Re: Server 2008 with Hyper-V - domain controller - Firewall GUIs show firewall ON, but netsh reports firewall OFF



Bill, thanks for your reply.

This physical computer has only one network adapter and there are virtual machines that (when they are running) communicate with each other, other LAN attached computers and the Internet (via a router), so yes, there is a virtual network linked to the NIC.

I ran the netsh advfirewall show currentprofile on another Windows Server 2008 Domain Controller (single DC in experimental domain) installation and it shows:

Domain Profile Settings
--------------------------------------------
State ON

So, looks like your supposition that Hyper-V is causing the discrepancy is most likely bang on.

In a "production" installation, I wouldn't recommend using the Hyper-V parent partition as a Domain Controller either. In my simple home installation, the server is mostly to be a domain controller and WSUS server - running Virtual Machines is secondary, but I wanted to get some experience with Hyper-V, so added that role.

I find many references in forums, articles etc. that say "Microsoft recommends" not running applications in the Parent vm, but I can't find any Microsoft document that says this (not that it/they don't exist, just I can't find them!). Do you know where such recommendations by Microsoft can be found? I'd like to have it handy for future reference.

--
Bruce Sanderson
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.



"Bill Grant" <not.available@online> wrote in message news:eOgHb8JFJHA.1460@xxxxxxxxxxxxxxxxxxxxxxx


"Bruce Sanderson" <bsanders@xxxxxxxxxxxxx> wrote in message news:OEXVSMJFJHA.5060@xxxxxxxxxxxxxxxxxxxxxxx
I've worked with the Windows Firewall since it was introduced in Windows XP SP2 and Windows 2008 since it went to beta.

But, now I'm confused (the system is working fine - it's just that netsh appears to give inconsistent results - see question at the end of this post).

The server is running Windows Server 2008 64 bit with Hyper-V. In the "parent" VM, I have AD Domain Services and WSUS installed with the firewall configured via GPO (this is a small domain I have at home for testing etc.).

If I run the Start, Administrative Tools, Windows Firewall with Advanced Security it tells me:
For your security, some settings are controlled by Group Policy
Domain Profile is Active
Windows Firewall is on.
Inbound connections that do not match a rule are blocked
Outbound connections that do not match a rule are allowed

If I run Control Panel, Windows Firewall, it tells me:
For your security, some settings are controlled by Group Policy
Windows Firewall is on.
Inbound connections that do not have an exception are blocked.
Display a notification when a program is blocked: Yes
Network Location: Domain network

If I click Change Settings, the Windows Firewall Settings dialog tells me:
For your security, some settings are controlled by Group Policy
the On radio button is selected, but grayed out
the Exceptions tab shows several exceptions, some set by Group Policy and some set locally
[I've allowed local exceptions in the Group Policy]

If I run this command (I get the same result in a "normal" and "elevated" command prompt window)

netsh firewall show state

I get this:

Firewall status:
-------------------------------------------------------------------
Profile = Domain
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Group policy version = Windows Firewall
Remote admin mode = Enable

Ports currently open on all network interfaces:
Port Protocol Version Program
-------------------------------------------------------------------
500 UDP Any (null)
4500 UDP Any (null)
88 UDP Any (null)
88 TCP Any (null)
80 TCP Any (null)
53212 TCP Any (null)
53211 TCP Any (null)
53 UDP Any (null)
53 TCP Any (null)
389 UDP Any (null)
389 TCP Any (null)
3268 TCP Any (null)
123 UDP Any (null)

All of the above conforms to my understanding of what I have configured.

If I run this command (I get the same result in a "normal" and "elevated" command prompt window)

netsh advfirewall show currentprofile

I get this:

Domain Profile Settings:
----------------------------------------------------------------------
State OFF
Firewall Policy BlockInbound,AllowOutbound
LocalFirewallRules N/A (GPO-store only)
LocalConSecRules N/A (GPO-store only)
InboundUserNotification Enable
RemoteManagement Disable
UnicastResponseToMulticast Enable

Logging:
LogAllowedConnections Enable
LogDroppedConnections Enable
FileName C:\Windows\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize 4096

Ok.

So what does "State OFF" mean when all other indications are that the firewall is ON?

--
Bruce Sanderson
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.




That definitely doesn't look right. I just ran the same command on this machine (Vista in a workgroup) and the output shows

Private Profile Settings:

State ON

If I disable the firewall from the GUI it changes to OFF.

It could have something to do with Hyper-V. Do you have a virtual network linked to the NIC? This makes pretty major changes to the way the NIC works. The host actually connects to the network through the virtual switch.

Microsoft actually recommends that you do not run any role except Hyper-V in the parent partition.
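The thread's problem is that two netsh front ends disagree about whether the firewall is on. The script below is an added example (not from either poster): it pulls the per-profile state from netsh advfirewall, from the Windows Firewall COM API, and from the local and Group Policy registry keys, and flags any profile where the sources disagree. It assumes an elevated PowerShell prompt on Vista / Server 2008 or later, that the netsh output uses the "<Name> Profile Settings:" / "State ON|OFF" layout shown above, and the standard FirewallPolicy and WindowsFirewall policy registry paths.

```powershell
# Added example, not from the thread: cross-check the per-profile firewall state
# as reported by netsh advfirewall, by the firewall COM API, and by the local and
# Group Policy registry keys, and flag any profile where the sources disagree.
# Assumptions: elevated PowerShell on Vista / Server 2008 or later; netsh output
# uses the "<Name> Profile Settings:" / "State ON|OFF" layout shown in the thread.

$profileIds = @{ 'Domain' = 1; 'Private' = 2; 'Public' = 4 }   # NET_FW_PROFILE2_* values

# 1. netsh advfirewall: parse the "State" line under each profile heading
$fromNetsh = @{}
$current = $null
foreach ($line in (netsh advfirewall show allprofiles)) {
    if ($line -match '^(Domain|Private|Public) Profile Settings') { $current = $Matches[1] }
    elseif ($current -and $line -match '^State\s+(ON|OFF)') { $fromNetsh[$current] = $Matches[1] }
}

# 2. COM API: what the Windows Firewall service itself reports
$fwPolicy = New-Object -ComObject HNetCfg.FwPolicy2
$fromCom = @{}
foreach ($name in $profileIds.Keys) {
    if ($fwPolicy.FirewallEnabled($profileIds[$name])) { $fromCom[$name] = 'ON' } else { $fromCom[$name] = 'OFF' }
}

# 3. Registry: the local setting, and the GPO key that overrides it when present
function Get-EnableFirewall($base, $subKeys) {
    foreach ($sub in $subKeys) {
        $key = Join-Path $base $sub
        if (-not (Test-Path $key)) { continue }
        $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).EnableFirewall
        if ($v -eq $null) { continue }
        if ($v -eq 1) { return 'ON' } else { return 'OFF' }
    }
    return 'not set'
}
$localBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$gpoBase   = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
# the Private profile is stored as StandardProfile under the local key
$subKeyNames = @{ 'Domain' = @('DomainProfile'); 'Private' = @('PrivateProfile', 'StandardProfile'); 'Public' = @('PublicProfile') }

# 4. Report: any disagreement is worth investigating before trusting either tool
foreach ($name in @('Domain', 'Private', 'Public')) {
    $local = Get-EnableFirewall $localBase $subKeyNames[$name]
    $gpo   = Get-EnableFirewall $gpoBase   $subKeyNames[$name]
    $views = @($fromNetsh[$name], $fromCom[$name], $local, $gpo) | Where-Object { $_ -and $_ -ne 'not set' }
    $flag = ''
    if (@($views | Sort-Object -Unique).Count -gt 1) { $flag = '  <-- MISMATCH' }
    "{0,-8} netsh={1,-3} com={2,-3} registry(local)={3,-7} registry(GPO)={4,-7}{5}" -f $name, $fromNetsh[$name], $fromCom[$name], $local, $gpo, $flag
}
```

A profile marked MISMATCH is the one to dig into; a GPO value of "not set" alongside a local "ON" simply means the profile is not policy-controlled on that machine.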
