Saturday, February 23, 2013

Resolve issue with multiple Event ID 5152 and 5157 entries appearing in the security event log

Applies to
Windows Server 2008

Security Event IDs
5152
5157

Resolution
Install the hotfix, and/or
Disable auditing for the two Filtering Platform subcategories

Hotfix
http://support.microsoft.com/kb/2654852

Disable auditing
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
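The following is an added example (not part of the original post) that wraps the two auditpol commands above in a small runbook: it backs up the whole audit policy first so the change can be reverted with auditpol /restore, prints the state of both subcategories before and after, and then applies the change. The backup path is an assumed location. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original post. Assumed backup location; any writable path works.
$BackupPath    = "$env:SystemDrive\AuditPolicyBackup\auditpol-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
$Subcategories = @("Filtering Platform Packet Drop", "Filtering Platform Connection")

# Keep a copy of the full policy first; revert later with:  auditpol /restore /file:"<path>"
New-Item -ItemType Directory -Path (Split-Path $BackupPath) -Force | Out-Null
auditpol /backup /file:"$BackupPath"
"Audit policy backed up to $BackupPath"

function Show-WfpAuditState {
    # /r prints CSV with an "Inclusion Setting" column showing Success/Failure/No Auditing
    foreach ($sub in $Subcategories) {
        auditpol /get /subcategory:"$sub" /r
    }
}

"Before:"
Show-WfpAuditState

# The change from the post: stop auditing both success and failure for the two WFP subcategories
foreach ($sub in $Subcategories) {
    auditpol /set /subcategory:"$sub" /success:disable /failure:disable
}

"After:"
Show-WfpAuditState
```

Note the trade-off: once these subcategories are off, blocked connections and dropped packets no longer leave an audit trail, so the 5157 events that normally help spot unexpected inbound connection attempts disappear along with the noise. Where that visibility matters, the hotfix is the preferred fix and the backup file lets you restore the previous policy afterwards.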

Audit policy categories and sub categories
Account Logon
  Credential Validation
  Kerberos Service Ticket Operations
  Other Account Logon Events
  Kerberos Authentication Service

Account Management
  User Account Management
  Computer Account Management
  Security Group Management
  Distribution Group Management
  Application Group Management
  Other Account Management Events

Detailed Tracking
  Process Creation
  Process Termination
  DPAPI Activity
  RPC Events

DS Access
  Directory Service Access
  Directory Service Changes
  Directory Service Replication
  Detailed Directory Service Replication

Logon/Logoff
  Logon
  Logoff
  Account Lockout
  IPsec Main Mode
  IPsec Quick Mode
  IPsec Extended Mode
  Special Logon
  Other Logon/Logoff Events
  Network Policy Server

Object Access
  File System
  Registry
  Kernel Object
  SAM
  Certification Services
  Application Generated
  Handle Manipulation
  File Share
  Filtering Platform Packet Drop
  Filtering Platform Connection
  Other Object Access Events
  Detailed File Share

Policy Change
  Audit Policy Change
  Authentication Policy Change
  Authorization Policy Change
  MPSSVC Rule-Level Policy Change
  Filtering Platform Policy Change
  Other Policy Change Events

Privilege Use
  Sensitive Privilege Use
  Non Sensitive Privilege Use
  Other Privilege Use Events

System
  Security State Change
  Security System Extension
  System Integrity
  IPsec Driver
  Other System Events


Event Log Entries
Event ID 5152
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          2/23/2013 2:14:50 PM
Event ID:      5152
Task Category: Filtering Platform Packet Drop
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      (Computer Name)
Description:
The Windows Filtering Platform has blocked a packet.

Application Information:
    Process ID:        928
    Application Name:    \device\harddiskvolume1\windows\system32\svchost.exe

Network Information:
    Direction:        Inbound
    Source Address:        (IP Address)
    Source Port:        59663
    Destination Address:    (IP Address)
    Destination Port:        3388
    Protocol:        6

Filter Information:
    Filter Run-Time ID:    65695
    Layer Name:        Receive/Accept
    Layer Run-Time ID:    44

Event ID 5157
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          2/23/2013 2:14:50 PM
Event ID:      5157
Task Category: Filtering Platform Connection
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      (Computer Name)
Description:
The Windows Filtering Platform has blocked a connection.

Application Information:
    Process ID:        928
    Application Name:    \device\harddiskvolume1\windows\system32\svchost.exe

Network Information:
    Direction:        Inbound
    Source Address:        (IP Address)
    Source Port:        3388
    Destination Address:    (IP Address)
    Destination Port:        59663
    Protocol:        0

Filter Information:
    Filter Run-Time ID:    65695
    Layer Name:        Receive/Accept
    Layer Run-Time ID:    44
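As an added example (not from the original post), the script below measures how much of the Security log the two events account for before anything is changed, and whether the volume comes from a single process and port, as in the two entries quoted above, or is spread across many. It reads the EventData fields of each event; the element names used (Application, DestPort, Protocol, Direction) are the ones these events carry in their XML, and the 24-hour window is an assumption.

```powershell
# Added example, not from the original post. Assumes a 24-hour window; adjust $Since as needed.
$Since  = (Get-Date).AddHours(-24)
$Events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152, 5157; StartTime = $Since } `
                       -ErrorAction SilentlyContinue

# Flatten each event's EventData (<Data Name="...">) into an object with the fields worth grouping on
$Rows = foreach ($e in $Events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Id          = $e.Id
        Application = $d['Application']
        DestPort    = $d['DestPort']
        Protocol    = $d['Protocol']     # IP protocol number: 6 = TCP, 17 = UDP, 0 = unspecified (as in the 5157 entry)
        Direction   = $d['Direction']    # raw value is a resource id (%%nnnnn) that Event Viewer renders as Inbound/Outbound
    }
}

"Total 5152/5157 events since ${Since}: $($Rows.Count)"

# Top process/port/protocol combinations: one dominant line means one noisy source, many lines means a broad problem
$Rows |
    Group-Object Id, Application, DestPort, Protocol |
    Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name |
    Format-Table -AutoSize
```

Run it before applying either resolution to get a baseline, and again after installing the hotfix to confirm the count has dropped; if the events are concentrated on one application and port, as in the svchost.exe / port 3388 entries above, that is the pattern the hotfix addresses, whereas a broad spread across processes is worth examining before auditing is switched off.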

