1. Joined : Nov 2015
    Posts : 6
    Windows 10 Pro
       01 Nov 2016 #1

    firewall alerts even with advanced rules applied


    I use Windows Firewall with advanced rules applied (such as remote desktop & FTP server ports, etc.). I am getting daily notifications that my firewall "is in an unsafe configuration and is being managed by your system administrator", but when I open WF with Advanced Security it says it is on for all 3 profiles (domain, public, private).

    I suspect that the following is my problem, but don't know how to change it: Advanced settings for all 3 profiles say "Inbound connections that do not match a rule are allowed". Same for Outbound.

    How can I fix this?

  2.    01 Nov 2016 #2

    The default settings are:
    Inbound connections that do not match a rule are blocked
    Outbound connections that do not match a rule are allowed

    You have it set to the following:
    Inbound connections that do not match a rule are allowed

    Therefore:
    Go to Control Panel > Windows Firewall > Advanced Settings > Windows Firewall Properties, and change Inbound Connections from 'Allow' to 'Block (Default)' for all three profiles (Domain Profile, Private Profile, Public Profile).



    Alternatively, paste the following into Command Prompt and press enter:
    Code:
    netsh advfirewall set allprofiles state on
    netsh advfirewall set domainprofile firewallpolicy blockinbound,allowoutbound
    netsh advfirewall set privateprofile firewallpolicy blockinbound,allowoutbound
    netsh advfirewall set publicprofile firewallpolicy blockinbound,allowoutbound
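    The same check and fix in PowerShell, as an added example that is not part of this thread: it reads the effective default action of each profile (including a value pushed by Group Policy, which is what the "managed by your system administrator" message points at) and resets it to the defaults listed above. The function names are my own; the cmdlets are the built-in NetSecurity module on Windows 8/10 and later.

```powershell
# Added example, not part of the thread: check the effective default action of each
# Windows Firewall profile and, if needed, put it back to the defaults ARC1020 lists
# (inbound blocked, outbound allowed). Needs an elevated PowerShell on Windows 8/10
# or later, where the NetSecurity cmdlets do the same job as the netsh lines above.

function Test-FirewallProfileDefaults {
    # ActiveStore shows the setting that is actually in force, so a value applied by
    # Group Policy is reported even when the local (persistent) store says otherwise.
    Get-NetFirewallProfile -PolicyStore ActiveStore | ForEach-Object {
        $enabled  = "$($_.Enabled)"
        $inbound  = "$($_.DefaultInboundAction)"
        $outbound = "$($_.DefaultOutboundAction)"
        [pscustomobject]@{
            Profile   = $_.Name
            Enabled   = $enabled
            Inbound   = $inbound
            Outbound  = $outbound
            # NotConfigured means the built-in default applies, which is Block for
            # inbound and Allow for outbound, so it counts as compliant.
            Compliant = ($enabled -eq 'True') -and
                        ($inbound -in 'Block', 'NotConfigured') -and
                        ($outbound -in 'Allow', 'NotConfigured')
        }
    }
}

function Repair-FirewallProfileDefaults {
    # Same change as the Windows Firewall Properties dialog and the netsh lines above,
    # applied to all three profiles at once.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow
}

$before = Test-FirewallProfileDefaults
$before | Format-Table -AutoSize
if ($before | Where-Object { -not $_.Compliant }) {
    Repair-FirewallProfileDefaults
    Test-FirewallProfileDefaults | Format-Table -AutoSize
}
```

    If a profile still reports Inbound = Allow after the repair, the value is coming from a Group Policy object rather than the local store, and it has to be changed there (as the original poster found out in post #3); writing to the local store only gets overwritten at the next policy refresh.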


  3. Joined : Nov 2015
    Posts : 6
    Windows 10 Pro
       01 Nov 2016 #3

    ARC1020 said:
    The default settings are:
    Inbound connections that do not match a rule are blocked
    Outbound connections that do not match a rule are allowed

    You have it set to the following:
    Inbound connections that do not match a rule are allowed

    Therefore:
    Go to Control Panel > Windows Firewall > Advanced Settings > Windows Firewall Properties, and change Inbound Connections from 'Allow' to 'Block (Default)' for all three profiles (Domain Profile, Private Profile, Public Profile).

    Alternatively, paste the following into Command Prompt and press enter:
    Code:
    netsh advfirewall set allprofiles state on
    netsh advfirewall set domainprofile firewallpolicy blockinbound,allowoutbound
    netsh advfirewall set privateprofile firewallpolicy blockinbound,allowoutbound
    netsh advfirewall set publicprofile firewallpolicy blockinbound,allowoutbound
    I had to make the changes using group security. RDC, HTTPD and MySQL worked, but FTP did not. FTP had ports 20-22 allowed and my users are using "FTP over TLS (if available)" and they get logged in, but cannot get a directory (filezilla code 425). Any ideas what I missed?

  4.    02 Nov 2016 #4

    I don't know, it's been a really long time since I've used FTP and even then didn't use it much, so I can't help you. From memory there are two types of FTP, Passive and Active. One of them (Passive I think) doesn't just use Ports 20 and 21, but assigns a different Port number for the data transfer. Maybe that is what's being blocked? Alternatively, maybe the router or ISP is blocking the connection?

    However, if you think the problem is due to Windows Firewall (and Windows Firewall isn't asking you whether to allow an incoming connection or not), then you need to see exactly what is being blocked so that you can then add/modify your rules accordingly. Windows doesn't make that particularly user-friendly, but this is how you enable logging:

    Go to Group Policy Editor and enable logging of blocked connections:

    Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access > Audit Filtering Platform Connection > Tick 'Failure'



    Then go to Event Viewer and set it up to view those blocked connections:

    Event Viewer > Custom Views > Right-click > Create Custom View > XML tab > Tick 'Edit Query Manually'


    Paste the following:

    Windows Firewall Blocked Inbound (All):
    Code:
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=5150 or EventID=5157)]]
          and *[EventData[Data[@Name="Direction"]="%%14592"]]</Select>
      </Query>
    </QueryList>

    Then repeat the above steps for Outbound connections too.

    Windows Firewall Blocked Outbound (All):
    Code:
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=5150 or EventID=5157)]]
          and *[EventData[Data[@Name="Direction"]="%%14593"]]</Select>
      </Query>
    </QueryList>

    This will show you everything that's being blocked by Windows Firewall, so you will need to sort through the entries to find the ones that could be related to your FTP problem and add/modify rules accordingly. 'Protocol' numbers shown in the logs are documented at THIS LINK (TCP = 6, UDP = 17).

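    The same audit setting and event query, scripted, as an added example that is not part of this thread: it turns on the failure audit from the command line (auditpol is the equivalent of the Group Policy tick above), fetches the 5150/5157 events with the filter pasted above, decodes the Direction and Protocol codes, and ranks the blocked destination ports so the entries worth a rule stand out from the noise. Function and variable names are mine; the event IDs, direction codes and protocol numbers are the ones given in the post.

```powershell
# Added example, not the thread's own script. Run from an elevated PowerShell.
# Step 1: enable the "Audit Filtering Platform Connection" failure audit described
# above, without going through the Group Policy Editor.
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable

# Step 2: the same event filter the post pastes into a custom view, minus the
# Direction clause; both directions are fetched here and decoded in the script.
[xml]$filter = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=5150 or EventID=5157)]]</Select>
  </Query>
</QueryList>
'@

# Codes as documented in the post: %%14592 = inbound, %%14593 = outbound;
# protocol 6 = TCP, 17 = UDP (1 = ICMP added for readability).
$directionNames = @{ '%%14592' = 'Inbound'; '%%14593' = 'Outbound' }
$protocolNames  = @{ '1' = 'ICMP'; '6' = 'TCP'; '17' = 'UDP' }

function Get-BlockedConnection {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterXml $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Each EventData/Data element carries a Name attribute and a text value.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                EventID     = $_.Id
                Direction   = if ($directionNames.ContainsKey($d.Direction)) { $directionNames[$d.Direction] } else { $d.Direction }
                Protocol    = if ($protocolNames.ContainsKey($d.Protocol)) { $protocolNames[$d.Protocol] } else { $d.Protocol }
                Source      = "$($d.SourceAddress):$($d.SourcePort)"
                DestAddress = $d.DestAddress
                DestPort    = $d.DestPort
                Application = $d.Application
            }
        }
}

# Step 3: which destination ports are blocked most often, per direction and protocol.
# A server whose clients cannot open the FTP data connection shows up here as
# repeated inbound TCP blocks on high ports with "FileZilla server.exe" as the application.
Get-BlockedConnection |
    Group-Object Direction, Protocol, DestPort, Application |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 |
    Format-Table -AutoSize
```

    The summary is deliberately grouped by destination port rather than by source address, because a passive FTP data connection lands on a server-chosen port, so a burst of blocks on different high ports all tied to the same server process is the pattern to look for; single entries for multicast or broadcast destinations are normal background noise on a LAN.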


  5. Joined : Nov 2015
    Posts : 6
    Windows 10 Pro
       02 Nov 2016 #5

    I trapped a blocked request (from my own PC) and here is the relevant event data:
    SourceAddress 192.168.10.100
    SourcePort 4414
    DestAddress 239.255.255.250
    DestPort 1900
    Protocol 17

    I tried to allow port 1900 in WF and my router, but no go. Then I found the info below which completed the solution. Thanks VERY much for your tips on setting up the firewall rules and tracking the events.
    If you are having problems with setting up FileZilla Server to run behind Windows Firewall (specifically, it fails on "List" and the client receives a "Failed to receive directory listing" error), you must add the FileZilla Server application to Windows Firewall's Exceptions list. To do this, follow these steps:

    1. Open Windows Firewall under Control Panel.
    2. If using Vista, click "Change Settings"
    3. Select the "Exceptions" tab.
    4. Click "Add program..."
    5. Do NOT select "FileZilla Server Interface" from the list, instead click on "Browse..."
    6. Locate the directory you installed FileZilla Server to (normally "C:\Program Files\FileZilla Server")
    7. Double click or select "FileZilla server.exe" and press open (Once again, NOT "FileZilla Server Interface.exe")
    8. Select "FileZilla server.exe" from the list and click "Ok"
    9. Verify that "FileZilla server.exe" is added to the exceptions list and that it has a check mark in the box next to it
    10. Press "Ok" to close the window
    11. Open a command prompt with administrative rights and execute the following command: netsh advfirewall set global StatefulFTP disable

    Passive mode should now work. If you are still having problems connecting (from another computer or outside the network), check your router settings or try to add the port number in the Windows Firewall settings located in the Exceptions tab.
    See the Microsoft kb article 931130 about running FileZilla with the "Routing and Remote Access" or the "Application Layer Gateway" service enabled. http://support.microsoft.com/kb/931130
    Last edited by DocDJ; 02 Nov 2016 at 12:56. Reason: add more info
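    The FileZilla steps above, scripted for Windows Firewall with Advanced Security, as an added example that is not part of this thread or of the FileZilla project's documentation. Two points worth having in code rather than in a dialog: the program rule (steps 4 to 10) is what makes passive mode work, because it allows the server executable to accept connections on whichever data port it picks, which a fixed port rule cannot cover; and step 11 matters for "FTP over TLS" specifically, since the stateful FTP helper works by reading the PASV reply on the control channel, which it cannot do once that channel is encrypted. (The trapped event above, UDP 1900 to 239.255.255.250, is SSDP device discovery, unrelated to FTP, which is why allowing it made no difference.) The install path is the one the post gives; the rule name and function names are my own.

```powershell
# Added example, not part of the thread. Run from an elevated PowerShell on
# Windows 8/10 or later. Path taken from the post above; change it if FileZilla
# Server is installed elsewhere.
$fzServer = 'C:\Program Files\FileZilla Server\FileZilla server.exe'
$ruleName = 'FileZilla Server (program)'   # name chosen for this example

function Add-FileZillaServerRules {
    if (-not (Test-Path -LiteralPath $fzServer)) {
        throw "FileZilla server.exe not found at $fzServer"
    }

    # Steps 4-10: a program rule. Inbound connections to this executable are allowed
    # on any port, so the server-chosen passive data port is covered. Scoping the
    # rule to the executable (not "FileZilla Server Interface.exe", as the post
    # stresses) keeps the exception as narrow as a program rule can be.
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
            -Program $fzServer -Protocol TCP | Out-Null
    }

    # Step 11: netsh advfirewall set global StatefulFTP disable. The helper cannot
    # parse an encrypted (FTP over TLS) control channel, so it only gets in the way.
    Set-NetFirewallSetting -EnableStatefulFtp False
}

function Test-FileZillaServerRules {
    # $true when the program rule exists and is enabled and stateful FTP is off.
    $rule     = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    $settings = Get-NetFirewallSetting
    ($null -ne $rule) -and ("$($rule.Enabled)" -eq 'True') -and
        ("$($settings.EnableStatefulFtp)" -eq 'False')
}

Add-FileZillaServerRules
Test-FileZillaServerRules
```

    As the pasted FileZilla note says, clients outside the network also need the passive port range forwarded on the router; the program rule only fixes the Windows Firewall side, and the blocked-connection events from the previous post will confirm whether it is still the host that is dropping the data connection.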


 


Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.
