Tuesday, April 25, 2023

Windows Firewall - network card not detecting the correct connection profile

For people familiar with Windows Firewall, there are three profiles that you can create rules for: Private, Public, and Domain. The operating system uses the Network Location Awareness service (NlaSvc) to work out which type of network each NIC is connected to. If the machine is joined to an on-premises Active Directory domain, NlaSvc tries to contact a domain controller through each NIC to decide whether that NIC should get the Domain profile. For the other profiles, it tries to reach a Microsoft-hosted web endpoint to see whether there is internet connectivity.

The problem with Windows Firewall and its domain check is that the network stack may not be fully functional yet when NlaSvc runs the check at startup. If the check fails, the NIC is placed on the Public (or Private) profile, so none of the Domain-profile rules apply and the more restrictive Public rules do instead. On a domain controller this is particularly problematic: the DC's Domain-profile rules are what let AD traffic in, and the tempting "fix" of opening those ports on the Public profile as well leaves the host exposed on networks it should not trust.

To work around this you can modify the service settings in the registry to add some additional service dependencies. This delays the start of NlaSvc until those services are running and gives the system more time to be ready for the checks. Open regedit and navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NlaSvc. Edit the "DependOnService" REG_MULTI_SZ value; regedit shows one entry per line. The values you will want listed are: NSI, RpcSs, TcpIp, Dhcp, Eventlog, DNS, Netlogon.

Note that DNS here is the DNS Server service, which only exists on a machine running the DNS Server role (typically a domain controller). If a service named in DependOnService is not installed, NlaSvc will fail to start at all, so on a member server leave DNS out of the list.

There are some additional configurations you will want to push as well:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NlaSvc\Parameters\AlwaysExpectDomainController (REG_DWORD) = 0x1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters\MaxNegativeCacheTTL (REG_DWORD) = 0x0
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\NegativeCachePeriod (REG_DWORD) = 0x0

Together with the dependency change, these make NLA's domain detection more reliable. The dependency list is only consulted when the service starts, so reboot (or at least restart NlaSvc) after making the changes and then check which profile each NIC has been given.
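The same changes applied from an elevated PowerShell prompt, as an added example that is not from the original post. It merges the wanted dependencies into whatever DependOnService already holds, skips any service that is not installed on the host (so it will not wedge NlaSvc on a member server that has no DNS Server role), writes the three DWORD values, and reads everything back together with the current connection profile of each NIC. The function names and the layout of the value table are my own; the registry paths and values are the ones listed above.

```powershell
#Requires -RunAsAdministrator
# Added example (not the blog post's own script): apply the NlaSvc dependency
# and registry changes described above, then read them back.

$NlaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc'
$WantedDeps = @('NSI', 'RpcSs', 'Tcpip', 'Dhcp', 'EventLog', 'DNS', 'Netlogon')

# The three REG_DWORD values from the post (table layout is an assumption of this example).
$DwordValues = @(
    @{ Path = "$NlaKey\Parameters";                                          Name = 'AlwaysExpectDomainController'; Value = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'; Name = 'MaxNegativeCacheTTL';          Value = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'NegativeCachePeriod';          Value = 0 }
)

function Set-NlaSvcDependencies {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Dependencies = $WantedDeps)

    # Keep whatever is already there and append the wanted services, without duplicates.
    $current = @((Get-ItemProperty -Path $NlaKey -Name DependOnService -ErrorAction SilentlyContinue).DependOnService)
    $merged  = [System.Collections.Generic.List[string]]::new()
    foreach ($dep in $current + $Dependencies) {
        if ([string]::IsNullOrWhiteSpace($dep)) { continue }
        if ($merged -contains $dep)            { continue }   # -contains is case-insensitive
        # A dependency on a service that is not installed (e.g. DNS on a member
        # server) stops NlaSvc from starting at all, so check before adding it.
        if (-not (Get-Service -Name $dep -ErrorAction SilentlyContinue)) {
            Write-Warning "Service '$dep' is not installed on this host; not adding it as a dependency."
            continue
        }
        $merged.Add($dep)
    }
    if ($PSCmdlet.ShouldProcess($NlaKey, "Set DependOnService = $($merged -join ' ')")) {
        Set-ItemProperty -Path $NlaKey -Name DependOnService -Value ([string[]]$merged) -Type MultiString
    }
    return $merged.ToArray()
}

function Set-NlaRegistryValues {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($v in $DwordValues) {
        if (-not (Test-Path -Path $v.Path)) { New-Item -Path $v.Path -Force | Out-Null }
        if ($PSCmdlet.ShouldProcess("$($v.Path)\$($v.Name)", "Set DWORD = $($v.Value)")) {
            # -Force overwrites an existing value, so this is safe to re-run.
            New-ItemProperty -Path $v.Path -Name $v.Name -Value $v.Value -PropertyType DWord -Force | Out-Null
        }
    }
}

function Test-NlaState {
    # Read back what was written and show the profile each NIC currently has.
    'DependOnService: ' + ((Get-ItemProperty -Path $NlaKey -Name DependOnService).DependOnService -join ' ')
    foreach ($v in $DwordValues) {
        $actual = (Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue).($v.Name)
        '{0}\{1} = {2}' -f $v.Path, $v.Name, $actual
    }
    # Expect NetworkCategory = DomainAuthenticated on the domain-facing NIC after restart.
    Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory, IPv4Connectivity
}

Set-NlaSvcDependencies
Set-NlaRegistryValues
Test-NlaState
# The dependency list is only read when the service starts: reboot, or for a
# quick check of the profile itself run "Restart-Service NlaSvc -Force", then
# call Test-NlaState again.
```

Run with `-WhatIf` on the two `Set-` functions first to see what would be written without touching the registry. `sc.exe qc NlaSvc` shows the effective dependency list as the Service Control Manager sees it, which is a useful second check that nothing in DependOnService points at a service the SCM cannot find.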
