Security Audit Failure - The Windows Filtering Platform has blocked a connection.

I'm getting hundreds of events per minute in the event log / security.  I'm completely stumped and cannot figure out why this is happening.  Here's an example of the events:

The Windows Filtering Platform has blocked a connection.

Application Information:
      Process ID:            484
      Application Name:      \device\harddiskvolume1\windows\system32\svchost.exe

Network Information:
      Direction:            Inbound
      Source Address:            224.0.0.252
      Source Port:            5355
      Destination Address:      29.23.14.18
      Destination Port:            58459
      Protocol:            17

Filter Information:
      Filter Run-Time ID:      0
      Layer Name:            Receive/Accept
      Layer Run-Time ID:      44

---

The Windows Filtering Platform blocked a packet.

Application Information:
      Process ID:            484
      Application Name:      \device\harddiskvolume1\windows\system32\svchost.exe

Network Information:
      Direction:            Inbound
      Source Address:            224.0.0.252
      Source Port:            5355
      Destination Address:      29.23.14.18
      Destination Port:            58459
      Protocol:            17

Filter Information:
      Filter Run-Time ID:      0
      Layer Name:            Receive/Accept
      Layer Run-Time ID:      44
Shaun Rieman (President) asked:

Netman66 commented:
This may be caused by the Network Location Aware service on the clients - like Peer Resolution Services.

http://technet.microsoft.com/fr-fr/library/bb878128(en-us).aspx

It's a mechanism Vista, Win7 and server 2008 use to locate peers without using DNS.

0

Shaun Rieman (President, Author) commented:
This is a Windows 2008 Standard web hosting server with Windows Advanced Firewall configured with default settings and a few port exceptions for FTP, HTTP, POP3 and SMTP.
0
Netman66 commented:
I understand, but what OS are your clients running?

This event could be letting you know the firewall is blocking Peer Resolution from the clients.  In Vista and Win7 you have the ability to turn on Network Discovery - which might be the traffic you are seeing blocked.

0

Shaun Rieman (President, Author) commented:
Clients?  Huh?  This is not a DC, this is a dedicated web hosting server.  There are no clients.
0
Netman66 commented:
Ok then, is Network Discovery turned on in the server?  The advanced firewall is bi-directional, so I assume it would block the outbound discovery method also.
0
Shaun Rieman (President, Author) commented:
Network Discovery is off, but on a web hosting server, shouldn't that remain off?
0
Netman66 commented:
Yes, I just wanted to be sure it wasn't on accidentally.

Have you unbound IPv6 from the NIC?

0
Shaun Rieman (President, Author) commented:
Do you mean disable IPv6 from the TCP/IP settings?  No, IPv6 is enabled.  I'd heard from others that IPv6 may have something to do with it.
0
Netman66 commented:
Yes, that's what I'm referring to.

0
Shaun Rieman (President, Author) commented:
64bit has been disabled, I'm still seeing the flood :(
0
Shaun Rieman (President, Author) commented:
Could this have something to do with SQL server standard 2008?  I did a fresh install, only installed database required components.  There is no open firewall port to sql, it works completely internally.
0
Netman66 commented:
Is there a requirement for a User DSN that might not be present or are you using a System DSN?
0
Shaun Rieman (President, Author) commented:
In ODBC there are no user DSNs and there's 1 system DNS.  When I double click it I get "The setup routines for the Microsoft Access Driver ODBC driver could not be found.  Please reinstall the driver."
0
Shaun Rieman (President, Author) commented:
Oh, then I click OK and it says "component not found in the registry".
0
Shaun Rieman (President, Author) commented:
The system DSN is named "SRTTNDB"... I'm not sure if it's built in or part of a South River Tech product I run on this server.
0
Netman66 commented:
That's not a default DSN, so I'd say it's yours.

0
Shaun Rieman (President, Author) commented:
I can't remove the data source.  It repeats the above error message.
0
Shaun Rieman (President, Author) commented:
I found a help doc here about a different application with a similar problem...

http://publib.boulder.ibm.com/infocenter/tivihelp/v3r1/index.jsp?topic=/com.ibm.support.tpm.doc/osd/rtrb_odbc.html

I completed the steps and am restarting the server now.  I'll report back when I find out if this is the cause of all these event log errors.

thanks!
0
Shaun Rieman (President, Author) commented:
I just noticed something, the source port seems to be 5355 most of the time.  I looked that up, it's the Link-Local Multicast Name Resolution...

I'll keep researching... though does that help your diagnostic?
0
Shaun Rieman (President, Author) commented:
Oh, it didn't work btw... still being flooded.
0
Shaun Rieman (President, Author) commented:
Here's a different variety of the errors I'm getting:

The Windows Filtering Platform has blocked a connection. (and packet)

Application Information:
      Process ID:            4
      Application Name:      System

Network Information:
      Direction:            Inbound
      Source Address:            29.23.11.27
      Source Port:            8
      Destination Address:      216.25.10.77
      Destination Port:            0
      Protocol:            1

Filter Information:
      Filter Run-Time ID:      0
      Layer Name:            Receive/Accept
      Layer Run-Time ID:      44
0
Shaun Rieman (President, Author) commented:
I'm sorry for the flood of responses but, just so you know, the source address is a local address on my server.  The destination is the external unknown address.
0
Shaun Rieman (President, Author) commented:
I'm on the right path here.  It's all in windows advanced firewall configuration... that's where the problem is.

I'm down to only a few security errors, here's the latest.

The Windows Filtering Platform blocked a packet.

Application Information:
      Process ID:            4
      Application Name:      System

Network Information:
      Direction:            Inbound
      Source Address:            29.23.17.255
      Source Port:            137
      Destination Address:      29.23.17.8
      Destination Port:            137
      Protocol:            17

Filter Information:
      Filter Run-Time ID:      0
      Layer Name:            Receive/Accept
      Layer Run-Time ID:      44
0
Shaun Rieman (President, Author) commented:
I'm ready to call this issue a loss.  

I know it's firewall exceptions that's causing my problems.  I've managed to cut the flow of errors in the security log down dramatically just by doing my own personal audit of windows firewall advanced.  

This is now the only error i'm getting seemingly...

The Windows Filtering Platform blocked a packet.

Application Information:
      Process ID:            0
      Application Name:      -

Network Information:
      Direction:            Outbound
      Source Address:            29.23.11.227
      Source Port:            0
      Destination Address:      216.25.10.77
      Destination Port:            0
      Protocol:            1

Filter Information:
      Filter Run-Time ID:      66284
      Layer Name:            ICMP Error
      Layer Run-Time ID:      32


Thanks again for your help.
0
Shaun Rieman (President, Author) commented:
I'm going to close this, award points and start a new thread.  This is really more of a firewall configuration issue.

Thank you!
0
Shaun Rieman (President, Author) commented:
This is a Windows firewall configuration issue.
0
Netman66 commented:
As I mentioned earlier, the Peer Resolution mechanism (or Network Discovery) is responsible for port 5355 traffic.  Your logs indicate the firewall is blocking that traffic, and that's fine.  The logs are simply an annoyance, but you should be able to stop the activity at the source.

That last error you posted relates to the server attempting to ping that address, which seems to belong to Peer 1 Hosting.

0
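
An added triage script (not part of this thread) that parses events in the layout pasted above and buckets them by direction and traffic class, so the dominant source of the noise is visible at a glance instead of one event at a time. The class labels for UDP 5355 (LLMNR) and UDP 137 (NetBIOS name service) and the sample log are my own assumptions built from the ports discussed in the thread.

```python
import re
from collections import Counter

# Constructed sample in the layout pasted in this thread (the LLMNR, NetBIOS
# and ICMP events), trimmed to the fields used here; "---" separates events.
SAMPLE_LOG = """\
The Windows Filtering Platform has blocked a connection.
      Direction:            Inbound
      Source Port:            5355
      Destination Port:            58459
      Protocol:            17
---
The Windows Filtering Platform blocked a packet.
      Direction:            Inbound
      Source Port:            137
      Destination Port:            137
      Protocol:            17
---
The Windows Filtering Platform blocked a packet.
      Direction:            Outbound
      Source Port:            0
      Destination Port:            0
      Protocol:            1
"""

# "Key:   value" lines; [ \t]+ rather than \s+ so a bare section header such as
# "Network Information:" never swallows the line that follows it.
FIELD_RE = re.compile(r"^[ \t]*([A-Za-z/ -]+?):[ \t]+(\S.*?)[ \t]*$", re.M)

KNOWN_PORTS = {(17, 5355): "LLMNR", (17, 137): "NetBIOS-NS"}  # assumed labels

def parse_event(text):
    """One pasted WFP audit event -> the fields that matter for triage."""
    f = {k.strip(): v for k, v in FIELD_RE.findall(text)}
    return {"direction": f.get("Direction", "?"), "proto": int(f.get("Protocol", 0)),
            "sport": int(f.get("Source Port", 0)), "dport": int(f.get("Destination Port", 0))}

def classify(ev):
    """Name the traffic class so the chatter can be stopped at its source."""
    if ev["proto"] == 1:
        return "ICMP"
    for port in (ev["sport"], ev["dport"]):
        if (ev["proto"], port) in KNOWN_PORTS:
            return KNOWN_PORTS[(ev["proto"], port)]
    return "unclassified"

def summarize(log_text):
    """Count blocked events by (direction, class) across a pasted log dump."""
    events = [parse_event(c) for c in log_text.split("---") if "Direction:" in c]
    return Counter((e["direction"], classify(e)) for e in events)
```

Anything that lands in "unclassified" is the bucket worth reading event by event; the named classes are candidates for turning off at the source (LLMNR, NetBIOS over TCP/IP) rather than for tuning the audit log.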
Shaun Rieman (President, Author) commented:
Yes, that's who I'm with, peer1 dedicated servers.  

Thanks again!
0