scarlet21
asked on
IPSec error in event viewer
I keep getting this error in event viewer on my Windows XP Home.
IPSec Services: IPSec Services failed to get the complete list of network interfaces on the machine. This can be a potential security hazard to the machine since some of the network interfaces may not get the protection as desired by the applied IPSec filters. Please run IPSec monitor snap-in to further diagnose the problem.
It says this could be a potential security hazard.
Could someone please help me with this.
Thank You.
Do you have a modem connected to your computer?
If so, be sure to install a driver compatible with Windows XP
ASKER
Thank you for the comments.
I was able to start the IPSec Monitor but couldn't see it working.
At http://support.microsoft.com/?id=324269
it says we should have 2 computers. And I don't have 2.
I do have a modem connected to my computer. And it's been working fine for
more than a year now.
What should I do now?
Thanks,
Scarlet
In your eventviewer the source is IPSec Services, but what is the event number ?
Maybe we are fighting nothing if you don't have 2 computers (server and workstation on a domain).
According to http://support.microsoft.com/?id=324269 and http://www.analogx.com/contents/articles/ipsec.htm and as you answered ipsec policy is used to create secure connections between 2 computers.
Maybe the error disappears if you restore the default IPSec policy (according to http://support.microsoft.com/?id=324269):
To restore the default IPSec policies on each computer:
Right-click the IP Security Policies node in the left pane, point to All Tasks, and then click Restore Default Policies.
Click Yes when you receive the "Are you sure?" message.
Click OK to confirm that the default policies have been returned to their default values.
ASKER
Here are the specific details from Event Viewer:
Source: Security
Category: Policy Change
Type: Failure Aud
Event ID: 615
User: NT AUTHORITY\NETWORK SERVICE
I am sorry to say but I couldn't find the "IP Security Policies node in the left pane..."
Could you please tell me exactly where I can find this.
Thanks.
1. Start / Run
2. Input GPEDIT.MSC
3. Press Enter
4. Choose Local Computer Policy
5. Choose Computer Configuration
6. Choose Windows Settings
7. Choose Security Settings
8. RightClick IP Security Policies on Local Machine
9. Choose All Tasks
10. Choose Restore Default policies
....
do the same (5-10) with User Configuration
...
BTW - are you logged on as member of the local admin group ?
1. Start / Run / CMD
2. Press ENTER
3. Input NET LOCALGROUP ADMINISTRATORS
4. Press ENTER
Because - According to http://www.microsoft.com/technet/security/issues/w2kccscg/w2kscgcb.asp 615 says:
TRANSFER_PROT_EX IPSEC related events
Category: Policy change
615 – IPSec policy agent encountered a potentially serious failure.
And you can't change policy if you ain't member of local admin group.
Now I'm getting closer to your problem. It's maybe a user being added to the local admin group
To find out:
1. Start / Run / CMD
2. Press ENTER
3. Input NET LOCALGROUP ADMINISTRATORS
4. Press ENTER
Event Message: IPSec policy agent encountered a potentially serious failure. text
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/w2kmsgs/5446.asp
only describes 616 not 615, but they are close to another according to http://www.microsoft.com/technet/security/issues/w2kccscg/w2kscgcb.asp
If my guess about the local admin group (a user trying to be added), you've probably been hacked
Use this free online Trend Housecall scanner to find and clean every known virus/rootkits/backdoors:
http://housecall.trendmicro.com/housecall/start_corp.asp
Some viruses can't be removed by housecall. If so, use the free Trend Micro system cleaner:
http://www.trendmicro.com/download/tsc.asp
If you want to secure your one workstation in the future, consider to purchase PC-cillin with builtin firewall:
http://www.trendmicro.com/en/products/desktop/pc-cillin/evaluate/overview.htm
If you want to secure your company's workstations in the future, consider to purchase OfficeScan:
http://www.trendmicro.com/en/products/desktop/osce/evaluate/features.htm
If you can afford it, you can get an url-scanning engine installed on a server with workstation, server-, email and url-scanning engine from
http://www.trendmicro.com/en/products/global/enterprise.htm
Review of the best antivirus solutions:
http://www.cnet.com/software/1,11066,0-806174-1202-0,00.html?tag=dir-av&pn=1&ob=3&qt=&qn=&F2=0&F3=0&sm=0
Download the free version of ZoneAlarm firewall
http://www.zonelabs.com/store/content/company/zap_za_grid.jsp?lid=ho_za
ASKER
I was not able to run GPEDIT.MSC.
I got an error:
"Windows cannot find 'GPEDIT.MSC'. Make sure you typed the name
correctly and then try again. To search for a file, click the start button
and then click search"
I am the administrator on my system. Also I am the only user.
When I did:
1. Start / Run / CMD
2. Press ENTER
3. Input NET LOCALGROUP ADMINISTRATORS
4. Press ENTER
I was the only administrator listed.
I do have ZoneAlarm firewall installed right when I started using my modem.
Thank you for your time to help me with this.
ASKER
Just wanted to inform you once again that I am using Windows XP Home.
When I searched the web for gpedit.msc, it was given that it works only on
Windows XP Professional.
I don't know about the work around for Home.
ASKER
I have noticed another important thing.
As soon as I disconnect from the internet, I get the IPSec error in event viewer.
I don't know why this is happening.
thanks.
I don't have xp home myself, but you should be able to locate the "gpedit.msc" snap-in in control panel, under administration / local security policy
The IPSec error when disconnecting from internet also confirms my guess about the local admin group (a user trying to be added), you've probably been hacked
Please run http://housecall.trendmicro.com/housecall/start_corp.asp
ASKER
I searched for gpedit.msc but couldn't find it. And when I searched the web, it says specifically that Home doesn't have this feature.
Could you please tell if regedit could be of any use in this case.
I am really scared that my system is being hacked and I don't know by whom and when.
can you help me to fix this.
thanks.
Forget about security settings on xp home edition, as you found out yourself, it's not part of windows xp home edition.
Windows XP Security Checklist
http://www.labmice.net/articles/winxpsecuritychecklist.htm
BTW - you don't have to do all the things in the checklist, it's only to tell you, that you're right about gpedit.msc (because I didn't have xp home edition on my computer).
Did you run http://housecall.trendmicro.com/housecall/start_corp.asp
Well - just stating that you should forget about security settings in xp home, I just found this
Using administrative tools in Microsoft Management Console
http://www.microsoft.com/windowsxp/home/using/productdoc/en/default.asp?url=/windowsxp/home/using/productdoc/en/app_misc_pr_load_snapin.asp
Using IP Security Policy Management
http://www.microsoft.com/windowsxp/home/using/productdoc/en/default.asp?url=/windowsxp/home/using/productdoc/en/snap_ipsec.asp
BTW
1. Start
2. Choose RUN
3. Input MMC
4. Press ENTER
and adding IP Security Policy Management snap-in as told in http://www.microsoft.com/windowsxp/home/using/productdoc/en/default.asp?url=/windowsxp/home/using/productdoc/en/snap_ipsec.asp
Gives you the same tool as I answered 05/25/2003 11:27PM CEST
Start / Run / gpedit.msc
ASKER
I did run http://housecall.trendmicro.com/housecall/start_corp.asp and there were no infected files, virus or anything...
I was able to add IP Security Policy Management snap-in.
On Left pane:
IP Security Policies on Local Computer
This is exactly what I have in the right pane:
Client (Respond Only)
Secure Server (Require Security)
Server (Require Security)
When I right click the Client, I have:
Assign
All tasks-> Assign
Delete
Rename
Properties
Help
I have no idea what assign would do.
Do you know?
1. Start IP Security Policy Management snap-in
2. RightClick IP Security Policies on Local Computer
3. Choose All Tasks
4. Choose Restore Default policies
....
do the same (2-4) with User Configuration
The error you're getting doesn't indicate you've been hacked (Sorry trywaredk, but there is simply not enough correlating information to draw that conclusion YET. You would need to at least correlate that with login auditing info and, if you're set up for it, file access auditing information. In addition you should check your IPSEC environment for further clues).
The IPSEC policy "manager" applies or refreshes IPSEC policies at certain intervals. When your dialup connection is disconnected the "manager" can no longer apply IPSEC policy to that interface and gives you the warning you're getting in the event viewer. (This is my first conclusion and what I would check first.)
So the questions to ask yourself are "Do you have any IPsec policies?" and "Are they set up to be applied to your dialup connection?"
To check the last one, open the properties of your dialup connection and click the "networking" tab. Now highlight "Internet Protocol TCP/IP" and click "Properties". On the second window that opens click "advanced" and then click the "options" tab. Now highlight "IP security" and hit "properties" again. Make sure, on this 3rd page, that "do not use IPsec" is clicked. (Note: ONLY click this option if you wish NOT to use IPSEC for this connection.)
If you're NOT using IPSEC then you can disable all IPSEC "services" in the "Services" applet. Of course you'll have to manually enable them if you change your mind later.
To use the "IPSEC monitor" open your "run" box and type "MMC". Click "file" at the top of the window and then click "add/remove snapin". On the second window that opens click "add" and see if "IPSEC Security monitor" is listed. If it is, click it and choose "add" and then "close" and then "ok" to add the plugin to your MMC console. (I'll stop here... let's see if you even have the plugin first :) )
By default the IPSEC policies you see listed in the "Local security policy" applet (client, server and secure server) are not enabled (you should see "no" in the "policy assigned" column). Is this what you see?
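The correlation asked for in the post above, as an added example that is not part of the original thread: it labels each Event ID 615 by whether a dial-up disconnect or account activity was logged within a minute of it. The rows are constructed, and every event ID other than 615 (RemoteAccess 20159, Security 529 and 636) is an assumption to confirm against your own logs.

```python
from datetime import datetime, timedelta

# Constructed sample rows (timestamp, log, source, event ID), shaped like an
# Event Viewer export. None of these values come from the thread.
SAMPLE = [
    ("2003-05-25 21:02:11", "System", "RemoteAccess", 20159),
    ("2003-05-25 21:02:13", "Security", "Security", 615),
    ("2003-05-26 08:15:40", "Security", "Security", 529),
    ("2003-05-26 08:15:52", "Security", "Security", 636),
    ("2003-05-26 08:16:05", "Security", "Security", 615),
    ("2003-05-26 19:30:00", "Security", "Security", 615),
]

IPSEC_FAILURE = 615  # the event ID quoted in the thread

# Assumed Windows 2000/XP event IDs; confirm them against your own logs.
DISCONNECT = {("RemoteAccess", 20159)}  # dial-up connection was disconnected
ACCOUNT_ACTIVITY = {529: "failed logon", 636: "member added to local group"}


def load(rows):
    """Turn exported rows into (datetime, source, event_id) tuples sorted by time."""
    fmt = "%Y-%m-%d %H:%M:%S"
    return sorted((datetime.strptime(ts, fmt), src, eid)
                  for ts, _log, src, eid in rows)


def classify_ipsec_failures(rows, window_s=60):
    """Label every 615 event by what else was logged within window_s seconds.

    The window is symmetric because the System and Security logs only have
    one-second resolution, so ordering across them is not reliable.
    """
    events = load(rows)
    window = timedelta(seconds=window_s)
    findings = []
    for when, _src, eid in events:
        if eid != IPSEC_FAILURE:
            continue
        nearby = [(s, e) for t, s, e in events
                  if e != IPSEC_FAILURE and abs(t - when) <= window]
        dropped = any(pair in DISCONNECT for pair in nearby)
        account = sorted({ACCOUNT_ACTIVITY[e] for s, e in nearby
                          if s == "Security" and e in ACCOUNT_ACTIVITY})
        if account:
            # Account changes next to a policy failure deserve a manual look.
            verdict = "review: account activity nearby"
        elif dropped:
            # Matches the explanation above: the interface simply went away.
            verdict = "expected: follows dial-up disconnect"
        else:
            verdict = "unexplained: check IPSec policy assignment"
        findings.append((when.strftime("%Y-%m-%d %H:%M:%S"), verdict, account))
    return findings


if __name__ == "__main__":
    for stamp, verdict, account in classify_ipsec_failures(SAMPLE):
        print(stamp, verdict, ", ".join(account))
```
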
GHOST_HACKER..."to draw that conclusion YET"
I didn't draw a conclusion, I made a guess:
Comment from trywaredk Date: 05/25/2003 11:48PM CEST:
"If my guess about the local admin group (a user trying to be added), you've probably been hacked"
Anyway - It's better to exclude some of the "maybe's" to get nearer the solution for SCARLET21
GHOST_HACKER..."lets see if you even have the plugin first"
Comment from scarlet21 Date: 05/25/2003 10:39PM CEST:
"I was able to start the IPSec Monitor but couldn't see it working.
At http://support.microsoft.com/?id=324269 it says we should have 2 computers. And I don't have 2."
SCARLET21
:o) Sorry that we use your thread for this.
But you should definitely try GHOST_HACKER's guess about IPsec policies being applied to your dialup connection
Here's a good description of it (but it talks about netcard instead of dialup connection)
HOW TO: Securing Data in Transit with IPSec
http://www.windowsecurity.com/articles/Securing_Data_in_Transit_with_IPSec.html
heheheh....I'm not attacking you trywaredk. Sorry you took it that way. :)
But I'll leave you to it now.
Good Luck :)
Oh one other note.....
Look into dialup "IPsec" in winXp. (it's different than with 2000 in terms of where the information is stored)
Good Luck Guys :)
GHOST_HACKER..."Sorry you took it that way"
;o) I was just trying to answer you, not fight with you. I'm not offended, only trying to help SCARLET21
ASKER
GHOST_HACKER:
I was able to add the IPSec monitor plugin. And you were right, I see "no" in the "policy assigned" column.
This is what I was able to do:
open the properties of your dialup connection and click the "networking" tab. Now highlight "Internet Protocol TCP/IP" and click "Properties". On the second window that opens click "advanced"
After this, in the third window (TCP/IP settings) I couldn't see the options tab...all I have is General, DNS and WINS
Am I going wrong anywhere?
ASKER
Hi,
I was waiting for a response from either of you (trywaredk, ghost_hacker).
Hope you will help me solve my problem.
Thank you for your time.
Scarlet
I don't have xp home on any of my computers, so I can't do a simulated test of what your problem is.
:o) Maybe GHOST_HACKER can ?
I have come across the same problem myself and would like to know if someone has the 'correct' answer to this problem.
Why do we get this IPsec error in the event viewer?
I think I solved this problem (client side):
Start > Run > Regedt32
Hkey_Local_Machine > System > CurrentControlSet
PolicyAgent > DependsOnService
add the following service (without quotes) "upnphost"
Close the registry editor & restart.
http://support.microsoft.com/?id=324269
Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark
:o) Your brain is like a parachute. It works best when it's open