netsh firewall /?
netsh firewall show state
netsh firewall show allowedprogram
netsh firewall show portopening
netsh firewall set opmode disable
netsh firewall set opmode enable
netsh firewall add allowedprogram ...
netsh firewall add portopening ...
netsh firewall add allowedprogram c:\path\to\app.exe xappx
netsh firewall add portopening TCP 3389 RDP enable ALL
netsh firewall add portopening TCP 80 HTTP enable subnet
netsh firewall add portopening UDP 137 SMB enable subnet
netsh firewall add portopening UDP 138 SMB enable subnet
netsh firewall add portopening TCP 139 SMB enable subnet
netsh firewall add portopening TCP 445 SMB enable subnet
--------------------------------------------------------------------------------
Remotely Disable Windows Firewall if NetBIOS is Accessible:
o psexec \\remotehost cmd
o netsh firewall set opmode disable
--------------------------------------------------------------------------------
netsh firewall add portopening ...

netsh firewall add portopening PROTOCOL PORT NAME MODE SCOPE ADDRESS PROFILE INTERFACE

  [ protocol = ] TCP|UDP|ALL
  [ port = ] 1-65535
  [ name = ] name
  [ [ mode = ] ENABLE|DISABLE
    [ scope = ] ALL|SUBNET|CUSTOM
    [ addresses = ] addresses
    [ profile = ] CURRENT(default)|DOMAIN|STANDARD|ALL
    [ interface = ] name ]

Remarks:
  'profile' and 'interface' may not be specified together.
  'scope' and 'interface' may not be specified together.
  'scope' must be 'CUSTOM' to specify 'addresses'.

Examples:
  add portopening TCP 80 xHTTPx
  add portopening UDP 500 IKE ENABLE ALL
  add portopening ALL 53 DNS ENABLE CUSTOM 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
  add portopening protocol = TCP port = 80 name = MyWebPort
  add portopening protocol = UDP port = 500 name = IKE mode = ENABLE scope = ALL
  add portopening protocol = ALL port = 53 name = DNS mode = ENABLE scope = CUSTOM addresses = 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet

netsh firewall add allowedprogram ...

  [ program = ] path
  [ name = ] name
  [ [ mode = ] ENABLE|DISABLE
    [ scope = ] ALL|SUBNET|CUSTOM
    [ addresses = ] addresses
    [ profile = ] CURRENT(default)|DOMAIN|STANDARD|ALL ]

Remarks:
  'scope' must be 'CUSTOM' to specify 'addresses'.

Examples:
  add allowedprogram c:\path\to\app.exe xapp ENABLE CUSTOM 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
  add allowedprogram program = c:\path\to\app.exe name = xapp mode = ENABLE scope = CUSTOM addresses = 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
--------------------------------------------------------------------------------
now > %temp%\%computername%-fwe.log
netsh firewall show allowedprogram >> %temp%\%computername%-fwe.log
netsh firewall show portopening >> %temp%\%computername%-fwe.log
copy /Y %temp%\%computername%-fwe.log \\fileserver\FirewallExceptions
--------------------------------------------------------------------------------
Disabling the Windows Firewall Using Group Policy

o Computer Configuration | Administrative Templates | Network | Network Connections | Windows Firewall
    Domain Profile:
    Standard Profile:
      disabled: Windows Firewall: Protect all network connections
o Computer Configuration | Administrative Templates | Network | Network Connections | Windows Firewall
    enabled: Prohibits use of Internet Connection Firewall on your DNS domain network
o Determines whether users can enable the Internet Connection Firewall feature on a connection, and if the Internet Connection Firewall service can run on a computer.
o Important: This setting is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply.
o If you enable this setting, Internet Connection Firewall cannot be enabled or configured by users (including administrators), and the Internet Connection Firewall service cannot run on the computer. The option to enable the Internet Connection Firewall through the Advanced tab is removed. In addition, the Internet Connection Firewall is not enabled for remote access connections created through the Make New Connection Wizard. The Network Setup Wizard is disabled.
o Note: If you enable the "Windows Firewall: Protect all network connections" policy setting, the "Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting has no effect on computers that are running Windows Firewall, which replaces Internet Connection Firewall when you install Windows XP Service Pack 2.

If you disable this setting or do not configure it, the Internet Connection Firewall is disabled when a LAN Connection or VPN connection is created, but users can use the Advanced tab in the connection properties to enable it. The Internet Connection Firewall is enabled by default on the connection for which Internet Connection Sharing is enabled. In addition, remote access connections created through the Make New Connection Wizard have the Internet Connection Firewall enabled.
--------------------------------------------------------------------------------
Disabling the Windows Firewall Using Local Policy

This method is for IT administrators with administrative access to unmanaged systems or locally managed systems where the machine is not part of a Windows 2000 or higher domain.

start/run: gpedit.msc

Computer Configuration | Administrative Templates | Network | Network Connections | Windows Firewall
  Standard Profile
    disabled: Windows Firewall: Protect all network connections
  Domain Profile
    disabled: Windows Firewall: Protect all network connections
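--------------------------------------------------------------------------------
Added example (not part of the original notes): a Python check that applies the three Remarks listed under "add portopening" to commands found in a deployment script, and marks enabled rules whose scope is ALL or not set for review. The sample commands, the interface name LAN1 and the finding texts are constructed; it assumes rule names contain no spaces.

```python
import re

# Positional order taken from the syntax line on this page.
ORDER = ["protocol", "port", "name", "mode", "scope", "addresses", "profile", "interface"]
ALLOWED = {"protocol": {"TCP", "UDP", "ALL"}, "mode": {"ENABLE", "DISABLE"},
           "scope": {"ALL", "SUBNET", "CUSTOM"},
           "profile": {"CURRENT", "DOMAIN", "STANDARD", "ALL"}}
# Constructed sample commands, as they might appear in a deployment script.
SAMPLE = [
    "netsh firewall add portopening TCP 3389 RDP ENABLE ALL",
    "netsh firewall add portopening protocol = TCP port = 445 name = SMB mode = ENABLE scope = SUBNET",
    "netsh firewall add portopening protocol = TCP port = 80 name = Web scope = SUBNET addresses = 10.0.0.0/255.0.0.0",
    "netsh firewall add portopening protocol = UDP port = 500 name = IKE profile = DOMAIN interface = LAN1",
]

def parse(cmd):
    """Return the parameters of one 'add portopening' command as a dict."""
    args = re.sub(r"^.*?add\s+portopening\s*", "", cmd.strip(), flags=re.I)
    args = re.sub(r"\s*=\s*", "=", args)      # 'port = 80' -> 'port=80'
    params, pos = {}, 0
    for tok in args.split():                  # assumption: names have no spaces
        if "=" in tok:
            key, val = tok.split("=", 1)
            params[key.lower()] = val
        elif pos < len(ORDER):
            params[ORDER[pos]] = tok
            pos += 1
    return params

def lint(cmd):
    """Check one command against the page's syntax and Remarks."""
    p, findings = parse(cmd), []
    for key, allowed in ALLOWED.items():
        if key in p and p[key].upper() not in allowed:
            findings.append(f"error: {key} '{p[key]}' is not one of {sorted(allowed)}")
    if not (p.get("port", "").isdecimal() and 1 <= int(p["port"]) <= 65535):
        findings.append("error: port must be 1-65535")
    if "interface" in p and "profile" in p:
        findings.append("error: 'profile' and 'interface' may not be specified together")
    if "interface" in p and "scope" in p:
        findings.append("error: 'scope' and 'interface' may not be specified together")
    scope = p.get("scope", "").upper()
    if "addresses" in p and scope != "CUSTOM":
        findings.append("error: 'addresses' requires scope CUSTOM")
    if p.get("mode", "").upper() != "DISABLE" and scope in ("", "ALL") and "interface" not in p:
        findings.append("review: scope is ALL or not set; restrict to SUBNET or CUSTOM addresses")
    return findings

if __name__ == "__main__":
    for cmd in SAMPLE:
        print(cmd, "->", lint(cmd) or "ok")
```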