This is part two in my series on Windows Firewall failing to start. In part one, I covered Windows XP and gave an overview of the issues seen in Windows Vista and Windows 7. As discussed, there can be several causes that will prevent the firewall from starting. In this post, I will cover specifics of checking the logon permissions.

Checking Logon Permissions

First, verify the "Log on as:" account on each service's Log On tab in services.msc. The Base Filtering Engine (BFE), Windows Firewall (MpsSvc) and Network Location Awareness (NlaSvc) services should all log on as the Local Service account. Only one screenshot is included because the tab looks the same for every service that uses Local Service. The Password fields are ignored for this account, so a "wrong" password there is not the problem; a logon account that has been changed to a local user, a renamed or disabled account, or an account stripped of the "Log on as a service" right is. The same information is printed as SERVICE_START_NAME by sc qc <Service Name>, which is handy on a machine you reach over a remote shell. For more information on the Local Service account, refer to http://msdn.microsoft.com/en-us/library/ms684188(VS.85).aspx.

[Screenshot: service properties, Log On tab, "This account: NT AUTHORITY\LocalService"]

The IPsec Policy Agent service (PolicyAgent) is the exception: it uses the Network Service account.

[Screenshot: IPsec Policy Agent properties, Log On tab, "This account: NT AUTHORITY\NetworkService"]

Next, verify each service's security descriptor, which sc displays as a Security Descriptor Definition Language (SDDL) string. SDDL is the text format that the ConvertSecurityDescriptorToStringSecurityDescriptor and ConvertStringSecurityDescriptorToSecurityDescriptor functions use to represent a security descriptor. In the strings below, D: introduces the DACL (who may do what to the service) and S: the SACL (what is audited); each parenthesised entry is one ACE in the form type;flags;rights;object GUID;inherit GUID;SID, where A means allow and AU means audit. The rights are two-letter tokens, and on a service object they map to the service-specific rights: CC query config, DC change config, LC query status, SW enumerate dependents, RP start, WP stop, DT pause/continue, LO interrogate, CR user-defined control, SD delete, RC read control, WD write DAC, WO write owner. That mapping is why this matters beyond "the service won't start": a DACL that hands DC, WP, WD or WO to a broad group such as Authenticated Users lets any user stop or reconfigure the firewall, and sc sdshow is exactly the check an attacker runs to find such services. Refer to http://msdn.microsoft.com/en-us/library/aa379570(VS.85).aspx for the full SDDL reference.

We can use SC SDSHOW to show the SDDL string for the services of interest.

Syntax: sc sdshow <Service Name>

Note: Compare against a working machine in your own environment first, since a hardening baseline or an application may legitimately have changed these; the strings below are the defaults from a clean install.

Windows 7 default installation

Service Name: NLASVC

D:(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWRPLORC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPRC;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)

Service Name: BFE

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Service Name: MPSSVC

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCRP;;;S-1-5-80-2006800713-1441093265-249754844-3404434343-1444102779)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Service Name: SharedAccess

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Windows Vista default installation

Service Name: NLASVC

D:(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWRPLORC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPRC;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Service Name: BFE

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Service Name: MPSSVC

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCRP;;;S-1-5-80-2006800713-1441093265-249754844-3404434343-1444102779)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Service Name: SharedAccess

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Using SC SDSET to set the SDDL string

You can restore the default permissions from the SDDL strings above, or take the string from a working machine in your own environment (sc sdshow there, sc sdset here). Run sc sdset from an elevated command prompt, since WRITE_DAC on the service is held only by Administrators and Local System. It replaces the whole descriptor, so include the S: portion if you want the default auditing back, and it rejects a malformed string with an error rather than applying part of it.

SC sdset <Service Name> <SDDL string>

Example:

SC sdset SharedAccess D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

Notice that each ACE ends in the SID (or well-known SID alias) it applies to: SY = Local System, BA = Built-in Administrators, AU = Authenticated Users, PU = Power Users. In the defaults listed above you will also see IU = Interactive users, SU = Service logon users (NT AUTHORITY\SERVICE), WD = Everyone (in the audit ACE), and the long S-1-5-80-... values, which are the per-service SIDs of the service itself. Note that this example is not the default: it grants Authenticated Users and Power Users where the default grants Interactive and Service logon users, and it drops the SACL. Power Users here receives RP and WP (start and stop), so on a production firewall prefer the default string, since a broadly granted WP or DC lets any member of that group stop or reconfigure the service.
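The SDDL checks described above are easy to get wrong by eye. The following is an added example, not code from the original post or from Microsoft: it decodes a service SDDL string into per-principal service rights, flags ACEs that grant stop/reconfigure/re-ACL rights to anyone other than Local System, Administrators or the service logon group, diffs a live string against one of the defaults listed above, and pulls SERVICE_START_NAME out of sc qc output for the logon-account check. It works on text copied from sc sdshow / sc qc, so it runs anywhere; the sc_output() helper is only for live use on a Windows host. The right-token and SID-alias tables are the documented SDDL meanings; the WEAKENED string and the sc qc excerpt are constructed sample data, and the "dangerous" and "trusted" sets are this example's own policy choices.

```python
"""Decode, sanity-check and diff Windows service security descriptors (SDDL).

Added example for this post (not the article's or Microsoft's code). Works on
text copied from ``sc sdshow`` / ``sc qc``; sc_output() is for live use on Windows.
"""
import re
import subprocess

# SDDL generic-right tokens and the service-specific right the SCM maps each to.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
    "GX": "GENERIC_EXECUTE", "FA": "FILE_ALL_ACCESS",
}
# Well-known SID aliases that appear in the strings on this page.
SID_ALIASES = {"SY": "Local System", "BA": "Built-in Administrators",
               "IU": "Interactive users", "SU": "Service logon users",
               "AU": "Authenticated Users", "PU": "Power Users", "WD": "Everyone"}
# Policy (this example's choice): rights that stop, reconfigure, delete or re-ACL
# the service, and the principals expected to hold them (SU holds WP by default).
DANGEROUS = {"DC", "WP", "SD", "WD", "WO", "GA", "GW"}
TRUSTED = {"SY", "BA", "SU"}
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_ace(text):
    """Split one 'type;flags;rights;object;inherit;sid' ACE into a dict."""
    fields = text.split(";")
    if len(fields) < 6:
        raise ValueError("malformed ACE: %r" % text)
    ace_type, flags, rights, sid = fields[0], fields[1], fields[2], fields[5]
    if rights.startswith("0x"):
        tokens = [rights]                      # raw access mask, left undecoded
    else:
        tokens = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        unknown = [t for t in tokens if t not in SERVICE_RIGHTS]
        if unknown:                            # a typo here makes sc sdset fail too
            raise ValueError("unknown right token(s) %s in %r" % (unknown, text))
    return {"type": ace_type, "flags": flags, "rights": tokens,
            "sid": sid, "principal": SID_ALIASES.get(sid, sid)}


def parse_sddl(sddl):
    """Return {'D': [aces], 'S': [aces], 'O': owner, 'G': group} for an SDDL string."""
    sddl = sddl.strip()
    marks = list(re.finditer(r"[OGDS]:", sddl))   # section markers; ACEs contain no ':'
    if not marks or marks[0].start() != 0:
        raise ValueError("not an SDDL string: %r" % sddl[:40])
    sections = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        body, key = sddl[m.end():end], m.group()[0]
        sections[key] = [parse_ace(a) for a in ACE_RE.findall(body)] if key in "DS" else body
    return sections


def weak_aces(sddl):
    """Allow-ACEs granting DANGEROUS rights to anyone outside TRUSTED, decoded."""
    findings = []
    for ace in parse_sddl(sddl).get("D", []):
        if ace["type"] != "A" or ace["sid"] in TRUSTED:
            continue
        bad = sorted(DANGEROUS & set(ace["rights"]))
        if bad:
            findings.append((ace["principal"], [SERVICE_RIGHTS[r] for r in bad]))
    return findings


def diff_dacl(baseline, observed):
    """Per-principal (added, removed) right tokens of observed relative to baseline."""
    def by_sid(sddl):
        out = {}
        for ace in parse_sddl(sddl).get("D", []):
            if ace["type"] == "A":
                out.setdefault(ace["sid"], set()).update(ace["rights"])
        return out
    base, obs = by_sid(baseline), by_sid(observed)
    changes = {}
    for sid in sorted(set(base) | set(obs)):
        added = sorted(obs.get(sid, set()) - base.get(sid, set()))
        removed = sorted(base.get(sid, set()) - obs.get(sid, set()))
        if added or removed:
            changes[SID_ALIASES.get(sid, sid)] = (added, removed)
    return changes


# Expected "Log on as" accounts from the post; extend from a known-good host.
EXPECTED_LOGON = {"BFE": r"NT AUTHORITY\LocalService",
                  "MpsSvc": r"NT AUTHORITY\LocalService",
                  "PolicyAgent": r"NT AUTHORITY\NetworkService"}


def start_name(sc_qc_output):
    """Pull SERVICE_START_NAME out of 'sc qc <service>' output (None if absent)."""
    m = re.search(r"SERVICE_START_NAME\s*:\s*(.+)", sc_qc_output)
    return m.group(1).strip() if m else None


def sc_output(*args):
    """Run sc.exe on a Windows host, e.g. sc_output('sdshow', 'MpsSvc')."""
    return subprocess.run(["sc.exe", *args], capture_output=True, text=True, check=True).stdout


# SharedAccess default DACL/SACL exactly as printed in this post.
SHAREDACCESS_DEFAULT = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SU)"
                        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# The post's "sc sdset" example (AU/PU instead of IU/SU, no SACL).
POST_SDSET_EXAMPLE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                      "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")
# Constructed: a weakened descriptor where Authenticated Users may stop/reconfigure.
WEAKENED = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;SU)")
# Constructed 'sc qc MpsSvc' excerpt in the real output layout.
SAMPLE_QC = "SERVICE_NAME: MpsSvc\n        SERVICE_START_NAME : NT AUTHORITY\\LocalService\n"

if __name__ == "__main__":
    for label, s in [("default", SHAREDACCESS_DEFAULT), ("post example", POST_SDSET_EXAMPLE),
                     ("weakened", WEAKENED)]:
        print(label, "->", weak_aces(s) or "no findings")
    print("diff vs default:", diff_dacl(SHAREDACCESS_DEFAULT, WEAKENED))
    print("MpsSvc logon OK:", start_name(SAMPLE_QC) == EXPECTED_LOGON["MpsSvc"])
```

On a Windows host, replace the constants with sc_output("sdshow", "MpsSvc") and sc_output("qc", "MpsSvc") and run the same functions; diff_dacl against the clean-install string for that service tells you which principal gained or lost which rights, and weak_aces tells you whether the change is a hardening problem and not just a start failure. The decoder refuses unknown right tokens on purpose, which catches the kind of transcription error that would also make sc sdset reject the string.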

What’s next?

In the next installment of this series, I will cover registry permissions as related to Windows Firewall.

- David Pracht