Event 5447.  Don't know how to resolve all these events.
A Windows Filtering Platform filter has been changed. Subject: Security ID: S-1-5-19 Account Name: NT AUTHORITY\LOCAL SERVICE Process Information: Process ID: 596 Provider Information: ID: {DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62} Name: Windows Firewall Change Information: Change Type: %%16384 Filter Information: ID: {E5DA26F0-73C2-4B17-9F97-CC2F32D28282} Name: Core Networking - Router Advertisement (ICMPv6-Out) Type: %%16388 Run-Time ID: 115961 Layer Information: ID: {4A72393B-319F-44BC-84C3-BA54DCB3B6B4} Name: ALE Connect v6 Layer Run-Time ID: 50 Callout Information: ID: {00000000-0000-0000-0000-000000000000} Name: - Additional Information: Weight: 5764606698132078592 Conditions: Condition ID: {d9ee00de-c1ef-4617-bfe3-ffd8f5a08957} Match value: In range Condition value: fe800000000000000000000000000000 - fe80000000000000ffffffffffffffff Condition ID: {b235ae9a-1d64-49b8-a44c-5ff3d9095045} Match value: Equal to Condition value: ff020000000000000000000000000001 Condition ID: {0c1ba1af-5765-453f-af22-a8f791ac775b} Match value: Equal to Condition value: 0x0086 Condition ID: {3971ef2b-623e-4f9a-8cb1-6e79b806b9a7} Match value: Equal to Condition value: 0x3a Filter Action: %%16390 Log Name: <Security> Source: <Microsoft-Windows-Security-Auditing> Record Number: <1103185> User: <N/A> MS Event ID: <5447> MS Event Category: <13573> (13573) MS Event Type: <8> (Security audit success) MS Insertion Strings: <['596', 'S-1-5-19', 'NT AUTHORITY\\LOCAL SERVICE', '{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}', 'Windows Firewall', '%%16384', '{E5DA26F0-73C2-4B17-9F97-CC2F32D28282}', 'Core Networking - Router Advertisement (ICMPv6-Out)', '%%16388', '115961', '{4A72393B-319F-44BC-84C3-BA54DCB3B6B4}', 'ALE Connect v6 Layer', '50', '5764606698132078592', ' \tCondition ID:\t{d9ee00de-c1ef-4617-bfe3-ffd8f5a08957} \tMatch value:\tIn range \tCondition value:\tfe800000000000000000000000000000 - fe80000000000000ffffffffffffffff \tCondition ID:\t{b235ae9a-1d64-49b8-a44c-5ff3d9095045} \tMatch 
value:\tEqual to \tCondition value:\tff020000000000000000000000000001 \tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b} \tMatch value:\tEqual to \tCondition value:\t0x0086 \tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7} \tMatch value:\tEqual to \tCondition value:\t0x3a ', '%%16390', '{00000000-0000-0000-0000-000000000000}', '-']>
June 14th, 2011 1:32am

