3. Modifying a Setting
You can programmatically change the Windows Firewall
settings. The Remote Administration example shows how to enable and
disable the Remote Administration feature of the Windows Firewall, but
the same principles hold true for any setting you want to change.
The example begins with a Windows Forms application. Add a button to change the setting (btnChange).
The caption on this button actually changes to show the state of the
feature — Enable when the Remote Administration feature is turned off
and Disable when the Remote Administration feature is turned on.
Example 4. Defining the Remote Administration example global variables
// Create the firewall type.
Type FWManagerType = Type.GetTypeFromProgID("HNetCfg.FwMgr");

// Define a firewall manager object.
dynamic FWManager;

// Define a Remote Administration object.
dynamic RASettings;

// Scope
const Int32 NET_FW_SCOPE_ALL = 0;
const Int32 NET_FW_SCOPE_LOCAL_SUBNET = 1;

public frmMain()
{
    InitializeComponent();

    // Create the firewall manager.
    FWManager = Activator.CreateInstance(FWManagerType);

    // Get the Remote Administration settings.
    RASettings = FWManager.LocalPolicy.CurrentProfile.RemoteAdminSettings;

    // Check the Remote Administration status.
    CheckStatus();
}

private void CheckStatus()
{
    // Set the btnChange caption as needed.
    if ((Boolean)RASettings.Enabled)
        btnChange.Text = "&Disable";
    else
        btnChange.Text = "&Enable";
}
The global variables will require initialization as shown in the frmMain()
constructor. In addition, you need to check the status of the Remote
Administration feature to ensure the button has the correct caption on
it.
As previously mentioned, this example uses a toggle for btnChange. The CheckStatus() method detects the current Remote Administration feature state and sets btnChange accordingly.
Changing the setting is relatively easy, but you need to follow a few rules when doing it. Example 5 shows the code used to change the Remote Administration setting.
Example 5. Modifying the Remote Administration setting
private void btnChange_Click(object sender, EventArgs e)
{
    // Set the Remote Administration settings as needed.
    if ((Boolean)RASettings.Enabled)
    {
        // Turn Remote Administration off.
        RASettings.Enabled = false;
    }
    else
    {
        // Set the Remote Administration to a specific address.
        RASettings.RemoteAddresses = "12.1.1.64/255.255.255.240";

        // Set the Remote Administration to a scope that includes
        // all addresses within the scope.
        //RASettings.Scope = NET_FW_SCOPE_ALL;

        // Turn Remote Administration on.
        RASettings.Enabled = true;
    }

    // Check the status.
    CheckStatus();
}
The code begins by verifying the current Remote
Administration setting. This is an important check because someone
could have modified the setting externally. When you need to turn
Remote Administration off, it's only necessary to set the Enabled property to false.
You can take several approaches when turning Remote
Administration on. The default technique for the example is to supply a
specific address for the RemoteAddresses. In this case, the example uses an IPv4 address of 12.1.1.64 and a mask of 255.255.255.240. (If you want to allow multiple IP addresses, then separate them using commas.) Windows Firewall will automatically set the Scope property to a custom scope in this case. It's also possible to specify a Scope property value such as NET_FW_SCOPE_ALL. In this case, Windows Firewall automatically sets the RemoteAddresses property value to *. In either case, the code must set the Enabled property to true to turn the Remote Administration feature on. The code ends by changing the btnChange caption to match the current Remote Administration state.
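Because the scope decides who can reach the Remote Administration feature, it is worth reading the setting back and sizing it. The following console program is an added example, not code from the original text: it reads the same RemoteAdminSettings object and reports how many IPv4 addresses the RemoteAddresses value admits. The names RemoteAdminAudit, HostCount, Assess and the MaxHosts threshold are assumptions made for illustration.

```csharp
using System;
using System.Net;

static class RemoteAdminAudit            // hypothetical name (added example)
{
    const long MaxHosts = 256;           // assumed review threshold, not from the page

    // Addresses admitted by one "address/mask" entry; null if not sized here.
    static long? HostCount(string entry)
    {
        string[] parts = entry.Trim().Split('/');
        if (parts.Length != 2 || !IPAddress.TryParse(parts[1], out IPAddress mask))
            return null;
        byte[] m = mask.GetAddressBytes();
        if (m.Length != 4) return null;              // IPv4 masks only
        uint bits = (uint)(m[0] << 24 | m[1] << 16 | m[2] << 8 | m[3]);
        uint inv = ~bits;
        if ((inv & (inv + 1)) != 0) return null;     // non-contiguous mask
        return (long)inv + 1;                        // 255.255.255.240 -> 16
    }

    static string Assess(bool enabled, string remoteAddresses)
    {
        if (!enabled) return "OK: Remote Administration is disabled.";
        if (remoteAddresses.Trim() == "*")
            return "WARN: enabled for every address (scope ALL).";
        long total = 0;
        foreach (string entry in remoteAddresses.Split(','))
        {
            long? n = HostCount(entry);
            if (n == null)
                return "REVIEW: cannot size entry '" + entry.Trim() + "'.";
            total += n.Value;
        }
        return total > MaxHosts
            ? "WARN: enabled for " + total + " addresses."
            : "OK: enabled for " + total + " addresses.";
    }

    static void Main()
    {
        // Same COM object the page's example uses; reading it changes nothing.
        Type t = Type.GetTypeFromProgID("HNetCfg.FwMgr");
        dynamic mgr = Activator.CreateInstance(t);
        dynamic ra = mgr.LocalPolicy.CurrentProfile.RemoteAdminSettings;
        Console.WriteLine(Assess((bool)ra.Enabled, (string)ra.RemoteAddresses));
    }
}
```

With the address the page's example sets, 12.1.1.64/255.255.255.240, the mask admits 16 addresses (12.1.1.64 through 12.1.1.79), so the setting is wider than a single host.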
At this point, you're probably wondering precisely
how this change affects the Windows Firewall settings you can see in
the Control Panel. Open the Windows Firewall applet in the Control
Panel and click the Advanced Settings link. You'll see a Windows
Firewall with Advanced Security window. Select the Windows Firewall with Advanced Security\Monitoring\Firewall folder, and you'll see three new entries for Remote Administration as shown in Figure 3.
The single change made by the application produces
all three entries. If you double-click one of these entries, such as
Remote Administration (NP-In), you'll see that the entry does in fact
use the IPv4 address specified by the application, as shown in Figure 4.
Unfortunately, you don't have individual
control over each of the entries. For example, you can't choose to
include just Named Pipes (NP) as a potential avenue for making Windows
Firewall changes from a remote location — you must accept both NP and
Remote Procedure Call (RPC)/Transmission Control Protocol (TCP) as
conduits. In addition, you can't set the protocols individually; a
single change modifies all three protocol entries. Despite these
limitations, you still have programmatic control over the entry
configuration. If you want better control over the entries, then you
must use the entries in the Windows Firewall with Advanced Security\Inbound Rules folder to make the change.