Scanning for Firewall Enabled

Purpose:

You wish to scan to see whether or not the firewall is enabled on each firewall profile.

Resolution:

This information may be found in the Registry under the following keys for each of the three firewall profiles:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall

Create a scan profile (or edit an existing one) and add a Registry scanner with the following patterns:

[Screenshot: Registry scanner patterns]

Once scanned, your computers should have three entries with the value name EnableFirewall with a value of either 1 (enabled) or 0 (disabled).

[Screenshot: scan results showing the EnableFirewall entries]

You may then create collections/reports that filter on these values. For example, the following collection would find any computer on which the domain firewall profile is disabled.

[Screenshot: example collection filter]
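
To spot-check a single machine against what the scanner reports, the same three values can be read locally. This is an added example, not part of the original article or the product; the function name Get-FirewallRegistryState is hypothetical, and it assumes a missing key or value should be reported separately rather than treated as 0.

```powershell
# Added example: read EnableFirewall for each profile from the keys listed above.
$base     = 'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy'
$profiles = 'DomainProfile', 'StandardProfile', 'PublicProfile'

# Hypothetical helper name; emits one object per firewall profile.
function Get-FirewallRegistryState {
    param(
        [string]   $BasePath     = $base,
        [string[]] $ProfileNames = $profiles
    )
    foreach ($name in $ProfileNames) {
        $key   = Join-Path $BasePath $name
        $raw   = $null
        $state = 'Missing'   # key or value absent: do not assume 0 or 1
        if (Test-Path -LiteralPath $key) {
            $item = Get-ItemProperty -LiteralPath $key -Name EnableFirewall -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $raw   = $item.EnableFirewall
                $state = switch ($raw) {
                    1       { 'Enabled' }
                    0       { 'Disabled' }
                    default { 'Unexpected' }   # anything other than the two documented values
                }
            }
        }
        [pscustomobject]@{
            Computer       = $env:COMPUTERNAME
            Profile        = $name
            EnableFirewall = $raw
            State          = $state
        }
    }
}

$results = Get-FirewallRegistryState
$results | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or deployment step flag the machine.
$notEnabled = @($results | Where-Object { $_.State -ne 'Enabled' })
if ($notEnabled.Count -gt 0) {
    Write-Warning ("Firewall not confirmed enabled for: " + ($notEnabled.Profile -join ', '))
    exit 1
}
```

StandardProfile is the registry name for the Private profile, so a machine reporting Enabled for all three rows has the firewall turned on for Domain, Private, and Public.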
