Firewall still rejecting packets

  • Thread starter Thread starter George Christian
  • Start date Start date
G

George Christian

I have a number of client machines that appear to have the firewall
running even though it has been disabled via Group Policy settings
(HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall is set to 0).

If detailed auditing is turned on the messages like this appear:

"The Windows Firewall has detected an application listening for incoming
traffic. Name: - Path: C:\WINDOWS\system32\svchost.exe Process
identifier: 1072 User account: SYSTEM User domain: NT AUTHORITY Service:
Yes RPC server: No IP version: IPv4 IP protocol: UDP Port number: 1364
Allowed: No User notified: No"

A netsh firewall show state, results in the following:

Firewall status:
-------------------------------------------------------------------
Profile = Domain
Operational mode = Disable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Group policy version = Windows Firewall
Remote admin mode = Disable


Ports currently open on all network interfaces:
Port Protocol Version Program
-------------------------------------------------------------------
137 UDP IPv4 (null)
139 TCP IPv4 (null)
138 UDP IPv4 (null)
3389 TCP IPv4 (null)
445 TCP IPv4 (null)

Is the firewall really stopped, and if so what is causing those
messages, and it is not stopped how can I disable it?


George Christian
Cyence International
 
"Operational mode = Disable"

Yes, the firewall is disabled, however the firewall service is still
running. This allows the system the ability to quickly respond to an
enabling of the firewall, as well as potentially firewall the system should
the profile change (domain vs standard). Additionally, in this state an
admin can use this auditing to monitor the network usage of the system to
help design a firewall policy to deploy in the future.
 
Back
Top