Tags: domain controller, firewall, hyper v, server 2008
#1
Server 2008 with Hyper-V - domain controller - Firewall GUI's show firewall ON, but netsh reports firewall OFF

SP2 and Windows 2008 since it went to beta. But now I'm confused (the system is working fine; it's just that netsh appears to give inconsistent results; see the question at the end of this post).

The server is running Windows Server 2008 64-bit with Hyper-V. In the "parent" VM, I have AD Domain Services and WSUS installed with the firewall configured via GPO (this is a small domain I have at home for testing etc.).

If I run Start, Administrative Tools, Windows Firewall with Advanced Security, it tells me:

- For your security, some settings are controlled by Group Policy
- Domain Profile is Active
- Windows Firewall is on.
- Inbound connections that do not match a rule are blocked
- Outbound connections that do not match a rule are allowed

If I run Control Panel, Windows Firewall, it tells me:

- For your security, some settings are controlled by Group Policy
- Windows Firewall is on.
- Inbound connections that do not have an exception are blocked.
- Display a notification when a program is blocked: Yes
- Network Location: Domain network

If I click Change Settings, the Windows Firewall Settings dialog tells me:

- For your security, some settings are controlled by Group Policy
- the On radio button is selected, but grayed out
- the Exceptions tab shows several exceptions, some set by Group Policy and some set locally [I've allowed local exceptions in the Group Policy]

If I run this command (I get the same result in a "normal" and an "elevated" command prompt window):

```
netsh firewall show state
```

I get this:

```
Firewall status:
-------------------------------------------------------------------
Profile                           = Domain
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = Windows Firewall
Remote admin mode                 = Enable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
500    UDP       Any      (null)
4500   UDP       Any      (null)
88     UDP       Any      (null)
88     TCP       Any      (null)
80     TCP       Any      (null)
53212  TCP       Any      (null)
53211  TCP       Any      (null)
53     UDP       Any      (null)
53     TCP       Any      (null)
389    UDP       Any      (null)
389    TCP       Any      (null)
3268   TCP       Any      (null)
123    UDP       Any      (null)
```

All of the above conforms to my understanding of what I have configured.

If I run this command (I get the same result in a "normal" and an "elevated" command prompt window):

```
netsh advfirewall show currentprofile
```

I get this:

```
Domain Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)
LocalConSecRules                      N/A (GPO-store only)
InboundUserNotification               Enable
RemoteManagement                      Disable
UnicastResponseToMulticast            Enable

Logging:
LogAllowedConnections                 Enable
LogDroppedConnections                 Enable
FileName                              C:\Windows\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize                           4096
```

Ok. So what does "State OFF" mean when all other indications are that the firewall is ON?
#2
Re: Server 2008 with Hyper-V - domain controller - Firewall GUI's show firewall ON, but netsh reports firewall OFF

That definitely doesn't look right. I just ran the same command on this machine (Vista in a workgroup) and the output shows:

```
Private Profile Settings:
State                                 ON
```

If I disable the firewall from the GUI it changes to OFF.

It could have something to do with Hyper-V. Do you have a virtual network linked to the NIC? This makes pretty major changes to the way the NIC works. The host actually connects to the network through the virtual switch. Microsoft actually recommends that you do not run any role except Hyper-V in the parent partition.
#3
RE: Server 2008 with Hyper-V - domain controller - Firewall GUI's show firewall ON, but netsh reports firewall OFF

Hello,

Yes, we do not recommend installing other services or applications on the parent partition except the Hyper-V role.

I have a Hyper-V server running in my domain environment. I have checked all the firewall settings and they are working fine. The Domain Profile Settings State shows ON.

This "state off" usually means that the relevant profile has been turned off. Would you please try manually turning on the profile to see how it goes? Try the following command to see if it can help:

```
Netsh advfirewall set currentprofile state on
```

If this cannot help, I would suggest that you check the Event Viewer, in the sections under "Applications and Services Logs\Microsoft\Windows" starting with the words "Hyper-V-", to see if any errors or warnings exist. You may also need to check the firewall settings to see if any incorrect configuration exists. If possible, I would also suggest that you try removing other services and applications, or try reinstalling the Hyper-V server (without any other applications or services) to see if the problem remains.

Besides, if you have any questions or problems relating to Hyper-V, I would like to suggest that you post in our Hyper-V forum. People there have better knowledge of Hyper-V and they may share some useful information with you.
http://social.technet.microsoft.com/...yperv/threads/

Sincerely,
George Yin
Microsoft Online Support
Microsoft Global Technical Support Center
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
#4
Bill, thanks for your reply.

This physical computer has only one network adapter, and there are virtual machines that (when they are running) communicate with each other, other LAN-attached computers and the Internet (via a router), so yes, there is a virtual network linked to the NIC.

I ran `netsh advfirewall show currentprofile` on another Windows Server 2008 Domain Controller (single DC in an experimental domain) installation and it shows:

```
Domain Profile Settings
--------------------------------------------
State                                 ON
```

So, it looks like your supposition that Hyper-V is causing the discrepancy is most likely bang on.

In a "production" installation, I wouldn't recommend using the Hyper-V parent partition as a Domain Controller either. In my simple home installation, the server is mostly to be a domain controller and WSUS server; running Virtual Machines is secondary, but I wanted to get some experience with Hyper-V, so I added that role.

I find many references in forums, articles etc. that say "Microsoft recommends" not running applications in the Parent VM, but I can't find any Microsoft document that says this (not that it/they don't exist, just that I can't find them!). Do you know where such recommendations by Microsoft can be found? I'd like to have it handy for future reference.
#5
Re: Server 2008 with Hyper-V - domain controller - Firewall GUI's show firewall ON, but netsh reports firewall OFF

Sorry to take so long to reply; I've been kind of busy and out of touch lately.

1. Why is there no Hyper-V newsgroup? I know I am not alone in finding web "forums" slow and clumsy to use, including the Microsoft TechNet forums. I avoid using web forums whenever possible because it is too slow navigating around, viewing posts etc. Newsgroups are much quicker and easier to use via a newsgroup reader (e.g. Windows Mail or Outlook Express). Please suggest to whoever manages the Microsoft newsgroups (e.g. msnews.microsoft.com) or Hyper-V that a newsgroup for Hyper-V (e.g. microsoft.public.windows.server.hyper-v) would be useful.

2. Why does netsh say the firewall is OFF when all the firewall-related GUIs (e.g. Windows Firewall with Advanced Security) show that the firewall is ON? Is there a document somewhere that explains this difference? Also, all other evidence is that the firewall is indeed blocking unwanted traffic and is thus ON. For example, if I remove the check mark (in the Windows Firewall Control Panel applet) for Remote Service Management, attempting to view or manage services remotely (e.g. via Computer Management) from another computer fails (RPC service not available). When I add the check mark back again, I can again view and manage services remotely.

3. I see no Event Log entries about any problems with the firewall configuration or Hyper-V (or other services) in any event logs.

4. This is a very small installation (just the one server), so it is not practical for me to remove the Active Directory or other services (e.g. several file shares) from this server. I'll consider moving these services to a child partition, but then, since the only domain controller will be a virtual machine running on this server, it won't be practical to make the Hyper-V parent partition a domain member, which will be awkward.

5. As suggested, I executed the command `netsh advfirewall set currentprofile state on`. Apart from the fact that the `netsh advfirewall show currentprofile` command now reports Status: ON, I cannot detect any change in the behaviour of the firewall, the server or the services running on it. Everything is still working as it was before, including Active Directory, WSUS, file sharing etc.
#6
Re: Server 2008 with Hyper-V - domain controller - Firewall GUI's show firewall ON, but netsh reports firewall OFF

Hello Bruce,

Thank you for the update.

Regarding question 1.
====================
I can fully understand your concern. However, the forum is considered the next generation of communication platform, and all the current newsgroups will be migrated to the forum. I have heard from the forum product group that they are doing a lot of work to improve the forum. Some similar tools, like OE that can be used with newsgroups, are also being developed. This may take a little longer, but I am sure that you will enjoy it. I am sorry if it brings any inconvenience right now.

Regarding questions 2, 3 and 5.
=========================
Did you configure the Group Policy for Windows Firewall with Advanced Security like this? The Firewall state is set to 'On (recommended)' on the Domain Profile tab of the Windows Firewall with Advanced Security. If you did, the Firewall state of the Windows Firewall with Advanced Security on the client computers is greyed out. This means that any changes on the client side will be overridden by the Group Policy (you can still add new rules), even though you can turn the profile on or off. However, that doesn't really affect the current settings and doesn't really turn the profile on or off.

So, please check if the Group Policy is really applied to the client machine (including all the rules set in the Group Policy). If it is, you can ignore the output of "netsh advfirewall show currentprofile", as it doesn't really affect the current settings. Actually, the Group Policy does. If not, you may need to check the network settings. Try "gpupdate /force" on the client machine to see how it goes.

Regarding question 4.
====================
I would agree with you. That may be much better than putting Active Directory into a child partition.

Sincerely,
George Yin
Microsoft Online Support
Microsoft Global Technical Support Center
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
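As an added example (not part of this thread and not Microsoft's code), a PowerShell check that reads the Domain profile's `EnableFirewall` value from both the Group Policy registry store and the local store, so an administrator can see which value is actually in force instead of relying on the local-store figure that `netsh advfirewall show currentprofile` prints. The function name is ours; the two registry paths are the standard locations of the policy store and the local store.

```powershell
# Added example: compare the Group Policy store with the local store for the Domain profile.
# When Group Policy sets EnableFirewall, that value is what the firewall service enforces,
# which is why the local store (read by "netsh advfirewall show currentprofile") can read OFF
# on a machine whose firewall is really on. Function name is hypothetical; paths are standard.
function Get-DomainProfileFirewallState {
    $profileName = 'DomainProfile'
    $gpoKey   = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$profileName"
    $localKey = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$profileName"

    # Either value may be absent: no GPO applied, or a local store never touched.
    $gpo   = Get-ItemProperty -Path $gpoKey   -Name EnableFirewall -ErrorAction SilentlyContinue
    $local = Get-ItemProperty -Path $localKey -Name EnableFirewall -ErrorAction SilentlyContinue

    $gpoState   = if ($gpo)   { if ($gpo.EnableFirewall   -eq 1) { 'ON' } else { 'OFF' } } else { 'not set' }
    $localState = if ($local) { if ($local.EnableFirewall -eq 1) { 'ON' } else { 'OFF' } } else { 'not set' }

    # Policy wins whenever it is present; otherwise the local store is the effective setting.
    $policyApplied = ($gpoState -ne 'not set')
    $effective     = if ($policyApplied) { $gpoState } else { $localState }
    $mismatch      = ($policyApplied -and $localState -ne 'not set' -and $gpoState -ne $localState)

    New-Object PSObject -Property @{
        Profile     = 'Domain'
        GroupPolicy = $gpoState
        LocalStore  = $localState
        Effective   = $effective
        Source      = if ($policyApplied) { 'Group Policy' } else { 'Local store' }
        Mismatch    = $mismatch
    }
}

$state = Get-DomainProfileFirewallState
$state | Format-List Profile, GroupPolicy, LocalStore, Effective, Source, Mismatch

if ($state.Mismatch) {
    # The thread's situation: local store says OFF, policy says ON, policy is enforced.
    Write-Warning ("Local store ({0}) disagrees with Group Policy ({1}); the policy value is enforced. " +
                   "Confirm the GPO is applied with: gpresult /r") -f $state.LocalStore, $state.GroupPolicy
}
```

Run it in an elevated PowerShell session on the server; `Effective` is the value to trust, and `Mismatch` flags exactly the ON/OFF disagreement described in the thread.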
#7
Re: Server 2008 with Hyper-V - domain controller - Firewall GUI's show firewall ON, but netsh reports firewall OFF

Hello,

I am just writing to see how everything is going. If you have any updates or need any further assistance on this issue, please feel free to let me know. I am glad to be of assistance.

Sincerely,
George Yin
Microsoft Online Support
Microsoft Global Technical Support Center
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.