For what it’s worth, I ran into a similar issue. While I can’t find the original source article that led me to the solution, it was to put into place two GPOs that adjusted file/folder behavior for Windows Firewall:
The main thing for the file permission below was to ensure the ‘mpssvc’ object is included:
From: ntsys...@googlegroups.com <ntsys...@googlegroups.com>
On Behalf Of Mike Leone
Sent: Wednesday, October 30, 2024 08:36
To: NTSysAdmin <ntsys...@googlegroups.com>
Subject: [ntsysadmin] Setting firewall logging via GPO
--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
ntsysadmin+...@googlegroups.com.
To view this discussion visit
https://groups.google.com/d/msgid/ntsysadmin/CAHBr%2B%2BgSB2jJrz6VwbAy%3DtsCV-swOPZi%3DXoWSSN_8Q2Ph4LRSQ%40mail.gmail.com.
Did you enable the logging via GPO, and on the correct network profile (e.g., Domain Profile)?
From: ntsys...@googlegroups.com <ntsys...@googlegroups.com>
On Behalf Of Mike Leone
Sent: Wednesday, October 30, 2024 10:01
To: ntsys...@googlegroups.com
Subject: Re: [ntsysadmin] Setting firewall logging via GPO
I set a GPO with those 2 settings, and the firewall folder itself is created. But no log file is created when I try and connect to a disallowed port ...
So I'm still missing something ...
Mike,
I have logging working in my home lab, and I did not have to mess with file/service permissions. Here are my settings for W11 ( CIS benchmarks):
Excerpt from domainfw.log:
Regards,
Luis Elizondo | Cybersecurity Operations Architect / Security Lead | x4549
“I succeed because I don't wait for certainty. While others are still analyzing, I've already taken risks, learned from my mistakes, and found a better way forward.” – me
From: ntsys...@googlegroups.com <ntsys...@googlegroups.com>
On Behalf Of Orlebeck, Geoffrey
Sent: Wednesday, October 30, 2024 12:17 PM
To: ntsys...@googlegroups.com
Subject: RE: [ntsysadmin] Setting firewall logging via GPO
Did you enable the logging via GPO, and on the correct network profile (e.g., Domain Profile)?
Are successful connections? Have you rebooted the device?
From: ntsys...@googlegroups.com <ntsys...@googlegroups.com>
On Behalf Of Mike Leone
Sent: Wednesday, October 30, 2024 2:57 PM
To: ntsys...@googlegroups.com
Subject: Re: [ntsysadmin] Setting firewall logging via GPO
So I go to the client, and look at the firewall settings. And sure enough, they say logging is set. Yet if I go to a blocked port, the log is never updated ...
Ran into this exact situation and after opening a ticket with Microsoft they informed us that updated way is to use Audit Filtering Platform Connection and Audit Filtering Platform Packet Drop under Object Access in the Advanced Audit Configuration. Then review the Security logs for events 5130 and 5150-5159.
Warning though, if you enable everything it is extremely noisy, so do test and pare down to what you believe you really want to see.
----
Jacob Ryker
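An added example of the audit-policy route Jacob describes (this is not code from the thread). It assumes it runs elevated on the machine being tested, enables the two Filtering Platform subcategories for failures only, and then summarises the matching Security-log events. The event-ID list is taken from the post (5130 plus 5150-5159); the `%%14592`/`%%14593` direction codes are the resource strings the 5152/5157 events use for Inbound/Outbound.

```powershell
#Requires -RunAsAdministrator
# Added example: enable the Advanced Audit subcategories named in the thread.
# Failure-only first; success auditing of "Filtering Platform Connection" is the
# really noisy part and is what you would pare down later.
auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable

# Read the effective setting back so you can confirm the change stuck (a GPO
# with "Force audit policy subcategory settings" can override a local change).
auditpol /get /category:"Object Access" | Select-String 'Filtering Platform'

# Pull the last hour of matching events and summarise by ID, direction and
# destination so you can see what is being dropped before deciding what to keep.
$ids    = @(5130) + (5150..5159)   # IDs as given in the post
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Flatten the EventData name/value pairs into a hashtable per event.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $direction = switch ($d['Direction']) {
        '%%14592' { 'Inbound' }
        '%%14593' { 'Outbound' }
        default   { $d['Direction'] }
    }

    [pscustomobject]@{
        Id        = $e.Id
        Time      = $e.TimeCreated
        Direction = $direction
        Source    = "$($d['SourceAddress']):$($d['SourcePort'])"
        Dest      = "$($d['DestAddress']):$($d['DestPort'])"
        Protocol  = $d['Protocol']
        Process   = $d['Application']
    }
}

# Top talkers by (ID, direction, destination): a quick view of what the
# firewall is blocking, without reading the whole log.
$rows | Group-Object Id, Direction, Dest |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name | Format-Table -AutoSize
```

Run it once with failure auditing only, look at the grouped output, and only then decide whether success auditing (allowed connections) is worth the volume on that host.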
Also verify that you are auditing object access:
Regards,
Luis Elizondo | Cybersecurity Operations Architect / Security Lead | x4549
FYI, I’ve only ever needed to manually update the permissions on domain controllers or machines that have had dcpromo run on them at some point in time (or some other default permission change). After updating the permissions I’ve found it does take a restart though before the logging starts to work, you may not be able to avoid doing that if it’s the only thing missing.
Other thoughts:
Try RSOP or gpresult and see if the settings you think are applying are actually active
Verify the domain profile is actually the active profile on the NIC
Check your %systemroot% variable on that system and/or try an explicit path
-Bonnie
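An added diagnostic script that walks Bonnie's checklist and the mpssvc permission point raised at the top of the thread (it is not code from any of the posters). It assumes it is run elevated on the client that is not producing a log; the GPO name and log path are whatever your environment actually deploys, read back from the active store rather than hard-coded.

```powershell
#Requires -RunAsAdministrator
# Added example: check why a firewall log is not being written on this client.

# 1. Effective (GPO-merged) settings for all three profiles. Logging enabled
#    only on "Domain" does nothing on an adapter classified as Private/Public.
$profiles = Get-NetFirewallProfile -PolicyStore ActiveStore
$profiles | Select-Object Name, Enabled, LogBlocked, LogAllowed, LogFileName, LogMaxSizeKilobytes |
    Format-Table -AutoSize

# 2. Which profile is actually active on each NIC right now?
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory | Format-Table -AutoSize

# 3. Expand the configured log path (normally %systemroot%-relative) and check
#    that the folder exists and that the firewall service identity can write to it.
foreach ($p in $profiles) {
    $path = [Environment]::ExpandEnvironmentVariables($p.LogFileName)
    $dir  = Split-Path -Path $path -Parent
    Write-Host "[$($p.Name)] log file: $path"

    if (-not (Test-Path -LiteralPath $dir)) {
        Write-Warning "  folder missing: $dir"
        continue
    }

    # The service runs as NT SERVICE\mpssvc; without an ACE for it the log is
    # silently never created even though the policy shows logging as enabled.
    $acl  = Get-Acl -LiteralPath $dir
    $aces = $acl.Access | Where-Object { $_.IdentityReference -like '*mpssvc*' }
    if ($aces) {
        Write-Host "  NT SERVICE\mpssvc rights on folder: $($aces.FileSystemRights -join ', ')"
    } else {
        Write-Warning "  no ACE for NT SERVICE\mpssvc on $dir"
    }

    if (Test-Path -LiteralPath $path) {
        $f = Get-Item -LiteralPath $path
        Write-Host "  last write: $($f.LastWriteTime)  size: $($f.Length) bytes"
    } else {
        Write-Warning "  log file not yet created"
    }
}

# 4. Is the firewall service itself running?
Get-Service -Name mpssvc | Select-Object Name, Status, StartType | Format-Table -AutoSize

# 5. Did the GPO you think is applying actually reach this computer?
gpresult /scope computer /r 2>$null |
    Select-String -Pattern 'Applied Group Policy Objects' -Context 0, 10
```

If step 3 reports a missing mpssvc ACE, remember the point made above: after fixing the permissions a restart was needed before logging started, so a clean result from this script does not appear until then.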
I suggest a test OU and a test VM or two for this first:
The GPO in question must enable the firewall for all three profiles. We also set Alert for new Protocol to YES and Logging to YES.
That’s it. We _always_ get logs in the usual place.
Philip Elder MCTS
Senior Technical Architect
Microsoft High Availability MVP
MPECS Inc.
E-mail: Phili...@mpecsinc.ca
Phone: +1 (780) 458-2028
Web: www.mpecsinc.com
Blog: blog.mpecsinc.com
Twitter: Twitter.com/MPECSInc
Skype: MPECSInc.
Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.
From: ntsys...@googlegroups.com <ntsys...@googlegroups.com>
On Behalf Of Mike Leone
Sent: Wednesday, October 30, 2024 09:36
To: NTSysAdmin <ntsys...@googlegroups.com>
Subject: [ntsysadmin] Setting firewall logging via GPO
I'm having a problem enabling firewall logging via GPO. I set it
Yup. Saw this after hitting SEND on my reply.
GPO should set ENABLED to all three profiles, Pop-Ups to YES, and Logging to YES for all three profiles.
There is no reason to disable the firewall _ever_ when logging is enabled.
Plus, the firewall is too integrated into the network stack so when set to DISABLED it actually goes into a form of LIMP MODE. That breaks things big time and can cause all manner of mysterious behaviours.
ON, Pop-Ups, and Logging. That’s the recipe for success when troubleshooting packet loss.
Netstat -AN is a close second. 😊
Philip Elder MCTS
From: ntsys...@googlegroups.com <ntsys...@googlegroups.com>
On Behalf Of Mike Leone
Sent: Wednesday, October 30, 2024 13:39
To: ntsys...@googlegroups.com
Subject: Re: [ntsysadmin] Setting firewall logging via GPO
UPDATE!
So I went back to the policy (actually, policies - there are 2, 1 for the APP servers, a different one for WEB servers). I enabled logging on ALL the profiles, not just the domain one.
And lookie there ...
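An added example of writing Philip's recipe (firewall ON, pop-ups ON, logging ON, for all three profiles) into a domain GPO with the NetSecurity cmdlets, which is also the fix Mike's UPDATE landed on. It is not code from the thread. The GPO name `contoso.local\Server Firewall Policy` is a placeholder, and "Pop-Ups" is taken to mean the `NotifyOnListen` notification setting; the log path and size are the usual defaults and can be changed to match your environment.

```powershell
#Requires -Modules NetSecurity, GroupPolicy
# Added example: set firewall state, notifications and logging on all three
# profiles of a domain GPO in one transaction.

$policyStore = 'contoso.local\Server Firewall Policy'   # placeholder: DomainFQDN\GPO display name

# Open the GPO once, apply all changes in the session, then save (one write to SYSVOL).
$session = Open-NetGPO -PolicyStore $policyStore

$settings = @{
    Name                = 'Domain', 'Private', 'Public'   # all three, not just Domain
    Enabled             = 'True'
    NotifyOnListen      = 'True'                           # "Pop-Ups to YES"
    LogBlocked          = 'True'                           # the blocked-connection lines Mike was waiting for
    LogAllowed          = 'False'                          # allowed-connection logging grows the file quickly
    LogFileName         = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'
    LogMaxSizeKilobytes = 16384
}
Set-NetFirewallProfile -GPOSession $session @settings

Save-NetGPO -GPOSession $session

# Read the GPO back so you can confirm every profile picked up the change
# before it is linked to the test OU suggested above.
Get-NetFirewallProfile -PolicyStore $policyStore |
    Select-Object Name, Enabled, NotifyOnListen, LogBlocked, LogAllowed, LogFileName, LogMaxSizeKilobytes |
    Format-Table -AutoSize
```

Link the GPO to a test OU first, run `gpupdate /force` on a test VM, and confirm with `Get-NetFirewallProfile -PolicyStore ActiveStore` on that VM that all three profiles show `LogBlocked = True` before rolling it wider.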