{"id":1549,"date":"2018-11-12T01:00:00","date_gmt":"2018-11-12T01:00:00","guid":{"rendered":"http:\/\/inswwdev.azurewebsites.net\/au\/insights\/uncategorized\/windows-firewall-behaviour-in-windows-10-vdi-and-windows-server-2016-w-citrix-xenapp\/"},"modified":"2024-12-17T03:19:49","modified_gmt":"2024-12-17T03:19:49","slug":"windows-firewall-behaviour-in-windows-10-vdi-and-windows-server-2016-w-citrix-xenapp","status":"publish","type":"post","link":"https:\/\/www.insentragroup.com\/nz\/insights\/geek-speak\/secure-workplace\/windows-firewall-behaviour-in-windows-10-vdi-and-windows-server-2016-w-citrix-xenapp\/","title":{"rendered":"Windows Firewall Behaviour in Windows 10 VDI and Windows Server 2016 w\/ Citrix XenApp"},"content":{"rendered":"<h3 style=\"padding-bottom: 15px; margin-bottom: 30px; margin-top: 40px; border-bottom: 1px solid #f16020;\">Persistent firewall rules in Server 2016 &amp; Windows 10<\/h3>\n<p style=\"text-align: justify;\">Firewalls are implemented to reduce the impact of malicious activity across an organisation, but they always come at a price. That price ranges from significantly increased configuration effort, to the point where an environment is locked down so tightly that implementing solutions becomes cumbersome and troubleshooting even harder, through to a performance impact on the systems where the firewall is enabled.<\/p>\n<p style=\"text-align: justify;\">In the many deployments we deliver each year, we recommend that the Windows Firewall service (now branded \u2018Windows Defender Firewall\u2019) is enabled and active, with rules on each machine that allow communication with the other machines and services it interacts with, but not locked down so far that no other communication is possible.<\/p>\n<p style=\"text-align: justify;\">Recent releases of Microsoft operating systems introduced \u2018App packages\u2019, also known as \u2018Modern Apps\u2019, which come bundled with the O\/S and are part of the Microsoft Modern App strategy. These applications expose a behaviour in the Windows Defender Firewall service that can cause a significant performance impact on the hosting systems and on the users connecting to them, and that also complicates any troubleshooting of the firewall service.<\/p>\n<p style=\"text-align: justify;\">Every App Package has a unique identifier (an app container SID) which the firewall uses to match the traffic of that package; rules can additionally be conditioned on the user, the protocol and other criteria. This is a sensible design, as the per-package identifier allows very precise targeting of firewall rules. The catch is that the rules for each App Package are written to the firewall automatically, for the individual user, at the start of every user session.<\/p>\n<p style=\"text-align: justify;\">The issue is that these rules are not removed from the firewall at the end of the user session, nor are they reused on the next logon of the same user: a fresh set is created every time. A single user can therefore accumulate hundreds of rules for applications that are not even required and, worse still, they are Any\/Any rules (any remote address, any port).<\/p>\n<p style=\"text-align: justify;\"><img decoding=\"async\" style=\"width: 577px; height: 433px;\" src=\"https:\/\/www.insentragroup.com\/wp-content\/uploads\/sites\/18\/2021\/02\/windowsfirewallbehaviour_img_1.jpg\" alt=\"\" data-udi=\"umb:\/\/media\/714b9d43ac4e41b4b727d275b07e0d4e\" \/><\/p>\n<p style=\"text-align: justify;\">Running the Xbox Live services on a Windows Server 2016 host is unnecessary (unless your gaming laptop died the night before a Fortnite battle with friends), so removing them seems sensible. On every Citrix deployment we implement, we run the Citrix Optimizer toolkit (<a rel=\"noopener nofollow\" href=\"https:\/\/support.citrix.com\/article\/CTX224676\" target=\"_blank\">https:\/\/support.citrix.com\/article\/CTX224676<\/a>) on the target servers to disable a number of services and App Packages that do not need to be active in enterprise environments. Some App Packages do need to remain, however, and those still create their individual user-based firewall rules.<\/p>\n<p style=\"text-align: justify;\">For most systems the optimisation is enough to limit the impact of the user rules, but in some instances it is not. In Citrix XenApp or Microsoft RDS environments, where a high number of users connect to a single server, the number of rules created can get out of control and impact performance.<\/p>\n<p style=\"text-align: justify;\">This may not cause a major performance impact straight away, but it has the potential to degrade systems over time and to complicate troubleshooting, because the OS does not remove the rules when users log out, nor when the same user logs in to the server again.<\/p>\n<p style=\"text-align: justify;\"><img decoding=\"async\" style=\"width: 970px; height: 485px;\" src=\"https:\/\/www.insentragroup.com\/wp-content\/uploads\/sites\/18\/2021\/02\/windowsfirewallbehaviour_img_2.jpg\" alt=\"\" data-udi=\"umb:\/\/media\/8c3a723ffcd94119b5401d978cc73a5e\" \/><\/p>\n<p style=\"text-align: justify;\">One example of the impact is an svchost.exe process (the firewall service, MpsSvc, runs inside svchost.exe) consuming an excessive amount of CPU on the server while it processes all the rules it has accumulated.<\/p>\n<p style=\"text-align: justify;\">At the time of writing Microsoft has not announced a patch for Windows 10 or Windows Server 2016; we are monitoring the blogs and feeds and hope that something will be released later this year. For environments that need to clean up the rules now, there is little option other than running a scheduled task with a PowerShell script.<\/p>\n<p style=\"text-align: justify;\">To get a picture of which apps are automatically creating firewall rules, open \u201cC:\\Windows\\SystemApps\u201d.<\/p>\n<p style=\"text-align: justify;\"><img decoding=\"async\" style=\"width: 630px; height: 507px;\" src=\"https:\/\/www.insentragroup.com\/wp-content\/uploads\/sites\/18\/2021\/02\/windowsfirewallbehaviour_img_3.jpg\" alt=\"\" data-udi=\"umb:\/\/media\/fd2a2eb6711c471b8993952f3657badb\" \/><\/p>\n<p style=\"text-align: justify;\">Four of the main culprits for the bloat of rules are:<\/p>\n<ul>\n<li>\u201cContact Support\u201d: related to the Metro app \u201cContact Support\u201d, which can be used to ask Microsoft for help directly. If disabled, this app may not work<\/li>\n<li>\u201cSearch\u201d: related to the Cortana app. If disabled, Cortana may not work<\/li>\n<li>\u201cWork or school account\u201d: related to Azure AD accounts. If disabled, Azure AD accounts may not work<\/li>\n<li>\u201cYour account\u201d: related to the cloud service for your account (Microsoft account settings sync between machines)<\/li>\n<\/ul>\n<p style=\"text-align: justify;\">Based on the above example, each time a user logs in they will have 11 firewall App rules created which will not be deleted once the user logs out.
\u00a0So, what do you do?<\/p>\n<p style=\"text-align: justify;\">Determine the installed App Packages from the SystemApps folder and edit your script to find and delete rules as required. Here is an example script:<\/p>\n<p style=\"text-align: justify;\">Get-NetFirewallRule -DisplayName '*Microsoft*' | Remove-NetFirewallRule<\/p>\n<p style=\"text-align: justify;\">Get-NetFirewallRule -DisplayName '*xbox*' | Remove-NetFirewallRule<\/p>\n<p style=\"text-align: justify;\">Get-NetFirewallRule -DisplayName '*Parental*' | Remove-NetFirewallRule<\/p>\n<p style=\"text-align: justify;\">Get-NetFirewallRule -DisplayName '*ShellExperience*' | Remove-NetFirewallRule<\/p>\n<p style=\"text-align: justify;\">Get-NetFirewallRule -DisplayName '*Windows*' | Remove-NetFirewallRule<\/p>\n<p style=\"text-align: justify;\">Feel free to use the above code if you cannot wait for a fix from Microsoft, but please test it thoroughly in your environment first to make sure it does not impact anything critical. Note in particular that the '*Windows*' and '*Microsoft*' wildcards also match built-in, machine-wide rules such as \u201cWindows Remote Management (HTTP-In)\u201d, not only the per-user App Package rules, so run each line with -WhatIf on Remove-NetFirewallRule and review what it would remove before letting a scheduled task run it unattended.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Persistent firewall rules in Server 2016 &amp; Windows 10 Firewalls are implemented in an attempt to reduce the impact of malicious attacks across an organisation, but they always come at a price.\u00a0 This can be from significantly increasing the configuration requirements across an environment to the point where everything is locked down so tight it&hellip; <a class=\"more-link\" href=\"https:\/\/www.insentragroup.com\/nz\/insights\/geek-speak\/secure-workplace\/windows-firewall-behaviour-in-windows-10-vdi-and-windows-server-2016-w-citrix-xenapp\/\">Continue reading <span class=\"screen-reader-text\">Windows Firewall Behaviour in Windows 10 VDI and Windows Server 2016 w\/ Citrix XenApp<\/span><\/a><\/p>\n","protected":false},"author":9,"featured_media":1550,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[20],"tags":[],"class_list":["post-1549","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-secure-workplace","entry"],"_links":{"self":[{"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/posts\/1549","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/comments?post=1549"}],"version-history":[{"count":1,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/posts\/1549\/revisions"}],"predecessor-version":[{"id":35468,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/posts\/1549\/revisions\/35468"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/media\/1550"}],"wp:attachment":[{"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/media?parent=1549"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/categories?post=1549"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/tags?post=1549"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
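As an added example (not code from the original post or from Citrix), the following script is a more targeted version of the scheduled-task cleanup the post describes, covering both the "see how many rules each user has accumulated" step and the removal step. Instead of matching rules by DisplayName wildcards, which also catch built-in machine-wide rules, it selects rules by the Owner property, which the firewall sets to the user's SID on the per-user App Package rules and leaves empty on machine-wide rules, and it leaves alone users whose profile hive is still loaded (logged on or disconnected), since a fresh set of rules is created at the next logon anyway. The Owner-based selection, the loaded-hive check, and the script, function and task names are assumptions for illustration; confirm on your own build that the leaked rules carry an Owner SID (`Get-NetFirewallRule | Select-Object DisplayName, Owner`) before relying on it, and run it with `-WhatIf` first.

```powershell
# Added example (not from the original post): remove the per-user App Package
# firewall rules that accumulate on a XenApp / RDS host, selecting them by the
# rule's Owner SID instead of by DisplayName wildcards.
#
# Assumptions (verify on your build before relying on them):
#  - the leaked per-user rules carry the user's SID in the Owner property,
#    while built-in machine-wide rules have an empty Owner;
#  - a user whose registry hive is loaded under HKEY_USERS is still logged on
#    (or disconnected) and their rules should be left alone by default.
# Run elevated; supports -WhatIf and -Verbose via CmdletBinding.
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Also remove rules belonging to users who are still logged on.
    [switch]$IncludeLoggedOnUsers
)

function Get-LoadedProfileSid {
    # SIDs of user hives currently loaded. Skips .DEFAULT, the *_Classes keys
    # (the same users' HKCR hives) and the SYSTEM / LOCAL SERVICE / NETWORK
    # SERVICE well-known accounts.
    (Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue).PSChildName |
        Where-Object {
            $_ -like 'S-1-*' -and
            $_ -notlike '*_Classes' -and
            $_ -notin @('S-1-5-18', 'S-1-5-19', 'S-1-5-20')
        } |
        Sort-Object -Unique
}

function Get-UserAppPackageRule {
    # Machine-wide rules such as "Windows Remote Management (HTTP-In)" have no
    # Owner, so this never selects them, unlike -DisplayName '*Windows*'.
    Get-NetFirewallRule | Where-Object { -not [string]::IsNullOrEmpty($_.Owner) }
}

$rules = @(Get-UserAppPackageRule)

# Report the bloat before touching anything: rules accumulated per user SID.
$rules |
    Group-Object -Property Owner |
    Sort-Object -Property Count -Descending |
    Select-Object @{ n = 'OwnerSid'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

$keep = if ($IncludeLoggedOnUsers) { @() } else { @(Get-LoadedProfileSid) }
$toRemove = @($rules | Where-Object { $keep -notcontains $_.Owner })

foreach ($rule in $toRemove) {
    # ShouldProcess makes -WhatIf list each rule instead of removing it.
    $target = '{0} [owner {1}]' -f $rule.DisplayName, $rule.Owner
    if ($PSCmdlet.ShouldProcess($target, 'Remove-NetFirewallRule')) {
        $rule | Remove-NetFirewallRule
    }
}

$summary = 'Removed {0} of {1} per-user App Package rules ({2} logged-on owner SIDs kept)' -f $toRemove.Count, $rules.Count, $keep.Count
Write-Verbose $summary

# To run this nightly as SYSTEM (the script path is an assumed example location):
#   $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
#                -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Remove-UserAppRules.ps1'
#   $trigger = New-ScheduledTaskTrigger -Daily -At 3am
#   Register-ScheduledTask -TaskName 'Remove-UserAppRules' -Action $action -Trigger $trigger -User 'SYSTEM' -RunLevel Highest
```

Run it once interactively as `.\Remove-UserAppRules.ps1 -WhatIf -Verbose` and compare the per-owner table with what the post's screenshots show; if the table is empty while the firewall console clearly lists leaked rules, the Owner assumption does not hold on that build and the script must fall back to another selector (for example the Package property or the rule DisplayName) before it is safe to register as a scheduled task.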