
Is this a Permission-Bug in Windows Firewall Logging?

#Windows Firewall Log BUG

Situation:
Newly installed server with Windows Server 2016 Standard, patched and up to date with the June 2019 CU.
Created a new domain with the server itself being the first domain controller. Created a GPO to activate Windows Firewall and enable logging of DROP and ALLOW to pfirewall-domain.log in the default path.

What happens?
The log can't be written, and there is no access denied. Sysinternals Procmon shows no "Access Denied"; it shows a few creates but no writes.
[...]
Detailed Explanation:
https://social.technet.microsoft.com/Forums/en-US/b8ba16b4-8b7e-4c3a-a610-a67fed2e87ae/is-this-a-permissionbug-in-windows-firewall-logging?forum=win10itprosecurity

1 vote

KloinerFeigling83 shared this idea

5 comments

  • KloinerFeigling83 commented

    The file was visible in Explorer, but empty except for the header. Rebooting and reapplying the policy didn't work.

    Now I did something I usually wouldn't do. I added "Authenticated Users" with Full Permissions.

    And then it instantly started logging:

    21:21:16,7661387 svchost.exe 1640 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 2.831, Length: 114, Priority: Normal NT AUTHORITY\LOCAL SERVICE
    21:21:16,7663507 svchost.exe 1640 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 2.945, Length: 722, Priority: Normal NT AUTHORITY\LOCAL SERVICE
    21:21:18,2505349 System 4 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 0, Length: 4.096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal NT AUTHORITY\SYSTEM
    21:21:18,2515695 System 4 SetEndOfFileInformationFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS EndOfFile: 3.667 NT AUTHORITY\SYSTEM
    21:21:26,5941882 System 4 FASTIO_ACQUIRE_FOR_CC_FLUSH C:\Windows\System32\LogFiles\Firewall SUCCESS NT AUTHORITY\SYSTEM
    21:21:26,5942149 System 4 WriteFile C:\Windows\System32\LogFiles\Firewall SUCCESS Offset: 0, Length: 4.096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal NT AUTHORITY\SYSTEM
    21:21:26,5951630 System 4 FASTIO_RELEASE_FOR_CC_FLUSH C:\Windows\System32\LogFiles\Firewall SUCCESS NT AUTHORITY\SYSTEM
    21:21:29,8911002 svchost.exe 1640 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 3.667, Length: 69, Priority: Normal NT AUTHORITY\LOCAL SERVICE
    21:21:29,8913203 svchost.exe 1640 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 3.736, Length: 913, Priority: Normal NT AUTHORITY\LOCAL SERVICE
    21:21:29,8916986 svchost.exe 1640 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 4.649, Length: 81, Priority: Normal NT AUTHORITY\LOCAL SERVICE
    21:21:29,8919285 svchost.exe 1640 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 4.730, Length: 612, Priority: Normal NT AUTHORITY\LOCAL SERVICE
    21:21:29,8921255 svchost.exe 1640 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 5.342, Length: 84, Priority: Normal NT AUTHORITY\LOCAL SERVICE
    21:21:29,8923141 svchost.exe 1640 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 5.426, Length: 963, Priority: Normal NT AUTHORITY\LOCAL SERVICE
    21:21:29,8927561 svchost.exe 1640 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 6.389, Length: 72, Priority: Normal NT AUTHORITY\LOCAL SERVICE
    21:21:29,8928512 svchost.exe 1640 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 6.461, Length: 222, Priority: Normal NT AUTHORITY\LOCAL SERVICE
    21:21:29,8930073 svchost.exe 1640 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 6.683, Length: 84, Priority: Normal NT AUTHORITY\LOCAL SERVICE

    And yeah, I reproduced it 3 times.
    I wonder if that's a bug...

  • KloinerFeigling83 commented

    So I took a look with Procmon.
    svchost.exe tries to CreateFile, but throws no error:

    21:19:57,9985237 svchost.exe 1640 QueryOpen C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log FAST IO DISALLOWED NT AUTHORITY\LOCAL SERVICE
    21:19:57,9986597 svchost.exe 1640 CreateFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Desired Access: Read Attributes, Dis, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened NT AUTHORITY\LOCAL SERVICE
    21:19:57,9987095 svchost.exe 1640 QueryBasicInformationFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS CreationTime: 19.06.2019 20:50:30, LastAccessTime: 19.06.2019 20:50:30, LastWriteTime: 19.06.2019 20:50:30, ChangeTime: 19.06.2019 21:05:59, FileAttributes: A NT AUTHORITY\LOCAL SERVICE
    21:19:57,9987315 svchost.exe 1640 CloseFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS NT AUTHORITY\LOCAL SERVICE
    21:19:57,9987626 svchost.exe 1640 IRP_MJ_CLOSE C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS NT AUTHORITY\LOCAL SERVICE
    21:19:57,9989181 svchost.exe 1640 QueryOpen C:\Windows\System32\LogFiles\Firewall FAST IO DISALLOWED NT AUTHORITY\LOCAL SERVICE
    21:19:57,9990346 svchost.exe 1640 CreateFile C:\Windows\System32\LogFiles\Firewall SUCCESS Desired Access: Read Attributes, Dis, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened NT AUTHORITY\LOCAL SERVICE
    21:19:57,9990746 svchost.exe 1640 QueryBasicInformationFile C:\Windows\System32\LogFiles\Firewall SUCCESS CreationTime: 16.07.2016 15:23:22, LastAccessTime: 19.06.2019 20:50:30, LastWriteTime: 19.06.2019 20:50:30, ChangeTime: 19.06.2019 21:18:38, FileAttributes: D NT AUTHORITY\LOCAL SERVICE
    21:19:57,9992285 svchost.exe 1640 CloseFile C:\Windows\System32\LogFiles\Firewall SUCCESS NT AUTHORITY\LOCAL SERVICE
    21:19:57,9992520 svchost.exe 1640 IRP_MJ_CLOSE C:\Windows\System32\LogFiles\Firewall SUCCESS NT AUTHORITY\LOCAL SERVICE

  • KloinerFeigling83 commented

    Created the GPO and applied it, even rebooted. No log file was created, so I opened the firewall and took a look. And right when I opened it, the log file showed up, but only the header was written. Nothing more.

    The ACLs on the pfirewall-domain.log file:

    FileSystemRights : FullControl
    AccessControlType : Allow
    IdentityReference : NT AUTHORITY\SYSTEM
    IsInherited : False
    InheritanceFlags : None
    PropagationFlags : None

    FileSystemRights : FullControl
    AccessControlType : Allow
    IdentityReference : BUILTIN\Administrators
    IsInherited : False
    InheritanceFlags : None
    PropagationFlags : None

    FileSystemRights : FullControl
    AccessControlType : Allow
    IdentityReference : BUILTIN\Network Configuration Operators
    IsInherited : False
    InheritanceFlags : None
    PropagationFlags : None

    FileSystemRights : FullControl
    AccessControlType : Allow
    IdentityReference : NT SERVICE\MpsSvc
    IsInherited : False
    InheritanceFlags : None
    PropagationFlags : None

  • KloinerFeigling83 commented

    After configuring the domain controller:
    c:\Windows\System32\LogFiles\Firewall

    FileSystemRights : ReadAndExecute, Synchronize
    AccessControlType : Allow
    IdentityReference : NT AUTHORITY\Authenticated Users
    IsInherited : True
    InheritanceFlags : None
    PropagationFlags : None

    FileSystemRights : -1610612736
    AccessControlType : Allow
    IdentityReference : NT AUTHORITY\Authenticated Users
    IsInherited : True
    InheritanceFlags : ContainerInherit, ObjectInherit
    PropagationFlags : InheritOnly

    FileSystemRights : ReadAndExecute, Synchronize
    AccessControlType : Allow
    IdentityReference : BUILTIN\Server Operators
    IsInherited : True
    InheritanceFlags : None
    PropagationFlags : None

    FileSystemRights : -1610612736
    AccessControlType : Allow
    IdentityReference : BUILTIN\Server Operators
    IsInherited : True
    InheritanceFlags : ContainerInherit, ObjectInherit
    PropagationFlags : InheritOnly

    FileSystemRights : FullControl
    AccessControlType : Allow
    IdentityReference : BUILTIN\Administrators
    IsInherited : True
    InheritanceFlags : None
    PropagationFlags : None

    FileSystemRights : 268435456
    AccessControlType : Allow
    IdentityReference : BUILTIN\Administrators
    IsInherited : True
    InheritanceFlags : ContainerInherit, ObjectInherit
    PropagationFlags : InheritOnly

    FileSystemRights : FullControl
    AccessControlType : Allow
    IdentityReference : NT AUTHORITY\SYSTEM
    IsInherited : True
    InheritanceFlags : None
    PropagationFlags : None

    FileSystemRights : 268435456
    AccessControlType : Allow
    IdentityReference : NT AUTHORITY\SYSTEM
    IsInherited : True
    InheritanceFlags : ContainerInherit, ObjectInherit
    PropagationFlags : InheritOnly

    FileSystemRights : 268435456
    AccessControlType : Allow
    IdentityReference : CREATOR OWNER
    IsInherited : True
    InheritanceFlags : ContainerInherit, ObjectInherit
    PropagationFlags : InheritOnly

  • KloinerFeigling83 commented

    What do the permissions on the filesystem look like?

    Get-ACL after plain OS installation and also after CU installation:

    c:\Windows\System32\LogFiles\Firewall

    FileSystemRights : FullControl
    AccessControlType : Allow
    IdentityReference : NT AUTHORITY\SYSTEM
    IsInherited : False
    InheritanceFlags : None
    PropagationFlags : None

    FileSystemRights : FullControl
    AccessControlType : Allow
    IdentityReference : BUILTIN\Administrators
    IsInherited : False
    InheritanceFlags : None
    PropagationFlags : None

    FileSystemRights : FullControl
    AccessControlType : Allow
    IdentityReference : BUILTIN\Network Configuration Operators
    IsInherited : False
    InheritanceFlags : None
    PropagationFlags : None

    FileSystemRights : FullControl
    AccessControlType : Allow
    IdentityReference : NT SERVICE\MpsSvc
    IsInherited : False
    InheritanceFlags : None
    PropagationFlags : None
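The two Get-Acl listings above differ in one thing that matters for the service doing the writes: the fresh-install folder carries an explicit Allow/FullControl ACE for the firewall service SID (NT SERVICE\MpsSvc), and the post-promotion folder does not; it only has inherited ACEs, two of them printed as raw numbers. The PowerShell below is an added example, not code from the original post or from Microsoft. It decodes those raw FileSystemRights values and then checks the log folder for the MpsSvc ACE, putting that single ACE back when it is missing instead of granting Authenticated Users Full Control as the post's workaround did. Assumptions: the default path from the post, that the explicit MpsSvc ACE is the intended default (the fresh-install listing shows it, but the post does not say whether restoring it alone is enough), and my own choice to make the restored ACE inheriting so later log files in the folder pick it up (the original default ACE was non-inheriting). Set-Acl needs an elevated prompt.

```powershell
# Added example, not from the original post. Assumes the log folder is meant to
# carry an explicit Allow/FullControl ACE for NT SERVICE\MpsSvc (as the
# fresh-install Get-Acl output shows) and that restoring that one ACE is the
# least-privilege repair. Path is the default one used in the post.
$FirewallLogDir = 'C:\Windows\System32\LogFiles\Firewall'
$MpsSvc         = 'NT SERVICE\MpsSvc'

# 1. Decode the raw FileSystemRights numbers Get-Acl prints for the inherited
#    InheritOnly ACEs. They are generic rights (top four bits of the mask),
#    which the FileSystemRights enum has no names for, so PowerShell falls
#    back to printing the signed 32-bit integer.
function Convert-AccessMask {
    param([Parameter(Mandatory)][int]$Mask)
    # Reinterpret the signed value as unsigned so the high bits read cleanly
    $u = [BitConverter]::ToUInt32([BitConverter]::GetBytes($Mask), 0)
    $names = New-Object System.Collections.Generic.List[string]
    if ($u -band 0x80000000) { $names.Add('GENERIC_READ') }
    if ($u -band 0x40000000) { $names.Add('GENERIC_WRITE') }
    if ($u -band 0x20000000) { $names.Add('GENERIC_EXECUTE') }
    if ($u -band 0x10000000) { $names.Add('GENERIC_ALL') }
    $specific = $u -band 0x0FFFFFFF
    if ($specific -ne 0) {
        # Anything left over is a named file-system right
        $names.Add(([System.Security.AccessControl.FileSystemRights]$specific).ToString())
    }
    '0x{0:X8} = {1}' -f $u, ($names -join ' | ')
}

# 2. Is there an Allow ACE granting Full Control to the firewall service SID?
function Test-FirewallLogAce {
    param([string]$Path = $FirewallLogDir)
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $hit = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $MpsSvc -and
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights.HasFlag($full)
    }
    [bool]$hit
}

# 3. Add only that ACE when it is missing; do not widen access to
#    Authenticated Users. Run from an elevated prompt.
function Restore-FirewallLogAce {
    param([string]$Path = $FirewallLogDir)
    if (Test-FirewallLogAce -Path $Path) {
        return "OK: $MpsSvc already has Full Control on $Path"
    }
    $acl = Get-Acl -Path $Path
    # Inheriting ACE (my choice) so log files created later in the folder get
    # it too; the fresh-install default shown in the post was non-inheriting.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $MpsSvc,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    "Added Allow/FullControl for $MpsSvc on $Path"
}

# The two raw values from the post-promotion listing
Convert-AccessMask -Mask (-1610612736)
Convert-AccessMask -Mask 268435456

Restore-FirewallLogAce
</code>
```

The two raw values decode as follows: -1610612736 is 0xA0000000, i.e. GENERIC_READ | GENERIC_EXECUTE (the inherit-only twin of the "ReadAndExecute, Synchronize" ACE above it), and 268435456 is 0x10000000, GENERIC_ALL (the inherit-only twin of FullControl). Neither Authenticated Users nor Server Operators gets write access from them, and no ACE names the service SID, which is why the svchost.exe process running as LOCAL SERVICE in the Procmon capture above can open the file for attributes but never writes. Check the ACE on the log file itself with the same Test-FirewallLogAce call, passing the file path, before assuming the folder fix alone is sufficient.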
