Find Windows Firewalls That Are Disabled or Not Starting Automatically
Services are a core Windows function designed to enable the creation and management of long-running processes. The Windows firewall service is key to restricting the access that users and applications have to a computer. Monitoring, or being alerted, when this service isn't started or is disabled is therefore key to the security of your endpoints. The report below lists all Windows devices that have been rescanned in the last 7 days and whose Windows firewall service is not running or whose start mode is not set to automatic. Both of these are indicators of a problem.
This report is part of a Pro Tips blog post covering multiple ways of keeping an eye on your Windows firewall.
Windows Firewall Service Disabled Query
Select Top 1000000 tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblAssets.Username,
tblAssets.Userdomain,
Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
tblAssets.IPAddress,
tsysIPLocations.IPLocation,
tblAssetCustom.Manufacturer,
tblAssetCustom.Model,
tsysOS.OSname As OS,
tblServicesUni.Caption As [Service Name],
tblServicesUni.Pathname As [Service Path],
tblServiceStartMode.StartMode As [Service Start Mode],
tblServiceState.State As [Service State],
Case
When tblErrors.ErrorText Is Not Null Or
tblErrors.ErrorText != '' Then
'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
Else ''
End As ScanningErrors,
ServicesLastScanned.ServicesLastScanned,
tblAssets.Lastseen,
tblAssets.Lasttried
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tsysIPLocations On tsysIPLocations.LocationID =
tblAssets.LocationID
Inner Join tblServices On tblServices.AssetID = tblAssets.AssetID
Inner Join tblServicesUni On tblServicesUni.ServiceuniqueID =
tblServices.ServiceuniqueID
Inner Join tblServiceStartMode On tblServiceStartMode.StartID =
tblServices.StartID
Inner Join tblServiceState On tblServiceState.StateID =
tblServices.StateID
Inner Join tblState On tblState.State = tblAssetCustom.State
Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID,
Max(tblErrors.Teller) As ErrorID
From tblErrors
Group By tblErrors.AssetID) As ScanningError On tblAssets.AssetID =
ScanningError.ID
Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
tblErrors.ErrorType
Left Join (Select Distinct Top 1000000 TsysLastscan.AssetID As ID,
TsysLastscan.Lasttime As ServicesLastScanned
From TsysWaittime
Inner Join TsysLastscan On TsysWaittime.CFGCode = TsysLastscan.CFGcode
Where TsysWaittime.CFGname = 'SERVICES') As ServicesLastScanned On
tblAssets.AssetID = ServicesLastScanned.ID
Where tblState.Statename = 'Active'
And tblServicesUni.Name = 'MpsSvc'
And ServicesLastScanned.ServicesLastScanned >= GetDate() - 7
And (tblServiceStartMode.StartMode <> 'Auto' Or
tblServiceState.State <> 'Running')
Order By tblAssets.Domain,
tblAssets.AssetName
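
To confirm a device flagged by the report before remediating it, the same condition (MpsSvc start mode not 'Auto' or state not 'Running') can be checked live over CIM. This is an added example, not part of the original report; the function name Test-FirewallService and the sample computer names are hypothetical, and it assumes WinRM is reachable on the targets.

```powershell
# Added example: spot-check the Windows firewall service on flagged devices.
# Test-FirewallService and the sample computer names are hypothetical.
function Test-FirewallService {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$ComputerName
    )
    process {
        foreach ($computer in $ComputerName) {
            $row = [ordered]@{
                ComputerName = $computer
                StartMode    = $null
                State        = $null
                Flagged      = $null
                Error        = $null
            }
            try {
                $query = @{
                    ClassName    = 'Win32_Service'
                    Filter       = "Name='MpsSvc'"
                    ComputerName = $computer
                    ErrorAction  = 'Stop'
                }
                $svc = Get-CimInstance @query
                if (-not $svc) { throw 'MpsSvc service not found' }

                $row.StartMode = $svc.StartMode
                $row.State     = $svc.State
                # Same condition as the report's Where clause
                $row.Flagged   = ($svc.StartMode -ne 'Auto' -or $svc.State -ne 'Running')
            }
            catch {
                # Unreachable or access-denied hosts are reported, not silently skipped
                $row.Error = $_.Exception.Message
            }
            [pscustomobject]$row
        }
    }
}

# Constructed sample input: replace with asset names taken from the report
'PC-EXAMPLE-01', 'PC-EXAMPLE-02' | Test-FirewallService | Format-Table -AutoSize
```

A row with Flagged set to True matches what the report shows; a row with only Error populated means the device could not be queried and its state is still unknown.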