Shaun Rieman
asked on
Security Audit Failure - The Windows Filtering Platform has blocked a connection.
I'm getting hundreds of events per minute in the event log / security. I'm completely stumped and cannot figure out why this is happening. Here's an example of the events:
The Windows Filtering Platform has blocked a connection.
Application Information:
Process ID: 484
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 224.0.0.252
Source Port: 5355
Destination Address: 29.23.14.18
Destination Port: 58459
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Receive/Accept
Layer Run-Time ID: 44
---
The Windows Filtering Platform blocked a packet.
Application Information:
Process ID: 484
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 224.0.0.252
Source Port: 5355
Destination Address: 29.23.14.18
Destination Port: 58459
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Receive/Accept
Layer Run-Time ID: 44
ASKER CERTIFIED SOLUTION
I understand, but what OS are your clients running?
This event could be letting you know the firewall is blocking Peer Resolution from the clients. In Vista and Win7 you have the ability to turn on Network Discovery - which might be the traffic you are seeing blocked.
ASKER
Clients? Huh? This is not a DC, this is a dedicated web hosting server. There are no clients.
Ok then, is Network Discovery turned on in the server? The advanced firewall is bi-directional, so I assume it would block the outbound discovery method also.
ASKER
Network discovery is off, but on a web hosting server, shouldn't that remain off?
Yes, I just wanted to be sure it wasn't on accidentally.
Have you unbound IPv6 from the NIC?
ASKER
Do you mean disable IPv6 in the TCP/IP settings? No, IPv6 is enabled. I'd heard from others that IPv6 may have something to do with it.
Yes, that's what I'm referring to.
ASKER
64bit has been disabled, I'm still seeing the flood :(
ASKER
Could this have something to do with SQL Server Standard 2008? I did a fresh install and only installed the database-required components. There is no open firewall port to SQL; it works completely internally.
Is there a requirement for a User DSN that might not be present or are you using a System DSN?
ASKER
In ODBC there are no user DSNs and there's 1 system DSN. When I double-click it I get "The setup routines for the Microsoft Access Driver ODBC driver could not be found. Please reinstall the driver."
ASKER
Oh, then I click OK and it says "component not found in the registry".
ASKER
The system DSN is named "SRTTNDB"... I'm not sure if it's built in or part of a South River Tech product I run on this server.
That's not a default DSN, so I'd say it's yours.
ASKER
I can't remove the data source. It repeats the above error message.
ASKER
I found a help doc here about a different application with a similar problem...
http://publib.boulder.ibm.com/infocenter/tivihelp/v3r1/index.jsp?topic=/com.ibm.support.tpm.doc/osd/rtrb_odbc.html
I completed the steps and am restarting the server now. I'll report back when I find out if this is the cause of all these event log errors.
thanks!
ASKER
I just noticed something, the source port seems to be 5355 most of the time. I looked that up, it's the Link-Local Multicast Name Resolution...
I'll keep researching... though does that help your diagnostic?
ASKER
Oh, it didn't work btw... still being flooded.
ASKER
Here's a different variety of the errors I'm getting:
The Windows Filtering Platform has blocked a connection. (and packet)
Application Information:
Process ID: 4
Application Name: System
Network Information:
Direction: Inbound
Source Address: 29.23.11.27
Source Port: 8
Destination Address: 216.25.10.77
Destination Port: 0
Protocol: 1
Filter Information:
Filter Run-Time ID: 0
Layer Name: Receive/Accept
Layer Run-Time ID: 44
ASKER
I'm sorry for the flood of responses, but just so you know, the source address is a local address on my server. The destination is the external unknown address.
ASKER
I'm on the right path here. It's all in the Windows Advanced Firewall configuration... that's where the problem is.
I'm down to only a few security errors, here's the latest.
The Windows Filtering Platform blocked a packet.
Application Information:
Process ID: 4
Application Name: System
Network Information:
Direction: Inbound
Source Address: 29.23.17.255
Source Port: 137
Destination Address: 29.23.17.8
Destination Port: 137
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Receive/Accept
Layer Run-Time ID: 44
ASKER
I'm ready to call this issue a loss.
I know it's firewall exceptions that are causing my problems. I've managed to cut the flow of errors in the security log down dramatically just by doing my own personal audit of Windows Firewall Advanced.
This is now the only error I'm getting, seemingly...
The Windows Filtering Platform blocked a packet.
Application Information:
Process ID: 0
Application Name: -
Network Information:
Direction: Outbound
Source Address: 29.23.11.227
Source Port: 0
Destination Address: 216.25.10.77
Destination Port: 0
Protocol: 1
Filter Information:
Filter Run-Time ID: 66284
Layer Name: ICMP Error
Layer Run-Time ID: 32
Thanks again for your help.
ASKER
I'm going to close this, award points and start a new thread. This is really more of a firewall configuration issue.
Thank you!
ASKER
This is a Windows Firewall configuration issue.
As I mentioned earlier - the Peer Resolution mechanism (or Network Discovery) is responsible for port 5355 traffic. Your logs indicate the firewall is blocking that traffic - and that's fine. The logs are simply an annoyance but you should be able to stop the activity at the source.
That last error you posted relates to the server attempting to ping that address, which seems to belong to Peer 1 Hosting.
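The events in this thread are audit records of ordinary firewall drops (5152 "blocked a packet", 5157 "blocked a connection"), and eyeballing hundreds per minute hides which rules are actually involved. The script below is an added example, not code posted by anyone in the thread: it pulls the recent WFP audit events from the Security log, parses the event XML, and groups them into the patterns seen above (LLMNR on UDP 5355 to 224.0.0.252, NetBIOS broadcasts on UDP 137/138, ICMP) versus everything else that deserves a look. It assumes PowerShell 3.0 or later on the server, an elevated session, and the file name Get-WfpNoise.ps1; the classification labels and the direction-code table are mine.

```powershell
# Added example: summarise WFP audit noise (events 5152/5157) from the Security log.
# Assumes PowerShell 3.0+ in an elevated session; save as Get-WfpNoise.ps1 (name is mine).
param([int]$Hours = 1, [int]$Top = 10)

# Direction is stored in the event XML as a resource-string code, not as text.
$directionCodes = @{ '%%14592' = 'Inbound'; '%%14593' = 'Outbound' }

$filter = @{ LogName = 'Security'; Id = 5152, 5157; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Flatten each event's EventData fields into one object per blocked packet/connection.
$rows = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($field in $xml.Event.EventData.Data) { $d[$field.Name] = $field.'#text' }
    $dir = $directionCodes[$d.Direction]; if (-not $dir) { $dir = $d.Direction }
    [pscustomobject]@{
        Id = $e.Id; Application = $d.Application; Direction = $dir
        Protocol = [int]$d.Protocol; SourceAddr = $d.SourceAddress; SourcePort = [int]$d.SourcePort
        DestAddr = $d.DestAddress; DestPort = [int]$d.DestPort; FilterRTID = [int]$d.FilterRTID
    }
}

# Classify the patterns that appear in the thread. Anything else could be a genuine
# rule mismatch rather than expected discovery noise, so it is listed separately.
function Get-NoiseClass($r) {
    if ($r.Protocol -eq 17 -and ($r.SourcePort -eq 5355 -or $r.DestPort -eq 5355)) { return 'LLMNR (UDP 5355)' }
    if ($r.Protocol -eq 17 -and ((137, 138) -contains $r.SourcePort -or (137, 138) -contains $r.DestPort)) { return 'NetBIOS broadcast (UDP 137/138)' }
    if ($r.Protocol -eq 1) { return 'ICMP (protocol 1)' }
    return 'Other - review'
}

"Blocked events in the last $Hours hour(s): $($rows.Count)"
$rows | Group-Object { Get-NoiseClass $_ } | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"Top unexplained talkers (direction, protocol, destination port, application):"
$rows | Where-Object { (Get-NoiseClass $_) -eq 'Other - review' } |
    Group-Object Direction, Protocol, DestPort, Application | Sort-Object Count -Descending |
    Select-Object -First $Top Count, Name | Format-Table -AutoSize

# Show which audit subcategories generate these records. They are not errors; the fix
# belongs in the firewall rules (or in stopping LLMNR/NetBIOS at the source), not in the log.
auditpol /get /subcategory:"Filtering Platform Packet Drop","Filtering Platform Connection"
```

The FilterRTID column maps a blocked event back to the specific firewall filter that dropped it, which is the quickest way to find the rule behind a persistent "Other - review" entry.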
ASKER
Yes, that's who I'm with, peer1 dedicated servers.
Thanks again!