Consider the following scenario:

  • On a computer that is running Windows Vista or Windows Server 2008, you disable Windows Firewall for the Domain profile, the Private profile and the Public profile.
  • You enable the “Filtering Platform Connection” audit policy.

In this scenario, an Event ID 5159 event that resembles the following is logged many times in the Security event log:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Event ID:      5159
Task Category: Filtering Platform Connection
Level:         Information
Keywords:      Audit Failure
User:          N/A
The Windows Filtering Platform has blocked a bind to a local port.
Application Information:
        Process ID:             process ID
        Application Name:       %path to some application%
Network Information:
        Source Address:         IP address
        Source Port:            port number
        Protocol:               17
Filter Information:
        Filter Run-Time ID:     0
        Layer Name:             Resource Assignment
        Layer Run-Time ID:      36

These events quickly fill the Security event log. Because of the large number of these entries, it is difficult to notice other audit failures in the Security event log.
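The triage a defender wants here is to separate this known pattern from 5159 events that a filter actually produced. The following Python is an added example, not part of the article: it parses exported message bodies in the layout above (sample data is constructed from a template) and suppresses events matching Filter Run-Time ID 0 at Layer Run-Time ID 36; that a non-zero Filter Run-Time ID points at a real filter is an assumption to confirm against your own logs.

```python
import re
from collections import Counter

# Event ID 5159 message body in the layout shown in the article; placeholders
# are filled from constructed sample data below, not from a real Security log.
TEMPLATE = """The Windows Filtering Platform has blocked a bind to a local port.
Application Information:
        Process ID:             {pid}
        Application Name:       {app}
Network Information:
        Source Port:            {port}
        Protocol:               17
Filter Information:
        Filter Run-Time ID:     {filter_id}
        Layer Name:             Resource Assignment
        Layer Run-Time ID:      36"""

SVCHOST = r"\device\harddiskvolume1\windows\system32\svchost.exe"
SAMPLE_LOG = "\n\n".join(TEMPLATE.format(**e) for e in [  # constructed sample
    dict(pid=1234, app=SVCHOST, port=55000, filter_id=0),
    dict(pid=1234, app=SVCHOST, port=55001, filter_id=0),
    dict(pid=4321, app=r"\device\harddiskvolume1\tools\agent.exe", port=8080,
         filter_id=70001),  # constructed non-zero filter ID, kept for review
])

FIELD = re.compile(r"^\s*([A-Za-z -]+):\s+(.+?)\s*$")

def parse_events(text):
    """Split blank-line separated 5159 message bodies into {field: value} dicts."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:  # section headers such as "Filter Information:" carry no value
                fields[m.group(1)] = m.group(2)
        events.append(fields)
    return events

def is_firewall_off_noise(ev):
    """Pattern from the article: Resource Assignment layer (36), no specific filter (0)."""
    return ev.get("Filter Run-Time ID") == "0" and ev.get("Layer Run-Time ID") == "36"

def triage(text):
    """Count the noise per application and keep every other 5159 event for review."""
    noise, review = Counter(), []
    for ev in parse_events(text):
        if is_firewall_off_noise(ev):
            noise[ev.get("Application Name", "?")] += 1
        else:
            review.append(ev)
    return noise, review
```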
