
Windows Vista Firewall Part 3: Lockdown

Part 1 | Part 2 | Part 3

Logging activity

There is quite a lot in Windows Firewall with Advanced Security and we have only really scratched the surface. However, we have covered most of what most people need to know. Security experts who have specific requirements can access many advanced functions, but they aren't important to the average user.

One feature you might want to explore is logging. Windows Firewall can keep a record of certain types of activity and the details are written to a file called pfirewall.log. It's a plain text file and it can be viewed in Notepad if you want to see what security events have occurred recently. The log is not kept by default, but it is easy to turn on the feature.

Select the item at the top of the left-hand column, Windows Firewall with Advanced... and then click the Windows Firewall Properties link in the middle pane. Select a profile tab, such as Private Profile (commonly used with home PCs), and click the Customize button in the Logging section. Here you can see the log file; the default is C:\Windows\system32\LogFiles\Firewall\pfirewall.log, assuming Vista is installed on drive C. The size limit is 4,096 KB, which is 4 MB. Entries are added to the log and when the file reaches 4 MB, the oldest entries are deleted to make room for new ones, so the size never exceeds the limit. You can change the size, but there is really no need and 4,096 KB is fine.

[Image: Windows Firewall]

Two types of events can be logged - dropped packets and successful connections. Both are set to No (default) when you install Vista, but you can click either one or both and set them to Yes. A dropped packet is logged when an unauthorised person or program tries to access your computer and the firewall blocks it. This might be a malicious person - a hacker - or a malicious program like a virus, but not always: there is always a bit of background activity for various reasons when you are connected to the internet. Successful connections can be logged so that you can check which programs are using the internet. Legitimate programs will be logged along with any malware, and determining which is OK and which isn't really needs expert knowledge because it isn't always obvious.

After turning the two logging options on, close the dialogs with the OK buttons and use the internet for a while. In Windows Firewall with Advanced Security, select the Monitoring item in the left-hand pane and you will see the settings in the middle pane. In the Logging settings section is the filename of the log file - click it and Windows Notepad will open and display the log. It will look something like this:

[Image: Windows Firewall]

The #Fields line tells you what each item is: the first item is the date, the second is the time, and these are followed by the action, protocol, source IP address, destination IP address and so on. Spotting anomalies in the log file really takes a trained eye.
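As an added example, not part of the original article, here is a small Python reader for the log described above. It takes the column names from the #Fields line rather than hard-coding them, then counts dropped packets per source address and destination port and allowed connections per destination, which is the first thing a reviewer would want from the raw file. The sample log text is constructed, and the column names after dst-ip are assumed from the standard Windows Firewall log header rather than taken from this page.

```python
from collections import Counter

# Constructed sample in the pfirewall.log layout described above: '#' lines are
# metadata, '#Fields:' names the columns and '-' marks an empty field. Column
# names after dst-ip are assumed from the usual Windows Firewall log header.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-03-10 12:00:01 DROP TCP 203.0.113.7 192.168.1.10 51234 445 52 S 1234567 0 8192 - - - RECEIVE
2009-03-10 12:00:02 DROP TCP 203.0.113.7 192.168.1.10 51235 135 52 S 1234568 0 8192 - - - RECEIVE
2009-03-10 12:00:05 ALLOW TCP 192.168.1.10 198.51.100.20 49152 80 0 - 0 0 0 - - - SEND
2009-03-10 12:00:09 DROP UDP 192.168.1.1 192.168.1.255 137 137 78 - - - - - - - RECEIVE
2009-03-10 12:00:11 ALLOW TCP 192.168.1.10 198.51.100.20 49153 443 0 - 0 0 0 - - - SEND
2009-03-10 12:00:12 DROP TCP 203.0.113.7 192.168.1.10 51236 3389 52 S 1234569 0 8192 - - - RECEIVE
"""


def parse_firewall_log(text):
    """Return one dict per log entry, keyed by the names on the '#Fields:' line."""
    fields, entries = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Version, #Software, #Time Format carry no entries
        if not fields:
            raise ValueError("log entry found before the #Fields header")
        values = line.split()
        values += ["-"] * (len(fields) - len(values))  # pad a partial last line
        entries.append(dict(zip(fields, values)))
    return entries


def summarize(entries):
    """Count DROP entries per (source IP, destination port) and ALLOW entries
    per (destination IP, destination port): one source probing many ports and
    the destinations local programs talk to are what a reviewer looks for."""
    dropped, allowed = Counter(), Counter()
    for e in entries:
        if e["action"] == "DROP":
            dropped[(e["src-ip"], e["dst-port"])] += 1
        elif e["action"] == "ALLOW":
            allowed[(e["dst-ip"], e["dst-port"])] += 1
    return dropped, allowed
```

To run it on a real file, pass the contents of pfirewall.log to parse_firewall_log and print `dropped.most_common(10)`; a single source appearing against several different destination ports in a short interval is the pattern worth a closer look.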

