ... which of the two SBS Client ... Computer GPO should I edit? ...
    (microsoft.public.windows.server.sbs)
  • Re: XP Firewall Status via SMSSCCM?
    ... Hey Russ/Garth, I've got time to throw a mof edit together, but not ... wmi, so no edits needed to configuration.mof, and no mofcomp's necessary on ... Oh, by the way, there is a firewall edit in the Mini Monster Mof builder; ...
    (microsoft.public.sms.admin)
  • Re: allow standard user to install drivers
    ... Microsoft Windows XP Operating System Group Policy Result tool v2.0 ... GPO: SECURITE ... GPO: Default Domain Policy ... GPO: FIREWALL ...
    (microsoft.public.windows.server.active_directory)
  • Re: Changing firewall settings in Group Policy Editor
    ... Small Business Server Internet Connection Firewall ... Add a GPO with the required exceptions so the all PCs are affected. ... double-click Windows Firewall: ...
    (microsoft.public.windows.server.sbs)
Loading