Cluster, Server, and Client Must Do for Troubleshooting: Enable Windows Firewall Logging

When we set up a greenfield Active Directory Forest and Domain we do the following in Group Policy:

  1. New Group Policy Object (GPO) Linked & Enforced at the domain Level: Default Domain Security Policy
  2. Enable Remote Desktop Inbound: Allow users to connect remotely by using Remote Desktop
    • image
  3. Enable the Windows Firewall for all three profiles
    • image
  4. Set up Logging!
    • Right click on WDFwAS and Properties
    • image
  5. Configure the firewall to allow RDP Services (TCP and UDP) from a set IP or IP addresses (Privileged Access Workstations and/or Jump Server)

When troubleshooting an issue the first place we can look is in the Windows Firewall Log:


Windows Defender Firewall with Advanced Security Log Location

There is no such thing as turning OFF the Windows Firewall it goes into a form of Limp Mode which may or may not improve the situation.

Why guess?

Click the log link in Monitoring and there we go either we’re going to see BLOCK or not or even nothing if the firewall hasn’t even blocked anything yet.

If there are BLOCK entries then we can work with the product vendor to set up the correct exceptions for _that_ system if a server or the clients if the block is at that end.

End the guesswork and keep client’s networks secure by keeping the Windows Defender Firewall with Advanced Security enabled and locked down for the Public profile (block all inbound by default).

Philip Elder
Microsoft High Availability MVP
Our Web Site
PowerShell and CMD Guides

Leave a comment

Your email address will not be published.