This is part two in my series on Windows Firewall failing to start. In part one, I covered Windows XP and gave an overview of the issues seen in Windows Vista and Windows 7. As discussed, there can be several causes that will prevent the firewall from starting. In this post, I will cover specifics of checking the logon permissions.
First you should verify that the "Log on as:" account is set to Local Service. The Base Filtering Engine, Windows Firewall, and NLA services should all be set to Log on as the "Local Service" account. I'm only including one screenshot as an example because it is the same for all of the services that use Local Service. Note that the Password fields are ignored for this account. For more information on the Local Service account, refer to http://msdn.microsoft.com/en-us/library/ms684188(VS.85).aspx.
The IPsec Policy Agent service uses the "Network Service" account.
Next we will want to verify each service's security descriptor, expressed as a Security Descriptor Definition Language (SDDL) string. SDDL defines the string format that the ConvertSecurityDescriptorToStringSecurityDescriptor and ConvertStringSecurityDescriptorToSecurityDescriptor functions use to describe a security descriptor as a text string. Refer to http://msdn.microsoft.com/en-us/library/aa379570(VS.85).aspx for more information.
We can use SC SDSHOW to show the SDDL string for the services of interest.
Syntax: sc sdshow <Service Name>
Note: You will want to run this command against a working machine in your environment for comparison, but here are the default settings from a clean install.
Service Name: NLASVC
Service Name: BFE
Service Name: MPSSVC
Service Name: SharedAccess
You can restore the default permissions via the SDDL strings above or get similar data from a working machine in your own environment.
Syntax: SC sdset <Service Name> <SDDL string>
Example: SC sdset SharedAccess D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
Notice that each parenthesized entry ends with an abbreviation for the account it applies to: SY = Local System, BA = Administrator, AU = Authenticated Users, PU = Power Users
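Before overwriting a descriptor with sdset, it helps to see exactly which rights differ from the known-good string. The following is an added example, not part of the original post: it parses the D: section of sc sdshow output and reports per-account differences. The right-code names are the standard service access rights; parse_dacl, diff_dacl and the SUSPECT string are constructed for illustration.

```python
import re

# Two-letter SDDL right codes as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "Local System", "BA": "Administrator",
            "AU": "Authenticated Users", "PU": "Power Users"}  # labels as in the post
# SharedAccess default quoted in the post.
BASELINE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
            "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")
# Constructed sample: the default with the Authenticated Users entry removed.
SUSPECT = BASELINE.replace("(A;;CCLCSWLOCRRC;;;AU)", "")

def parse_dacl(sddl):
    """Return {(ace_type, trustee): set of right codes} for the D: section."""
    match = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl.strip())
    if not match:
        raise ValueError("no DACL entries found in SDDL string")
    aces = {}
    for body in re.findall(r"\(([^()]*)\)", match.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        # Rights are two-letter codes; a hex mask is kept as one token.
        codes = {rights} if rights.startswith("0x") else set(re.findall("..", rights))
        aces.setdefault((ace_type, trustee), set()).update(codes)
    return aces

def diff_dacl(baseline, current):
    """List rights that differ between a known-good DACL and the one under test."""
    base, cur = parse_dacl(baseline), parse_dacl(current)
    findings = []
    for key in sorted(set(base) | set(cur)):
        who = "%s %s" % (key[0], TRUSTEES.get(key[1], key[1]))
        good, seen = base.get(key, set()), cur.get(key, set())
        for label, codes in (("missing", good - seen), ("extra", seen - good)):
            for code in sorted(codes):
                findings.append("%s: %s %s" % (who, label, SERVICE_RIGHTS.get(code, code)))
    return findings

if __name__ == "__main__":
    print("\n".join(diff_dacl(BASELINE, SUSPECT)))
```

An empty result means the two DACLs grant the same rights to the same accounts, even if the entries appear in a different order.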
In the next installment of this series, I will cover registry permissions as related to Windows Firewall.
- David Pracht