Re: Event 5152



It is possible that your web server is blocking malicious packets such as those that were used in Nimda, Code Red and other viruses/worms etc. IIS (Web Server component) in Windows 2008 already has built-in functionality and filtering that was introduced with the IIS Lockdown tool. This tool was released to defend against the mentioned virus attacks. To see more detail about possible attacks on your web server you may install some kind of intrusion detection software. BTW, attacks against web servers are constant. With a properly configured (firewalled, filtered) and patched web server you are on the safe side, but you should always follow the trends and latest threat warnings.


"Mike via WinServerKB.com" <no@xxxxxxxx> wrote in message news:a28276ada11cf@xxxxxx
Windows Server 2008 Web Edition

I am getting lots of Event 5152 log entries with the following error message:

==============================
The Windows Filtering Platform has blocked a packet.

Application Information:
Process ID: 0
Application Name: -

Network Information:
Direction: Inbound
Source Address: <various IP addresses>
Source Port: 1176
Destination Address: <my IP address>
Destination Port: 80 (ALWAYS THIS HTTP PORT)
Protocol: 6

Filter Information:
Filter Run-Time ID: 68463
Layer Name: Transport
Layer Run-Time ID: 13
=============================================

What could be wrong? My Windows Firewall allows TCP 80 from any IP and I can
access the web sites via TCP 80.

--
Message posted via WinServerKB.com
http://www.winserverkb.com/Uwe/Forums.aspx/windows-server/201001/1
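
One way to triage a flood of these entries, as an added example that is not part of the original thread: the script parses rendered Event 5152 message text in the layout quoted above and groups the drops by Filter Run-Time ID, listing the sources and destination ports behind each filter. The sample events, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

MARKER = "The Windows Filtering Platform has blocked a packet."
# "Name: value" lines; the key stops at the first colon so IPv6 values survive.
FIELD = re.compile(r"^[ \t]*([A-Za-z][A-Za-z \-]*?):[ \t]*(.*)$", re.M)

# Constructed sample in the layout quoted above (RFC 5737 documentation addresses).
TEMPLATE = MARKER + """
Application Information:
Process ID: 0
Application Name: -
Network Information:
Direction: Inbound
Source Address: {0}
Source Port: {1}
Destination Address: 192.0.2.10
Destination Port: {2}
Protocol: 6
Filter Information:
Filter Run-Time ID: {3}
Layer Name: Transport
Layer Run-Time ID: 13
"""
SAMPLE = "".join(TEMPLATE.format(*row) for row in [
    ("198.51.100.7", 1176, "80", 68463),
    ("198.51.100.7", 1177, "80 (annotated by hand)", 68463),
    ("203.0.113.25", 4021, "80", 68463),
    ("203.0.113.25", 4022, "445", 70001),
])

def parse_events(text):
    """Split exported log text into one {field: value} dict per 5152 event."""
    return [{k.strip(): v.strip() for k, v in FIELD.findall(chunk)}
            for chunk in text.split(MARKER)[1:]]

def summarize(events):
    """Group drops by Filter Run-Time ID: count, distinct sources, ports hit."""
    out = defaultdict(lambda: {"count": 0, "sources": set(), "ports": Counter()})
    for e in events:
        row = out[e.get("Filter Run-Time ID") or "?"]
        row["count"] += 1
        row["sources"].add(e.get("Source Address") or "?")
        # Keep only the leading token so hand-annotated ports still group.
        row["ports"][(e.get("Destination Port") or "?").split()[0]] += 1
    return dict(out)

if __name__ == "__main__":
    for fid, row in summarize(parse_events(SAMPLE)).items():
        print(fid, row["count"], sorted(row["sources"]), dict(row["ports"]))
```

To identify the filter behind an ID, look it up in the filter dump that `netsh wfp show filters` writes, on Windows versions that provide that context.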
