asked on
Security log filling up with Failure Audits for behavior that should be allowed on the domain
We have a Windows domain managed by 2 Server 2003 Domain Controllers
As of a couple days ago, the Security Event Logs have been filling up with messages on all the workstations on the network.
Here is a typical entry:
"
The Windows Firewall has detected an application listening for incoming traffic.
Name: -
Path: C:\WINDOWS\system32\lsass.
Process identifier: 1224
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 3796
Allowed: No
User notified: No
"
Most of the messages indicated lsass.exe is the application responsible, but some indicate svchost.exe, also in the WINDOWS/system32 directory.
What seems strange to me is that the Windows Firewall on these machines is disabled. LSASS ought to be listening for incoming traffic since it's the service that does authentication for our domain's logins. .
There was no known change in domain policy that predicated the appearance of these messages.
We are also seeing this message in the System log:
"
The Security System could not establish a secured connection with the server ldap/server-name.domain.in
"
We have two DCs, and these errors are pointing variously to each of them.
and also
"
Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.
"
Seems reasonable to me that those messages would be related to the issue since Firewall settings are maintained by group policy - however the group policy does seem to be applied to these machines since their firewalls are in the state dictated by GP.
As of a couple days ago, the Security Event Logs have been filling up with messages on all the workstations on the network.
Here is a typical entry:
"
The Windows Firewall has detected an application listening for incoming traffic.
Name: -
Path: C:\WINDOWS\system32\lsass.
Process identifier: 1224
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 3796
Allowed: No
User notified: No
"
Most of the messages indicated lsass.exe is the application responsible, but some indicate svchost.exe, also in the WINDOWS/system32 directory.
What seems strange to me is that the Windows Firewall on these machines is disabled. LSASS ought to be listening for incoming traffic since it's the service that does authentication for our domain's logins. .
There was no known change in domain policy that predicated the appearance of these messages.
We are also seeing this message in the System log:
"
The Security System could not establish a secured connection with the server ldap/server-name.domain.in
"
We have two DCs, and these errors are pointing variously to each of them.
and also
"
Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.
"
Seems reasonable to me that those messages would be related to the issue since Firewall settings are maintained by group policy - however the group policy does seem to be applied to these machines since their firewalls are in the state dictated by GP.
DatabasesWindows Server 2003Active Directory
Last Comment
ryansoto