The Windows Firewall is controlled using the netsh command together with the advfirewall context. The command is easy to use once you know the syntax. The most basic task is enabling the firewall, done by issuing the set verb with a profile (here the current profile) and setting the state to on, as follows:
netsh advfirewall set currentprofile state on
Or if you were controlling the domain profile:
netsh advfirewall set domainprofile state on
You can also set other options within a profile. To set the firewall policy to always block inbound traffic and allow outbound traffic, use set currentprofile followed by firewallpolicy as the option to set, then blockinboundalways and allowoutbound separated by a comma:
netsh advfirewall set currentprofile firewallpolicy blockinboundalways,allowoutbound
To restore the firewall configuration to its defaults, use the reset verb:
netsh advfirewall reset
To open incoming access to just the file and printer sharing services:
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
Or remote desktop connections:
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes profile=domain
Because the Windows Firewall can be stateful, you can also allow a program access (inbound or outbound), as with the following app called SecureApp.exe:
netsh advfirewall firewall add rule name="Secure App" dir=in action=allow program="C:\Program Files\SecureApp.exe" enable=yes
Or to restrict that app:
netsh advfirewall firewall add rule name="Secure App" dir=in action=block program="C:\Program Files\SecureApp.exe" enable=yes
You can also allow based on an IP address or range of addresses by adding the remoteip parameter:
netsh advfirewall firewall add rule name="Secure App" dir=in action=allow program="C:\Program Files\SecureApp.exe" enable=yes remoteip=206.13.28.12,LocalSubnet profile=domain
Or to open a specific port:
netsh advfirewall firewall add rule name="Open SSL" dir=in action=allow protocol=TCP localport=443
Overall, the netsh advfirewall command is easy to use and allows a lot of programmatic control of the Windows Firewall without having to learn complex scripting. And of course, to disable the firewall, change the on in the initial command to off:
netsh advfirewall set currentprofile state off
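Since the profile state and firewall policy set above can be switched off just as easily, a defender usually wants a check that the baseline is still in place. The following audit script is an added example, not part of the original post: it parses the text that netsh advfirewall show allprofiles prints (the SAMPLE_OUTPUT below is a constructed, trimmed copy of that format, with the public profile deliberately left OFF) and reports any profile whose state is not ON or whose inbound policy is not BlockInbound or BlockInboundAlways.

```python
import re
# Constructed sample of "netsh advfirewall show allprofiles" output, trimmed to the
# fields the audit cares about; the Public profile is OFF so there is something to flag.
SAMPLE_OUTPUT = """\
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInboundAlways,AllowOutbound

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound
"""

def parse_profiles(text):
    """Map each profile name (Domain/Private/Public) to its key/value settings."""
    profiles, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\w+) Profile Settings:", line)
        if m:
            current = m.group(1)
            profiles[current] = {}
            continue
        if current is None or not line.strip() or line.startswith("-"):
            continue
        # netsh pads the value column with runs of spaces; split on the first run
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) == 2:
            profiles[current][parts[0]] = parts[1]
    return profiles

def audit(profiles):
    """Return (profile, problem) pairs for anything weaker than the baseline."""
    findings = []
    for name, settings in profiles.items():
        if settings.get("State", "").upper() != "ON":
            findings.append((name, "firewall is off"))
        inbound = settings.get("Firewall Policy", "").split(",")[0]
        if inbound not in ("BlockInbound", "BlockInboundAlways"):
            findings.append((name, f"inbound policy is {inbound or 'unknown'}"))
    return findings
```

To audit a live host, pipe the real output in, e.g. netsh advfirewall show allprofiles > fw.txt, then call audit(parse_profiles(open("fw.txt").read())).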