Windows Server 2008 R2 Firewall Logging

  • Question

  • Hi All

    I've followed the instructions on how to set up Windows Firewall logging contained in the following knowledge base article, but the log file remains empty.

    http://technet.microsoft.com/en-us/library/cc947815(v=ws.10).aspx

    As the server is the domain controller, I've added the GPO configuration under the \My Domain\Group Policy Objects\Default Domain Controllers Policy\.

    I have left the location of the log file as %systemroot%\system32\logfiles\firewall\pfirewall.log, so, as the Windows Firewall service is using the "Local Services" account, I assume I should not be getting any problems with permissions to write to the file.

    The following is the section in the GPO showing the current settings:

    Domain Profile Settings

    Policy                                   Setting
    Firewall state                           Not Configured
    Inbound connections                      Not Configured
    Outbound connections                     Not Configured
    Apply local firewall rules               Not Configured
    Apply local connection security rules    Not Configured
    Display notifications                    Not Configured
    Allow unicast responses                  Not Configured
    Log dropped packets                      Yes
    Log successful connections               Yes
    Log file path                            %systemroot%\system32\logfiles\firewall\pfirewall.log
    Log file maximum size (KB)               4096

    I am "testing" the log by attempting to debug a SQL CLR procedure that works when the firewall is disabled but fails when it is enabled, so I am pretty sure something should be written to the file.

    Any help or suggestions anyone can provide would be welcome.


    Kind regards Ian Galletly

    Tuesday, August 7, 2012 11:28 AM
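Once the firewall does write the file, the quickest way to confirm the test described above is to read the log for DROP entries toward the SQL port. The following PowerShell script is an added example, not part of Ian's post or of Microsoft's documentation: it parses the W3C-style header and entries that pfirewall.log uses and filters DROP records toward one destination port. The log path is the one from the GPO above; the port 1433 and the sample log lines embedded in the script are assumptions I constructed, used only when the real file is missing or empty. It sticks to PowerShell 2.0 syntax, which is what Server 2008 R2 ships with.

```powershell
# Added example (not from the thread): parse pfirewall.log and list DROP
# entries toward one destination port. Written for PowerShell 2.0 (Server 2008 R2).
param(
    [string]$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log",
    [string]$DstPort = '1433'   # assumed SQL Server port; not taken from the thread
)

function ConvertFrom-FirewallLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s+(.*)$') {
            # The header names the columns; entries follow in that order, space separated.
            $fields = $Matches[1] -split '\s+'
            continue
        }
        # Skip other header lines, blank lines, and anything before a #Fields header.
        if ($line -match '^#' -or [string]::IsNullOrEmpty($line.Trim()) -or -not $fields) { continue }
        $values = $line -split '\s+'
        $entry = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $entry[$fields[$i]] = $values[$i]
        }
        New-Object PSObject -Property $entry
    }
}

# Constructed sample lines in the format the firewall writes (log format 1.5);
# used only when the real log is missing or empty, which is the situation above.
$sample = @(
    '#Version: 1.5',
    '#Software: Microsoft Windows Firewall',
    '#Time Format: Local',
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2012-08-07 11:20:01 DROP TCP 10.0.0.25 10.0.0.10 49731 1433 52 S 1234567 0 8192 - - - RECEIVE',
    '2012-08-07 11:20:02 ALLOW TCP 10.0.0.10 10.0.0.25 1433 49731 52 A 0 0 0 - - - SEND',
    '2012-08-07 11:20:05 DROP ICMP 10.0.0.40 10.0.0.10 - - 60 - - - - 8 0 - RECEIVE'
)

$lines = if ((Test-Path $LogPath) -and (Get-Item $LogPath).Length -gt 0) {
    Get-Content $LogPath
} else {
    Write-Warning "$LogPath is missing or empty; using constructed sample lines"
    $sample
}

$entries = @(ConvertFrom-FirewallLog -Lines $lines)
# dst-port is '-' for ICMP, so compare as text rather than casting to int.
$drops = @($entries | Where-Object { $_.action -eq 'DROP' -and $_.'dst-port' -eq $DstPort })

"Total entries: $($entries.Count); DROP toward port ${DstPort}: $($drops.Count)"
# path is RECEIVE for inbound and SEND for outbound, which tells you which rule set to look at.
$drops | Format-Table date, time, protocol, 'src-ip', 'dst-ip', 'src-port', path -AutoSize
```

Run it elevated, or as any account with read access to the LogFiles\Firewall folder; an empty result with a non-empty file means the port in question is not being dropped, and the failing connection should be looked for elsewhere (the SEND/RECEIVE column narrows it to inbound or outbound rules).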

All replies

  • Hi,
     
    Thanks for your post.
     
    Generally, C:\Windows\System32\LogFiles\Firewall\firewall.log has the following permission settings:
     
    NT SERVICE\MpsSvc:(F)
    NT AUTHORITY\SYSTEM:(F)
    BUILTIN\Administrators:(F)
    BUILTIN\Network Configuration Operators:(F)
     
    Please make sure MpsSvc (Windows Firewall service) has Full Control on this file. In addition, you may also change the log file location to a custom folder; verify that MpsSvc has the right permission on the custom folder.
     
    For more detailed information, you may refer to the following KB article.
     
    When you configure a custom location for the Windows Firewall log file in Windows Vista, information may not be written to the log file (applies to Windows Server 2008 R2)
    http://support.microsoft.com/kb/929455
     
     
    Best Regards,
    Aiden

    Aiden Cao

    TechNet Community Support

    Wednesday, August 8, 2012 2:36 AM
    Moderator
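A way to check the permissions Aiden describes without the GUI, as an added example that is not Aiden's code or Microsoft's: the script below first confirms that the virtual service account NT SERVICE\MpsSvc resolves to a SID on the machine (the step the object picker performs), then reads the ACL on the log folder and on the file and reports whether that identity holds Full Control, and finally prints the icacls grants that would fix a missing entry. The path is the one from the question; the (OI)(CI) inheritance flags on the folder grant are my addition so that a newly created log file inherits the entry. Nothing is changed by the script itself.

```powershell
# Added example (not from the thread): verify that NT SERVICE\MpsSvc resolves
# and holds Full Control on the firewall log folder and file.
$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
$LogDir  = Split-Path $LogPath -Parent
$Identity = 'NT SERVICE\MpsSvc'

# NT SERVICE\MpsSvc is a virtual service account. Translating it to a SID is
# the same lookup the permissions dialog does, so a failure here explains a
# "Name Not Found" in the GUI.
$account = New-Object System.Security.Principal.NTAccount('NT SERVICE', 'MpsSvc')
try {
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    "$Identity resolves to $($sid.Value)"
} catch {
    Write-Warning "$Identity does not resolve on this machine: $($_.Exception.Message)"
}

function Test-FullControl {
    param([string]$Path, [string]$Identity)
    if (-not (Test-Path $Path)) { return $false }
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl = Get-Acl $Path
    foreach ($ace in $acl.Access) {
        # An Allow ACE for the identity whose rights include every FullControl bit.
        if ($ace.IdentityReference.Value -ieq $Identity -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $full) -eq $full)) {
            return $true
        }
    }
    return $false
}

foreach ($p in @($LogDir, $LogPath)) {
    $ok = Test-FullControl -Path $p -Identity $Identity
    "{0,-5} Full Control for {1} on {2}" -f $ok, $Identity, $p
}

# icacls resolves virtual service accounts from an elevated prompt, which is
# the command-line alternative to the object picker. Printed for review, not run.
"icacls `"$LogDir`" /grant `"${Identity}:(OI)(CI)(F)`""
"icacls `"$LogPath`" /grant `"${Identity}:(F)`""
```

If the SID translation fails, the ACL edit will fail too whichever tool is used, and the service-side checks later in the thread (service state, registry keys) are the next thing to look at rather than the permissions dialog.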
  • HI Aiden

    Thank you for your reply.

    Unfortunately Windows Server 2008 R2 is not recognising NT SERVICE\mpssvc or mpssvc as a valid object name against which to set permissions as per the instruction in the suggested knowledge base article.

    Can you suggest what I am doing wrong?


    Kind regards Ian Galletly

    Wednesday, August 8, 2012 7:39 AM
  • Ian,

    NT Service\mpssvc is a local service; while adding that object, make sure to select the Machine/Server name instead of Entire Directory from the Locations tab. Please see the screenshot below.

    

    HTH


    I do not represent the organisation I work for, all the opinions expressed here are my own.

    This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    - .... .- -. -.- ... --..-- ... .- -. - --- ... ....

    Wednesday, August 8, 2012 7:54 AM
    Moderator
  • Hi Santosh

    Thanks for your help.

    Unfortunately I tried exactly what you suggested, resulting in the "Name Not Found" dialog box being displayed as follows:

    CINGSRV is the Windows Server 2008 R2 that the Firewall is running on.


    Kind regards Ian Galletly

    Wednesday, August 8, 2012 8:27 AM
  • Try NT Service\mpssvc not just mpssvc. That should resolve the name to MpsSvc.

    I do not represent the organisation I work for, all the opinions expressed here are my own.

    This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    - .... .- -. -.- ... --..-- ... .- -. - --- ... ....

    Wednesday, August 8, 2012 8:31 AM
    Moderator
  • I tried both, unfortunately with the same result :(.


    Kind regards Ian Galletly

    Wednesday, August 8, 2012 8:33 AM


  • In the above screenshot, I see only Built-in security principals is selected in Object Types!

    You should have Users, Groups, or Built-in security principals in Object Types and then type NT Service\Mpssvc in the Object Name field to resolve the user.


    I do not represent the organisation I work for, all the opinions expressed here are my own.

    This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    - .... .- -. -.- ... --..-- ... .- -. - --- ... ....

    Wednesday, August 8, 2012 8:45 AM
    Moderator
  • Hi Santosh.

    I got excited for a moment there thinking you had spotted what I was doing wrong!

    Unfortunately, as you can see from the following image, it didn't work:

    I tried the above with CINGSRV and then as you can see "Entire Directory" and still I couldn't get mpssvc to be recognised.  I also tried it with the NT Service\ in front.

    Any last thoughts before I jump off the nearest high structure?


    Kind regards Ian Galletly

    Wednesday, August 8, 2012 8:56 AM
  • Sorry, I am clueless on this now!

    One last thought: try running sfc /scannow from an elevated cmd, reboot the server if feasible, and then try to add the mpssvc object.


    I do not represent the organisation I work for, all the opinions expressed here are my own.

    This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    - .... .- -. -.- ... --..-- ... .- -. - --- ... ....

    Wednesday, August 8, 2012 9:21 AM
    Moderator
  • Hi Santosh

    As you can see no problems were found.

    Searching the web, problems with setting the permissions on MpsSvc seem to be associated with people having trouble starting the Firewall; I came across one where you had contributed to trying to solve the problem :). I'm having trouble finding anyone who has found a clear solution.

    Can you suggest another forum where I may find someone who has a solution?

    Once again, thanks for your help in trying to work out why this isn't working.


    Kind regards Ian Galletly

    Wednesday, August 8, 2012 9:37 AM
  • Hi Ian,

    Can you suggest another forum where I may find someone who has a solution?

    Sorry, my search didn't give me any positive results in this regard. By the way, in my perception Technet forum is the best place ;-)

    Eureka! A few things came to my mind; let's try them and see if they help.

    Look for the registry keys HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc and HKLM\SYSTEM\CurrentControlSet\Services\mpsdrv on the server in question and make sure the following keys exist and the registry values are correct (please refer to the screenshots below). If they do not exist, try creating them manually.

    Try resetting the firewall by running below command from elevated cmd (Run as Admin)

    netsh advfirewall reset

    This command allows you to reset the firewall policy back to the default policy. Be careful here because as soon as you type the command and hit enter, it will reset the policy without asking if you are sure or not.

    If nothing works, as a last option try an in-place upgrade of the Operating System. An in-place upgrade will fix any unknown issues on the affected OS.

    How to Perform an In-Place Upgrade on Windows Vista, Windows 7, Windows Server 2008 & Windows Server 2008 R2

    http://support.microsoft.com/kb/2255099

    HTH


    I do not represent the organisation I work for, all the opinions expressed here are my own.

    This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    - .... .- -. -.- ... --..-- ... .- -. - --- ... ....

    Wednesday, August 8, 2012 10:09 AM
    Moderator
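The registry check and the reset above are easier to do safely from one script that takes backups first. The PowerShell below is an added example, not Santosh's code: it exports both service keys and the current firewall policy to a backup folder, then compares the values that decide whether the service can start (start type, service type, logon account, dependencies) against what a default install carries, and only runs netsh advfirewall reset when explicitly asked with the -ResetFirewall switch. The expected values are my recollection of a default Server 2008 R2 install and are an assumption to confirm against a known-good machine; the backup folder name is also mine. One point worth knowing when reading the DisplayName and Description values: a string of the form @<path to dll>,-<number> is a localized resource reference that Windows resolves at display time, not a corrupt value, so the script treats such a value as acceptable.

```powershell
# Added example (not from the thread): back up, compare, and optionally reset.
# Expected values are an assumption; verify against a known-good machine.
param([switch]$ResetFirewall)   # the reset runs only when this switch is given

$backupDir = Join-Path $env:SystemDrive 'FirewallBackup'   # assumed location
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Backups first: both service keys and the complete firewall policy.
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc' (Join-Path $backupDir 'MpsSvc.reg') /y | Out-Null
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\mpsdrv' (Join-Path $backupDir 'mpsdrv.reg') /y | Out-Null
& netsh.exe advfirewall export (Join-Path $backupDir 'policy.wfw') | Out-Null
"Backups written to $backupDir"

# Expected values (assumption, from memory of a default install).
$expected = @{
    'MpsSvc' = @{
        Start           = 2                             # automatic
        Type            = 0x20                          # shares a svchost process
        ObjectName      = 'NT Authority\LocalService'   # logon account
        DependOnService = @('mpsdrv', 'bfe')
    }
    'mpsdrv' = @{
        Type            = 1                             # kernel driver
    }
}

function Compare-ServiceKey {
    param([string]$Name, [hashtable]$Want)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) {
        New-Object PSObject -Property @{ Service = $Name; Value = '(key)'; Expected = 'present'; Actual = 'MISSING'; Match = $false }
        return
    }
    $props = Get-ItemProperty $key
    foreach ($v in $Want.Keys) {
        $actual = $props.$v
        $match = if ($Want[$v] -is [array]) {
            (@($actual) -join ',') -ieq ($Want[$v] -join ',')   # MULTI_SZ compared in order
        } else {
            $actual -eq $Want[$v]
        }
        New-Object PSObject -Property @{ Service = $Name; Value = $v; Expected = ($Want[$v] -join ','); Actual = (@($actual) -join ','); Match = $match }
    }
    # Display strings: either plain text or an @dll,-id resource reference are both fine.
    foreach ($v in 'DisplayName', 'Description') {
        $text = [string]$props.$v
        $ok = ($text -match '^@.+,-\d+$') -or ($text.Length -gt 0)
        New-Object PSObject -Property @{ Service = $Name; Value = $v; Expected = 'text or @dll,-id'; Actual = $text; Match = $ok }
    }
}

$report = foreach ($svc in $expected.Keys) { Compare-ServiceKey -Name $svc -Want $expected[$svc] }
$report | Format-Table Service, Value, Expected, Actual, Match -AutoSize

if ($ResetFirewall) {
    # Restores the default policy immediately and without prompting; the export
    # above is what you import to get the previous policy back.
    & netsh.exe advfirewall reset
    "Restore with: netsh advfirewall import `"$(Join-Path $backupDir 'policy.wfw')`""
}
```

Because the reset discards every rule created by installed software (as discussed further down the thread), keep the policy.wfw export until the server has been confirmed working; netsh advfirewall import restores it in one step.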
  • Hi Santosh

    Both keys exist, but the DisplayName for MpsSvc is similar to the Description entry except it ends with -23090, in a similar manner to the mpsdrv DisplayName and Description entries.

    Is it safe to/worth changing it to Windows Firewall?


    Kind regards Ian Galletly

    Wednesday, August 8, 2012 11:30 AM
  • Yes, you may change the registry key value; however, before doing any change please back up the registry keys, which will help in case something goes wrong.

    I do not represent the organisation I work for, all the opinions expressed here are my own.

    This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    - .... .- -. -.- ... --..-- ... .- -. - --- ... ....

    Wednesday, August 8, 2012 11:34 AM
    Moderator
  • Hi Santosh

    I backed up the entry, made the change and rebooted the server. I then checked that the firewall was still working, which it was :). Unfortunately it hasn't made any difference to the problem of the Firewall not writing to the log file :(.

    What is the impact of resetting the Firewall? Will it lose all the settings for software that has been installed on the server?


    Kind regards Ian Galletly

    Wednesday, August 8, 2012 11:58 AM
  • What is the impact of resetting the Firewall?  Will it loose all the settings for software that has been installed on the server?

    If any firewall policies are configured on the server, resetting the firewall would wipe those settings and you will have the default firewall policy. Installed software won't be affected or removed; however, if an application installed on that particular server depends on Windows Firewall, it might get impacted.


    I do not represent the organisation I work for, all the opinions expressed here are my own.

    This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    - .... .- -. -.- ... --..-- ... .- -. - --- ... ....

    Wednesday, August 8, 2012 12:12 PM
    Moderator
  • Hi,

    You can run the following command to query the Firewall services. Run cmd with administrator privilege.

    Sc query mpssvc

    In addition, try the below steps to troubleshoot this issue.

    Verify Log On permissions

    Verify registry permissions

    Verify privilege permissions

    Verify Service Dependencies

    Reset the default security permissions

    Verify that the TxR folder exists: %systemroot%\system32\config\TxR

    Verify the following registry keys by comparing them to a default Windows installation:

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ShareAccess

    For more detailed information, please refer to the following article.

    The Windows Firewall Service Fails to start – Introduction

    http://blogs.technet.com/b/networking/archive/2011/06/08/the-windows-firewall-service-fails-to-start-introduction.aspx

    Best Regards,

    Aiden


    Aiden Cao

    TechNet Community Support

    Thursday, August 9, 2012 3:21 AM
    Moderator
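The checks in Aiden's list can be run as one read-only script. The PowerShell below is an added example, not Aiden's code or the linked blog's: it reports the state of BFE, MpsSvc and the mpsdrv driver (what sc query shows, used here because Get-Service does not list kernel drivers), the start type, logon account, binary path and dependencies of MpsSvc (sc qc), whether the TxR folder exists, and whether the three registry keys from the post are present together with the owner of each key's DACL, which is the quickest sign of a key whose permissions have been altered. What counts as healthy is a comparison against a known-good machine; the script changes nothing.

```powershell
# Added example (not from the thread): read-only health check of the
# firewall service, its dependencies, the TxR folder, and the service keys.

# Service / driver state via sc query, which covers kernel drivers such as mpsdrv.
foreach ($name in 'BFE', 'MpsSvc', 'mpsdrv') {
    $out = & sc.exe query $name 2>&1
    # The STATE line reads like "STATE : 4  RUNNING"; keep only the word.
    $state = ($out | Where-Object { $_ -match '^\s*STATE\s*:' }) -replace '^\s*STATE\s*:\s*\d+\s*', ''
    if (-not $state) { $state = 'NOT FOUND: ' + (($out | Select-Object -First 1) -join '') }
    "{0,-8} {1}" -f $name, ([string]$state).Trim()
}

# Configuration of MpsSvc: start type, binary path, logon account, dependencies.
"--- sc qc MpsSvc ---"
& sc.exe qc MpsSvc | Where-Object { $_ -match 'START_TYPE|BINARY_PATH_NAME|SERVICE_START_NAME|DEPENDENCIES' }

# The registry transaction folder the service relies on.
$txr = Join-Path $env:SystemRoot 'System32\config\TxR'
$txrState = if (Test-Path $txr) { 'OK' } else { 'MISSING' }
"{0,-8} TxR folder: {1}" -f $txrState, $txr

# Presence and owner of the three service keys named in the post.
"--- service keys ---"
foreach ($name in 'BFE', 'MpsSvc', 'ShareAccess') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (Test-Path $key) {
        $acl = Get-Acl $key
        # SYSTEM should appear with an Allow entry on a default key.
        $systemAllow = @($acl.Access | Where-Object {
            $_.IdentityReference.Value -ieq 'NT AUTHORITY\SYSTEM' -and $_.AccessControlType -eq 'Allow'
        }).Count -gt 0
        "{0,-12} present  owner={1,-25} SYSTEM allow={2}" -f $name, $acl.Owner, $systemAllow
    } else {
        "{0,-12} MISSING  {1}" -f $name, $key
    }
}
```

Run it from an elevated prompt so that sc qc and Get-Acl on the service keys succeed; an owner other than SYSTEM or TrustedInstaller, or a key without a SYSTEM Allow entry, is what the "Verify registry permissions" and "Reset the default security permissions" steps in the post are aimed at.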
  • Hi Aiden

    Thanks for your reply.

    I've followed through the steps checking the things outlined in the above Networking Blog and found nothing. Can I just remind you that I don't have a problem with the firewall starting which is the core of that blog but only with the logging. I have worked through the above, checking each part as well as I can, but much of it is obviously redundant to my problem. Unfortunately I have been unable to find the proposed future blog entries referred to in the blog.

    Do you have any suggestions as to why I have been unable to set permissions on MpsSvc? The fact that the permissions interface couldn't find the service seems very odd.


    Kind regards Ian Galletly

    Thursday, August 9, 2012 9:45 AM
  • I thought I had the same issue. Turns out I did not pay attention to the basic changes from previous OSes.

    Windows Firewall with Advanced Security window

    Windows Firewall with Advanced Security on Local Computer selected

    Click -> Windows Firewall Properties

    Select Customize logging --- NOTE that the default for both dropped and successful is OFF; change as desired

    This fixed my issue

    DH

    Wednesday, November 7, 2012 3:44 PM
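DH's fix is a per-profile setting, and the same settings can be read and changed from the command line with netsh advfirewall, which is available on Server 2008 R2. The PowerShell below is an added example, not DH's or Microsoft's code: it shows which profile is currently active, lists the logging settings of all three profiles, and, only when run with the -Enable switch (my addition, off by default), turns on logging of dropped and allowed connections with the file path and size from the question's GPO. Where a Group Policy object manages these values, the policy wins over the local setting, so the GPO is the place to change them on a domain controller.

```powershell
# Added example (not from the thread): inspect and, on request, enable
# Windows Firewall logging for every profile with netsh advfirewall.
param([switch]$Enable)

$logPath = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'   # path from the question's GPO
$maxKb   = 4096                                                       # size from the question's GPO

# The active profile (Domain, Private or Public) decides which profile's
# logging settings are in effect right now.
"--- current profile ---"
& netsh.exe advfirewall monitor show currentprofile

# Each profile's block carries LogAllowedConnections, LogDroppedConnections,
# FileName and MaxFileSize; both Log* values are Disable on a fresh install.
"--- logging settings per profile ---"
& netsh.exe advfirewall show allprofiles |
    Where-Object { $_ -match 'Profile Settings|LogAllowedConnections|LogDroppedConnections|FileName|MaxFileSize' }

if ($Enable) {
    # Set path and size before switching logging on so the first entries land in the intended file.
    & netsh.exe advfirewall set allprofiles logging filename $logPath
    & netsh.exe advfirewall set allprofiles logging maxfilesize $maxKb
    & netsh.exe advfirewall set allprofiles logging droppedconnections enable
    & netsh.exe advfirewall set allprofiles logging allowedconnections enable

    # Re-read to confirm the change took effect.
    "--- after change ---"
    & netsh.exe advfirewall show allprofiles | Where-Object { $_ -match 'Log(Allowed|Dropped)Connections' }
}
```

The %systemroot% token is passed through to netsh as literal text on purpose; that is the form the firewall stores and expands itself, which is why the question's GPO path uses it too. Run from an elevated prompt; without -Enable the script only reports.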