The Windows Filtering Platform has allowed a connection

Hi
Our firewall has detected attacks on the OWA and I made sure that the server is up to date on patches and also ran Microsoft Baseline Security Analyzer. The analyzer did not find much but suggested that we enable auditing on this server. We did.
Now we see this log all the time. Many entries.

192.168.1.251 is the Exchange server and 192.168.1.4 is the DC. I just don't understand how to understand this event. I'm guessing this is the Exchange server constantly querying the DC for AD rights? But anything specific?



Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          7/9/2015 4:11:14 PM
Event ID:      5156
Task Category: Filtering Platform Connection
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      MRFFNTX2.MRFFNTD.local
Description:
The Windows Filtering Platform has allowed a connection.

Application Information:
      Process ID:            4
      Application Name:      System

Network Information:
      Direction:            Outbound
      Source Address:            192.168.1.251
      Source Port:            8
      Destination Address:      192.168.1.4
      Destination Port:            0
      Protocol:            1

Filter Information:
      Filter Run-Time ID:      0
      Layer Name:            Connect
      Layer Run-Time ID:      48
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>5156</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12810</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-07-09T23:11:14.515Z" />
    <EventRecordID>3926460</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="88" />
    <Channel>Security</Channel>
    <Computer>MRFFNTX2.MRFFNTD.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="ProcessID">4</Data>
    <Data Name="Application">System</Data>
    <Data Name="Direction">%%14593</Data>
    <Data Name="SourceAddress">192.168.1.251</Data>
    <Data Name="SourcePort">8</Data>
    <Data Name="DestAddress">192.168.1.4</Data>
    <Data Name="DestPort">0</Data>
    <Data Name="Protocol">1</Data>
    <Data Name="FilterRTID">0</Data>
    <Data Name="LayerName">%%14611</Data>
    <Data Name="LayerRTID">48</Data>
  </EventData>
</Event>
Asked by: mavrukin (LVL 1)

Randy Downs (OWNER) commented:
Your auditing is showing allowed connections.

If you want to turn it off you can try this.
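
Decoding the posted event, as an added example that is not part of the original thread: Protocol 1 is ICMP, and on the assumption that WFP reuses the port fields for ICMP type and code, Source Port 8 / Destination Port 0 reads as an echo request (a ping) from the Exchange server to the DC. The helper names are hypothetical, and the sample records are constructed (the first repeats the values from the question).

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IANA protocol numbers
DIRECTIONS = {"%%14592": "Inbound", "%%14593": "Outbound"}
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 8: "echo request", 11: "time exceeded"}

def make_event(direction, src, sport, dst, dport, proto, app="System"):
    """Build a constructed 5156 record with the same fields as the posted event."""
    fields = {"ProcessID": 4, "Application": app, "Direction": direction,
              "SourceAddress": src, "SourcePort": sport,
              "DestAddress": dst, "DestPort": dport, "Protocol": proto}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>5156</EventID></System>'
            f"<EventData>{data}</EventData></Event>")

# Constructed samples: the first two repeat the values of the event in the question.
SAMPLES = [
    make_event("%%14593", "192.168.1.251", 8, "192.168.1.4", 0, 1),
    make_event("%%14593", "192.168.1.251", 8, "192.168.1.4", 0, 1),
    make_event("%%14593", "192.168.1.251", 50123, "192.168.1.4", 389, 6),
]

def decode_5156(event_xml):
    """Return a readable dict for one 5156 event, or None for any other event ID."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "5156":
        return None
    d = {n.get("Name"): n.text or "" for n in root.iterfind("e:EventData/e:Data", NS)}
    proto = int(d["Protocol"])
    rec = {"app": d["Application"], "direction": DIRECTIONS.get(d["Direction"], d["Direction"]),
           "protocol": PROTOCOLS.get(proto, str(proto)), "src": d["SourceAddress"], "dst": d["DestAddress"]}
    if proto == 1 and rec["direction"] == "Outbound":
        # Assumption: WFP reuses the local/remote port fields for ICMP type/code.
        icmp_type, icmp_code = int(d["SourcePort"]), int(d["DestPort"])
        rec["detail"] = f"{ICMP_TYPES.get(icmp_type, f'type {icmp_type}')} (code {icmp_code})"
    else:
        rec["detail"] = f"dst port {d['DestPort']}"  # ignore ephemeral source ports
    return rec

def summarize(events):
    """Count decoded events per flow so the noisiest talkers stand out."""
    decoded = filter(None, map(decode_5156, events))
    return Counter((r["app"], r["protocol"], r["src"], r["dst"], r["detail"]) for r in decoded)

if __name__ == "__main__":
    for flow, count in summarize(SAMPLES).most_common():
        print(count, *flow)
```

Feeding it the Event Xml of exported 5156 records groups the "many entries" into a short list of flows, which shows what auditing allowed connections is actually recording before deciding whether to keep it enabled.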
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.