A Windows Filtering Platform filter has been changed. Subject: Security ID: S-1-5-19 Account Name: NT AUTHORITY\LOCAL SERVICE Process Information: Process ID: 536 Provider Information: ID: {DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62} Name: Windows Firewall Change Information: Change Type: %%16385 Filter Information: ID: {E41D6206-4065-4331-B705-D81C0821C0EA} Name: HP Networked Printer Installer Type: %%16388 Run-Time ID: 67493 Layer Information: ID: {88BB5DAD-76D7-4227-9C71-DF0A3ED7BE7E} Name: ALE Listen v4 Layer Run-Time ID: 40 Callout Information: ID: {00000000-0000-0000-0000-000000000000} Name: - Additional Information: Weight: 4611686018427387920 Conditions: Condition ID: {d78e1e87-8644-4ea5-9437-d809ecefc971} Match value: Equal to Condition value: 00000000 5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00 \.d.e.v.i.c.e.\. 00000010 68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00 h.a.r.d.d.i.s.k. 00000020 76 00 6f 00 6c 00 75 00-6d 00 65 00 31 00 5c 00 v.o.l.u.m.e.1.\. 00000030 77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00 w.i.n.d.o.w.s.\. 00000040 73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00 s.y.s.t.e.m.3.2. 00000050 5c 00 73 00 70 00 6f 00-6f 00 6c 00 73 00 76 00 \.s.p.o.o.l.s.v. 00000060 2e 00 65 00 78 00 65 00-00 00 ..e.x.e... Filter Action: %%16390 Log Name: <Security> Source: <Microsoft-Windows-Security-Auditing> Record Number: <1846757> User: <N/A> MS Event ID: <5447> MS Event Category: <13573> (13573) MS Event Type: <8> (Security audit success) MS Insertion Strings: <['536', 'S-1-5-19', 'NT AUTHORITY\\LOCAL SERVICE', '{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}', 'Windows Firewall', '%%16385', '{E41D6206-4065-4331-B705-D81C0821C0EA}', 'HP Networked Printer Installer', '%%16388', '67493', '{88BB5DAD-76D7-4227-9C71-DF0A3ED7BE7E}', 'ALE Listen v4 Layer', '40', '4611686018427387920', ' \tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971} \tMatch value:\tEqual to \tCondition value:\t 00000000 5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00 \\.d.e.v.i.c.e.\\. 
00000010 68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00 h.a.r.d.d.i.s.k. 00000020 76 00 6f 00 6c 00 75 00-6d 00 65 00 31 00 5c 00 v.o.l.u.m.e.1.\\. 00000030 77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00 w.i.n.d.o.w.s.\\. 00000040 73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00 s.y.s.t.e.m.3.2. 00000050 5c 00 73 00 70 00 6f 00-6f 00 6c 00 73 00 76 00 \\.s.p.o.o.l.s.v. 00000060 2e 00 65 00 78 00 65 00-00 00 ..e.x.e... ', '%%16390', '{00000000-0000-0000-0000-000000000000}', '-']>
June 14th, 2011 1:52am

May need to turn off the auditing.
http://technet.microsoft.com/en-us/library/dd772640(WS.10).aspx
http://support.microsoft.com/kb/947226
Regards, Dave Patrick .... Microsoft Certified Professional, Microsoft MVP [Windows]
June 14th, 2011 2:05am


I wish I could turn it off from our GP. Based on our PCI rules, we are required to follow the CIS to audit "Success/Failures" on this one.
June 14th, 2011 2:20am

Are these Events considered a "Red Flag" or a threat? I see that this event shows a 'Windows Firewall' change.
June 14th, 2011 7:27pm

Hi wchew, Thanks for posting here. Have you recently modified any settings on this host, such as a software or hotfix installation? These audit records indicate that the Windows Firewall policy "Core Networking - Router Advertisement (ICMPv6-Out)" has just been changed, but we can't determine the root cause without further information yet. Thanks. Tiger Li
June 15th, 2011 8:40am

Hi wchew, If there is any update on this issue, please feel free to let us know. We are looking forward to your reply. Tiger Li, TechNet Subscriber Support in forum
June 16th, 2011 2:58pm

No, we haven't modified the host other than regular Windows updates. This is a workstation with applications like Office, IM, HP printer app, and a syslog agent from Trustwave. Most of the users' work is just using the web application and Office. The OS is Vista Enterprise, and there are similar problems with Win7 Pro. This is on a Group Policy, so that may be one of the reasons why Vista and Win7 are both having problems. We haven't had any updates to the network/switches/router either.
June 16th, 2011 8:50pm

Hi wchew, Thanks for the update. I have done some further research on your auditing records. You mentioned that the HP printer app had also been deployed, and according to the records, it seems that HP Networked Printer Installer has also been logged, so I suspect there may be some connection between these two records; perhaps the printer program was just attempting to communicate over IPv6 networking. Did you also get other related events? Please also post them here if possible. Enabling Audit Events for Windows Firewall with Advanced Security: http://technet.microsoft.com/en-us/library/ff428143(WS.10).aspx Thanks. Tiger Li, TechNet Subscriber Support in forum
June 17th, 2011 5:49am

Hi wchew, If there is any update on this issue, please feel free to let us know. Tiger Li, TechNet Subscriber Support in forum
June 20th, 2011 4:53am

This topic is archived. No further replies will be accepted.
