MS-FASP / Port Scanning Prevention Filter / Stealth Mode - Security Event Log Filling/Archiving at a Rapid Pace

-

microsoft firewall , advanced security platform:

we have windows 2012 server has firewall enabled , group policy enforces failures "auditobjectaccess" security event log event ids 5152, 5157.  these logs set archive have retain them security requirements.  these logs filling our current disk capacity @ high rate.  is there way reduce logged events, without modifying gpo, without disabling firewall service, , without running scheduled task update policy disable block packets:

  • auditpol /set /subcategory:"filtering platform policy change" /success:disable /failure:disable) 

right i’m going down hole figure out rule "blocking" traffic , looks default/hidden windows fw rule “port scanning prevention filter.” followed troubleshooting steps , found filter run-time id:108788 filter blocking ports in question. looking @ wfpdiag.xml names filter “port scanning prevention filter”.  have explicit rules applied allowing uniflow traffic, still being “blocked”.

there isn’t existing port located on server in question, in listening state.  therefore believe networking stack dropping packet before being processed, still shows in security log.  consistent how windows firewall implements stealth mode.  

stealth mode: firewall said operating in stealth mode when prevents host computer responding unsolicited network traffic.

links:

  1. similar issues:
    1. https://social.msdn.microsoft.com/forums/windowsdesktop/en-us/5ac9da66-f307-4b3f-ba03-87952d451f85/the-windows-filtering-platform-blocked-a-packet-on-port-389?forum=wfp
    2. https://social.technet.microsoft.com/forums/windowsserver/en-us/b627fbdf-e51b-4671-911e-3308271e3a0e/windows-adv-firewall-drops-allowed-traffic-to-closed-ports
  2. ms-fasp details
    1. https://msdn.microsoft.com/en-us/library/cc231461.aspx
  3. stealth mode
    1. fixes listed in links pertaining w2k8 (we using w2k12),  to disable stealth mode @ registry haven't worked in eliminating logged events.
    2. https://technet.microsoft.com/en-us/library/dd448557(v=ws.10).aspx

hi abesun,

then, have checked packets which are blocked firewall. are packets supposed blocked might send malicious devices?

we may use network monitor analyze packets, find out send packets computer.

network monitor download:

https://www.microsoft.com/en-us/download/details.aspx?id=4865

best regards,

anne

please remember mark replies answers if , unmark them if provide no help. if have feedback technet support, contact tnmff@microsoft.com.



Windows Server  >  Platform Networking



Comments

Post a Comment

Popular posts from this blog

Motherboard replacement

-
running windows 10 technical preview, need replace motherboard can run the  sysprep  command restoring pc ? or there easier  or more preferred way ? thanks if replace motherboard within same family of chipsets (i.e. intel > intel or amd > amd), should okay restarting pc twice. carey frisch Windows 10 Insider Preview  >  Windows 10 Insider Preview General
Read more

Cannot create Full Text Search catalog after upgrading to V12 - Database is not fully started up or it is not in an ONLINE state

-
in order access new full text search capiblities of sql azure, upgraded our azure sql v12. (a day later), when try create new catalog: create fulltext catalog mycatalog default i following message: msg 9972, level 16, state 100, line 1 database not started or not in online state. try full-text ddl command again after database started , becomes online. hi scott, apologies inconvenience caused you. known issue on service side , fix going included in next update. specific case mitigated, should able use full-text search syntax now. thanks, mihaela Microsoft Azure  >  Azure SQL Database
Read more

Remote Desktop App - Error 0x207 or 0x607

-
hi all, i manage windows 2012 r2 network, including connection broker, session hosts , remote apps virtual servers.  i've used remote desktop app on own android phone, no issues @ - connects published gateway url , can login , access network. we looking move business onto nokia handsets ms operating system (currently on blackberry), not able connect via remote desktop app on nokia lumia handset. setup, per android config , brings remote apps , remote desktop screen, know can connect.  when select remote desktop, shows following process: initiating remote connection securing remote connection certificate can't verified - choose connect it digitally signed cert (digicert sha2), pc name different physical connection broker name (inherited domain name old gov project - can't publish publicly) initiating establishing securing connection error have been 0x207 getting 0x607 a bit baffled, work on android (and ipad @ home using app). assume ms use d...
Read more