Persistent firewall rules in Server 2016 & Windows 10

Firewalls are implemented in an attempt to reduce the impact of malicious attacks across an organisation, but they always come at a price. This can range from significantly increasing the configuration requirements across an environment, to the point where everything is locked down so tightly that implementing solutions becomes cumbersome and troubleshooting even harder, to impacting the performance of the systems where it is enabled. In the many deployments we deliver each year, we recommend that the Windows Firewall (now known as ‘Windows Defender’) service is enabled and active, with rules on the machines that allow communication between them and the other services they interact with, although not so locked down that there can be absolutely no other communication.

With the latest release of Microsoft operating system platforms, a key feature has been introduced called ‘App Packages’, or ‘Modern Apps’, which come bundled with the OS and are part of the Microsoft Modern App strategy. These new applications have introduced an issue within the Windows Defender service that can cause significant performance impact on the hosting systems, or on connecting users, as well as impacting any troubleshooting of the firewall service.

Every App Package has a unique identifier (SID) which is used by Windows Defender to filter the modern apps. This can be done based on user ID, protocol or other conditions. This sounds logical, and the package-by-package feature allows for precise targeting of the firewall rules; the App Packages automatically write their own rules to the firewall for each application at the start of the user session. The issue is that the App Packages do not remove the rules they placed into the firewall at the end of a user session, nor do they reuse the rules on a second login of the same user. This can result in a single user creating hundreds of rules in the firewall for applications that are not required; worse still, they are Any/Any rules. Running the Xbox Live services on a Windows 2016 server is unnecessary, unless your gaming laptop has just died the night before a Fortnite friend battle, so removing these seems sensible. On all deployments of Citrix we implement, we use the Citrix optimiser toolkit ( ) on the target servers and disable a number of the services that don’t need to be active in enterprise environments, but there are a number that need to be there, which include individual user-based firewall rules for the app package.

For most systems, the optimisation is enough to limit the impact of the user rules, but in some instances this is not the case.

In Citrix XenApp or Microsoft RDS systems, where a high number of users connect to a single server, the number of rules created can get out of control and impact performance. This may not result in a major performance impact on a system straight away, but it has the potential to impact systems over time, as well as to impact troubleshooting, because the rules are not removed by the OS when users log out or when the same user logs in to the server again.

An example of the potential impact is that the svchost.exe process consumes an excessive amount of compute on the server in dealing with all the rules it has to process. Microsoft have not announced a ‘patch’ for Windows 10 and Windows Server 2016, but we are monitoring the blogs and feeds and hopefully they will release something later this year.
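To see how many of these per-user App Package rules a host has accumulated, how many are Any/Any, and which belong to users who no longer have a session, here is an added PowerShell example (not code from the original post, nor from Citrix or Microsoft). It assumes an elevated session, that the per-user rules carry the creating user's SID in the rule's Owner property, and that a logged-on user's registry hive is loaded under HKEY_USERS for the life of their session.

```powershell
# Added example, not code from the original post or from Citrix/Microsoft.
# Audits per-user App Package firewall rules on a Windows Server 2016 / Windows 10
# host and reports those whose owner no longer has a session on the machine.
# Assumptions: elevated PowerShell session; per-user App Package rules carry the
# creating user's SID in the rule's Owner property; a logged-on user's registry
# hive is loaded under HKEY_USERS for the lifetime of their session.
param(
    [switch]$Remove   # stale rules are only removed when this switch is given
)

# SIDs with a loaded profile hive are the users currently logged on (the *_Classes keys are skipped).
$loggedOnSids = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21(-\d+)+$' } |
    ForEach-Object { $_.PSChildName }

# Machine-wide rules have no Owner; the dynamically created per-user rules do.
$userRules = Get-NetFirewallRule | Where-Object { $_.Owner }

$report = $userRules | Group-Object -Property Owner | ForEach-Object {
    $sid   = $_.Name
    $rules = $_.Group
    # Any/Any rules carry no protocol restriction on their port filter.
    $anyAny = @($rules | Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'Any' }).Count
    $account = $(try {
        ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value
    } catch { '(unresolved SID)' })   # e.g. an account that has since been deleted
    [pscustomobject]@{
        OwnerSid    = $sid
        Account     = $account
        RuleCount   = $rules.Count
        AnyAnyRules = $anyAny
        LoggedOn    = ($loggedOnSids -contains $sid)
    }
}

$report | Sort-Object RuleCount -Descending | Format-Table -AutoSize

# Stale = the owner has no session on this host, so nothing will ever clean these rules up.
$stale = @($report | Where-Object { -not $_.LoggedOn })
$staleCount = [int]($stale | Measure-Object -Property RuleCount -Sum).Sum
Write-Host ("Stale per-user rules: {0} across {1} former session(s)" -f $staleCount, $stale.Count)

if ($Remove -and $stale.Count -gt 0) {
    $staleSids = $stale.OwnerSid
    $userRules | Where-Object { $staleSids -contains $_.Owner } | Remove-NetFirewallRule -Verbose
}
```

Run it as-is for a read-only report; adding -Remove deletes only the rules of users with no session, which covers what is left behind at logoff but not the duplicates a logged-on user accumulates across repeated logins.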