I’m going to access the web now…

More experimentation with Managed C++, I mean C++/CLI, and running into an old friend: the Windows Firewall. My code wants to access the Internet, and Windows – properly – wants the user to approve this random piece of code doing that. It’s doing the right thing.

But the problem is until the user clicks approve, my application can’t access the Internet. I wouldn’t mind if it just sat there and waited. But that’s not what happens.

[image: firewall1]

[image: firewall2]

The thing is – I see countless applications demonstrate this behavior, it seems to be “tolerated sloppiness”. You just know you have to restart the application, right? And good behavior is supposed to be that you make sure the permission is granted during installation.

But surely such ready access to the Firewall rules just defeats the purpose of them? I mean, most trojans today add themselves to the firewall permission list and the user is never aware of them. As a result – users generally only get to have to approve legitimate software or turn the feature off entirely.

There must be some mechanism for requesting approval?

Some mechanism for saying “Hey Firewall, Willst thou grant me connection upon port 80 outward towards yonder resource? And I’ll wait while you figure it out”.

It’s not the “WebPermission” system Microsoft offers – which I really don’t understand the point of – because when I query it for the URL I’m about to access, it tells me I have permission, and then throws up the above dialog when I actually try to access it. UGH!

Caution: Sloppy code ahead (bits of cut & paste from MSDN)

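using namespace System;
using namespace System::Net;

String^ urlToUse = L"http://www.atdot.dotat.org/";
try
    {
        // Build a permission for the URL and demand it.
        WebPermission^ grant = gcnew WebPermission() ;
        grant->AddPermission(NetworkAccess::Connect, urlToUse) ;
        grant->Demand() ;

        // List the URIs this permission object holds for Connect access.
        System::Collections::IEnumerator^ myConnectEnum = grant->ConnectList;
        Console::WriteLine( "\nThe 'URIs' with 'Connect' permission are :\n" );
        while ( myConnectEnum->MoveNext() )
        {
            String^ url = myConnectEnum->Current->ToString() ;
            Console::WriteLine( "\t{0}", url );
        }

        // The actual request; the firewall alert shows up when this runs.
        System::Net::HttpWebRequest^ request = dynamic_cast<System::Net::HttpWebRequest^>(WebRequest::Create(urlToUse)) ;
        System::Net::WebResponse^ response = request->GetResponse() ;
        int i = 1 ; // placeholder statement
    }
    catch ( Exception^ ex )
    {
        int i = 1 ; // placeholder statement; the exception is swallowed
    }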

Running the code through … the WebPermission stuff tells us “http://www.atdot.dotat.org/” is accessible, but then fires up the Firewall alert a moment later when we ask to actually access it.

Maybe I’m being over generous to Microsoft here – but I’m assuming there has to be a way to do this… I want to know if I have permission to access the resources rather than getting back an error saying they were unavailable. UGH!
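`WebPermission` is a .NET code access security check and knows nothing about firewall state; the firewall's own rules are read through the Windows Firewall COM API. As an added example (not code from this post or from Microsoft), the PowerShell below queries `HNetCfg.FwPolicy2` and reports whether an enabled program rule covers a given executable. The function names and the sample rules are made up for illustration, and it assumes Windows Vista or later with PowerShell 3 or later.

```powershell
# Added example. Constants are from the Windows Firewall COM API (netfw.h).
$NET_FW_RULE_DIR_OUT = 2   # NET_FW_RULE_DIR_IN is 1
$NET_FW_ACTION_BLOCK = 0   # NET_FW_ACTION_ALLOW is 1

function Resolve-FirewallVerdict {
    # Hypothetical helper: pure decision logic over rule objects.
    # Returns 'Allow', 'Block' or 'NoRule' (NoRule: the profile default applies).
    param(
        [object[]]$Rules,
        [string]$ProgramPath,
        [int]$Direction,
        [int]$ActiveProfiles      # bitmask: 1 = domain, 2 = private, 4 = public
    )
    # Only program-specific rules are considered; rules with an empty
    # ApplicationName (they apply to every program) are skipped.
    $matching = @($Rules | Where-Object {
        $_.Enabled -and
        $_.Direction -eq $Direction -and
        ($_.Profiles -band $ActiveProfiles) -ne 0 -and
        $_.ApplicationName -and
        [Environment]::ExpandEnvironmentVariables($_.ApplicationName) -ieq $ProgramPath
    })
    if ($matching.Count -eq 0) { return 'NoRule' }
    # An explicit block rule takes precedence over any allow rule.
    if ($matching | Where-Object { $_.Action -eq $NET_FW_ACTION_BLOCK }) { return 'Block' }
    return 'Allow'
}

function Get-ProgramFirewallVerdict {
    # Hypothetical wrapper: reads the live rule set and the active profiles.
    param([string]$ProgramPath, [int]$Direction = $NET_FW_RULE_DIR_OUT)
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    $rules  = @($policy.Rules | ForEach-Object { $_ })
    Resolve-FirewallVerdict -Rules $rules -ProgramPath $ProgramPath `
        -Direction $Direction -ActiveProfiles $policy.CurrentProfileTypes
}

# Constructed sample rules (not real firewall state) to exercise the logic offline.
$sample = @(
    [pscustomobject]@{ ApplicationName = '%ProgramFiles%\Demo\demo.exe'
                       Direction = 2; Action = 1; Enabled = $true; Profiles = 7 },
    [pscustomobject]@{ ApplicationName = 'C:\Other\other.exe'
                       Direction = 2; Action = 0; Enabled = $true; Profiles = 4 }
)
$demoPath = Join-Path $env:ProgramFiles 'Demo\demo.exe'
Resolve-FirewallVerdict -Rules $sample -ProgramPath $demoPath -Direction 2 -ActiveProfiles 2
```

Reading the rules this way does not make the firewall wait for the user; it only tells the application or installer whether a matching rule is already in place before the first connection is attempted.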

9 Comments

Hi kfsone! I don’t know if you will remember me but you and I were once squad mates in the “Red Raiders”, I went by the call sign “seesaw”. I was just surfing about tonight and I ran across a mention of the Red Raiders and well I eventually ran across this page of yours. Hope you and yours are well.

Rumors have it the ‘Block now, then open, then block again, then ask me’ option is being added in the next update.

You should move that white box to the right down closer to the OK button, so if there was a list in that box it would be easier for someone to select it then click ok.

Then you could put a picture in the blank space…..a winning idea.

Teh fail – the white box is an image. Take a second to review the thread and then you get one guess why it’s blank ;-P

ohhh – actual irony! how rare.

Add the firewall policy yourself, before launch…

http://msdn.microsoft.com/en-us/library/bb736280(VS.85).aspx

It will request Administrator privileges from you, but that’s correct.

Umm… I just forgot one important tip…

Maybe you will need to point to the correct path to the application to open the firewall when adding a rule, and your build must work in any Windows version from XP to Windows 7, for several languages… English, Spanish, Chinese, etc.

The best practice is to retrieve the correct system path from those HexCodes:

http://www.microsoft.com/technet/scriptcenter/guide/sas_fil_higv.mspx?mfr=true

I’m a system admin with a lot of scripting experience and in my hospital I have lots of different operating systems in many languages… and I can assure you that this method works even in Windows 7 :)

Thanks, Cid: The working example pertains to Windows Firewall, not a generic firewall methodology, and the technet thing applies to Windows 2000 Script Hosting. Unfortunately Windows Firewall sounds generic but it is actually the name of a (built-in) product.

Fortunately the new Installer actually adds the rules we need.
