Kimberlee
Engaged Sweeper

Is there a report that will show if Windows Defender Firewall is Enabled or Disabled?

7 REPLIES
rader
Champion Sweeper III

Probably. These reports scan the Microsoft Event Security logs looking for Eventcode = 5025 for the past 7 days. I believe it was written looking at the Microsoft firewall. If your firewall posts events there, and they're 5025, then it should find them.

Chances are that you'll have to find where your firewall writes events out, find the code and adjust the report to scour those logs for the firewall status. 

Good luck.

rader
Champion Sweeper III

Nothing in the reports is a good thing. It means that the services are enabled and running.

If something shows, it's either disabled or stopped.

That's what has me confused.  We have the firewall disabled on our network but nothing is showing in the report. 

rader
Champion Sweeper III

Just to confirm the report is accurate I tested it on a Windows 7 VM with the Firewall disabled on all network models (Domain to Public) and also disabled in the services. Both reports reflected the disabled and off states properly. 

See when the last scan took place and whether or not there were errors scanning the asset.

I performed a scan last Tuesday and the scan will run tonight.  We do have a 3rd party firewall, will that make a difference?

rader
Champion Sweeper III

I think I got these from Lansweeper somewhere.

Windows Firewall Service Disabled Query

Select Top 1000000 tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblAssets.Username,
  tblAssets.Userdomain,
  Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
  tblAssets.IPAddress,
  tsysIPLocations.IPLocation,
  tblAssetCustom.Manufacturer,
  tblAssetCustom.Model,
  tsysOS.OSname As OS,
  tblNtlog.Eventcode,
  tblNtlogSource.Sourcename,
  tblNtlogMessage.Message,
  tblNtlog.TimeGenerated,
  Case
    When tblErrors.ErrorText Is Not Null Or
      tblErrors.ErrorText != '' Then
      'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
    Else ''
  End As ScanningErrors,
  tblAssets.Lastseen,
  tblAssets.Lasttried
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tsysIPLocations On tsysIPLocations.LocationID =
      tblAssets.LocationID
  Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
  Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
  Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
      tblNtlog.SourcenameID
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
  Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID,
      Max(tblErrors.Teller) As ErrorID
    From tblErrors
    Group By tblErrors.AssetID) As ScanningError On tblAssets.AssetID =
      ScanningError.ID
  Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
  Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
      tblErrors.ErrorType
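-- Event 5025 = "The Windows Firewall Service has been stopped";
-- keep only events from the last 7 days on active assets (State = 1)
Where tblNtlog.Eventcode = 5025 And tblNtlog.TimeGenerated > GetDate() - 7 And
  tblAssetCustom.State = 1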
Order By tblAssets.Domain,
  tblAssets.AssetName

Windows Firewall Service Stopped Event Query

Select Top 1000000 tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblAssets.Username,
  tblAssets.Userdomain,
  Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
  tblAssets.IPAddress,
  tsysIPLocations.IPLocation,
  tblAssetCustom.Manufacturer,
  tblAssetCustom.Model,
  tsysOS.OSname As OS,
  tblNtlog.Eventcode,
  tblNtlogSource.Sourcename,
  tblNtlogMessage.Message,
  tblNtlog.TimeGenerated,
  Case
    When tblErrors.ErrorText Is Not Null Or
      tblErrors.ErrorText != '' Then
      'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
    Else ''
  End As ScanningErrors,
  tblAssets.Lastseen,
  tblAssets.Lasttried
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tsysIPLocations On tsysIPLocations.LocationID =
      tblAssets.LocationID
  Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
  Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
  Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
      tblNtlog.SourcenameID
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
  Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID,
      Max(tblErrors.Teller) As ErrorID
    From tblErrors
    Group By tblErrors.AssetID) As ScanningError On tblAssets.AssetID =
      ScanningError.ID
  Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
  Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
      tblErrors.ErrorType
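-- Event 5025 = "The Windows Firewall Service has been stopped";
-- keep only events from the last 7 days on active assets (State = 1)
Where tblNtlog.Eventcode = 5025 And tblNtlog.TimeGenerated > GetDate() - 7 And
  tblAssetCustom.State = 1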
Order By tblAssets.Domain,
  tblAssets.AssetName

Thank you for your response.  If nothing shows on the report does that mean Firewall is Disabled?
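
The reports in this thread infer firewall state from event 5025 in the Security log. The following is an added example (not from the thread or from Lansweeper) that reads the current service and profile state directly on one host, so an empty report can be cross-checked. The function name Get-FirewallState and its output column names are made up for illustration.

```powershell
# Added example, not from the thread. Run elevated on the host being checked.
# Get-NetFirewallProfile needs Windows 8 / Server 2012 or later.
function Get-FirewallState {
    # MpsSvc is the Windows Defender Firewall service
    $svc     = Get-Service -Name MpsSvc -ErrorAction SilentlyContinue
    $running = [bool]($svc -and $svc.Status -eq 'Running')

    # The signal the reports query: event 5025 in the Security log, last 7 days
    $stops = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 5025; StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue)

    # ActiveStore holds the effective settings after Group Policy is applied
    try   { $profiles = @(Get-NetFirewallProfile -PolicyStore ActiveStore -ErrorAction Stop) }
    catch { $profiles = @() }

    if ($profiles.Count -eq 0) {
        # Profiles could not be read (for example, the service is not running)
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Profile = 'n/a'; ProfileEnabled = $null
            ServiceRunning = $running; Events5025 = $stops.Count
            Verdict = 'Unknown: profiles unreadable'
        }
    }

    foreach ($p in $profiles) {
        # Compare as text so the check works whatever type Enabled is returned as
        $enabled = ("$($p.Enabled)" -eq 'True')
        if     (-not $running) { $verdict = 'OFF: service not running' }
        elseif (-not $enabled) { $verdict = 'OFF: profile disabled' }
        else                   { $verdict = 'ON' }
        # A host can be OFF here while the 5025 report stays empty
        if ($verdict -ne 'ON' -and $stops.Count -eq 0) { $verdict += ' (no 5025 event)' }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Profile = $p.Name; ProfileEnabled = $enabled
            ServiceRunning = $running; Events5025 = $stops.Count; Verdict = $verdict
        }
    }
}

Get-FirewallState | Format-Table -AutoSize
```

A row whose Verdict ends in "(no 5025 event)" is a host where the firewall is off but the 7-day event reports would show nothing.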