Windows 7 Firewall Questions - Logging and Blocking Outbound connections
I have a couple of questions regarding the Windows 7 Firewall.
First, I need to block ALL outbound connections, except for those that I explicitly allow. I've gotten this to work, but not exactly how I want. Blocking works and I can get 2 of the 3 applications that I need to work. However, the 3rd (McAfee VirusScan Enterprise) is unable to update. I've unblocked one app (mcupdate.exe) but there's apparently something else that needs to be unblocked. How do I determine which McAfee applications should be given permission to make an outbound connection?
Which leads me to my second question: Does the Windows 7 Firewall log blocked outbound traffic? I've found some information in the Event Log but it's only logged things like rule changes. There's also a dropped packet log, but that doesn't tell me what application was blocked, only the destination address.
So, my question really becomes, while blocking outbound connections, does Win7 log those events? And, how do I determine which applications need to be unblocked when I want something to communicate?
June 11th, 2010 12:12am
Hi,
Please try the following:
1. Enable IPsec and Windows Firewall Audit Events
2. Check the related events referring to the following document: Description of security events in Windows 7 and in Windows Server 2008 R2
From the document, we can see that the IDs 5031, 5155 and 5157 mean a connection is blocked.
Hope this helps.
Thanks.
Nicholas Li - MSFT
June 14th, 2010 12:34pm
Here is a bit more information on how to enable auditing:
From:
http://msdn.microsoft.com/en-us/library/bb309058.aspx
Run the following command from an administrative command prompt on the system you would like to enable the logging on:
auditpol /set /subcategory:"{0CCE9225-69AE-11D9-BED3-505054503030}" /failure:enable
These are logged in the Security log in Event Viewer.
Sample:
The Windows Filtering Platform has blocked a packet.
Application Information:
Process ID: 1392
Application Name: \device\harddiskvolume2\sample path\application123.exe
Network Information:
Direction: Outbound
Source Address: 192.168.228.100
Source Port: 65443
Destination Address: x.x.x.x
Destination Port: 443
Protocol: 6
Filter Information:
Filter Run-Time ID: 71069
Layer Name: Connect
Layer Run-Time ID: 48
September 20th, 2011 8:38pm
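To answer the original poster's second question in practice (which executables are still being blocked), the audit events above can be summarised per application. The following script is an added example, not code from the thread or from Microsoft; it assumes the auditpol command above has already been run, that it is executed in an elevated PowerShell session, and that the 5157 Direction field uses the documented resource id %%14593 for Outbound.

```powershell
# Added example: list executables whose outbound connections were blocked by the
# Windows Filtering Platform (Security log, event ID 5157), grouped by application.
# Assumes 'Filtering Platform Connection' failure auditing is enabled (see auditpol above).
param(
    [int]$Hours = 24   # assumed default: how far back in the Security log to look
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157; StartTime = $since } `
                       -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No 5157 events since $since. Is 'Filtering Platform Connection' failure auditing enabled?"
    return
}

# Parse each event from its XML payload rather than the free-text message, because the
# EventData field names (Application, DestAddress, ...) do not depend on the display language.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }

    # Direction is stored as a resource id: %%14593 = Outbound, %%14592 = Inbound.
    if ($d['Direction'] -ne '%%14593' -and $d['Direction'] -ne 'Outbound') { continue }

    New-Object PSObject -Property @{
        Time        = $e.TimeCreated
        Application = $d['Application']          # device path, e.g. \device\harddiskvolume2\...
        Dest        = "$($d['DestAddress']):$($d['DestPort'])"
        Protocol    = $d['Protocol']             # 6 = TCP, 17 = UDP
        FilterId    = $d['FilterRTID']           # Filter Run-Time ID from the event
    }
}

# Every executable listed here made an outbound attempt that no allow rule matched;
# these are the candidates for a new per-program rule (e.g. the missing McAfee component).
$rows | Group-Object Application | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Destinations'; e = { ($_.Group | ForEach-Object { $_.Dest } | Select-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize -Wrap
```

To see which firewall filter produced a given Filter Run-Time ID, `netsh wfp show filters` dumps the active filter set to an XML file that can be searched for that id.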