Windows 10: firewall alerts even with advanced rules applied

Discussion in 'AntiVirus, Firewalls and System Security' started by DocDJ, Oct 31, 2016.

  1. DocDJ Win User

    firewall alerts even with advanced rules applied


    I use Windows Firewall with advanced rules applied (such as remote desktop & ftp server ports, etc.). I am getting daily notifications that my firewall "is in an unsafe configuration and is being managed by your system administrator", but when I open WF with Advanced Security it says it is on for all 3 profiles (domain, public, private).

    I suspect that the following is my problem, but don't know how to change it: Advanced settings for all 3 profiles say "Inbound connections that do not match a rule are allowed". Same for Outbound.

    How can I fix this?

    :)
     
    DocDJ, Oct 31, 2016
    #1

  2. Firewall (MpsSvc) cannot be restarted in resource monitor, access is denied.

    Where are you accessing Firewall in Resource Monitor? Never heard of that.

    Type Windows Firewall in Start Search, open Windows Firewall, check that it is turned on.

    There are various rules in the Advanced Settings that you can browse to see if any seem to apply here.
     
    Greg Carmack - Windows MVP, Oct 31, 2016
    #2
  3. microsoft outlook mail does not have a valid digital signature

    It is not a "band aid issue".

    • Norton Firewall requires a new rule anytime an IP address/port number, domain name, protocol, or the executing program name changes.
    • The reason why we are getting this dialog is because of the newness and number of reported users.
    In the early days of firewall implementations, we had to set rules for everything. By automatically applying rules, we are relieved of a burdensome task that requires security expertise.

    Once the days since the file was released and number of users using the file has reached the threshold set by Norton, then Norton Firewall will automatically add the rule for all subsequent users.

    In the meantime, we need to know what critical factors to investigate, which tools to utilize in that investigation, and to be comfortable adding firewall rules. It would be reassuring to hear from a security expert on these matters. In the meantime, my original post provides a layman's approach to these concerns.

    Thank you for your 'layman's' explanation. This Norton firewall alert occurred with the latest upgrade to Windows 10 Anniversary Home edition a week ago. I guess I'll wait for Norton firewall to automatically add the rule; I'm not savvy enough to use the steps in your original post. But it does make me uncomfortable to allow each time the alert pops up. That 'number of users' could take a while.
     
    Footballfan2016, Oct 31, 2016
    #3
  4. ARC1020 Win User

    firewall alerts even with advanced rules applied

    The default settings are:
    Inbound connections that do not match a rule are blocked
    Outbound connections that do not match a rule are allowed

    You have it set to the following:
    Inbound connections that do not match a rule are allowed

    Therefore:
    Go to Control Panel > Windows Firewall > Advanced Settings > Windows Firewall Properties, and change Inbound Connections from 'Allow' to 'Block (Default)' for all three profiles (Domain Profile, Private Profile, Public Profile).



    Alternatively, paste the following into Command Prompt and press enter:
    Code:
    netsh advfirewall set allprofiles state on
    netsh advfirewall set domainprofile firewallpolicy blockinbound,allowoutbound
    netsh advfirewall set privateprofile firewallpolicy blockinbound,allowoutbound
    netsh advfirewall set publicprofile firewallpolicy blockinbound,allowoutbound
     
    ARC1020, Oct 31, 2016
    #4
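A way to check what the answer above describes, added here as an example that is not part of the original post: it lists the default inbound and outbound actions the firewall is actually enforcing (local settings merged with Group Policy) next to the local-only settings, and flags any profile that is off or allows unmatched inbound traffic. The function name is hypothetical; the cmdlet and its `-PolicyStore` values are the built-in NetSecurity ones.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
function Get-FirewallDefaultAudit {
    # ActiveStore: the merged result of local settings and Group Policy,
    # i.e. what the firewall enforces right now.
    $active = Get-NetFirewallProfile -PolicyStore ActiveStore
    # PersistentStore: the local settings only (what the GUI and netsh edit).
    # A value of NotConfigured here means the built-in default applies.
    $local  = Get-NetFirewallProfile -PolicyStore PersistentStore

    foreach ($p in $active) {
        $l = $local | Where-Object { $_.Name -eq $p.Name }
        [pscustomobject]@{
            Profile           = $p.Name
            Enabled           = $p.Enabled
            EffectiveInbound  = $p.DefaultInboundAction
            EffectiveOutbound = $p.DefaultOutboundAction
            LocalInbound      = $l.DefaultInboundAction
            LocalOutbound     = $l.DefaultOutboundAction
            # Unsafe: profile switched off, or unmatched inbound traffic allowed.
            Unsafe            = ($p.Enabled -ne 'True') -or
                                ($p.DefaultInboundAction -eq 'Allow')
        }
    }
}

Get-FirewallDefaultAudit | Format-Table -AutoSize

# Local fix, equivalent to the netsh lines in the post. If the effective value
# still reads Allow afterwards, the setting is coming from Group Policy and
# has to be changed there.
# Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow
```

If `LocalInbound` reads Block or NotConfigured while `EffectiveInbound` reads Allow, the local GUI and netsh changes will not take effect until the policy is corrected.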
  5. DocDJ Win User
    I had to make the changes using group security. RDC, HTTPD and MySQL worked, but FTP did not. FTP had ports 20-22 allowed and my users are using "FTP over TLS (if available)" and they get logged in, but cannot get a directory (FileZilla code 425). Any ideas what I missed?
     
    DocDJ, Nov 1, 2016
    #5
  6. ARC1020 Win User
    I don't know, it's been a really long time since I've used FTP and even then didn't use it much, so I can't help you. From memory there are two types of FTP, Passive and Active. One of them (Passive I think) doesn't just use Ports 20 and 21, but assigns a different Port number for the data transfer. Maybe that is what's being blocked? Alternatively, maybe the router or ISP is blocking the connection?

    However, if you think the problem is due to Windows Firewall (and Windows Firewall isn't asking you whether to allow an incoming connection or not), then you need to see exactly what is being blocked so that you can then add/modify your rules accordingly. Windows doesn't make that particularly user-friendly, but this is how you enable logging:

    Go to Group Policy Editor and enable logging of blocked connections:

    Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access > Audit Filtering Platform Connection > Tick 'Failure'




    Then go to Event Viewer and set it up to view those blocked connections:

    Event Viewer > Custom Views > Right-click > Create Custom View > XML tab > Tick 'Edit Query Manually'



    Paste the following:

    Windows Firewall Blocked Inbound (All):
    Code:
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=5150 or EventID=5157)]] and *[EventData[Data[@Name="Direction"]="%%14592"]]</Select>
      </Query>
    </QueryList>
    Then repeat the above steps for Outbound connections too.

    Windows Firewall Blocked Outbound (All):
    Code:
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=5150 or EventID=5157)]] and *[EventData[Data[@Name="Direction"]="%%14593"]]</Select>
      </Query>
    </QueryList>
    This will show you everything that's being blocked by Windows Firewall, so you will need to sort through the entries to find the ones that could be related to your FTP problem and add/modify rules accordingly. 'Protocol' numbers shown in the logs are documented at THIS LINK (TCP = 6, UDP = 17)


     
    ARC1020, Nov 1, 2016
    #6
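The logging procedure from the post above, done from PowerShell instead of Group Policy Editor and Event Viewer. This is an added example, not part of the original post: it enables failure auditing for the same subcategory, runs the same XPath filter, and groups the blocked connections so the ports worth a rule stand out. The function name is hypothetical; the event field names are those of the 5157 event (5150 events carry no port fields, so those columns come back empty).

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
# Same effect as ticking 'Failure' under Audit Filtering Platform Connection;
# the subcategory name below is the English one.
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null

$ProtocolNames = @{ '6' = 'TCP'; '17' = 'UDP' }   # as noted in the post

function Get-BlockedConnection {
    param(
        [ValidateSet('Inbound', 'Outbound')][string]$Direction = 'Inbound',
        [int]$MaxEvents = 1000
    )
    # %%14592 = inbound, %%14593 = outbound (the values used in the custom views).
    $code  = if ($Direction -eq 'Inbound') { '%%14592' } else { '%%14593' }
    $xpath = "*[System[(EventID=5150 or EventID=5157)]] and " +
             "*[EventData[Data[@Name='Direction']='$code']]"

    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            # Flatten <Data Name="...">value</Data> elements into a hashtable.
            $f = @{}
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
                $f[$d.Name] = $d.'#text'
            }
            $proto = $ProtocolNames[[string]$f['Protocol']]
            [pscustomobject]@{
                Time        = $evt.TimeCreated
                EventId     = $evt.Id
                Application = $f['Application']
                Source      = '{0}:{1}' -f $f['SourceAddress'], $f['SourcePort']
                DestAddress = $f['DestAddress']
                DestPort    = $f['DestPort']
                Protocol    = if ($proto) { $proto } else { $f['Protocol'] }
            }
        }
}

# Most frequently blocked protocol / port / program combinations.
Get-BlockedConnection -Direction Inbound |
    Group-Object Protocol, DestPort, Application |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
```

Turn the auditing off again with `/failure:disable` once the rule set is sorted out, since these events fill the Security log quickly.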
  7. DocDJ Win User
    I trapped a blocked request (from my own PC) and here is the relevant event data:
    SourceAddress 192.168.10.100
    SourcePort 4414
    DestAddress 239.255.255.250
    DestPort 1900
    Protocol 17


    I tried to allow port 1900 in WF and my router, but no go. Then I found the info below which completed the solution. Thanks VERY much for your tips on setting up the firewall rules and tracking the events.
    If you are having problems with setting up FileZilla Server to run behind Windows Firewall (specifically, it fails on "List" and the client receives a "Failed to receive directory listing" error), you must add the FileZilla Server application to Windows Firewall's Exceptions list. To do this, follow these steps:

    • Open Windows Firewall under Control Panel.
    • If using Vista, click "Change Settings"
    • Select the "Exceptions" tab.
    • Click "Add program..."
    • Do NOT select "FileZilla Server Interface" from the list, instead click on "Browse..."
    • Locate the directory you installed FileZilla Server to (normally "C:\Program Files\FileZilla Server")
    • Double click or select "FileZilla server.exe" and press open (Once again, NOT "FileZilla Server Interface.exe")
    • Select "FileZilla server.exe" from the list and click "Ok"
    • Verify that "FileZilla server.exe" is added to the exceptions list and that it has a check mark in the box next to it
    • Press "Ok" to close the window
    • Open a command prompt with administrative rights and execute the following command: netsh advfirewall set global StatefulFTP disable
    Passive mode should now work. If you are still having problems connecting (from another computer or outside the network), check your router settings or try to add the port number in the Windows Firewall settings located in the Exceptions tab.
    See the Microsoft kb article 931130 about running FileZilla with the "Routing and Remote Access" or the "Application Layer Gateway" service enabled. http://support.microsoft.com/kb/931130
     
    DocDJ, Apr 5, 2018
    #7
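The steps quoted in the post above describe the older Exceptions tab. As an added example that is not part of the original post, the same result with the NetSecurity cmdlets on Windows 10: a program-scoped inbound rule for the server executable plus the `StatefulFTP` setting. The install path is the default named in the post; the rule name is constructed for this example.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
$exe      = 'C:\Program Files\FileZilla Server\FileZilla server.exe'  # default path from the post
$ruleName = 'FileZilla Server (inbound)'                              # constructed name

# A rule pointing at a missing path silently matches nothing, so check first.
if (-not (Test-Path -LiteralPath $exe)) {
    throw "Server executable not found: $exe"
}

# Create the rule only once so repeated runs do not pile up duplicates.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    # Scoped to the server program, not the "FileZilla Server Interface" GUI.
    # It covers the control port and whichever passive data ports the server
    # opens, without opening those ports for any other program.
    New-NetFirewallRule -DisplayName $ruleName `
                        -Direction Inbound `
                        -Action Allow `
                        -Program $exe `
                        -Protocol TCP | Out-Null
    # If clients only connect from known networks, add -RemoteAddress with
    # those ranges to narrow the rule further.
}

# The setting from the last step of the quoted instructions.
netsh advfirewall set global StatefulFTP disable

# Verify: the rule is enabled and bound to the expected program, and
# StatefulFTP now reads Disable.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallApplicationFilter |
    Select-Object Program
netsh advfirewall show global | Select-String 'StatefulFTP'
```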