How to Disable the Guest OS Firewall of an Azure VM (ARM)

Mitigation 1: Custom Script Extension

1. Open up a Blank Notepad and paste the following into it:

Set-ItemProperty -Path ‘HKLM:SYSTEMCurrentControlSetservicesSharedAccessParametersFirewallPolicyDomainProfile’ -name “EnableFirewall” -Value 0

Set-ItemProperty -Path ‘HKLM:SYSTEMCurrentControlSetservicesSharedAccessParametersFirewallPolicyPublicProfile’ -name “EnableFirewall” -Value 0

Set-ItemProperty -Path ‘HKLM:SYSTEMCurrentControlSetservicesSharedAccessParametersFirewallPolicyStandardprofile’ -name “EnableFirewall” -Value 0

2. Save the file as disablefirewall.ps1
3. Navigate to the Azure Portal
4. Select the impacted VM
5. Select extensions
   

6. Select Add
7. Select Custom Script Extension
   

8. Select Create
9. Select the disablefirewall.ps1 created in the previous steps
10. Install the .ps1 file. No arguments are needed.
    

11. Go back to the extensions tab and wait for the Custom Script to report as successful
12. Attempt to RDP to the machine. If it fails, restart the VM and attempt to RDP to it again.

Mitigation 2: Remote Registry

1. Login to another virtual machine located in the same Vnet as the impacted machine
2. Open up Regedit
3. Select File -> Connect Remote Registry
4. Input the internal IP address of the impacted machine and select Check Names
   
   
5. If the machine is found select OK and connect to the Registry
6. Once connected navigate to HKEY_LOCAL_MACHINESYSTEMControlSet001SharedAccessParametersFirewallPolicy
7. Change Domain ProfileEnableFirewall from 1 to 0
8. Change Public ProfileEnableFirewall from 1 to 0
9. Change Standard ProfileEnableFirewall from 1 to 0
10. Disconnect from Remote Registry
11. Try to RDP to the virtual machine
12. If it fails restart the VM and try again 

Mitigation 3: Manual Registry Changes

1. If Azure PowerShell is not installed, please install it from http://azure.microsoft.com/en-us/downloads/

2. Delete the VM.

3. Wait about 3 mins for the disk lease to expire

4. Under the Virtual Machines section select a working VM in the same Resource Group (Or create one) where the impacted VM was. Go to Virtual Machines -> Select the VM you want to use -> Disks -> Add Data Disk -> Change the source type to “Existing Blob” -> Browse ->  Navigate to the location of the VHD you want to attach -> Select OK -> Select Save.  

5. Now that we have the OS disk of the affected VM attached to the recovery machine RDP into the recovery VM

6. Navigate to Disk management and ensure that the disk is attached and online. If it is not make sure to right click and select “Online”

7. In the windows explorer navigate to ATTACHED_DRIVE:WindowsSystem32config and copy the entire config file onto the desktop so there is a backup copy if needed.

8. Open regedit

9. Highlight the key HKEY_LOCAL_MACHINE and select File -> Load Hive from the menu

10. Browse up to the file windowssystem32configSYSTEM of the attached affected VM. Not the C drive of the machine you are currently connected to.
11. When hit open its going to ask for a name, put BROKENSYSTEM and then just unfold HKEY_LOCAL_MACHINE and you’ll have an extra key called BROKENSYSTEM

12. Make the following changes to disable the firewall

    HKLM:SYSTEMCurrentControlSetservicesSharedAccessParametersFirewallPolicyDomainProfileEnableFirewall            From 1 to 0

    HKLM:SYSTEMCurrentControlSetservicesSharedAccessParametersFirewallPolicyPublicProfileEnableFirewall               From 1 to 0

    HKLM:SYSTEMCurrentControlSetservicesSharedAccessParametersFirewallPolicyStandardprofileEnableFirewall         From 1 to 0

13. Highlight HKEY_LOCAL_MACHINEBROKENSYSTEM and select File -> Unload Hive

14. Detach the disk from the troubleshooting VM in the Azure Portal

15. Now we need to recreate the original VM

16. Open up PowerShell ISE as an administrator

17. Modify the highlighted portions below and run in PowerShell:

    # To login to Azure Resource Manager
    Login-AzureRmAccount

    # To view all subscriptions for your account
    Get-AzureRmSubscription

    # To select a default subscription for your current session
    Get-AzureRmSubscription –SubscriptionID ‘SUBSCRIPTIONID‘ | Select-AzureRmSubscription

    $rgname = “RESOURCEGROUPNAME”
    $loc = “LOCATION”
    $vmsize = “VMSIZE”
    $vmname = “VMNAME”
    $vm = New-AzureRmVMConfig -VMName $vmname -VMSize $vmsize;
    $nic = Get-AzureRmNetworkInterface -Name (“NETWORKINTERFACENAME“) -ResourceGroupName $rgname;
    $nicId = $nic.Id;
    $vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nicId;
    $osDiskName = “OS DISK NAME”
    $osDiskVhdUri = “OS DISK URI”
    $vm = Set-AzureRmVMOSDisk -VM $vm -VhdUri $osDiskVhdUri -name $osDiskName -CreateOption attach -Windows

    New-AzureRmVM -ResourceGroupName $rgname -Location $loc -VM $vm -Verbose

18. Let the script finish running and go back to the Azure Portal

19. You should see the recreated VM now

20. Attempt to RDP to the VM