I am seeing the following events for multiple executables indicating firewall is blocking executables on my 2003 servers, but we have firewall set to OFF in control panel. The Firewall service is still started but should not be blocking from what I understand??Event Type:Failure AuditEvent Source:SecurityEvent Category:Detailed Tracking Event ID:861Date:8/17/2009Time:2:20:02 PMUser:NT AUTHORITY\SYSTEMComputer:XXXXXXDescription:The Windows Firewall has detected an application listening for incoming traffic. Name: - Path: C:\WINDOWS\system32\lsass.exe Process identifier: 456 User account: SYSTEM User domain: NT AUTHORITY Service: Yes RPC server: No IP version: IPv4 IP protocol: UDP Port number: 3715 Allowed: No User notified: No For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.Event Type:Failure AuditEvent Source:SecurityEvent Category:Detailed Tracking Event ID:861Date:8/17/2009Time:2:20:10 PMUser:XXXXXComputer:XXXXDescription:The Windows Firewall has detected an application listening for incoming traffic. Name: - Path: C:\Program Files\IBM\Director\bin\twgsrvw.exe Process identifier: 5996 User account:XXXXX User domain:XXXX Service: Yes RPC server: No IP version: IPv4 IP protocol: UDP Port number: 3719 Allowed: No User notified: No For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Hi, This is Audit Failure, its not actually blocking programs. If you would like to disable this event, try to disable Firewall service in services.msc and set its Startup Type to Manual. ThanksThis posting is provided "AS IS" with no warranties, and confers no rights.

Thanks Mervyn. I had read that this was a result of auditing, but was not convinced that it was actually allowing the execution since the entries say Allowed:No . Do you have any info that might help satisfy management on this event?

Hi, From the article below, we can find: http://technet.microsoft.com/en-us/library/cc737845(WS.10).aspx#BKMK_log Security Log Entries Windows Firewall writes entries to the security log when a computer is started and when a program or system service attempts to listen for unsolicited incoming traffic but is blocked. These entries provide information about the status and configuration of Windows Firewall, including information about the applications and ports that permit traffic through Windows Firewall. These entries also provide information about which ports and protocols a program or system services is trying to use so you can configure the necessary exceptions in Windows Firewall. These security log entries are viewed with Event Viewer, which can filter the entries by Event IDs. The Event IDs associated with Windows Firewall are in the range of 848 through 861. NOTE: Windows Firewall events are written to the event log any time the Windows Firewall/Internet Connection Sharing service is running, even if Windows Firewall is turned off (disabled). When Firewall is turned off, the program is not blocked but the entries are still written in Event Log. Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.