Shaun Rieman asked:
Security Audit Failure - The Windows Filtering Platform has blocked a connection.

I'm getting hundreds of events per minute in the event log / Security. I'm completely stumped and cannot figure out why this is happening. Here's an example of the events:

The Windows Filtering Platform has blocked a connection.

Application Information:
      Process ID:            484
      Application Name:      \device\harddiskvolume1\windows\system32\svchost.exe

Network Information:
      Direction:            Inbound
      Source Address:            224.0.0.252
      Source Port:            5355
      Destination Address:      29.23.14.18
      Destination Port:            58459
      Protocol:            17

Filter Information:
      Filter Run-Time ID:      0
      Layer Name:            Receive/Accept
      Layer Run-Time ID:      44

---

The Windows Filtering Platform blocked a packet.

Application Information:
      Process ID:            484
      Application Name:      \device\harddiskvolume1\windows\system32\svchost.exe

Network Information:
      Direction:            Inbound
      Source Address:            224.0.0.252
      Source Port:            5355
      Destination Address:      29.23.14.18
      Destination Port:            58459
      Protocol:            17

Filter Information:
      Filter Run-Time ID:      0
      Layer Name:            Receive/Accept
      Layer Run-Time ID:      44
Accepted solution by Netman66 (the solution text itself is available only to Experts Exchange members).

Shaun Rieman (asker):
This is a Windows 2008 Standard web hosting server with Windows Advanced Firewall configured with default settings and a few port exceptions for FTP, HTTP, POP3 and SMTP.

I understand, but what OS are your clients running?

This event could be letting you know the firewall is blocking Peer Resolution from the clients.  In Vista and Win7 you have the ability to turn on Network Discovery - which might be the traffic you are seeing blocked.

Clients? Huh? This is not a DC, this is a dedicated web hosting server. There are no clients.

OK then, is Network Discovery turned on in the server? The advanced firewall is bi-directional, so I assume it would block the outbound discovery method also.

Network discovery is off, but on a web hosting server, shouldn't that remain off?

Yes, I just wanted to be sure it wasn't on accidentally.

Have you unbound IPv6 from the NIC?

Do you mean disable IPv6 from TCP/IP settings? No, IPv6 is enabled. I'd heard from others that IPv6 may have something to do with it.

Yes, that's what I'm referring to.

64bit has been disabled, I'm still seeing the flood :(

Could this have something to do with SQL Server Standard 2008? I did a fresh install, only installed database required components. There is no open firewall port to SQL, it works completely internally.

Is there a requirement for a User DSN that might not be present, or are you using a System DSN?

In ODBC there are no User DSNs and there's 1 System DSN. When I double click it I get "The setup routines for the Microsoft Access Driver ODBC driver could not be found. Please reinstall the driver."
Oh, then I click OK and it says "component not found in the registry".
The System DSN is named "SRTTNDB"... I'm not sure if it's built in or part of a South River Tech product I run on this server.

That's not a default DSN, so I'd say it's yours.

I can't remove the data source.  It repeats the above error message.
I found a help doc here about a different application with a similar problem...

http://publib.boulder.ibm.com/infocenter/tivihelp/v3r1/index.jsp?topic=/com.ibm.support.tpm.doc/osd/rtrb_odbc.html

I completed the steps and am restarting the server now. I'll report back when I find out if this is the cause of all these event log errors.

thanks!
I just noticed something: the source port seems to be 5355 most of the time. I looked that up, it's the Link-Local Multicast Name Resolution...

I'll keep researching... though does that help your diagnostic?

Oh, it didn't work btw... still being flooded.

Here's a different variety of the errors I'm getting:

The Windows Filtering Platform has blocked a connection. (and packet)

Application Information:
      Process ID:            4
      Application Name:      System

Network Information:
      Direction:            Inbound
      Source Address:            29.23.11.27
      Source Port:            8
      Destination Address:      216.25.10.77
      Destination Port:            0
      Protocol:            1

Filter Information:
      Filter Run-Time ID:      0
      Layer Name:            Receive/Accept
      Layer Run-Time ID:      44
I'm sorry for the flood of responses but, just so you know, the source address is a local address on my server. The destination is the external unknown address.

I'm on the right path here. It's all in Windows Advanced Firewall configuration... that's where the problem is.

I'm down to only a few security errors, here's the latest.

The Windows Filtering Platform blocked a packet.

Application Information:
      Process ID:            4
      Application Name:      System

Network Information:
      Direction:            Inbound
      Source Address:            29.23.17.255
      Source Port:            137
      Destination Address:      29.23.17.8
      Destination Port:            137
      Protocol:            17

Filter Information:
      Filter Run-Time ID:      0
      Layer Name:            Receive/Accept
      Layer Run-Time ID:      44
I'm ready to call this issue a loss.  

I know it's firewall exceptions that's causing my problems.  I've managed to cut the flow of errors in the security log down dramatically just by doing my own personal audit of windows firewall advanced.  

This is now the only error I'm getting, seemingly...

The Windows Filtering Platform blocked a packet.

Application Information:
      Process ID:            0
      Application Name:      -

Network Information:
      Direction:            Outbound
      Source Address:            29.23.11.227
      Source Port:            0
      Destination Address:      216.25.10.77
      Destination Port:            0
      Protocol:            1

Filter Information:
      Filter Run-Time ID:      66284
      Layer Name:            ICMP Error
      Layer Run-Time ID:      32


Thanks again for your help.
I'm going to close this, award points and start a new thread. This is really more of a firewall configuration issue.

Thank you!
This is a Windows Firewall configuration issue.

As I mentioned earlier, the Peer Resolution mechanism (or Network Discovery) is responsible for port 5355 traffic. Your logs indicate the firewall is blocking that traffic, and that's fine. The logs are simply an annoyance, but you should be able to stop the activity at the source.

That last error you posted relates to the server attempting to ping that address, which seems to belong to Peer 1 Hosting.
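The thread narrows the flood down by reading port numbers out of the pasted events by hand (5355 is LLMNR, 137 is NetBIOS name service, protocol 1 is ICMP). The following is an added example, written for this page and not code from the thread or from Microsoft, that does the same triage over exported event text: it parses event bodies in the layout shown above, drops the ephemeral port, and counts events per well-known service, scope (multicast/broadcast/unicast) and ICMP type. The sample events, the documentation-range addresses in them and the small port table are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample input in the layout of the thread's pasted events.
# Addresses are from documentation ranges, not the poster's; Process ID lines are omitted.
SAMPLE_EVENTS = r"""The Windows Filtering Platform has blocked a connection.
      Application Name:      \device\harddiskvolume1\windows\system32\svchost.exe
      Direction:            Inbound
      Source Address:            224.0.0.252
      Source Port:            5355
      Destination Address:      192.0.2.18
      Destination Port:            58459
      Protocol:            17
      Layer Name:            Receive/Accept
The Windows Filtering Platform has blocked a connection.
      Application Name:      \device\harddiskvolume1\windows\system32\svchost.exe
      Direction:            Inbound
      Source Address:            224.0.0.252
      Source Port:            5355
      Destination Address:      192.0.2.18
      Destination Port:            58460
      Protocol:            17
      Layer Name:            Receive/Accept
The Windows Filtering Platform blocked a packet.
      Application Name:      System
      Direction:            Inbound
      Source Address:            192.0.2.255
      Source Port:            137
      Destination Address:      192.0.2.8
      Destination Port:            137
      Protocol:            17
      Layer Name:            Receive/Accept
The Windows Filtering Platform blocked a packet.
      Application Name:      System
      Direction:            Inbound
      Source Address:            192.0.2.27
      Source Port:            8
      Destination Address:      198.51.100.77
      Destination Port:            0
      Protocol:            1
      Layer Name:            Receive/Accept
"""

EVENT_HEADER = "The Windows Filtering Platform"
FIELD_RE = re.compile(r"^\s*([\w /-]+?):\s+(\S.*?)\s*$")   # "Key:   value" lines only
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
# Ports used by Windows name resolution / Network Discovery; 5355 is the one the thread found.
KNOWN_PORTS = {5355: "LLMNR", 137: "NetBIOS name service", 138: "NetBIOS datagram",
               1900: "SSDP", 3702: "WS-Discovery"}
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 8: "echo request", 11: "time exceeded"}


def parse_events(text):
    """Split exported event text into one dict (field -> value) per event."""
    events = []
    for line in text.splitlines():
        if line.startswith(EVENT_HEADER):
            kind = "connection blocked" if "connection" in line else "packet blocked"
            events.append({"Event": kind})
            continue
        m = FIELD_RE.match(line)
        if m and events:
            events[-1][m.group(1)] = m.group(2)
    return events


def is_multicast(addr):
    """IPv4 224.0.0.0/4 (224.0.0.252 is the LLMNR group); anything else returns False."""
    first = addr.split(".")[0]
    return first.isdigit() and 224 <= int(first) <= 239


def classify(ev):
    """Return a short triage label for one event; the ephemeral port is left out."""
    proto, sport, dport = (int(ev.get(k, 0)) for k in ("Protocol", "Source Port", "Destination Port"))
    src, dst, direction = ev.get("Source Address", ""), ev.get("Destination Address", ""), ev.get("Direction", "?")
    if proto == 1:
        # In WFP audit events the port fields of an ICMP entry carry the ICMP type and code.
        return f"{direction} ICMP type {sport} code {dport} ({ICMP_TYPES.get(sport, 'other')})"
    pname = PROTOCOLS.get(proto, f"proto {proto}")
    if is_multicast(src) or is_multicast(dst):
        scope = "multicast"
    elif src.endswith(".255") or dst.endswith(".255"):
        scope = "broadcast?"   # heuristic: depends on the subnet mask, hence the '?'
    else:
        scope = "unicast"
    for port in (dport, sport):
        if port in KNOWN_PORTS:
            return f"{direction} {pname} port {port} {scope} [{KNOWN_PORTS[port]}]"
    return f"{direction} {pname} {sport}->{dport} {scope}"


def summarize(text):
    """Count events per label; the largest bucket is the rule (or audit setting) to tune first."""
    return Counter(classify(ev) for ev in parse_events(text))


if __name__ == "__main__":
    for label, count in summarize(SAMPLE_EVENTS).most_common():
        print(f"{count:5d}  {label}")
```

The messages in the thread are Security log event IDs 5157 (connection blocked) and 5152 (packet blocked), produced by the Object Access audit subcategories Filtering Platform Connection and Filtering Platform Packet Drop; `auditpol /get /category:"Object Access"` shows whether the audit policy, rather than only the firewall rules, is what drives the volume. Event text for the parser can be pulled with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5152,5157}` and its Message property.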

Yes, that's who I'm with, peer1 dedicated servers.  

Thanks again!