This procedure guides you through the process of using desired configuration management in Configuration Manager 2007 to create a general configuration item with WQL query settings that determine whether the Windows Firewall service is started and set to start automatically.

Purpose of the Configuration Item

These configuration items check a useful security setting that helps protect computers from unauthorized incoming connections: the Windows Firewall service must be running and must start automatically. The firewall is hosted by a different service on the two operating systems (MpsSvc on Windows Vista; SharedAccess, the Windows Firewall/Internet Connection Sharing (ICS) service, on Windows XP), so the WHERE clause of the WQL query setting differs, and both procedures are given as separate configuration items.

Note
If you need to check the firewall settings for both operating systems, configure the first configuration item and then duplicate it. Then modify the duplicate so that it has a unique name, unique description, the correct WQL query, and the correct operating systems specified for applicability.

These configuration items can also be used as a simple test to ensure that desired configuration management is working as expected, because the expected result is easy to verify: a computer on which the firewall service is running and set to Automatic should report compliant, and one on which the service is stopped, or set to Manual or Disabled, should report noncompliant with the Warning severity configured below.

Procedure for Windows Vista

To author a general configuration item that checks that the firewall service is started and set to start automatically on computers running Windows Vista:

  1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Computer Management / Desired Configuration Management.

  2. Expand the Desired Configuration Management node, right-click Configuration Items, click New, and then click General Configuration Item.

  3. On the Identification page of the Create General Configuration Item Wizard, specify the following:

    • Name: Specify a unique and descriptive name for the configuration item, such as Security Setting for Windows Vista: Windows Firewall Enabled.

    • Description: Specify a description for the configuration item, such as This configuration item determines whether the firewall service is started and set to automatically start on computers running Windows Vista.

    • Click Next twice.

  4. On the Settings page of the Create General Configuration Item Wizard, click New, and then click WQL Query.

  5. In the New WQL Query Settings Properties dialog box, specify the following on the General tab:

    • Display name: Windows Firewall is running

    • Description: Checks if Windows Firewall service is running

    • Namespace: Root\CIMV2

    • Class: Win32_Service

    • Property: Started

    • WQL query WHERE clause: Name="MpsSvc"

  6. Click the Validation tab, and then specify the following:

    • Data Type: String

    • Details: Click the New icon.

  7. In the Configure Validation dialog box, specify the following:

    • Name: Started=true.

    • Description: Service should be started.

    • Operator: Equals

    • Value: true

    • Severity: Warning

  8. Click OK twice to close the New WQL Query Setting Properties dialog box.

  9. On the Settings page of the Create General Configuration Item Wizard, click New, and then click WQL Query.

  10. In the New WQL Query Settings Properties dialog box, specify the following on the General tab:

    • Display name: Windows Firewall starts automatically

    • Description: Checks if Windows Firewall service starts automatically

    • Namespace: Root\CIMV2

    • Class: Win32_Service

    • Property: StartMode

    • WQL query WHERE clause: Name="MpsSvc"

  11. Click the Validation tab, and then specify the following:

    • Data Type: String

    • Details: Click the New icon.

  12. In the Configure Validation dialog box, specify the following:

    • Name: StartMode=Auto.

    • Description: Service should start automatically.

    • Operator: Equals

    • Value: Auto

    • Severity: Warning

  13. Click OK twice to close the New WQL Query Setting Properties dialog box.

  14. On the Settings page of the Create General Configuration Item Wizard, click Next.

  15. On the Applicability page of the Create General Configuration Item Wizard, specify the following:

    • All x64 Windows Vista

    • All x86 Windows Vista

    • x64 Windows Vista Original Release

    • x86 Windows Vista Original Release

  16. Click Next twice, and close the Wizard Completed page.

Procedure for Windows XP

To author a general configuration item that checks that the firewall service is started and set to start automatically on computers running Windows XP Professional:

  1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Computer Management / Desired Configuration Management.

  2. Expand the Desired Configuration Management node, right-click Configuration Items, click New, and then click General Configuration Item.

  3. On the Identification page of the Create General Configuration Item Wizard, specify the following:

    • Name: Specify a unique and descriptive name for the configuration item, such as Security Setting for Windows XP: Windows Firewall Enabled.

    • Description: Specify a description for the configuration item, such as This configuration item determines whether the firewall service is started and set to automatically start on computers running Windows XP.

    • Click Next twice.

  4. On the Settings page of the Create General Configuration Item Wizard, click New, and then click WQL Query.

  5. In the New WQL Query Settings Properties dialog box, specify the following on the General tab:

    • Display name: Windows Firewall is running

    • Description: Checks if Windows Firewall service is running

    • Namespace: Root\CIMV2

    • Class: Win32_Service

    • Property: Started

    • WQL query WHERE clause: Name="SharedAccess"

  6. Click the Validation tab, and then specify the following:

    • Data Type: String

    • Details: Click the New icon.

  7. In the Configure Validation dialog box, specify the following:

    • Name: Started=true.

    • Description: Service should be started.

    • Operator: Equals

    • Value: true

    • Severity: Warning

  8. Click OK twice to close the New WQL Query Setting Properties dialog box.

  9. On the Settings page of the Create General Configuration Item Wizard, click New, and then click WQL Query.

  10. In the New WQL Query Settings Properties dialog box, specify the following on the General tab:

    • Display name: Windows Firewall starts automatically

    • Description: Checks if Windows Firewall service starts automatically

    • Namespace: Root\CIMV2

    • Class: Win32_Service

    • Property: StartMode

    • WQL query WHERE clause: Name="SharedAccess"

  11. Click the Validation tab, and then specify the following:

    • Data Type: String

    • Details: Click the New icon.

  12. In the Configure Validation dialog box, specify the following:

    • Name: StartMode=Auto.

    • Description: Service should start automatically.

    • Operator: Equals

    • Value: Auto

    • Severity: Warning

  13. Click OK twice to close the New WQL Query Setting Properties dialog box.

  14. On the Settings page of the Create General Configuration Item Wizard, click Next.

  15. On the Applicability page of the Create General Configuration Item Wizard, specify the following:

    • All x64 Windows XP Professional

    • All x86 Windows XP

    • x64 Windows XP Professional SP1

    • x64 Windows XP Professional SP2

    • x86 Windows XP Professional Service Pack 2

  16. Click Next twice, and close the Wizard Completed page.

Next Steps

Now that you have created these general configuration items, they can be added to a configuration baseline using the following configuration baseline rule:

  • These application and general configuration items are required and must be properly configured

Assign this configuration baseline to Windows Vista and Windows XP Professional computers that should have the Windows Firewall service running and set to start automatically, and investigate the computers that report noncompliance.
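As an added example that is not part of this Configuration Manager documentation: the following Windows PowerShell script runs the same Root\CIMV2 Win32_Service query that the two WQL query settings in both procedures above use, and applies the same two Equals validations (Started=true and StartMode=Auto) locally or against a remote computer. Use it to confirm the values a client actually returns on a pilot computer before assigning the baseline, and to look at a computer that reports noncompliance. The function names, the -ComputerName parameter and the use of Win32_OperatingSystem.Version to choose MpsSvc (Windows Vista) or SharedAccess (Windows XP) are this example's own choices; it assumes Windows PowerShell 2.0 or later and WMI access to the target.

```powershell
# Added example (not part of the Configuration Manager documentation).
# Runs the same Win32_Service query as the CI's two WQL query settings and
# applies the same validations: Started = true and StartMode = Auto.
# Assumes Windows PowerShell 2.0 or later and WMI access to the target.

function Get-FirewallServiceName {
    param([string]$ComputerName = '.')
    # Assumption of this example: choose the service by OS major version.
    # Vista (6.x) hosts the firewall in MpsSvc; XP (5.x) in SharedAccess
    # (Windows Firewall/Internet Connection Sharing (ICS)).
    $os = Get-WmiObject -Namespace 'Root\CIMV2' -Class Win32_OperatingSystem `
                        -ComputerName $ComputerName
    $major = [int]($os.Version.Split('.')[0])
    if ($major -ge 6) { 'MpsSvc' } else { 'SharedAccess' }
}

function Test-FirewallServiceCompliance {
    param(
        [string]$ComputerName = '.',
        [string]$ServiceName  = (Get-FirewallServiceName -ComputerName $ComputerName)
    )

    # Same namespace, class, properties and WHERE clause as the CI settings.
    $query = "SELECT Name, Started, StartMode FROM Win32_Service WHERE Name='$ServiceName'"
    $svc   = Get-WmiObject -Namespace 'Root\CIMV2' -Query $query -ComputerName $ComputerName

    $result = New-Object PSObject -Property @{
        ComputerName = $ComputerName
        Service      = $ServiceName
        Exists       = $false
        Started      = $null
        StartMode    = $null
        Compliant    = $false
        Failed       = @()
    }

    if (-not $svc) {
        # The WHERE clause matched nothing: there is no value for the CI to
        # validate, so treat the computer as noncompliant rather than silent.
        $result.Failed = @('Service not found')
        return $result
    }

    # WMI reports Started as the boolean True/False and StartMode as one of
    # Auto, Manual, Disabled, Boot or System. Compare as strings,
    # case-insensitively (PowerShell -ne), against the CI's literal values.
    $failed = @()
    if (([string]$svc.Started)   -ne 'true') { $failed += 'Started=true' }
    if (([string]$svc.StartMode) -ne 'Auto') { $failed += 'StartMode=Auto' }

    $result.Exists    = $true
    $result.Started   = [string]$svc.Started
    $result.StartMode = $svc.StartMode
    $result.Failed    = $failed
    $result.Compliant = ($failed.Count -eq 0)
    $result
}

# Local check. Add -ComputerName <name> to examine a computer that reported
# noncompliance; the remote call needs the Windows Management Instrumentation
# (WMI) firewall exception enabled on that computer.
Test-FirewallServiceCompliance |
    Format-List ComputerName, Service, Exists, Started, StartMode, Compliant, Failed
```

Note that WMI returns Started as True rather than the lowercase true entered as the validation Value above. If a client reports noncompliance on the Started=true validation while this script shows the service running, compare the exact string the client returned (visible in the compliance report details) with the validation's Value and operator before changing the service configuration.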

See Also