Granting permissions to individual Windows Firewall rules
In our application deployment process, we have a multitude of PowerShell scripts that execute to automate this process. To help make this process as secure as possible, we only give the service account used to run these processes the least amount of permissions needed. During the deployment process, we would like to block access into the system by enabling/disabling Windows Firewall rules. My problem is that in this Windows Server 2008 environment, I'm unable to find a way to give the service account access to only a select few Windows Firewall rules, so we can also automate the enable/disable of firewall rules. I am aware that the service account can be added to groups to give it access to enable/disable all Windows Firewall rules, but giving this account access to all Windows Firewall rules opens up a security risk that we would like to avoid.
November 7th, 2012 1:17pm

JSKoons, It sounds like you are over-complicating this. Are you just trying to take the server out of a pool of servers for use by enabling the firewall rule? There is a much more simplistic way of doing that.
1. Why are you disabling the ports on the system?
2. What account is the script running under in the first place?
3. How are you enabling/disabling the rules?
4. What ports are you looking at restricting?
5. Is this AD integrated?
I should be able to help if I get more information.
November 7th, 2012 1:34pm

Brenton, Thanks for your response, and I will try to explain our environment better. By default, Windows Firewall is configured to block all traffic to and from our front end web servers. When we are promoting code to our production environment, we would like to have the AD service account that executes the code promotion via PowerShell scripts (from a remote build server) block all incoming requests to the web servers. When the code promotion process gets to the point where it needs to place new code on the web servers, we would like to have the service account disable the firewall rules that allow traffic to the servers. If the service account could be given access to just the few specific firewall rules, then it could disable the rules allowing traffic to the servers, and then re-enable the rules again once the process is completed. The hope was to find a way to allow the service account to just disable the few rules needed to block traffic, without giving the account full access to the firewall. Also, this is an AD integrated network, and the ports that need to be blocked are TCP 80 and 8082. Thanks!
November 7th, 2012 2:33pm

I'm afraid this isn't possible - if it was an attacker could simply change the rule to allow all traffic anyway, effectively bypassing the firewall entirely. Does this solution need to be 100% automated? Perhaps you can change the script to send an email alert to an Admin, then pause execution until the change is made by a real person who has the appropriate access. Outside of that the service account must have full access to the Windows Firewall to do what you are requiring.
November 7th, 2012 3:45pm

Thanks for the response, Neil. We were hoping to keep all Windows Firewall rules limited to only Administrators, but assign the service account permissions to just the few rules that are needed to block access to the servers. This would prevent an attacker from gaining access to the firewall, but allow only the service account to disable/enable a few rules.
November 10th, 2012 1:19pm

JSKoons, Do you use a load balancer of some sort? In a couple of the data center environments that I've worked in, we've leveraged an F5 load balancer to mitigate the traffic flow by taking the website out of service, upgrading, then putting it back into service. The way we did this is to create a file called ".healthy" on the root of the website. This ".healthy" would say the word "OK" or "NOTOK". The F5 load balancer would then look at the ".healthy" and search for only the word "OK". If it was any other word than "OK", it would take the website out of the load balance pool.

To upgrade the code, I would:
1. Have a PowerShell script modify the ".healthy" file to say "NOTOK"
2. Update your code
3. Perform your UAT testing / validation scripts
4. Update the ".healthy" file to say "OK"
5. Wait until your load balancer puts it back into the pool, then move to the next.

The above approach is something a lot of organizations are starting to use as it takes the complication out of the upgrades. If you don't have a load balancer, the only other way to architect (in my eyes) is to:
1. Remotely disable ports 80 and 8082 using "netsh" commands: "netsh advfirewall firewall set rule"
2. Upgrade the code
3. Remotely enable ports 80 and 8082 using "netsh" commands.

Thoughts?
November 12th, 2012 11:51am
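The rolling deployment Brenton describes (mark the node NOTOK, drain, deploy, validate, mark it OK, wait for the monitor) as one PowerShell script run from the build server. This is an added example, not code posted in the thread. Everything about the environment is assumed: the web root is reachable as the hypothetical share \\<server>\wwwroot$, the two inbound allow rules are named "Web HTTP 80" and "Web HTTP 8082" (hypothetical names), and a plain GET of http://<server>/ stands in for the UAT step. The netsh fallback from the second list is included behind a switch so the two approaches can be compared side by side.

```powershell
<#
  Added example for this thread (not Brenton's or JSKoons's code).
  Drains one web server at a time through the ".healthy" marker read by an
  F5 HTTP monitor, deploys, validates, then returns it to the pool.
  Assumptions (hypothetical): share name wwwroot$, rule names below, GET / as smoke test.
#>
param(
    [Parameter(Mandatory = $true)] [string[]] $WebServers,
    [scriptblock] $Deploy,                                   # invoked as: & $Deploy $server
    [string]      $HealthShare  = 'wwwroot$',
    [string[]]    $RuleNames    = @('Web HTTP 80', 'Web HTTP 8082'),
    [int]         $DrainSeconds = 30,
    [switch]      $UseFirewall                               # also toggle the allow rules with netsh
)

Set-StrictMode -Version 2
$ErrorActionPreference = 'Stop'

function Set-HealthMarker {
    param([string] $Path, [ValidateSet('OK', 'NOTOK')] [string] $State)
    # WriteAllText writes exactly the word; Set-Content in PowerShell 2.0 would append a newline.
    [System.IO.File]::WriteAllText($Path, $State, [System.Text.Encoding]::ASCII)
    if ((Get-Content -Path $Path) -ne $State) { throw "Marker $Path did not take value $State" }
}

function Set-WebAllowRules {
    # Toggles the named allow rules with netsh on the remote host.
    # This is the path that needs administrative rights on the web server.
    param([string] $Computer, [string[]] $Names, [ValidateSet('yes', 'no')] [string] $Enable)
    Invoke-Command -ComputerName $Computer -ArgumentList $Names, $Enable -ScriptBlock {
        param($Names, $Enable)
        foreach ($n in $Names) {
            $out = & netsh advfirewall firewall set rule name="$n" new enable=$Enable
            # netsh exits non-zero when no rule matches the name, so a typo in a rule
            # name fails the run instead of silently leaving a port open or closed.
            if ($LASTEXITCODE -ne 0) { throw "netsh failed for rule '$n' on $env:COMPUTERNAME: $out" }
        }
    }
}

function Test-WebServer {
    # Hypothetical validation step: any non-success HTTP status makes DownloadString throw.
    param([string] $Server)
    $null = (New-Object System.Net.WebClient).DownloadString("http://$Server/")
}

foreach ($server in $WebServers) {
    $marker = "\\$server\$HealthShare\.healthy"

    # 1. Take the node out of the pool and let in-flight requests drain.
    Set-HealthMarker -Path $marker -State 'NOTOK'
    Start-Sleep -Seconds $DrainSeconds

    if ($UseFirewall) { Set-WebAllowRules -Computer $server -Names $RuleNames -Enable 'no' }
    try {
        # 2. Update the code while the node is out of rotation.
        if ($Deploy) { & $Deploy $server }
    } finally {
        # Restore the allow rules whatever happened; the marker still keeps the node out.
        if ($UseFirewall) { Set-WebAllowRules -Computer $server -Names $RuleNames -Enable 'yes' }
    }

    # 3./4. Validate, and only then put the node back into rotation.
    try {
        Test-WebServer -Server $server
    } catch {
        throw "Validation failed on $server; left out of the pool (.healthy = NOTOK): $_"
    }
    Set-HealthMarker -Path $marker -State 'OK'

    # 5. Give the monitor time to mark the member up before moving to the next server.
    Write-Host "$server back in the pool; waiting $DrainSeconds s for the monitor."
    Start-Sleep -Seconds $DrainSeconds
}
```

Two points worth checking before relying on this. First, the marker approach is what satisfies the least-privilege goal from the original question: the service account only needs write access to one file per web root, whereas the netsh path (the `-UseFirewall` branch) needs the account to hold administrative rights on every web server, which is the broad access the question was trying to avoid. Second, "NOTOK" contains the substring "OK", so a monitor whose receive string is simply OK may never take the node down; configure the monitor so that the drain value cannot match (an anchored match, or a drain word such as DOWN that does not contain OK) and confirm by watching the pool member state change while the node is marked out.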

Thanks again for your response, Brenton. We do use an F5 device to load balance traffic and have health monitoring set up for the hosts. I really appreciate the idea, and it is something that I will definitely look into. Thanks again for the help!
November 14th, 2012 1:00pm