Windows 2008 R2 Std SP1 - firewall reports packets dropped...

  • Question

  • Hi,

    1) I'm trying to harden the Windows firewall on a standalone (non-AD) Windows 2008 R2 Std SP1 server, and restrict outgoing packets to known rules. What I'm seeing is firewall log entries showing dropped packets, and the dropped packets are always zero length. e.g. I configured a rule to allow Windows Service Host svchost.exe to reach out to MS for MS Security Essentials updates, and it is able to check for and download updates - but what I see are dropped zero-length packets for the target IP addresses that I have allowed in the rule. I see other packets too, for other application targets, for which new rules allow the application to work - but again I see dropped zero-length packets. Is there a feature that I can disable to allow the zero-length packets out?

    2) Also, I've enabled firewall logging to a file, but I see a mismatch between what appears in the \Windows\System32\LogFiles\Firewall\*.log files versus the event ID 5152 entries in the Security event log - I mean, sometimes I see corresponding matching entries - most of the time I don't - it's as if some of the notifications re dropped packets make it to the firewall log file, some make it to the event log, and some make it to both. Is this just atypical and that's just the way it is?

    Thanks.  Dave.

    Friday, August 15, 2014 3:13 PM
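An added example (not from the thread) for triaging the first question: it parses the W3C-style layout written to the \Windows\System32\LogFiles\Firewall\*.log files, keeping only zero-size DROP records, and splits them by whether the destination is one an allow rule was expected to cover. The header, the five records and all addresses are constructed for illustration; the allowed-destination set is a hypothetical stand-in for the rule's remote addresses.

```python
from collections import Counter

# Constructed sample in the layout the Windows Firewall log uses (not a real capture).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2014-08-15 15:10:01 ALLOW TCP 192.0.2.10 203.0.113.10 49210 443 0 - 0 0 0 - - - SEND
2014-08-15 15:10:01 DROP TCP 192.0.2.10 203.0.113.10 49211 443 0 - 0 0 0 - - - SEND
2014-08-15 15:10:02 DROP TCP 192.0.2.10 203.0.113.10 49212 443 0 - 0 0 0 - - - SEND
2014-08-15 15:10:05 DROP UDP 192.0.2.10 198.51.100.7 51000 53 0 - - - - - - - SEND
2014-08-15 15:10:06 DROP TCP 192.0.2.10 198.51.100.9 49213 80 52 S 1 0 8192 - - - SEND
"""

def parse_firewall_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than mis-align columns
        yield dict(zip(fields, values))

def zero_length_drops(text, allowed_dsts):
    """Count zero-size DROP records per (dst-ip, protocol, dst-port), split by
    whether the destination is in the set an allow rule was meant to cover."""
    counts = {"allowed": Counter(), "other": Counter()}
    for rec in parse_firewall_log(text):
        if rec["action"] != "DROP" or rec["size"] != "0":
            continue
        bucket = "allowed" if rec["dst-ip"] in allowed_dsts else "other"
        counts[bucket][(rec["dst-ip"], rec["protocol"], rec["dst-port"])] += 1
    return counts

if __name__ == "__main__":
    result = zero_length_drops(SAMPLE_LOG, {"203.0.113.10"})  # hypothetical allowed remote
    for bucket, counter in result.items():
        for (dst, proto, port), n in counter.items():
            print(f"{bucket:7s} {dst}:{port}/{proto} zero-length drops: {n}")
```

Point it at a real log by replacing SAMPLE_LOG with the file contents; the "allowed" bucket is the set of drops worth comparing against the matching event ID 5152 entries.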