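' Listing 1: Firewall Audit Report.vbs
'
' fwAudit.vbs - read-only audit of the Windows Firewall configuration exposed
' through the HNetCfg.FwMgr COM object. Prints the global settings of one
' firewall profile, the per-interface firewall state, every service,
' application and port exception together with its remote-address scope, and
' any interface-specific port mappings. Nothing is modified.
'
' Usage: fwAudit.vbs [standard|domain|current]     (default: current)
Option Explicit

Dim iType, sType, objPol, objFS
Dim objNSh, objNetConn, objNShCfg, objNCProps
Dim objService, objApp, oPort, sLine, sPorts
Dim colPortMaps, objPortMap, iPortMapCount

WScript.Echo VbCrLf & "Firewall Audit Report" & VbCrLf & String(21, "=") & VbCrLf

' Determine which profile the user wants to audit. The values are those of
' the profile-type enumeration used by GetProfileByType:
' 0 = domain, 1 = standard, 2 = current (whichever of the two is active).
If WScript.Arguments.Count = 0 Then
    iType = 2
Else
    ' WScript.Arguments is zero-based; indexing element 1 with a single
    ' argument raises a subscript error before the Select Case runs.
    Select Case LCase(WScript.Arguments(0))
        Case "domain"
            iType = 0
        Case "standard"
            iType = 1
        Case "current"
            iType = 2
        Case Else
            WScript.Echo "Usage: fwAudit.vbs [standard|domain|current]"
            ' Exit with a non-zero status instead of Stop, which only breaks
            ' into a debugger and otherwise lets the script carry on.
            WScript.Quit 1
    End Select
End If

' BEGIN CALLOUT A
' Create the local policy object for the requested profile.
Set objPol = CreateObject("HNetCfg.FwMgr").LocalPolicy.GetProfileByType(iType)

' Resolve the profile's real type so that a "current" request reports which
' profile is actually in force, and print it (the original computed sType but
' never showed it).
Select Case objPol.Type
    Case 0
        sType = "Domain Policy"
    Case 1
        sType = "Standard Policy"
    Case Else
        sType = "Other (" & objPol.Type & ")"
End Select
WScript.Echo "Profile: " & sType & VbCrLf

' Show the global settings of the profile.
WScript.Echo "Global Settings:"
WScript.Echo GetCheck(objPol.FirewallEnabled) & "Firewall enabled"
WScript.Echo GetCheck(objPol.ExceptionsNotAllowed) & "Don't allow exceptions"
WScript.Echo GetCheck(Not objPol.NotificationsDisabled) & "Notifications" & VbCrLf
' END CALLOUT A

' BEGIN CALLOUT B
' List all network interfaces and show their firewall-enabled status.
WScript.Echo "Per-interface settings:"
Set objNSh = WScript.CreateObject("HNetCfg.HNetShare.1")
For Each objNetConn In objNSh.EnumEveryConnection
    Set objNShCfg = objNSh.INetSharingConfigurationForINetConnection(objNetConn)
    Set objNCProps = objNSh.NetConnectionProps(objNetConn)
    WScript.Echo GetCheck(objNShCfg.InternetFirewallEnabled) & _
        objNCProps.Name & " - " & objNCProps.DeviceName
Next
' END CALLOUT B

' BEGIN CALLOUT C
' Create a table header for the firewall exceptions.
WScript.Echo VbCrLf & VbCrLf & "Exceptions" & VbCrLf & String(10, "=") & VbCrLf
WScript.Echo " X Name" & Space(30) & "Ports" & Space(6) & "Scope"
WScript.Echo String(79, "-")

' List all service exceptions. The check box reflects whether the service
' exception itself is enabled; the original tested the global FirewallEnabled
' flag here, so every service row showed the same state.
For Each objService In objPol.Services
    sLine = GetCheck(objService.Enabled) & FormatColumn(objService.Name, 34)
    ' A service may open several ports; continuation lines are indented to the
    ' Ports column (4 check-box characters + 34-character name column).
    ' The separator goes between entries rather than after each one, so no
    ' trailing characters have to be chopped off and a service with no ports
    ' prints its name intact (the original Trim/Left removed its last letter).
    sPorts = ""
    For Each oPort In objService.GloballyOpenPorts
        If Len(sPorts) > 0 Then sPorts = sPorts & VbCrLf & Space(38)
        sPorts = sPorts & FormatColumn(GetProtocol(oPort.Protocol) & " " & oPort.Port, 11) & _
            FormatColumn(GetScope(oPort), 22)
    Next
    WScript.Echo RTrim(sLine & sPorts)
Next

' List all application exceptions. An exception whose executable no longer
' exists on disk is flagged "** Missing **": it is a stale rule that should be
' reviewed and removed rather than left in the policy.
Set objFS = CreateObject("Scripting.FileSystemObject")
For Each objApp In objPol.AuthorizedApplications
    sLine = GetCheck(objApp.Enabled)
    If objFS.FileExists(objApp.ProcessImageFileName) Then
        sLine = sLine & FormatColumn(objApp.Name, 34)
    Else
        sLine = sLine & FormatColumn(objApp.Name & " ** Missing **", 34)
    End If
    ' Application exceptions allow all ports, so only the scope is shown.
    sLine = sLine & FormatColumn("Any", 11) & GetScope(objApp)
    WScript.Echo sLine
Next

' List all port exceptions.
For Each oPort In objPol.GloballyOpenPorts
    sLine = GetCheck(oPort.Enabled) & FormatColumn(oPort.Name, 34) & _
        FormatColumn(GetProtocol(oPort.Protocol) & " " & oPort.Port, 11) & _
        FormatColumn(GetScope(oPort), 22)
    WScript.Echo sLine
Next
' END CALLOUT C

' BEGIN CALLOUT D
' Show any interface-specific port mappings. objNSh from callout B is reused;
' there is no need to create a second sharing-manager object.
WScript.Echo VbCrLf & VbCrLf & "Interface-Specific Port Mappings" & VbCrLf & String(32, "=") & VbCrLf
For Each objNetConn In objNSh.EnumEveryConnection
    Set objNShCfg = objNSh.INetSharingConfigurationForINetConnection(objNetConn)
    Set objNCProps = objNSh.NetConnectionProps(objNetConn)
    Set colPortMaps = objNShCfg.EnumPortMappings(0)

    ' Count the enabled mappings first so that interfaces without any are
    ' skipped entirely instead of printing an empty table.
    iPortMapCount = 0
    For Each objPortMap In colPortMaps
        If objPortMap.Properties.Enabled = True Then iPortMapCount = iPortMapCount + 1
    Next

    ' List any port mappings for this interface.
    If iPortMapCount > 0 Then
        WScript.Echo VbCrLf & objNCProps.Name & " - " & objNCProps.DeviceName & VbCrLf
        WScript.Echo "Name" & Space(17) & "External Port" & Space(8) & "Internal Port" & Space(4) & "Internal IP Address"
        WScript.Echo String(79, "-")
        ' Re-fetched as the original did; the enumerator is not assumed to be
        ' rewindable after the counting pass above.
        Set colPortMaps = objNShCfg.EnumPortMappings(0)
        For Each objPortMap In colPortMaps
            If objPortMap.Properties.Enabled = True Then
                ' The protocol name comes from GetProtocol; the original also
                ' computed an unused sProto here.
                WScript.Echo FormatColumn(objPortMap.Properties.Name, 21) & _
                    FormatColumn(GetProtocol(objPortMap.Properties.IPProtocol) & _
                        " Port " & objPortMap.Properties.ExternalPort, 21) & _
                    FormatColumn(objPortMap.Properties.InternalPort, 17) & _
                    FormatColumn(objPortMap.Properties.TargetIPAddress, 20)
            End If
        Next
    End If
Next
' END CALLOUT D

' Translate an IP protocol number to its name (6 = TCP, 17 = UDP);
' anything else is reported as "Other".
Function GetProtocol(Protocol)
    Select Case Protocol
        Case 6
            GetProtocol = "TCP"
        Case 17
            GetProtocol = "UDP"
        Case Else
            GetProtocol = "Other"
    End Select
End Function

' Describe the remote-address scope of an exception or mapping object:
' 0 = any address, 1 = local subnet only, 2 = the custom list held in
' RemoteAddresses. An unrecognised value is reported explicitly instead of
' yielding Empty (the original had no Case Else).
Function GetScope(oPort)
    Select Case oPort.Scope
        Case 0
            GetScope = "Any computer"
        Case 1
            GetScope = "Local subnet"
        Case 2
            GetScope = oPort.RemoteAddresses
        Case Else
            GetScope = "Unknown (" & oPort.Scope & ")"
    End Select
End Function

' Pad or truncate sText to exactly iLength characters. A truncated value keeps
' one trailing space as the column separator. Non-string values (port numbers,
' addresses) are converted to text first; a local copy is used because
' VBScript passes arguments by reference.
Function FormatColumn(sText, iLength)
    Dim s
    s = CStr(sText)
    If Len(s) >= iLength Then
        FormatColumn = Left(s, iLength - 1) & " "
    Else
        FormatColumn = s & Space(iLength - Len(s))
    End If
End Function

' Render a boolean as a check box: "[X] " when True, "[ ] " otherwise.
' (The original derived the character arithmetically from True = -1, which
' only worked for genuine Boolean values.)
Function GetCheck(Condition)
    If CBool(Condition) Then
        GetCheck = "[X] "
    Else
        GetCheck = "[ ] "
    End If
End Function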