Event 5447. Don't know how to resolve all these events.
A Windows Filtering Platform filter has been changed.
Subject:
  Security ID: S-1-5-19
  Account Name: NT AUTHORITY\LOCAL SERVICE
Process Information:
  Process ID: 596
Provider Information:
  ID: {DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}
  Name: Windows Firewall
Change Information:
  Change Type: %%16384
Filter Information:
  ID: {E5DA26F0-73C2-4B17-9F97-CC2F32D28282}
  Name: Core Networking - Router Advertisement (ICMPv6-Out)
  Type: %%16388
  Run-Time ID: 115961
Layer Information:
  ID: {4A72393B-319F-44BC-84C3-BA54DCB3B6B4}
  Name: ALE Connect v6 Layer
  Run-Time ID: 50
Callout Information:
  ID: {00000000-0000-0000-0000-000000000000}
  Name: -
Additional Information:
  Weight: 5764606698132078592
  Conditions:
    Condition ID: {d9ee00de-c1ef-4617-bfe3-ffd8f5a08957}
    Match value: In range
    Condition value: fe800000000000000000000000000000 - fe80000000000000ffffffffffffffff
    Condition ID: {b235ae9a-1d64-49b8-a44c-5ff3d9095045}
    Match value: Equal to
    Condition value: ff020000000000000000000000000001
    Condition ID: {0c1ba1af-5765-453f-af22-a8f791ac775b}
    Match value: Equal to
    Condition value: 0x0086
    Condition ID: {3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}
    Match value: Equal to
    Condition value: 0x3a
  Filter Action: %%16390
Log Name: <Security>
Source: <Microsoft-Windows-Security-Auditing>
Record Number: <1103185>
User: <N/A>
MS Event ID: <5447>
MS Event Category: <13573> (13573)
MS Event Type: <8> (Security audit success)
MS Insertion Strings: <['596', 'S-1-5-19', 'NT AUTHORITY\\LOCAL SERVICE', '{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}', 'Windows Firewall', '%%16384', '{E5DA26F0-73C2-4B17-9F97-CC2F32D28282}', 'Core Networking - Router Advertisement (ICMPv6-Out)', '%%16388',
'115961', '{4A72393B-319F-44BC-84C3-BA54DCB3B6B4}', 'ALE Connect v6 Layer', '50', '5764606698132078592', ' \tCondition ID:\t{d9ee00de-c1ef-4617-bfe3-ffd8f5a08957} \tMatch value:\tIn range \tCondition value:\tfe800000000000000000000000000000 - fe80000000000000ffffffffffffffff
\tCondition ID:\t{b235ae9a-1d64-49b8-a44c-5ff3d9095045} \tMatch value:\tEqual to \tCondition value:\tff020000000000000000000000000001 \tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b} \tMatch value:\tEqual to \tCondition value:\t0x0086 \tCondition
ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7} \tMatch value:\tEqual to \tCondition value:\t0x3a ', '%%16390', '{00000000-0000-0000-0000-000000000000}', '-']>
June 14th, 2011 1:32am
A Windows Filtering Platform filter has been changed.
Subject:
  Security ID: S-1-5-19
  Account Name: NT AUTHORITY\LOCAL SERVICE
Process Information:
  Process ID: 536
Provider Information:
  ID: {DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}
  Name: Windows Firewall
Change Information:
  Change Type: %%16385
Filter Information:
  ID: {E41D6206-4065-4331-B705-D81C0821C0EA}
  Name: HP Networked Printer Installer
  Type: %%16388
  Run-Time ID: 67493
Layer Information:
  ID: {88BB5DAD-76D7-4227-9C71-DF0A3ED7BE7E}
  Name: ALE Listen v4 Layer
  Run-Time ID: 40
Callout Information:
  ID: {00000000-0000-0000-0000-000000000000}
  Name: -
Additional Information:
  Weight: 4611686018427387920
  Conditions:
    Condition ID: {d78e1e87-8644-4ea5-9437-d809ecefc971}
    Match value: Equal to
    Condition value:
      00000000 5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00 \.d.e.v.i.c.e.\.
      00000010 68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00 h.a.r.d.d.i.s.k.
      00000020 76 00 6f 00 6c 00 75 00-6d 00 65 00 31 00 5c 00 v.o.l.u.m.e.1.\.
      00000030 77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00 w.i.n.d.o.w.s.\.
      00000040 73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00 s.y.s.t.e.m.3.2.
      00000050 5c 00 73 00 70 00 6f 00-6f 00 6c 00 73 00 76 00 \.s.p.o.o.l.s.v.
      00000060 2e 00 65 00 78 00 65 00-00 00 ..e.x.e...
  Filter Action: %%16390
Log Name: <Security>
Source: <Microsoft-Windows-Security-Auditing>
Record Number: <1846757>
User: <N/A>
MS Event ID: <5447>
MS Event Category: <13573> (13573)
MS Event Type: <8> (Security audit success)
MS Insertion Strings: <['536', 'S-1-5-19', 'NT AUTHORITY\\LOCAL SERVICE', '{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}', 'Windows Firewall', '%%16385', '{E41D6206-4065-4331-B705-D81C0821C0EA}', 'HP Networked Printer Installer', '%%16388', '67493', '{88BB5DAD-76D7-4227-9C71-DF0A3ED7BE7E}',
'ALE Listen v4 Layer', '40', '4611686018427387920', ' \tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971} \tMatch value:\tEqual to \tCondition value:\t 00000000 5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00
\\.d.e.v.i.c.e.\\. 00000010 68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00 h.a.r.d.d.i.s.k. 00000020 76 00 6f 00 6c 00 75 00-6d 00 65 00 31 00 5c 00
v.o.l.u.m.e.1.\\. 00000030 77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00 w.i.n.d.o.w.s.\\. 00000040 73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00 s.y.s.t.e.m.3.2.
00000050 5c 00 73 00 70 00 6f 00-6f 00 6c 00 73 00 76 00
\\.s.p.o.o.l.s.v. 00000060 2e 00 65 00 78 00 65 00-00 00 ..e.x.e... ', '%%16390', '{00000000-0000-0000-0000-000000000000}',
'-']>
June 14th, 2011 1:52am
May need to turn off the auditing.
http://technet.microsoft.com/en-us/library/dd772640(WS.10).aspx
http://support.microsoft.com/kb/947226
Regards, Dave Patrick ....
Microsoft Certified Professional
Microsoft MVP [Windows]
June 14th, 2011 2:05am
I wish I could turn it off from our GP. Based on our PCI rules, we are required to follow the CIS and audit "Success/Failures" on this one.
June 14th, 2011 2:20am
Are these Events considered a "Red Flag" or a threat? I see that this event shows a 'Windows Firewall' change.
June 14th, 2011 7:27pm
Hi wchew,
Thanks for posting here.
Have you recently modified any settings on this host? Maybe something like a software/hotfix installation, etc.?
These audit records indicate that the Windows Firewall policy “Core Networking - Router Advertisement (ICMPv6-Out)” has just been changed, but we can’t determine the root cause without further information yet.
Thanks.
Tiger Li
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 15th, 2011 8:40am
Hi wchew,
If there is any update on this issue, please feel free to let us know.
We are looking forward to your reply.
Tiger Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact
tngfb@microsoft.com
June 16th, 2011 2:58pm
No, we haven't modified the host other than regular Windows updates. This is a workstation with applications like Office, IM, HP printer app, and a syslog agent from Trustwave. Most of the users' work is just using the web application and Office.
The OS is Vista Enterprise, and there are similar problems with Win7 Pro.
This is on a Group Policy, so that may be one of the reasons why Vista and Win7 are both having problems.
We haven't had any updates to the network/Switches/Router either.
June 16th, 2011 8:50pm
Hi wchew,
Thanks for the update.
I have done some further research on your auditing records. You mentioned that the HP printer app had also been deployed, and according to the records, it seems that HP Networked Printer Installer has also been logged, so I wonder whether there is some connection between these two records? Perhaps the printer program was just attempting to communicate with IPv6 networking.
Did you also get other related events? Please also post them here if possible:
Enabling Audit Events for Windows Firewall with Advanced Security
http://technet.microsoft.com/en-us/library/ff428143(WS.10).aspx
Thanks.
Tiger Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact
tngfb@microsoft.com
June 17th, 2011 5:49am
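Added example, not part of the original thread and not Microsoft's code: a Python sketch that decodes the "Conditions" block of the two 5447 events posted above into readable values, so a reviewer can see what each changed filter actually matches. The function and constant names are assumptions made for this example; the sample strings are the condition text from the thread, with the hex dump rows re-joined.

```python
import ipaddress
import re

# WFP condition GUIDs seen in the two events, with their fwpmu.h names.
CONDITIONS = {
    "d9ee00de-c1ef-4617-bfe3-ffd8f5a08957": "IP_LOCAL_ADDRESS",
    "b235ae9a-1d64-49b8-a44c-5ff3d9095045": "IP_REMOTE_ADDRESS",
    "0c1ba1af-5765-453f-af22-a8f791ac775b": "IP_LOCAL_PORT",  # holds the ICMP type on ICMP filters
    "3971ef2b-623e-4f9a-8cb1-6e79b806b9a7": "IP_PROTOCOL",
    "d78e1e87-8644-4ea5-9437-d809ecefc971": "ALE_APP_ID",
}
COND = re.compile(r"Condition ID:\s*\{([0-9a-f-]{36})\}\s*Match value:\s*(.+?)\s*Condition value:"
                  r"\s*(.*?)(?=\s*Condition ID:|\s*Filter Action:|$)", re.I | re.S)
HEX_ROW = re.compile(r"\b[0-9a-f]{8}((?:[ -][0-9a-f]{2}(?![0-9a-f]))+)", re.I)

def decode_value(value):
    """Turn one raw 'Condition value' into something a reviewer can read."""
    rows = HEX_ROW.findall(value)
    if rows:  # hex dump of a UTF-16LE string (the application path)
        raw = bytes.fromhex("".join(rows).replace("-", " "))
        return raw.decode("utf-16-le").rstrip("\x00")
    parts = re.findall(r"[0-9a-f]{32}", value, re.I)
    if re.fullmatch(r"[0-9a-f]{32}(\s*-\s*[0-9a-f]{32})?", value, re.I):  # IPv6 address or range
        return " - ".join(str(ipaddress.IPv6Address(bytes.fromhex(p))) for p in parts)
    return int(value, 16) if value.lower().startswith("0x") else value

def decode_conditions(event_text):
    """Return [(condition name, match type, decoded value)] for a 5447 message."""
    return [(CONDITIONS.get(guid.lower(), guid), match, decode_value(value.strip()))
            for guid, match, value in COND.findall(event_text)]

EVENT_ICMPV6 = (  # condition text of the first event in this thread
    "Condition ID: {d9ee00de-c1ef-4617-bfe3-ffd8f5a08957} Match value: In range Condition value: "
    "fe800000000000000000000000000000 - fe80000000000000ffffffffffffffff "
    "Condition ID: {b235ae9a-1d64-49b8-a44c-5ff3d9095045} Match value: Equal to Condition value: "
    "ff020000000000000000000000000001 Condition ID: {0c1ba1af-5765-453f-af22-a8f791ac775b} "
    "Match value: Equal to Condition value: 0x0086 Condition ID: {3971ef2b-623e-4f9a-8cb1-6e79b806b9a7} "
    "Match value: Equal to Condition value: 0x3a Filter Action: %%16390")
EVENT_PRINTER = (  # second event; hex dump rows re-joined onto whole lines
    "Condition ID: {d78e1e87-8644-4ea5-9437-d809ecefc971} Match value: Equal to Condition value: "
    r"00000000 5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00 \.d.e.v.i.c.e.\. "
    r"00000010 68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00 h.a.r.d.d.i.s.k. "
    r"00000020 76 00 6f 00 6c 00 75 00-6d 00 65 00 31 00 5c 00 v.o.l.u.m.e.1.\. "
    r"00000030 77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00 w.i.n.d.o.w.s.\. "
    r"00000040 73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00 s.y.s.t.e.m.3.2. "
    r"00000050 5c 00 73 00 70 00 6f 00-6f 00 6c 00 73 00 76 00 \.s.p.o.o.l.s.v. "
    r"00000060 2e 00 65 00 78 00 65 00-00 00 ..e.x.e... Filter Action: %%16390")

if __name__ == "__main__":
    for event in (EVENT_ICMPV6, EVENT_PRINTER):
        print(decode_conditions(event))
```

Decoded, the first filter matches IP protocol 58 (ICMPv6) with type 134 (Router Advertisement) from a link-local source to ff02::1, and the second filter is scoped to the print spooler binary spoolsv.exe.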
Hi wchew,
If there is any update on this issue, please feel free to let us know.
Tiger Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact
tngfb@microsoft.com
June 20th, 2011 4:53am