Windows Firewall - Not Using Recommended Settings

    Question

  • Hi,

     

    We have been having an intermittent problem on our domain with the Windows Firewall status being "Windows Firewall is not using the recommended settings" and blocking incoming RDP / AV deployment etc...

    The solution we have is changing the permissions on the following registry key to add "%COMPUTERNAME% NT SERVICE\MpsSvc" with Full Permissions

    "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch"

    As soon as the permission for MpsSvc has been set clicking "Use recommended settings" works, and the firewall no longer blocks everything.

    Is there a solution for this? As it is becoming quite tedious to rectify this problem.

    Regards,

    Simon

    Friday, May 14, 2010 9:10 AM

Answers

  • Hi Simon,

     

    I’m so sorry for the late reply. Since the issue is relevant to the domain environment, I will get some help from the Windows Server team to troubleshoot this kind of issue.

     

    Based on my research, the reason why Windows Firewall blocks the incoming RDP is that the NT Service\MpsSvc account doesn’t have the necessary permissions for the related registry keys. To configure permissions, there are several methods you may want to try:

     

    1.       In a domain environment, you could configure the Registry policy and delegate appropriate permission. To do it, go to Computer Configuration/Windows Settings/Security Settings/Registry, click Add Key, in Select Registry Key, click the key that you want to change, and then click OK.

    2.       On a local machine, you need to add the permissions for the account on the related registry keys. Please visit the following KB for reference:

    Some services do not start in Windows Vista

     

    Meanwhile, you could use the SubInACL tool to obtain the security information about the registry keys or services.

     

    1.     Download the Windows Resource Kits and install them.

    2.     Open a Command Prompt and navigate to Windows Resource Kits installation path.

    3.     Type the following command to change the ownership of the registry key and all subkeys under it:

     

    Subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch /setowner=[user]

     

    4.     Type the following command to grant or change permissions:

     

    Subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch /grant=[user]=[Access]

     

    Best Regards

    Dale Qiao
    TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com

     

     

    • Marked as answer by Simon Roberts Thursday, July 01, 2010 1:20 PM
    Wednesday, June 23, 2010 3:04 AM
    Moderator
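The repair described in the answer above, as an added PowerShell example that is not part of the original thread and is not a Microsoft tool: it checks whether NT SERVICE\MpsSvc holds Full Control on the SharedAccess\Epoch key and grants it only if that ACE is missing, so it can run unattended (for instance as a Group Policy computer startup script) instead of being repeated by hand on each affected machine. NT SERVICE\MpsSvc is a virtual service account whose SID is derived from the service name rather than from the machine, so the same SID is valid on every computer (compare the output of `sc showsid MpsSvc`). The function names, the SID fallback computation and the opt-in service restart are this example's own assumptions, not something the thread states.

```powershell
# Added example, not from the original thread or from any Microsoft tool.
# Ensures NT SERVICE\MpsSvc (the Windows Firewall service account) has Full Control on
# HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch. Run elevated, e.g. as a
# Group Policy computer startup script.
param(
    # Assumption: restarting MpsSvc makes it re-read the repaired key. In the thread the
    # fix was completed by clicking "Use recommended settings"; the restart is opt-in here.
    [switch]$RestartFirewall
)

$KeyPath = 'SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch'

# NT SERVICE\<name> is a virtual account. Its SID is S-1-5-80-<five little-endian DWORDs of
# the SHA-1 of the upper-cased UTF-16LE service name>, so it is the same on every machine
# (compare: sc showsid MpsSvc). Resolve it by name; if that fails, compute it the same way.
function Get-ServiceSid {
    param([string]$ServiceName)
    try {
        $acct = New-Object System.Security.Principal.NTAccount('NT SERVICE', $ServiceName)
        return [System.Security.Principal.SecurityIdentifier]$acct.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        $bytes = [System.Text.Encoding]::Unicode.GetBytes($ServiceName.ToUpperInvariant())
        $hash  = [System.Security.Cryptography.SHA1]::Create().ComputeHash($bytes)
        $subs  = for ($i = 0; $i -lt 20; $i += 4) { [BitConverter]::ToUInt32($hash, $i) }
        $sidString = 'S-1-5-80-' + ($subs -join '-')
        return New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $sidString
    }
}

# True when an Allow ACE (explicit or inherited) grants FullControl to the given SID.
function Test-KeyFullControl {
    param([string]$Path, [System.Security.Principal.SecurityIdentifier]$Sid)
    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    $acl  = Get-Acl -Path "HKLM:\$Path"
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.IdentityReference.Value -eq $Sid.Value -and
            $ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            (($ace.RegistryRights -band $full) -eq $full)) {
            return $true
        }
    }
    return $false
}

# Adds a FullControl ACE for the SID without removing existing ACEs or changing the owner.
# The key is opened with only ReadPermissions|ChangePermissions so this works even when the
# caller does not own the key (Set-Acl also tries to write the owner and can fail there).
function Grant-KeyFullControl {
    param([string]$Path, [System.Security.Principal.SecurityIdentifier]$Sid)
    $rights = [System.Security.AccessControl.RegistryRights]::ReadPermissions -bor [System.Security.AccessControl.RegistryRights]::ChangePermissions
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($Path,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $rights)
    if (-not $key) { throw "HKLM\$Path not found" }
    try {
        $acl  = $key.GetAccessControl()
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $Sid,
            [System.Security.AccessControl.RegistryRights]::FullControl,
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
        $key.SetAccessControl($acl)
    } finally {
        $key.Close()
    }
}

$sid = Get-ServiceSid -ServiceName 'MpsSvc'
if (Test-KeyFullControl -Path $KeyPath -Sid $sid) {
    Write-Output "OK: NT SERVICE\MpsSvc ($($sid.Value)) already has Full Control on HKLM\$KeyPath"
} else {
    Write-Output "Repairing: granting Full Control on HKLM\$KeyPath to NT SERVICE\MpsSvc ($($sid.Value))"
    Grant-KeyFullControl -Path $KeyPath -Sid $sid
    if ($RestartFirewall) { Restart-Service -Name MpsSvc -Force }
}
```

Because the script only adds the one ACE the thread identifies as missing and leaves the rest of the DACL and the owner untouched, it is safe to run repeatedly; on a machine that is already correct it changes nothing and just reports OK, which is what you want from a startup script deployed to every domain member.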
  • I'm not sure I can apply a local computer account via Group Policy, as it is effectively "%COMPUTERNAME%\NT Service\MpsSvc".

    I will give this a go in the morning when I return to work.

    Many thanks,

    Simon Roberts

    • Marked as answer by Simon Roberts Wednesday, July 13, 2011 3:20 PM
    Thursday, June 24, 2010 5:30 PM

All replies

  • Hi,

     

    Thanks for posting in Microsoft TechNet forum.

     

    Did you happen to install any third-party firewall? Make sure that Windows Firewall and Windows Security Center are both configured correctly. Please visit the following KB for reference:

     

    Description of the relationship between Windows Firewall and Windows Security Center in Windows Vista

     

    BTW, you can use the following command to get the exact status of Windows Firewall:

     

    netsh firewall show state

     

    Best Regards

    Dale Qiao
    TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com

     

    Monday, May 17, 2010 1:37 AM
    Moderator
  • Dale,

    We do not have any third party firewalls installed on the network, we configure the Windows Firewall via Group Policy.

    If I can get another machine with this problem into my office by the end of the week (identified one today) I will be sure to post what the state message says.

    Any suggestions apart from third party firewall?

    Simon

    Tuesday, May 18, 2010 2:45 PM
  • "The RPC Server is Unavailable" is what returns from netsh firewall show state

    I am going to re-add MpsSvc to the Epoch key and see if I can get a state then.

    Simon

    Thursday, May 20, 2010 8:50 AM
  • Ok, I added the "NT SERVICE\MpsSvc" permissions back to the Epoch key and still had "The RPC Server is Unavailable".

    Once I clicked "Use recommended settings" in the firewall control panel it gave me the working status.

    Simon

    Thursday, May 20, 2010 8:59 AM
  • Dale,

    I unmarked my post as the question was how I can automate this process / prevent it from recurring, as it has affected 15+ of our machines over the past 3 months.

    This issue recurs and it is impractical to manually add the MpsSvc account to the registry key entry each time.

    This is a local machine account so I don't think I can use GP Preferences to modify the permissions on the key.

    Regards,

    Simon

    Friday, May 21, 2010 10:32 AM
  • Still awaiting a response on this...

    Simon

    Wednesday, June 02, 2010 3:59 PM
  • Guessing Technet Subscriber Support only applies to first response?

    Could really do with solving this issue,

    Simon

    Tuesday, June 08, 2010 8:06 AM
  • Am I going to have to open another request just to get a response?

    Simon

    Friday, June 18, 2010 3:23 PM
  • Did you get a response to this, Simon, as I have the same problem with a server?
    ICT Infrastructure Engineer/Chief Cook and Bottle Washer
    Monday, June 21, 2010 10:58 PM
  • Nope, nothing at all. Looks like I might have to open another request. If I do I will post the link to the new thread in here.

    Simon

    Tuesday, June 22, 2010 1:29 PM
  • [Quoting Dale Qiao's reply above]

    Based on my research, the reason why Windows Firewall blocks the incoming RDP is that the NT Service\MpsSvc account doesn’t have the necessary permissions for the related registry keys. To configure permissions, there are several methods you may want to try:

    1.       In a domain environment, you could configure the Registry policy and delegate appropriate permission. To do it, go to Computer Configuration/Windows Settings/Security Settings/Registry, click Add Key, in Select Registry Key, click the key that you want to change, and then click OK.

    2.       On a local machine, you need to add the permissions for the account on the related registry keys. Please visit the following KB for reference:

    Some services do not start in Windows Vista

    Dale,

    This solution allowed me to add the MPSSVC account to the key in the registry; hopefully the firewall will automatically update its settings without any issues and this problem will not happen again.

    Many thanks,

    Simon

    • Marked as answer by Simon Roberts Wednesday, July 13, 2011 3:19 PM
    • Unmarked as answer by Simon Roberts Wednesday, July 13, 2011 3:20 PM
    Thursday, July 01, 2010 1:21 PM
  • I have the Windows 7 OS installed on my system. Since the third-party firewall 'Zone Alarm' was installed on my system, I have been getting the notification 'Windows firewall is not using the recommended settings' each time the system is started. If I click on the icon then it turns green. But I need to do it each time the system starts. How do I solve this issue?
    Tuesday, March 13, 2012 2:58 PM