new 2008R2 install, lots of 5157 & 5152 errors
I've got a brand new install of Windows Server 2008 x86 inside a Hyper-V virtual machine. Allowed it to do all updates and then promoted it to a domain controller. It's also running a DNS server, but no other roles. Just AD and DNS.
When I look at the event log I'm noticing a ton of 5157 and 5152 errors. I'd like to know why.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/4/2010 9:24:03 AM
Event ID: 5152
Task Category: Filtering Platform Packet Drop
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC2.example.com
Description:
The Windows Filtering Platform blocked a packet.
Application Information:
Process ID: 4
Application Name: System
Network Information:
Direction: Inbound
Source Address: 192.168.1.33
Source Port: 5
Destination Address: 192.168.1.1
Destination Port: 1
Protocol: 1
Filter Information:
Filter Run-Time ID: 0
Layer Name: Receive/Accept
Layer Run-Time ID: 44
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>5152</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12809</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2010-10-04T13:24:03.932298100Z" />
<EventRecordID>17039</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="92" />
<Channel>Security</Channel>
<Computer>DC2.example.com</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessId">4</Data>
<Data Name="Application">System</Data>
<Data Name="Direction">%%14592</Data>
<Data Name="SourceAddress">192.168.1.33</Data>
<Data Name="SourcePort">5</Data>
<Data Name="DestAddress">192.168.1.1</Data>
<Data Name="DestPort">1</Data>
<Data Name="Protocol">1</Data>
<Data Name="FilterRTID">0</Data>
<Data Name="LayerName">%%14610</Data>
<Data Name="LayerRTID">44</Data>
</EventData>
</Event>
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/4/2010 9:24:03 AM
Event ID: 5157
Task Category: Filtering Platform Connection
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC2.example.com
Description:
The Windows Filtering Platform has blocked a connection.
Application Information:
Process ID: 4
Application Name: System
Network Information:
Direction: Inbound
Source Address: 192.168.1.33
Source Port: 5
Destination Address: 192.168.1.1
Destination Port: 1
Protocol: 1
Filter Information:
Filter Run-Time ID: 0
Layer Name: Receive/Accept
Layer Run-Time ID: 44
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>5157</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2010-10-04T13:24:03.932298100Z" />
<EventRecordID>17040</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="92" />
<Channel>Security</Channel>
<Computer>DC2.example.com</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessID">4</Data>
<Data Name="Application">System</Data>
<Data Name="Direction">%%14592</Data>
<Data Name="SourceAddress">192.168.1.33</Data>
<Data Name="SourcePort">5</Data>
<Data Name="DestAddress">192.168.1.1</Data>
<Data Name="DestPort">1</Data>
<Data Name="Protocol">1</Data>
<Data Name="FilterRTID">0</Data>
<Data Name="LayerName">%%14610</Data>
<Data Name="LayerRTID">44</Data>
</EventData>
</Event>
This machine's IP is 192.168.11.33 and the local subnet router is 192.168.1.1. Process 4 is showing up as "SYSTEM". What's going on here? It looks like the machine's trying to ping the router and being blocked? Ok, well, how do I either allow the machine to do this, or prevent it from logging it all the time? Or is there a firewall rule to be applied here?
And why does an out of the box install not avoid cluttering the log this way? If it's a valid process trying to do something, shouldn't the firewall be set up automatically?
October 4th, 2010 9:56am
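As an added triage example (not code from this thread), a small Python parser for the Event Xml posted above: it normalises the Data names (the two events spell them "ProcessId" and "ProcessID"), resolves the two resource-string IDs these events use, and counts identical flows, since an audit flood like this usually collapses to one repeating tuple. The sample event is a reduced, constructed copy of the 5152 event; the ID-to-text maps only cover values present in this thread.

```python
# Added example (not from the thread): parse WFP audit events 5152/5157 from
# their Event XML and count the repeating flows so the flood can be triaged.
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DIRECTION = {"%%14592": "Inbound"}        # resource-string IDs seen in the events
LAYER = {"%%14610": "Receive/Accept"}     # above; unknown IDs are kept raw
PROTOCOL = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IANA protocol numbers

def parse_wfp_event(xml_text):
    """Return the fields of one 5152/5157 event as a plain dict."""
    root = ET.fromstring(xml_text)
    data = {}
    for d in root.iterfind("e:EventData/e:Data", NS):
        # The two posted events spell the key "ProcessId" and "ProcessID".
        data[d.get("Name").lower()] = (d.text or "").strip()
    proto = int(data["protocol"])
    return {
        "event_id": int(root.findtext("e:System/e:EventID", namespaces=NS)),
        "pid": int(data["processid"]),
        "application": data["application"],
        "direction": DIRECTION.get(data["direction"], data["direction"]),
        "layer": LAYER.get(data["layername"], data["layername"]),
        "protocol": PROTOCOL.get(proto, str(proto)),
        "src": data["sourceaddress"], "dst": data["destaddress"],
        # For protocol 1 (ICMP) these fields are not TCP/UDP ports, so they are
        # kept as strings and never interpreted as listening services.
        "sport": data["sourceport"], "dport": data["destport"],
    }

def flow_key(ev):
    return (ev["event_id"], ev["direction"], ev["protocol"],
            ev["src"], ev["sport"], ev["dst"], ev["dport"])

def top_flows(xml_events, limit=5):
    """Count identical flows; thousands of one tuple point at one cause."""
    return Counter(flow_key(parse_wfp_event(x)) for x in xml_events).most_common(limit)

# Constructed sample: the 5152 event from the first post, reduced to the
# elements this parser reads.
SAMPLE_5152 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>5152</EventID><Computer>DC2.example.com</Computer></System>
<EventData><Data Name="ProcessId">4</Data><Data Name="Application">System</Data>
<Data Name="Direction">%%14592</Data><Data Name="SourceAddress">192.168.1.33</Data>
<Data Name="SourcePort">5</Data><Data Name="DestAddress">192.168.1.1</Data>
<Data Name="DestPort">1</Data><Data Name="Protocol">1</Data>
<Data Name="LayerName">%%14610</Data></EventData></Event>"""
```

Feed `top_flows` the Event Xml of every 5152/5157 record exported from the Security log; the top tuple tells you which single flow is generating the noise before you decide between a firewall rule and changing the audit subcategory.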
check this:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/063f21e5-7d32-4cd0-86e5-a492cdab46cd
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/9cb175a1-78fb-452e-b59d-0416940c2d20
October 14th, 2010 2:05pm
I am seeing the exact same issue as the poster. We have four virtual DCs running on a single Hyper-V host. Each of the four DCs is flooded with literally thousands of the errors below. The source and destination addresses are always the server IP and gateway IP, the application is always System, and the source and destination ports 1 and 5. Does anyone have any additional info on this? The links provided in the "answer" do not seem to apply.
Note: I am not seeing any service disruptions. I would like to resolve this issue without having to disable "Audit Filtering Platform Connection" and "Audit Filtering Platform Packet Drop" on the affected DCs.
--------------------------------- EVENT ID 5157 ---------------------------------
The Windows Filtering Platform has blocked a connection.
Application Information:
Process ID: 4
Application Name: System
Network Information:
Direction: Inbound
Source Address: 10.1.36.242
Source Port: 5
Destination Address: 10.1.36.252
Destination Port: 1
Protocol: 1
Filter Information:
Filter Run-Time ID: 2682896
Layer Name: Receive/Accept
Layer Run-Time ID: 44
--------------------------------- EVENT ID 5152 ---------------------------------
The Windows Filtering Platform has blocked a packet.
Application Information:
Process ID: 4
Application Name: System
Network Information:
Direction: Inbound
Source Address: 10.1.36.252
Source Port: 1
Destination Address: 10.1.36.242
Destination Port: 5
Protocol: 1
Filter Information:
Filter Run-Time ID: 2682896
Layer Name: Receive/Accept
Layer Run-Time ID: 44
December 6th, 2010 4:16pm
We're experiencing the exact same problem as C Thompson above. The answers given in this thread do not apply. Any ideas?
April 28th, 2011 2:42pm
I also have the same issue. Any ideas?
See below for an example event log. I recently promoted a Windows 2008 R2 Server Core VM to a Domain Controller. The Windows Firewall is set to allow remote management. I can successfully portquery the DC on TCP 445. I am not noticing any issues; is this something that can be safely ignored? Even better, can I disable the events from appearing?
The Windows Filtering Platform has blocked a packet.
Application Information:
Process ID: 0
Application Name: -
Network Information:
Direction: Inbound
Source Address: 10.110.7.125
Source Port: 56707
Destination Address: 10.20.10.2
Destination Port: 445
Protocol: 6
Filter Information:
Filter Run-Time ID: 67636
Layer Name: Transport
Layer Run-Time ID: 13
Pacerfan9
May 17th, 2011 1:52pm