Consider the following scenario:
- On a computer that is running Windows Vista or Windows Server 2008, you disable Windows Firewall for the Domain profile, the Private profile and the Public profile.
- You enable the “Filtering Platform Connection” audit policy.
In this scenario, the following Event ID 5159 is logged many times in the Security event log:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Event ID: 5159
Task Category: Filtering Platform Connection
Level: Information
Keywords: Audit Failure
User: N/A
Description:
The Windows Filtering Platform has blocked a bind to a local port.

Application Information:
  Process ID: process ID
  Application Name: %path to some application%

Network Information:
  Source Address: IP address
  Source Port: port number
  Protocol: 17

Filter Information:
  Filter Run-Time ID: 0
  Layer Name: Resource Assignment
  Layer Run-Time ID: 36

These events quickly fill the Security event log. Because of the large number of entries in the Security event log, it is difficult to monitor audit failures.
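
To keep other audit failures visible while this flood is present, the script below separates events that match the pattern quoted above from the remaining audit failures and counts the matches per application. It is an added example, not part of the original article; it assumes the Security log has been exported as text with the field labels shown above and one blank line between events, and the application paths and sample events are constructed.

```python
import re
from collections import Counter

# Labels taken from the event text quoted on this page.
FIELDS = {"Event ID", "Keywords", "Application Name",
          "Filter Run-Time ID", "Layer Name"}

def parse_event(text):
    """Return the 'Label: value' pairs of interest from one exported event."""
    event = {}
    for line in text.splitlines():
        label, sep, value = line.strip().partition(":")
        if sep and label.strip() in FIELDS:
            event[label.strip()] = value.strip()
    return event

def is_bind_block_noise(event):
    """True when the event matches the 5159 pattern shown on this page."""
    return (event.get("Event ID") == "5159"
            and event.get("Keywords") == "Audit Failure"
            and event.get("Filter Run-Time ID") == "0"
            and event.get("Layer Name") == "Resource Assignment")

def triage(export):
    """Count matching events per application; keep other audit failures."""
    noise, other_failures = Counter(), []
    for block in re.split(r"\n\s*\n", export.strip()):
        event = parse_event(block)
        if is_bind_block_noise(event):
            noise[event.get("Application Name", "unknown")] += 1
        elif event.get("Keywords") == "Audit Failure":
            other_failures.append(event)
    return noise, other_failures

# Constructed sample export (not real log data); events separated by blank lines.
NOISE = ("Event ID: 5159\nKeywords: Audit Failure\nApplication Name: {}\n"
         "Protocol: 17\nFilter Run-Time ID: 0\nLayer Name: Resource Assignment\n")
SAMPLE = "\n".join([
    NOISE.format(r"C:\example\app1.exe"),
    NOISE.format(r"C:\example\app1.exe"),
    "Event ID: 4625\nKeywords: Audit Failure\n",
    NOISE.format(r"C:\example\app2.exe"),
    "Event ID: 5158\nKeywords: Audit Success\n",
])

if __name__ == "__main__":
    noise, other = triage(SAMPLE)
    for app, count in noise.most_common():
        print(f"{count:5d}  {app}")
    print(f"other audit failures: {len(other)}")
```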