new 2008R2 install, lots of 5157 & 5152 errors
I've got a brand new install of Windows Server 2008 x86 inside a Hyper-V virtual machine. Allowed it to do all updates and then promoted it to a domain controller. It's also running a DNS server, but no other roles. Just AD and DNS. When I look at the event log I'm noticing a ton of 5157 and 5152 errors. I'd like to know why.

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/4/2010 9:24:03 AM
Event ID: 5152
Task Category: Filtering Platform Packet Drop
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC2.example.com
Description:
The Windows Filtering Platform blocked a packet.

Application Information:
Process ID: 4
Application Name: System

Network Information:
Direction: Inbound
Source Address: 192.168.1.33
Source Port: 5
Destination Address: 192.168.1.1
Destination Port: 1
Protocol: 1

Filter Information:
Filter Run-Time ID: 0
Layer Name: Receive/Accept
Layer Run-Time ID: 44

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>5152</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12809</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2010-10-04T13:24:03.932298100Z" />
    <EventRecordID>17039</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="92" />
    <Channel>Security</Channel>
    <Computer>DC2.example.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="ProcessId">4</Data>
    <Data Name="Application">System</Data>
    <Data Name="Direction">%%14592</Data>
    <Data Name="SourceAddress">192.168.1.33</Data>
    <Data Name="SourcePort">5</Data>
    <Data Name="DestAddress">192.168.1.1</Data>
    <Data Name="DestPort">1</Data>
    <Data Name="Protocol">1</Data>
    <Data Name="FilterRTID">0</Data>
    <Data Name="LayerName">%%14610</Data>
    <Data Name="LayerRTID">44</Data>
  </EventData>
</Event>

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/4/2010 9:24:03 AM
Event ID: 5157
Task Category: Filtering Platform Connection
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC2.example.com
Description:
The Windows Filtering Platform has blocked a connection.

Application Information:
Process ID: 4
Application Name: System

Network Information:
Direction: Inbound
Source Address: 192.168.1.33
Source Port: 5
Destination Address: 192.168.1.1
Destination Port: 1
Protocol: 1

Filter Information:
Filter Run-Time ID: 0
Layer Name: Receive/Accept
Layer Run-Time ID: 44

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>5157</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12810</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2010-10-04T13:24:03.932298100Z" />
    <EventRecordID>17040</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="92" />
    <Channel>Security</Channel>
    <Computer>DC2.example.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="ProcessID">4</Data>
    <Data Name="Application">System</Data>
    <Data Name="Direction">%%14592</Data>
    <Data Name="SourceAddress">192.168.1.33</Data>
    <Data Name="SourcePort">5</Data>
    <Data Name="DestAddress">192.168.1.1</Data>
    <Data Name="DestPort">1</Data>
    <Data Name="Protocol">1</Data>
    <Data Name="FilterRTID">0</Data>
    <Data Name="LayerName">%%14610</Data>
    <Data Name="LayerRTID">44</Data>
  </EventData>
</Event>

This machine's IP is 192.168.11.33 and the local subnet router is 192.168.1.1. Process 4 is showing up as "SYSTEM". What's going on here? It looks like the machine's trying to ping the router and being blocked? Ok, well, how do I either allow the machine to do this, or prevent it from logging it all the time? Or is there a firewall rule to be applied here? And why does an out-of-the-box install not avoid cluttering the log this way?
If it's a valid process trying to do something, shouldn't the firewall be set up automatically?
October 4th, 2010 9:56am

Check this:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/063f21e5-7d32-4cd0-86e5-a492cdab46cd
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/9cb175a1-78fb-452e-b59d-0416940c2d20
October 14th, 2010 2:05pm

I am seeing the exact same issue as the poster. We have four virtual DCs running on a single Hyper-V host. Each of the four DCs is flooded with literally thousands of the errors below. The source and destination addresses are always the server IP and gateway IP, the application is always System, and the source and destination ports 1 and 5. Does anyone have any additional info on this? The links provided in the "answer" do not seem to apply.

Note: I am not seeing any service disruptions. I would like to resolve this issue without having to disable "Audit Filtering Platform Connection" and "Audit Filtering Platform Packet Drop" on the affected DCs.

---------------------------------
EVENT ID 5157
---------------------------------
The Windows Filtering Platform has blocked a connection.

Application Information:
Process ID: 4
Application Name: System

Network Information:
Direction: Inbound
Source Address: 10.1.36.242
Source Port: 5
Destination Address: 10.1.36.252
Destination Port: 1
Protocol: 1

Filter Information:
Filter Run-Time ID: 2682896
Layer Name: Receive/Accept
Layer Run-Time ID: 44

---------------------------------
EVENT ID 5152
---------------------------------
The Windows Filtering Platform has blocked a packet.

Application Information:
Process ID: 4
Application Name: System

Network Information:
Direction: Inbound
Source Address: 10.1.36.252
Source Port: 1
Destination Address: 10.1.36.242
Destination Port: 5
Protocol: 1

Filter Information:
Filter Run-Time ID: 2682896
Layer Name: Receive/Accept
Layer Run-Time ID: 44
December 6th, 2010 4:16pm

We're experiencing the exact same problem as C Thompson above. The answers given in this thread do not apply. Any ideas?
April 28th, 2011 2:42pm

I also have the same issue. Any ideas? See below for an example event log. I recently promoted a Windows 2008 R2 Server Core VM to a Domain Controller. The Windows Firewall is set to allow remote management. I can successfully portquery the DC on TCP 445. I am not noticing any issues; is this something that can be safely ignored? Even better, can I disable the events from appearing?

The Windows Filtering Platform has blocked a packet.

Application Information:
Process ID: 0
Application Name: -

Network Information:
Direction: Inbound
Source Address: 10.110.7.125
Source Port: 56707
Destination Address: 10.20.10.2
Destination Port: 445
Protocol: 6

Filter Information:
Filter Run-Time ID: 67636
Layer Name: Transport
Layer Run-Time ID: 13

Pacerfan9
May 17th, 2011 1:52pm
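A way to make sense of a flood like the ones pasted in this thread, as an added example that is not code from any of the posters or from Microsoft: parse the Event XML that Event Viewer shows on the Details tab (the original poster's two events, abridged to the elements read here, are embedded as sample input, plus one constructed TCP event modelled on the Server Core post above), resolve the %%14592 / %%14610 placeholders the raw XML uses for Direction and Layer Name (the two codes visible in this thread; others pass through unchanged), decode the protocol number, and count events per filter run-time ID and flow so the one filter producing the noise stands out. The interpretation of Source Port / Destination Port as ICMP type / code for Protocol 1 is an assumption of this example, not something the thread states; the computer name DC-CORE.example.com in the constructed event is likewise made up.

```python
"""Summarise Windows Filtering Platform audit events (IDs 5152 and 5157).

Added example for this thread; not code from the posters or from Microsoft.
"""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Placeholder codes seen in the raw XML, mapped to the text Event Viewer renders.
# Only the two codes visible in the thread are listed; unknown codes pass through.
PLACEHOLDERS = {"%%14592": "Inbound", "%%14610": "Receive/Accept"}

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
EVENT_KINDS = {5152: "packet drop", 5157: "connection blocked"}


def parse_event(xml_text):
    """Return one WFP audit event as a flat dict with typed fields."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("./e:System/e:EventID", NS).text)
    data = {d.get("Name"): d.text for d in root.findall("./e:EventData/e:Data", NS)}
    # The two event IDs spell the field differently: 5152 uses "ProcessId",
    # 5157 uses "ProcessID" (both spellings appear in the thread's XML).
    pid = data.get("ProcessId", data.get("ProcessID"))
    proto = int(data["Protocol"])
    return {
        "event_id": event_id,
        "kind": EVENT_KINDS.get(event_id, "unknown"),
        "pid": int(pid) if pid is not None else None,
        "app": data.get("Application"),
        "direction": PLACEHOLDERS.get(data["Direction"], data["Direction"]),
        "src": data["SourceAddress"],
        "src_port": int(data["SourcePort"]),
        "dst": data["DestAddress"],
        "dst_port": int(data["DestPort"]),
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "filter_rtid": int(data["FilterRTID"]),
        "layer": PLACEHOLDERS.get(data["LayerName"], data["LayerName"]),
        "layer_rtid": int(data["LayerRTID"]),
    }


def describe(rec):
    """One-line description of the blocked flow."""
    if rec["protocol"] == "ICMP":
        # ASSUMPTION (not stated in the thread): for ICMP events WFP puts the
        # ICMP type in SourcePort and the ICMP code in DestPort; ICMP has no ports.
        return (f"ICMP type {rec['src_port']} code {rec['dst_port']} "
                f"from {rec['src']} to {rec['dst']}")
    return (f"{rec['protocol']} {rec['src']}:{rec['src_port']} -> "
            f"{rec['dst']}:{rec['dst_port']}")


def summarise(records):
    """Count events per (filter run-time ID, layer, protocol, src, dst)."""
    return Counter((r["filter_rtid"], r["layer"], r["protocol"], r["src"], r["dst"])
                   for r in records)


# Sample input: the original poster's two events, abridged to the elements read
# above. Field values are as pasted in the thread.
OP_5152 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>5152</EventID><Computer>DC2.example.com</Computer></System>
<EventData><Data Name="ProcessId">4</Data><Data Name="Application">System</Data>
<Data Name="Direction">%%14592</Data><Data Name="SourceAddress">192.168.1.33</Data>
<Data Name="SourcePort">5</Data><Data Name="DestAddress">192.168.1.1</Data>
<Data Name="DestPort">1</Data><Data Name="Protocol">1</Data><Data Name="FilterRTID">0</Data>
<Data Name="LayerName">%%14610</Data><Data Name="LayerRTID">44</Data></EventData></Event>"""

OP_5157 = OP_5152.replace("<EventID>5152", "<EventID>5157").replace('"ProcessId"', '"ProcessID"')

# Constructed event modelled on the Server Core post (TCP 445, Transport layer).
# The %% code for the Transport layer is not in the thread, so the rendered
# text is used directly; the computer name is made up.
CORE_5152 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>5152</EventID><Computer>DC-CORE.example.com</Computer></System>
<EventData><Data Name="ProcessId">0</Data><Data Name="Application">-</Data>
<Data Name="Direction">%%14592</Data><Data Name="SourceAddress">10.110.7.125</Data>
<Data Name="SourcePort">56707</Data><Data Name="DestAddress">10.20.10.2</Data>
<Data Name="DestPort">445</Data><Data Name="Protocol">6</Data><Data Name="FilterRTID">67636</Data>
<Data Name="LayerName">Transport</Data><Data Name="LayerRTID">13</Data></EventData></Event>"""


def report(xml_events):
    """Parse every event and return (records, summary lines, noisiest first)."""
    records = [parse_event(x) for x in xml_events]
    lines = []
    for (frtid, layer, proto, src, dst), n in summarise(records).most_common():
        lines.append(f"{n:>5}  filter {frtid:<8} layer {layer:<15} {proto:<4} {src} -> {dst}")
    return records, lines


if __name__ == "__main__":
    records, lines = report([OP_5152, OP_5157, CORE_5152])
    for r in records:
        print(f"{r['event_id']} {r['kind']}: {describe(r)}  (pid {r['pid']}, {r['app']})")
    print("\nEvents per filter and flow:")
    print("\n".join(lines))
```

To run it over a real log, feed it the XML of each record: Event Viewer's "Save All Events As" in XML format writes every record as an `<Event>` element under one `<Events>` root, and in PowerShell `Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=5152 or EventID=5157]]"` returns records whose `.ToXml()` gives exactly the per-event XML this parser expects. A non-zero Filter Run-Time ID from the summary (2682896 and 67636 in the later posts) can then be matched against the output of `netsh wfp show filters` to see which firewall filter is doing the blocking, which answers whether a rule change is appropriate. If the decision is to stop logging instead, the two subcategories named above are the ones to adjust, for example `auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:disable`, at the cost of losing drop visibility on that host.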
