Avatar of Demolay
Flag for United States of America

asked on 

Security log filling up with Failure Audits for behavior that should be allowed on the domain

We have a Windows domain managed by 2 Server 2003 Domain Controllers

As of a couple days ago, the Security Event Logs have been filling up with messages on all the workstations on the network.  

Here is a typical entry:

The Windows Firewall has detected an application listening for incoming traffic.
Name: -
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 1224
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 3796
Allowed: No
User notified: No
Most of the messages indicated lsass.exe is the application responsible, but some indicate svchost.exe, also in the WINDOWS/system32 directory.

What seems strange to me is that the Windows Firewall on these machines is disabled.  LSASS ought to be listening for incoming traffic since it's the service that does authentication for our domain's logins. .

There was no known change in domain policy that predicated the appearance of these messages.  

We are also seeing this message in the System log:

The Security System could not establish a secured connection with the server ldap/server-name.domain.internal/domain.internal@domain.internal.  No authentication protocol was available.

We have two DCs, and these errors are pointing variously to each of them.  

and also

Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

Seems reasonable to me that those messages would be related to the issue since Firewall settings are maintained by group policy - however the group policy does seem to be applied to these machines since their firewalls are in the state dictated by GP.
DatabasesWindows Server 2003Active Directory

Avatar of undefined
Last Comment

8/22/2022 - Mon