firewall alerts even with advanced rules applied


  1. Posts : 14
    Windows 10 Pro
       #1

    firewall alerts even with advanced rules applied


    I use Windows Firewall with advanced rules applied (such as Remote Desktop and FTP server ports, etc.). I am getting daily notifications that my firewall "is in an unsafe configuration and is being managed by your system administrator", but when I open WF with Advanced Security it says it is on for all 3 profiles (domain, public, private).

    I suspect that the following is my problem, but don't know how to change it: Advanced settings for all 3 profiles say "Inbound connections that do not match a rule are allowed". Same for Outbound.

    How can I fix this?


  2. Posts : 487
       #2

    The default settings are:
    Inbound connections that do not match a rule are blocked
    Outbound connections that do not match a rule are allowed

    You have it set to the following:
    Inbound connections that do not match a rule are allowed

    Therefore:
    Go to Control Panel > Windows Firewall > Advanced Settings > Windows Firewall Properties, and change Inbound Connections from 'Allow' to 'Block (Default)' for all three profiles (Domain Profile, Private Profile, Public Profile).



    Alternatively, paste the following into an elevated Command Prompt and press Enter:
    Code:
    netsh advfirewall set allprofiles state on
    netsh advfirewall set domainprofile firewallpolicy blockinbound,allowoutbound
    netsh advfirewall set privateprofile firewallpolicy blockinbound,allowoutbound
    netsh advfirewall set publicprofile firewallpolicy blockinbound,allowoutbound
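The same fix as the netsh commands in the post above, as an added example that is not part of the original thread: it uses the built-in NetSecurity cmdlets so that the before/after state is shown and verified rather than assumed, and then lists the inbound Allow rules that remain the only way in once the default action is Block. It assumes an elevated PowerShell on Windows 10; the rule names and ports it prints are whatever the machine actually has.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell.
# Requires the NetSecurity module that ships with Windows 10.

function Show-FirewallDefaults {
    # ActiveStore = the effective settings (local policy merged with any GPO).
    Get-NetFirewallProfile -PolicyStore ActiveStore |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
}

'Before:'
Show-FirewallDefaults | Format-Table -AutoSize

# Turn the firewall on and restore the default actions on all three profiles
# (equivalent to the four netsh commands in the post).
Set-NetFirewallProfile -All -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

'After:'
Show-FirewallDefaults | Format-Table -AutoSize

# Fail loudly if any profile still accepts unsolicited inbound traffic. If the
# local change does not stick, the setting is being enforced by Group Policy
# (the "managed by your system administrator" notice) and must be changed there.
$open = Get-NetFirewallProfile -PolicyStore ActiveStore |
    Where-Object { "$($_.Enabled)" -ne 'True' -or "$($_.DefaultInboundAction)" -ne 'Block' }
if ($open) {
    throw "Profiles still not locked down: $($open.Name -join ', ')"
}

# With inbound now default-deny, the enabled inbound Allow rules are the whole
# attack surface. List them with their ports so the RDP/FTP/web exceptions the
# thread mentions can be reviewed one by one.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Profile   = $_.Profile
            Protocol  = $port.Protocol
            LocalPort = ($port.LocalPort -join ',')
        }
    } | Sort-Object Rule | Format-Table -AutoSize
```

Any rule in that final listing with `LocalPort = Any` and `Protocol = Any` is a program-wide or all-ports exception and deserves a second look; the point of default-deny is lost if one such rule covers everything.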


  3. Posts : 14
    Windows 10 Pro
    Thread Starter
       #3

    ARC1020 said:
    The default settings are:
    Inbound connections that do not match a rule are blocked
    Outbound connections that do not match a rule are allowed

    You have it set to the following:
    Inbound connections that do not match a rule are allowed

    Therefore:
    Go to Control Panel > Windows Firewall > Advanced Settings > Windows Firewall Properties, and change Inbound Connections from 'Allow' to 'Block (Default)' for all three profiles (Domain Profile, Private Profile, Public Profile).

    Alternatively, paste the following into an elevated Command Prompt and press Enter:
    Code:
    netsh advfirewall set allprofiles state on
    netsh advfirewall set domainprofile firewallpolicy blockinbound,allowoutbound
    netsh advfirewall set privateprofile firewallpolicy blockinbound,allowoutbound
    netsh advfirewall set publicprofile firewallpolicy blockinbound,allowoutbound

    I had to make the changes using group security. RDC, HTTPD and MySQL worked, but FTP did not. FTP had ports 20-22 allowed, and my users are using "FTP over TLS (if available)"; they get logged in but cannot get a directory listing (FileZilla code 425). Any ideas what I missed?


  4. Posts : 487
       #4

    I don't know, it's been a really long time since I've used FTP and even then I didn't use it much, so I can't help you. From memory, there are two types of FTP, passive and active. One of them (passive, I think) doesn't just use ports 20 and 21, but assigns a different port number for the data transfer. Maybe that is what's being blocked? Alternatively, maybe the router or ISP is blocking the connection?

    However, if you think the problem is due to Windows Firewall (and Windows Firewall isn't asking you whether to allow an incoming connection or not), then you need to see exactly what is being blocked so that you can then add/modify your rules accordingly. Windows doesn't make that particularly user-friendly, but this is how you enable logging:

    Go to Group Policy Editor and enable logging of blocked connections:

    Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access > Audit Filtering Platform Connection > Tick 'Failure'



    Then go to Event Viewer and set it up to view those blocked connections:

    Event Viewer > Custom Views > Right-click > Create Custom View > XML tab > Tick 'Edit Query Manually'


    Paste the following:

    Windows Firewall Blocked Inbound (All):
    Code:
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=5150 or EventID=5157)]]
          and *[EventData[Data[@Name="Direction"]="%%14592"]]</Select>
      </Query>
    </QueryList>

    Then repeat the above steps for Outbound connections too.

    Windows Firewall Blocked Outbound (All):
    Code:
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=5150 or EventID=5157)]]
          and *[EventData[Data[@Name="Direction"]="%%14593"]]</Select>
      </Query>
    </QueryList>

    This will show you everything that's being blocked by Windows Firewall, so you will need to sort through the entries to find the ones that could be related to your FTP problem and add/modify rules accordingly. 'Protocol' numbers shown in the logs are documented at THIS LINK (TCP = 6, UDP = 17)

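The logging procedure above, scripted as an added example that is not part of the original post: it turns on failure auditing for the Filtering Platform Connection subcategory from the command line (the same switch the post ticks in the Group Policy editor), runs the post's XPath query through Get-WinEvent, and decodes each blocked event into the fields you need to write a rule. It assumes an elevated PowerShell, an English-language system (auditpol subcategory names are localized), and that nothing about the event field names has been changed from the standard 5150/5157 schema; the `-Direction` and `-MaxEvents` parameters are this script's own.

```powershell
# Added example (not from the original post). Run elevated on Windows 10.
param(
    [ValidateSet('Inbound', 'Outbound')] [string]$Direction = 'Inbound',
    [int]$MaxEvents = 50
)

# 1. Enable failure auditing for "Filtering Platform Connection" (English name;
#    on a non-English system use: auditpol /list /subcategory:* to find yours).
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null

# 2. Build the same XPath filter the post pastes into Event Viewer.
#    %%14592 = Inbound, %%14593 = Outbound (values used by the Security log).
$dirCode = if ($Direction -eq 'Inbound') { '%%14592' } else { '%%14593' }
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=5150 or EventID=5157)]]
      and *[EventData[Data[@Name="Direction"]="$dirCode"]]</Select>
  </Query>
</QueryList>
"@

# IANA protocol numbers that show up in practice (the post notes TCP=6, UDP=17).
$protoNames = @{ 1 = 'ICMP'; 6 = 'TCP'; 17 = 'UDP'; 58 = 'ICMPv6' }

# 3. Pull the events and flatten the EventData block into one row per drop.
$events = Get-WinEvent -FilterXml $query -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
if (-not $events) {
    "No blocked $Direction connections logged yet; reproduce the failure and rerun."
    return
}

$events | ForEach-Object {
    $xml = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $p = 0; [void][int]::TryParse($d['Protocol'], [ref]$p)
    [pscustomobject]@{
        Time     = $_.TimeCreated
        EventId  = $_.Id
        Process  = $d['Application']
        Source   = "$($d['SourceAddress']):$($d['SourcePort'])"
        Dest     = "$($d['DestAddress']):$($d['DestPort'])"
        Protocol = if ($protoNames.ContainsKey($p)) { $protoNames[$p] } else { $d['Protocol'] }
        FilterId = $d['FilterRTID']   # resolvable with: netsh wfp show filters
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

Expect noise in the output: multicast discovery to 239.255.255.250:1900/UDP is SSDP, and broadcast traffic from other hosts on the LAN will appear too. For the FTP problem, look only at rows whose Process is the FTP server executable, or whose Dest port is 21 or in the server's passive data range; the FilterId column tells you which firewall filter made the decision.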


  5. Posts : 14
    Windows 10 Pro
    Thread Starter
       #5

    I trapped a blocked request (from my own PC), and here is the relevant event data:
    SourceAddress  192.168.10.100
    SourcePort     4414
    DestAddress    239.255.255.250
    DestPort       1900
    Protocol       17


    I tried to allow port 1900 in WF and my router, but no go. Then I found the info below which completed the solution. Thanks VERY much for your tips on setting up the firewall rules and tracking the events.
    If you are having problems with setting up FileZilla Server to run behind Windows Firewall (specifically, it fails on "List" and the client receives a "Failed to receive directory listing" error), you must add the FileZilla Server application to Windows Firewall's Exceptions list. To do this, follow these steps:

    1. Open Windows Firewall under Control Panel.
    2. If using Vista, click "Change Settings"
    3. Select the "Exceptions" tab.
    4. Click "Add program..."
    5. Do NOT select "FileZilla Server Interface" from the list, instead click on "Browse..."
    6. Locate the directory you installed FileZilla Server to (normally "C:\Program Files\FileZilla Server")
    7. Double click or select "FileZilla server.exe" and press open (Once again, NOT "FileZilla Server Interface.exe")
    8. Select "FileZilla server.exe" from the list and click "Ok"
    9. Verify that "FileZilla server.exe" is added to the exceptions list and that it has a check mark in the box next to it
    10. Press "Ok" to close the window
    11. Open a command prompt with administrative rights and execute the following command: netsh advfirewall set global StatefulFTP disable

    Passive mode should now work. If you are still having problems connecting (from another computer or outside the network), check your router settings or try to add the port number in the Windows Firewall settings located in the Exceptions tab.
    See the Microsoft KB article 931130 about running FileZilla with the "Routing and Remote Access" or the "Application Layer Gateway" service enabled. http://support.microsoft.com/kb/931130
    Last edited by DocDJ; 02 Nov 2016 at 12:56. Reason: add more info
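The FileZilla Server steps from the post, as an added example that is not part of the original thread: it creates the program exception the post describes (for "FileZilla server.exe", not the Interface program) with New-NetFirewallRule, adds an explicit rule for the passive data ports, runs the post's `netsh advfirewall set global StatefulFTP disable`, and then verifies both. The install path is the one the post names; the passive port range 50000-50100 and the rule display names are assumptions for illustration and must match what is configured in FileZilla Server's passive-mode settings.

```powershell
# Added example (not from the original post). Run elevated on Windows 10.
$server       = 'C:\Program Files\FileZilla Server\FileZilla server.exe'   # path from the post
$passiveRange = '50000-50100'   # ASSUMED: must equal the passive port range set in FileZilla Server
$profiles     = 'Domain', 'Private'   # ASSUMED: do not expose the server on Public networks

if (-not (Test-Path -LiteralPath $server)) {
    throw "FileZilla server.exe not found at '$server'; adjust the path."
}

function Ensure-Rule {
    # Create the rule only if a rule with that display name does not already exist,
    # so the script can be rerun without piling up duplicates.
    param([string]$Name, [hashtable]$Params)
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) {
        "Rule already present: $Name"
        return
    }
    New-NetFirewallRule -DisplayName $Name -Direction Inbound -Action Allow `
        -Profile $profiles @Params | Out-Null
    "Created rule: $Name"
}

# 1. Program rule (step 5-9 of the post): admits whatever this executable listens on,
#    which covers port 21 and the passive data ports it opens per transfer.
Ensure-Rule -Name 'FileZilla Server (program)' -Params @{ Program = $server }

# 2. Explicit passive-range rule, tied to the same program so the ports are not
#    open for any other process that happens to bind them.
Ensure-Rule -Name 'FileZilla Server (passive data)' -Params @{
    Program = $server; Protocol = 'TCP'; LocalPort = $passiveRange
}

# 3. Step 11 of the post. The stateful FTP filter watches the cleartext control
#    channel for PORT/PASV to open data ports on the fly; with FTP over TLS the
#    control channel is encrypted, so the filter cannot do that and must be off.
netsh advfirewall set global StatefulFTP disable | Out-Null

# 4. Verify.
netsh advfirewall show global | Select-String -Pattern 'StatefulFtp'
Get-NetFirewallRule -DisplayName 'FileZilla Server*' |
    Select-Object DisplayName, Enabled, Direction, Action, Profile |
    Format-Table -AutoSize
```

If clients outside the LAN still fail on the listing, the same passive range also has to be forwarded on the router, and the server's external address must be set in FileZilla Server's passive-mode settings so the PASV reply carries a reachable IP.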

