Question
Wednesday, June 19, 2019 8:00 PM
#Windows Firewall Log BUG
Situation:
Newly installed server with 2016 Standard. Patched and up to date with the June 2019 CU.
Created a new domain with itself being the first domain controller. Created a GPO to activate Windows Firewall and enable logging of DROP and ALLOW to pfirewall-domain.log in the default path.
What happens?
The log can't be written, and there is no access denied. Sysinternals Procmon shows no "Access Denied". It shows a few creates but does not write.
What do the permissions on the file system look like?
Get-ACL after plain OS installation and also after CU installation:
c:\Windows\System32\LogFiles\Firewall
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Network Configuration Operators
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : NT SERVICE\MpsSvc
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
After configuring the domain controller:
c:\Windows\System32\LogFiles\Firewall
FileSystemRights : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
IsInherited : True
InheritanceFlags : None
PropagationFlags : None
FileSystemRights : -1610612736
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
IsInherited : True
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : InheritOnly
FileSystemRights : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : BUILTIN\Server Operators
IsInherited : True
InheritanceFlags : None
PropagationFlags : None
FileSystemRights : -1610612736
AccessControlType : Allow
IdentityReference : BUILTIN\Server Operators
IsInherited : True
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : InheritOnly
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited : True
InheritanceFlags : None
PropagationFlags : None
FileSystemRights : 268435456
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited : True
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : InheritOnly
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited : True
InheritanceFlags : None
PropagationFlags : None
FileSystemRights : 268435456
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited : True
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : InheritOnly
FileSystemRights : 268435456
AccessControlType : Allow
IdentityReference : CREATOR OWNER
IsInherited : True
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : InheritOnly
Created the GPO and applied it, even rebooted. No log file was created, so I opened the firewall and took a look. And right when I opened it, the log file showed up, but only the header was written. Nothing more.
The ACLs on the pfirewall-domain.log file:
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Network Configuration Operators
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : NT SERVICE\MpsSvc
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
So I took a look with Procmon.
svchost.exe tries to CreateFile, but throws no error:
21:19:57,9985237 svchost.exe 1640 QueryOpen C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log FAST IO DISALLOWED NT AUTHORITY\LOCAL SERVICE
21:19:57,9986597 svchost.exe 1640 CreateFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Desired Access: Read Attributes, Dis, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened NT AUTHORITY\LOCAL SERVICE
21:19:57,9987095 svchost.exe 1640 QueryBasicInformationFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS CreationTime: 19.06.2019 20:50:30, LastAccessTime: 19.06.2019 20:50:30, LastWriteTime: 19.06.2019 20:50:30, ChangeTime: 19.06.2019 21:05:59, FileAttributes: A NT AUTHORITY\LOCAL SERVICE
21:19:57,9987315 svchost.exe 1640 CloseFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS NT AUTHORITY\LOCAL SERVICE
21:19:57,9987626 svchost.exe 1640 IRP_MJ_CLOSE C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS NT AUTHORITY\LOCAL SERVICE
21:19:57,9989181 svchost.exe 1640 QueryOpen C:\Windows\System32\LogFiles\Firewall FAST IO DISALLOWED NT AUTHORITY\LOCAL SERVICE
21:19:57,9990346 svchost.exe 1640 CreateFile C:\Windows\System32\LogFiles\Firewall SUCCESS Desired Access: Read Attributes, Dis, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened NT AUTHORITY\LOCAL SERVICE
21:19:57,9990746 svchost.exe 1640 QueryBasicInformationFile C:\Windows\System32\LogFiles\Firewall SUCCESS CreationTime: 16.07.2016 15:23:22, LastAccessTime: 19.06.2019 20:50:30, LastWriteTime: 19.06.2019 20:50:30, ChangeTime: 19.06.2019 21:18:38, FileAttributes: D NT AUTHORITY\LOCAL SERVICE
21:19:57,9992285 svchost.exe 1640 CloseFile C:\Windows\System32\LogFiles\Firewall SUCCESS NT AUTHORITY\LOCAL SERVICE
21:19:57,9992520 svchost.exe 1640 IRP_MJ_CLOSE C:\Windows\System32\LogFiles\Firewall SUCCESS NT AUTHORITY\LOCAL SERVICE
The file was visible in Explorer, but empty except for the header. Rebooting and reapplying the policy didn't work.
Now I did something I usually wouldn't do. I added "Authenticated Users" with Full permissions.
And then it instantly started logging:
21:21:16,7661387 svchost.exe 1640 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 2.831, Length: 114, Priority: Normal NT AUTHORITY\LOCAL SERVICE
21:21:16,7663507 svchost.exe 1640 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 2.945, Length: 722, Priority: Normal NT AUTHORITY\LOCAL SERVICE
21:21:18,2505349 System 4 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 0, Length: 4.096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal NT AUTHORITY\SYSTEM
21:21:18,2515695 System 4 SetEndOfFileInformationFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS EndOfFile: 3.667 NT AUTHORITY\SYSTEM
21:21:26,5941882 System 4 FASTIO_ACQUIRE_FOR_CC_FLUSH C:\Windows\System32\LogFiles\Firewall SUCCESS NT AUTHORITY\SYSTEM
21:21:26,5942149 System 4 WriteFile C:\Windows\System32\LogFiles\Firewall SUCCESS Offset: 0, Length: 4.096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal NT AUTHORITY\SYSTEM
21:21:26,5951630 System 4 FASTIO_RELEASE_FOR_CC_FLUSH C:\Windows\System32\LogFiles\Firewall SUCCESS NT AUTHORITY\SYSTEM
21:21:29,8911002 svchost.exe 1640 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 3.667, Length: 69, Priority: Normal NT AUTHORITY\LOCAL SERVICE
21:21:29,8913203 svchost.exe 1640 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 3.736, Length: 913, Priority: Normal NT AUTHORITY\LOCAL SERVICE
21:21:29,8916986 svchost.exe 1640 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 4.649, Length: 81, Priority: Normal NT AUTHORITY\LOCAL SERVICE
21:21:29,8919285 svchost.exe 1640 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 4.730, Length: 612, Priority: Normal NT AUTHORITY\LOCAL SERVICE
21:21:29,8921255 svchost.exe 1640 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 5.342, Length: 84, Priority: Normal NT AUTHORITY\LOCAL SERVICE
21:21:29,8923141 svchost.exe 1640 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 5.426, Length: 963, Priority: Normal NT AUTHORITY\LOCAL SERVICE
21:21:29,8927561 svchost.exe 1640 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 6.389, Length: 72, Priority: Normal NT AUTHORITY\LOCAL SERVICE
21:21:29,8928512 svchost.exe 1640 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 6.461, Length: 222, Priority: Normal NT AUTHORITY\LOCAL SERVICE
21:21:29,8930073 svchost.exe 1640 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 6.683, Length: 84, Priority: Normal NT AUTHORITY\LOCAL SERVICE
And yeah, I reproduced it 3 times.
I wonder if that's a bug...
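An added example (not code from the thread) for reading the Get-ACL dumps above: Get-Acl prints inherited ACEs that carry generic access bits as raw numbers, where -1610612736 is GENERIC_READ | GENERIC_EXECUTE and 268435456 is GENERIC_ALL. The script below, written against the folder path quoted in the thread, decodes those values and lists which identities actually hold write rights there; the function names ConvertTo-RightsName and Get-WriteCapableIdentities are my own.

```powershell
# Added example, not from the thread: decode the numeric rights Get-Acl prints for
# inherited generic ACEs and list who can write to the firewall log folder.
$LogDir = 'C:\Windows\System32\LogFiles\Firewall'   # path quoted in the thread

# Generic access bits from winnt.h (decimal, so PowerShell parses them as Int64).
$Generic = [ordered]@{
    GENERIC_READ    = 2147483648   # 0x80000000
    GENERIC_WRITE   = 1073741824   # 0x40000000
    GENERIC_EXECUTE = 536870912    # 0x20000000
    GENERIC_ALL     = 268435456    # 0x10000000
}

function ConvertTo-RightsName {
    param([int64]$Rights)
    $mask  = $Rights -band 4294967295            # -1610612736 -> 0xA0000000
    $names = foreach ($k in $Generic.Keys) { if ($mask -band $Generic[$k]) { $k } }
    if (-not $names) {                           # no generic bits: .NET can name them
        $names = ([System.Security.AccessControl.FileSystemRights]$mask).ToString()
    }
    return ($names -join ', ')
}

function Get-WriteCapableIdentities {
    param([string]$Path)
    $writeBits = [int64][System.Security.AccessControl.FileSystemRights]::Write   # 0x116
    $genWrite  = $Generic.GENERIC_WRITE -bor $Generic.GENERIC_ALL
    (Get-Acl -Path $Path).Access |
        Where-Object {
            $r = [int64]$_.FileSystemRights
            $_.AccessControlType -eq 'Allow' -and
            ((($r -band $genWrite) -ne 0) -or (($r -band $writeBits) -eq $writeBits))
        } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

# One row per ACE with the rights spelled out instead of raw numbers.
(Get-Acl -Path $LogDir).Access | ForEach-Object {
    [pscustomobject]@{
        Identity  = $_.IdentityReference.Value
        Rights    = ConvertTo-RightsName ([int64]$_.FileSystemRights)
        Inherited = $_.IsInherited
        AppliesTo = '{0} / {1}' -f $_.InheritanceFlags, $_.PropagationFlags
    }
} | Format-Table -AutoSize

# The Procmon lines show the writer running as NT AUTHORITY\LOCAL SERVICE, so that
# identity, or a group/service SID in its token such as NT SERVICE\MpsSvc, must be listed.
Get-WriteCapableIdentities -Path $LogDir
```

The thread's workaround grants Authenticated Users Full Control, which lets any domain user read, alter or delete the firewall log; if a manual ACE is needed, prefer granting only the writing identity Modify on the folder, while noting that this thread does not confirm the narrower grant works on a DC.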
All replies (6)
Wednesday, June 19, 2019 8:41 PM
Also, I only reproduced it on domain controllers.
Thursday, June 20, 2019 7:18 AM
Hi,
Please check the steps to configure the Windows Defender Firewall with Advanced Security log:
We could submit this issue in the following general feedback for windows server and I am going to submit this case to Microsoft via our channel.
https://windowsserver.uservoice.com/forums/295047-general-feedback
Thanks for your understanding.
Best regards,
Yilia
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Thursday, June 20, 2019 10:42 AM
Hi,
The only thing I changed via GPO is the name to pfirewall-domain.log and the size to 40 MB. Everything else is the same. And I also got it working by adding permissions. I just think that should've worked by default like it does on standalone or member servers.
I will copy-paste it to the UserVoice. (In Feedback Hub nothing happened.)
Thanks!
Thursday, June 20, 2019 10:48 AM
We could submit this issue in the following general feedback for windows server and I am going to submit this case to Microsoft via our channel.
https://windowsserver.uservoice.com/forums/295047-general-feedback
Wednesday, June 26, 2019 7:48 AM
MS Partner Support confirmed the issue, but currently we have no more information.
Thursday, June 27, 2019 8:53 AM
Hi,
Sorry for the inconvenience.
It's recommended to keep installing the latest updates in case the issue is fixed in the next updates.
If there is any information about this issue from Microsoft, I will post it here ASAP.
Thanks for your understanding.
Best regards,
Yilia
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].