I updated my domain's default policy to add exceptions to the Windows Firewall, under
Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile
I changed Windows Firewall: Define program exceptions and added these 2 entries:
%system32%\lsass.exe:*:enabled:lsass
%system32%\svchost.exe:*:enabled:svchost
However when I run GPupdate /force from my client machine and run
netsh firewall show allowedprogram
I don't see either of the entries I added showing up in my exceptions. It's been probably half an hour since I updated the GP object, so I assume it isn't just from not waiting long enough before running gpupdate. Am I missing something? I've tried running rsop.msc, but when I expand Administrative Templates in rsop it just stops responding after a while. Or does it just take a while and I need to leave it alone?
Edit: After running GPupdate /force I get the event information "Security policy in the Group policy objects has been applied successfully."
After waiting longer with RSOP I can view the Administrative Templates; it shows that my settings to allow the remote administration exception and the remote desktop exception are enabled. However, I don't see any entries for them in the firewall when I run the netsh command. Also, I am still getting security failures reporting that lsass and svchost are looking for connections, so it's not that it's just working correctly and for some reason not displaying in the netsh output.
I cannot open \\domain\sysvol however I can open \\DomainControllerName\sysvol fine and see 1 node.
Edit:
Event Viewer Security Failure Audit
The Windows Firewall has detected an application listening for incoming traffic.
Name: –
Path: C:\WINDOWS\system32\svchost.exe
C:\>netsh firewall show config
Domain profile configuration (current):
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Service configuration for Domain profile:
Mode     Customized   Name
-------------------------------------------------------------------
Enable   No           Remote Desktop
Enable   No           Remote Administration
Allowed programs configuration for Domain profile:
Mode Name / Program
-------------------------------------------------------------------
Enable Network Diagnostics for Windows XP / C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
Enable Remote Assistance / C:\WINDOWS\system32\sessmgr.exe
Enable Windows Live Messenger / C:\Program Files\Windows Live\Messenger\msnmsgr.exe
Enable Windows Live Sync / C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe
Enable Adobe CSI CS4 / C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
Enable AOL Instant Messenger / C:\Program Files\AIM\aim.exe
Enable Microsoft Office Outlook / C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
Enable Microsoft Office Groove / C:\Program Files\Microsoft Office\Office12\GROOVE.EXE
Enable Microsoft Office OneNote / C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE
Enable spiceworks / C:\Program Files\Spiceworks\bin\spiceworks.exe
Enable spiceworks-finder / C:\Program Files\Spiceworks\bin\spiceworks-finder.exe
Enable Yahoo! Messenger / C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
Enable Microsoft Visual Studio 2008 / C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\devenv.exe
Enable firefox / C:\Program Files\Mozilla Firefox\firefox.exe
Port configuration for Domain profile:
Port   Protocol   Mode     Name
-------------------------------------------------------------------
5353   TCP        Enable   Adobe CSI CS4
3389   TCP        Enable   Remote Desktop
Standard profile configuration:
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Service configuration for Standard profile:
Mode     Customized   Name
-------------------------------------------------------------------
Enable   No           Remote Desktop
Allowed programs configuration for Standard profile:
Mode Name / Program
-------------------------------------------------------------------
Enable Network Diagnostics for Windows XP / C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
Enable Remote Assistance / C:\WINDOWS\system32\sessmgr.exe
Enable Windows Live Messenger / C:\Program Files\Windows Live\Messenger\msnmsgr.exe
Enable Windows Live Sync / C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe
Port configuration for Standard profile:
Port   Protocol   Mode     Name
-------------------------------------------------------------------
3389   TCP        Enable   Remote Desktop
Log configuration:
-------------------------------------------------------------------
File location = C:\WINDOWS\pfirewall.log
Max file size = 4096 KB
Dropped packets = Disable
Connections = Disable
Local Area Connection firewall configuration:
-------------------------------------------------------------------
Operational mode = Enable
Anyone have any suggestions? This is causing the security log in Event Viewer to fill up, and on other workstations in my network I have to manually clear the logs for regular users to be able to log into their systems.
Edit 8/4/2009 – On further inspection it's actually not remote desktop/administration that's filling up my security log; it's svchost loading the DNS cache: C:\WINDOWS\system32\svchost.exe -k NetworkService with the DLL c:\windows\system32\dnsrslvr.dll
I tried adding the DLL itself to the allowed program list, but that didn't seem to help, and it doesn't let you add svchost directly to the exception list.
Everything I find online points to this post: Event ID 861 Source Security which just isn't a solution since it involves svchost.
This post, Event ID 861 Identify which services is running as a svchost, is exactly the same situation I have; however, it says the solution is to disable the DNS Client, which obviously isn't an option in a domain environment.
According to Microsoft
Windows Firewall: dnscache
Updated: March 2, 2005
No Windows Firewall configuration is required to use this service.
If that's the case, why is it still filling my event viewer? It seems like there have been a lot of people affected by this issue filling their security logs, whether it's specifically for dnscache or for other services. In everything I've been finding, people just automatically want to say virus/malware etc., and no one has offered a solution other than disabling audit tracking or stopping the firewall service from running.
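As an added example that is not part of the question above: the check I would run on the client to tell three failure modes apart (the policy never arrived, it arrived but the path does not resolve, or it arrived and netsh is listing it in a section I was not looking at). The script reads the policy-delivered exception list from the registry, parses each path:scope:mode:name entry, expands environment variables the way the firewall service does, and flags any %...% token that this host cannot expand, since a program exception is matched against the full image path of the listening process and a path that never resolves can never match. It assumes the Windows XP SP2 / Server 2003 firewall registry layout (the two registry paths below) and PowerShell 2.0 or later. One caveat worth keeping in mind when reading the results: a program exception on svchost.exe is matched by path, so it opens every service hosted in any svchost.exe instance for the given scope, not only the DNS client.

```powershell
# Added example, not from the original question. Verifies on the client
# whether the GPO "Define program exceptions" entries were delivered and
# whether each path resolves to a real file. Assumes the XP SP2 / 2003
# firewall policy registry layout and PowerShell 2.0+.

# Exceptions written by the Group Policy engine when the GPO applies.
$PolicyList = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List'
# Exceptions configured locally (control panel / "netsh firewall add").
$LocalList  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List'

# One entry looks like "%windir%\system32\lsass.exe:*:Enabled:lsass".
# The path contains a drive colon, so use an anchored regex, not -split ':'.
$EntryPattern = '^(?<path>.+?):(?<scope>[^:]*):(?<mode>enabled|disabled):(?<name>.*)$'

function Get-FirewallExceptionEntries {
    param([string]$Key, [string]$Source)
    if (-not (Test-Path $Key)) {
        Write-Warning "$Source exception list not present: $Key"
        return
    }
    $props = Get-ItemProperty -Path $Key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }    # provider metadata, not entries
        $m = [regex]::Match([string]$p.Value, $EntryPattern, 'IgnoreCase')
        if (-not $m.Success) {
            Write-Warning "$Source entry is not path:scope:mode:name -> $($p.Value)"
            continue
        }
        $raw        = $m.Groups['path'].Value
        $expanded   = [Environment]::ExpandEnvironmentVariables($raw)
        # A leftover %...% means the variable is undefined on this host, so the
        # rule can never match the image path of a listening process.
        $unexpanded = ($expanded -match '%[^%]+%')
        New-Object PSObject -Property @{
            Source     = $Source
            Name       = $m.Groups['name'].Value
            Mode       = $m.Groups['mode'].Value
            Scope      = $m.Groups['scope'].Value
            RawPath    = $raw
            Path       = $expanded
            Unexpanded = $unexpanded
            Exists     = ((-not $unexpanded) -and (Test-Path -LiteralPath $expanded))
        }
    }
}

$entries = @(Get-FirewallExceptionEntries -Key $PolicyList -Source 'GPO') +
           @(Get-FirewallExceptionEntries -Key $LocalList  -Source 'Local')

if ($entries.Count -eq 0) {
    'No program exceptions in either list; an absent policy list means the domain-profile firewall GPO did not reach this client.'
    return
}

# Verbose output lists the local and the group policy contributions separately.
$netsh = (netsh firewall show allowedprogram verbose=ENABLE | Out-String).ToLower()

foreach ($e in $entries) {
    $reported = $netsh.Contains($e.Path.ToLower()) -or $netsh.Contains($e.RawPath.ToLower())
    if ($e.Unexpanded)      { $status = 'UNEXPANDED VARIABLE' }
    elseif (-not $e.Exists) { $status = 'FILE NOT FOUND' }
    elseif (-not $reported) { $status = 'NOT REPORTED BY NETSH' }
    else                    { $status = 'OK' }
    '{0,-5} {1,-20} {2,-8} {3,-22} {4}' -f $e.Source, $e.Name, $e.Mode, $status, $e.RawPath
}
```

Run it on the client after gpupdate /force. A missing policy list key means the domain-profile firewall GPO never applied on that machine, which points back at SYSVOL and AD replication rather than at the firewall itself; an UNEXPANDED VARIABLE result means the entry arrived but is written in a form this host cannot turn into a file path.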
Best Answer
This seems to support Evan's theory that you have more general problems with your AD. Can I suggest that you back off from the firewall specific job for a bit (just too many variables there) and try setting some other group policies, then seeing if they take? It won't resolve the specific problem you're having, but it will help in confirming if the theory is correct.
Can you also check that the File Replication Service and DFS Service are both running on all of your DCs? Also that each can resolve name-to-IP and IP-to-name for both themselves and all other DCs, that each has a correctly set FQDN and that each can resolve your domain name to your DCs IP addresses using nslookup.
Finally, you should use replmon to determine that your AD replication is healthy, and resolve any issues that throws up before proceeding with anything else.
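The answer's checklist as an added PowerShell script (not the answerer's own code and not a Microsoft tool). It enumerates the DCs of the current domain and, for each one, checks that the FRS and DFS services are running, that its name is a FQDN in the domain, that forward and reverse resolution agree, that the domain name resolves to that DC's address, and that its SYSVOL share answers; it then tries the domain-level \\domain\SYSVOL path the question could not open. Name resolution is tested from the host the script runs on, so run it on each DC in turn to cover "each can resolve all other DCs". Assumptions: PowerShell 2.0 or later, rights to query services on the DCs, and the Windows Server 2003 service names NtFrs (File Replication Service) and Dfs (Distributed File System). replmon is a GUI tool; the script ends by calling repadmin /replsummary, its command-line counterpart, when that is installed.

```powershell
# Added example, not part of the answer above. Runs the answer's checklist
# from the host it executes on; run it on each DC in turn. Assumes
# PowerShell 2.0+, a domain-joined host, rights to query services on the
# DCs, and the Server 2003 service names NtFrs and Dfs.

$domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcNames = @($domain.DomainControllers | ForEach-Object { $_.Name })

function Resolve-Forward {
    # IPv4 addresses for a name, or an empty array if resolution fails.
    param([string]$Name)
    try {
        @([System.Net.Dns]::GetHostAddresses($Name) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString })
    } catch { @() }
}

function Resolve-Reverse {
    # Host name for an address, or $null if there is no PTR record.
    param([string]$Ip)
    try { [System.Net.Dns]::GetHostEntry($Ip).HostName } catch { $null }
}

function Test-DomainController {
    param([string]$Dc, [string[]]$DomainIps)
    $problems = @()

    # 1. FRS and DFS must be running for SYSVOL to replicate and for
    #    \\domain\SYSVOL to be served.
    foreach ($svc in 'NtFrs', 'Dfs') {
        try   { $state = (Get-Service -ComputerName $Dc -Name $svc -ErrorAction Stop).Status }
        catch { $state = 'MISSING' }
        if ("$state" -ne 'Running') { $problems += "$svc is $state" }
    }

    # 2. The DC's name should be a FQDN inside the domain.
    if (-not $Dc.ToLower().EndsWith('.' + $domain.Name.ToLower())) {
        $problems += "name '$Dc' is not a FQDN in $($domain.Name)"
    }

    # 3. Forward lookup, then reverse lookup of every address back to the DC.
    $ips = @(Resolve-Forward $Dc)
    if ($ips.Count -eq 0) { $problems += 'forward lookup failed' }
    foreach ($ip in $ips) {
        $ptr = Resolve-Reverse $ip
        if ((-not $ptr) -or ($ptr.ToLower() -ne $Dc.ToLower())) {
            $problems += "reverse lookup of $ip gave '$ptr'"
        }
        # 4. The domain name itself must resolve to this DC as well.
        if ($DomainIps -notcontains $ip) { $problems += "$($domain.Name) does not resolve to $ip" }
    }

    # 5. The DC's own SYSVOL share must answer.
    if (-not (Test-Path "\\$Dc\SYSVOL")) { $problems += 'SYSVOL share not reachable' }

    New-Object PSObject -Property @{
        DC       = $Dc
        Healthy  = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

$domainIps = @(Resolve-Forward $domain.Name)
$report = foreach ($dc in $dcNames) { Test-DomainController -Dc $dc -DomainIps $domainIps }
$report | Format-Table DC, Healthy, Problems -AutoSize

# The domain-level DFS path the question could not open.
"\\$($domain.Name)\SYSVOL reachable: " + (Test-Path "\\$($domain.Name)\SYSVOL")

# replmon is a GUI; repadmin (Support Tools on 2003, built in on 2008) gives the
# replication health summary from the command line.
if (Get-Command repadmin.exe -ErrorAction SilentlyContinue) { repadmin /replsummary }
else { 'repadmin.exe not found; check replication with replmon instead.' }
```

Any DC that comes back with Healthy = False should be fixed before going back to the firewall GPO; a client that cannot open \\domain\SYSVOL but can open \\DC\SYSVOL is the pattern you get when the domain name does not resolve to every DC or when DFS is not serving the domain root on one of them.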