Is this a Permission-Bug in Windows Firewall Logging?

  • Question

  • #Windows Firewall Log BUG

    Situation:
    Newly installed server running 2016 Standard. Patched and up to date with the June 2019 CU.
    Created a new domain with itself being the first domain controller. Created a GPO to activate Windows Firewall and enable logging of DROP and ALLOW to pfirewall-domain.log in the default path.

    What happens?
    The log can't be written, and there is no access denied. Sysinternals Procmon shows no "Access Denied"; it shows a few creates but no writes.

    What do the permissions on the filesystem look like?

    Get-ACL after plain OS installation, and also after CU installation:
    c:\Windows\System32\LogFiles\Firewall
    
    FileSystemRights  : FullControl
    AccessControlType : Allow
    IdentityReference : NT AUTHORITY\SYSTEM
    IsInherited       : False
    InheritanceFlags  : None
    PropagationFlags  : None
    
    FileSystemRights  : FullControl
    AccessControlType : Allow
    IdentityReference : BUILTIN\Administrators
    IsInherited       : False
    InheritanceFlags  : None
    PropagationFlags  : None
    
    FileSystemRights  : FullControl
    AccessControlType : Allow
    IdentityReference : BUILTIN\Network Configuration Operators
    IsInherited       : False
    InheritanceFlags  : None
    PropagationFlags  : None
    
    FileSystemRights  : FullControl
    AccessControlType : Allow
    IdentityReference : NT SERVICE\MpsSvc
    IsInherited       : False
    InheritanceFlags  : None
    PropagationFlags  : None
    
    After configuring the domain controller:
    c:\Windows\System32\LogFiles\Firewall

    FileSystemRights  : ReadAndExecute, Synchronize
    AccessControlType : Allow
    IdentityReference : NT AUTHORITY\Authenticated Users
    IsInherited       : True
    InheritanceFlags  : None
    PropagationFlags  : None
    
    FileSystemRights  : -1610612736
    AccessControlType : Allow
    IdentityReference : NT AUTHORITY\Authenticated Users
    IsInherited       : True
    InheritanceFlags  : ContainerInherit, ObjectInherit
    PropagationFlags  : InheritOnly
    
    FileSystemRights  : ReadAndExecute, Synchronize
    AccessControlType : Allow
    IdentityReference : BUILTIN\Server Operators
    IsInherited       : True
    InheritanceFlags  : None
    PropagationFlags  : None
    
    FileSystemRights  : -1610612736
    AccessControlType : Allow
    IdentityReference : BUILTIN\Server Operators
    IsInherited       : True
    InheritanceFlags  : ContainerInherit, ObjectInherit
    PropagationFlags  : InheritOnly
    
    FileSystemRights  : FullControl
    AccessControlType : Allow
    IdentityReference : BUILTIN\Administrators
    IsInherited       : True
    InheritanceFlags  : None
    PropagationFlags  : None
    
    FileSystemRights  : 268435456
    AccessControlType : Allow
    IdentityReference : BUILTIN\Administrators
    IsInherited       : True
    InheritanceFlags  : ContainerInherit, ObjectInherit
    PropagationFlags  : InheritOnly
    
    FileSystemRights  : FullControl
    AccessControlType : Allow
    IdentityReference : NT AUTHORITY\SYSTEM
    IsInherited       : True
    InheritanceFlags  : None
    PropagationFlags  : None
    
    FileSystemRights  : 268435456
    AccessControlType : Allow
    IdentityReference : NT AUTHORITY\SYSTEM
    IsInherited       : True
    InheritanceFlags  : ContainerInherit, ObjectInherit
    PropagationFlags  : InheritOnly
    
    FileSystemRights  : 268435456
    AccessControlType : Allow
    IdentityReference : CREATOR OWNER
    IsInherited       : True
    InheritanceFlags  : ContainerInherit, ObjectInherit
    PropagationFlags  : InheritOnly
    

    Created the GPO and applied it, even rebooted. No log file was created, so I opened the Firewall and took a look. And right when I opened it, the log file showed up, but only the header was written. Nothing more.

    The ACLs on the pfirewall-domain.log file:

    FileSystemRights  : FullControl
    AccessControlType : Allow
    IdentityReference : NT AUTHORITY\SYSTEM
    IsInherited       : False
    InheritanceFlags  : None
    PropagationFlags  : None
    
    FileSystemRights  : FullControl
    AccessControlType : Allow
    IdentityReference : BUILTIN\Administrators
    IsInherited       : False
    InheritanceFlags  : None
    PropagationFlags  : None
    
    FileSystemRights  : FullControl
    AccessControlType : Allow
    IdentityReference : BUILTIN\Network Configuration Operators
    IsInherited       : False
    InheritanceFlags  : None
    PropagationFlags  : None
    
    FileSystemRights  : FullControl
    AccessControlType : Allow
    IdentityReference : NT SERVICE\MpsSvc
    IsInherited       : False
    InheritanceFlags  : None
    PropagationFlags  : None
    
    So I took a look with Procmon.
    svchost.exe tries to CreateFile, but throws no error:
    21:19:57,9985237    svchost.exe    1640    QueryOpen    C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log    FAST IO DISALLOWED        NT AUTHORITY\LOCAL SERVICE
    21:19:57,9986597    svchost.exe    1640    CreateFile    C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log    SUCCESS    Desired Access: Read Attributes, Dis, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened    NT AUTHORITY\LOCAL SERVICE
    21:19:57,9987095    svchost.exe    1640    QueryBasicInformationFile    C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log    SUCCESS    CreationTime: 19.06.2019 20:50:30, LastAccessTime: 19.06.2019 20:50:30, LastWriteTime: 19.06.2019 20:50:30, ChangeTime: 19.06.2019 21:05:59, FileAttributes: A    NT AUTHORITY\LOCAL SERVICE
    21:19:57,9987315    svchost.exe    1640    CloseFile    C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log    SUCCESS        NT AUTHORITY\LOCAL SERVICE
    21:19:57,9987626    svchost.exe    1640    IRP_MJ_CLOSE    C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log    SUCCESS        NT AUTHORITY\LOCAL SERVICE
    21:19:57,9989181    svchost.exe    1640    QueryOpen    C:\Windows\System32\LogFiles\Firewall    FAST IO DISALLOWED        NT AUTHORITY\LOCAL SERVICE
    21:19:57,9990346    svchost.exe    1640    CreateFile    C:\Windows\System32\LogFiles\Firewall    SUCCESS    Desired Access: Read Attributes, Dis, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened    NT AUTHORITY\LOCAL SERVICE
    21:19:57,9990746    svchost.exe    1640    QueryBasicInformationFile    C:\Windows\System32\LogFiles\Firewall    SUCCESS    CreationTime: 16.07.2016 15:23:22, LastAccessTime: 19.06.2019 20:50:30, LastWriteTime: 19.06.2019 20:50:30, ChangeTime: 19.06.2019 21:18:38, FileAttributes: D    NT AUTHORITY\LOCAL SERVICE
    21:19:57,9992285    svchost.exe    1640    CloseFile    C:\Windows\System32\LogFiles\Firewall    SUCCESS        NT AUTHORITY\LOCAL SERVICE
    21:19:57,9992520    svchost.exe    1640    IRP_MJ_CLOSE    C:\Windows\System32\LogFiles\Firewall    SUCCESS        NT AUTHORITY\LOCAL SERVICE

    The file was visible in Explorer, but empty except for the header. Rebooting and reapplying the policy didn't work.

    Now I did something I usually wouldn't do. I added "Authenticated Users" with full permissions.

    And then it instantly started logging:
    21:21:16,7661387    svchost.exe    1640    WriteFile    C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log    SUCCESS    Offset: 2.831, Length: 114, Priority: Normal    NT AUTHORITY\LOCAL SERVICE
    21:21:16,7663507    svchost.exe    1640    WriteFile    C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log    SUCCESS    Offset: 2.945, Length: 722, Priority: Normal    NT AUTHORITY\LOCAL SERVICE
    21:21:18,2505349    System    4    WriteFile    C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log    SUCCESS    Offset: 0, Length: 4.096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal    NT AUTHORITY\SYSTEM
    21:21:18,2515695    System    4    SetEndOfFileInformationFile    C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log    SUCCESS    EndOfFile: 3.667    NT AUTHORITY\SYSTEM
    21:21:26,5941882    System    4    FASTIO_ACQUIRE_FOR_CC_FLUSH    C:\Windows\System32\LogFiles\Firewall    SUCCESS        NT AUTHORITY\SYSTEM
    21:21:26,5942149    System    4    WriteFile    C:\Windows\System32\LogFiles\Firewall    SUCCESS    Offset: 0, Length: 4.096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal    NT AUTHORITY\SYSTEM
    21:21:26,5951630    System    4    FASTIO_RELEASE_FOR_CC_FLUSH    C:\Windows\System32\LogFiles\Firewall    SUCCESS        NT AUTHORITY\SYSTEM
    21:21:29,8911002    svchost.exe    1640    WriteFile    C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log    SUCCESS    Offset: 3.667, Length: 69, Priority: Normal    NT AUTHORITY\LOCAL SERVICE
    21:21:29,8913203    svchost.exe    1640    WriteFile    C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log    SUCCESS    Offset: 3.736, Length: 913, Priority: Normal    NT AUTHORITY\LOCAL SERVICE
    21:21:29,8916986    svchost.exe    1640    WriteFile    C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log    SUCCESS    Offset: 4.649, Length: 81, Priority: Normal    NT AUTHORITY\LOCAL SERVICE
    21:21:29,8919285    svchost.exe    1640    WriteFile    C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log    SUCCESS    Offset: 4.730, Length: 612, Priority: Normal    NT AUTHORITY\LOCAL SERVICE
    21:21:29,8921255    svchost.exe    1640    WriteFile    C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log    SUCCESS    Offset: 5.342, Length: 84, Priority: Normal    NT AUTHORITY\LOCAL SERVICE
    21:21:29,8923141    svchost.exe    1640    WriteFile    C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log    SUCCESS    Offset: 5.426, Length: 963, Priority: Normal    NT AUTHORITY\LOCAL SERVICE
    21:21:29,8927561    svchost.exe    1640    WriteFile    C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log    SUCCESS    Offset: 6.389, Length: 72, Priority: Normal    NT AUTHORITY\LOCAL SERVICE
    21:21:29,8928512    svchost.exe    1640    WriteFile    C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log    SUCCESS    Offset: 6.461, Length: 222, Priority: Normal    NT AUTHORITY\LOCAL SERVICE
    21:21:29,8930073    svchost.exe    1640    WriteFile    C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log    SUCCESS    Offset: 6.683, Length: 84, Priority: Normal    NT AUTHORITY\LOCAL SERVICE

    And yeah, I reproduced it 3 times.
    I wonder if that's a bug...
    Wednesday, June 19, 2019 8:00 PM
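As an added example (not code from the original post), the following PowerShell decodes the raw numbers Get-Acl printed above (268435456 and -1610612736 are generic access masks that FileSystemRights has no names for) and flags Allow ACEs that give broad groups such as Authenticated Users write or delete rights on the log, which is the cost of the workaround described. The directory path and the list of "broad" identities are assumptions.

```powershell
# Added example, not from the original post: decode the raw FileSystemRights values
# Get-Acl prints for inherit-only ACEs and flag ACEs that let broad groups write the log.
# Assumption: the default log directory; pass the .log path to inspect the file itself.

# Generic access bits (winnt.h). Get-Acl prints an ACE carrying only these bits as a raw
# number because FileSystemRights has no names for them:
#   268435456 = 0x10000000 = GENERIC_ALL
#   -1610612736 = 0xA0000000 = GENERIC_READ | GENERIC_EXECUTE
$GenericRights = [ordered]@{
    GENERIC_READ    = [int64]2147483648   # 0x80000000
    GENERIC_WRITE   = [int64]1073741824   # 0x40000000
    GENERIC_EXECUTE = [int64]536870912    # 0x20000000
    GENERIC_ALL     = [int64]268435456    # 0x10000000
}

function ConvertTo-RightsText {
    param([Parameter(Mandatory)][int64]$Mask)
    $u = $Mask -band [int64]4294967295            # view as an unsigned 32-bit access mask
    $names = [System.Collections.Generic.List[string]]::new()
    foreach ($name in $GenericRights.Keys) {
        if (($u -band $GenericRights[$name]) -ne 0) { $names.Add($name) }
    }
    $specific = $u -band [int64]0x0FFFFFFF        # standard + file-specific bits
    if ($specific -ne 0) {
        $names.Add(([System.Security.AccessControl.FileSystemRights]$specific).ToString())
    }
    return ($names -join ', ')
}

function Get-FirewallLogAcl {
    param([string]$Path = 'C:\Windows\System32\LogFiles\Firewall')
    # Identities that should not be able to modify or delete a firewall log (assumed list).
    $broadIds = 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Everyone'
    $genericWrite  = $GenericRights.GENERIC_WRITE -bor $GenericRights.GENERIC_ALL
    $specificWrite = [int64][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $mask = ([int64]$ace.FileSystemRights) -band [int64]4294967295
        $canWrite = (($mask -band $genericWrite) -ne 0) -or (($mask -band $specificWrite) -ne 0)
        $flag = ''
        if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
            $broadIds -contains $ace.IdentityReference.Value) { $flag = 'BROAD WRITE ACCESS' }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = ConvertTo-RightsText -Mask ([int64]$ace.FileSystemRights)
            Inherited = $ace.IsInherited
            Flag      = $flag
        }
    }
}

Get-FirewallLogAcl | Format-Table -AutoSize
```

Run it before and after applying the workaround: the Authenticated Users ACE added with full permissions shows up flagged, while the explicit MpsSvc, SYSTEM and Administrators entries do not.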

All replies