Re: Failure audits generated by MS firewall


From: Bill Peng [MSFT] (v-bpeng_at_online.microsoft.com)
Date: 02/07/05


Date: Mon, 07 Feb 2005 08:57:11 GMT

Hi Gary,

Thank you for the update.

I'd like to provide you with the following info for your reference:

1. Based on the audit event log, it seems to be a client side application
problem. The audit failed and has been denied by your computer.

[Note] This issue may also be caused by a third-party application/service.

2. If you turn the firewall on, it will not stop the audit failure.

3. You can also disable the audit from the client side (or via Group
Policy) to stop the event. To do so:

a) Click Start and click Run.
b) Type secpol.msc and click OK.
c) Expand Local Policies/Audit Policy.
d) In the right pane, disable the failure audits.

4. Personally, I prefer the Security Administration Discussion group. For
your convenience, I included the link here:

Discussions in Windows XP Security and Administration
http://www.microsoft.com/windowsxp/expertzone/newsgroups/reader.mspx?dg=microsoft.public.windowsxp.security_admin

[Note] Sometimes, such an issue may be caused by a virus or spyware; please make
sure that you've scanned for viruses/spyware with the latest signatures.

If you need further assistance, please feel free to post back.

Have a great week!

Bill Peng
MCSE 2000, MCDBA
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
>From: "Gary Karasik" <gkarasik@fea.net>
>Subject: Re: Failure audits generated by MS firewall
>Date: Fri, 4 Feb 2005 16:55:52 -0800
>
>I need some clarification here Bill.
>
>First, I'm not at all sure this is a Windows XP issue. I am NOT getting
>these errors on identical and identically configured workstations connected
>to an SBS 4.5 system. I am getting these errors on two different SBS2K3
>systems, so I think it's possible that the cause is some interaction between
>the workstations and the SBS2K3 server, perhaps even ISA.
>
>Second, you mention that you don't recommend turning the firewall off. If I
>turn the firewall on, will I stop getting these errors?
>
>Third, are you implying that these errors are somehow normal, that the only
>way to stop getting them is to turn off the firewall service, which you
>don't recommend?
>
>Fourth, you suggest I should troll for an answer in "the Windows XP queue."
>There are 27 separate XP newsgroups that I can see. Can you suggest which
>might be the best place to start for a question about errors generated by
>the Windows Firewall?
>
>It seems to me that the primary goal here ought to be to find and fix the
>source of these errors.
>
>Can you help me with that?
>
>GaryK
>
>"Bill Peng [MSFT]" <v-bpeng@online.microsoft.com> wrote in message
>news:UEWAmAqCFHA.3048@cpmsftngxa10.phx.gbl...
>> Hi Gary,
>>
>> Thanks for your post.
>>
>> I understand that there're many 861 logs in your Security Event Log.
>>
>> Since this issue is mostly related to Windows XP, I recommend you also post
>> another question in Windows XP queue.
>>
>> Actually, we do not recommend you to turn off Windows Firewall, unless you
>> have installed third-party firewall product and you're sure that the
>> network traffic is secure.
>>
>> In this case, although the Windows Firewall has been turned off, the event
>> will still be logged there. This is because the Windows Firewall service is
>> still running. You have to turn off the Windows Firewall service in
>> Services snap-in to get rid of the event errors. (This method is not
>> recommended.)
>>
>> Personally, I still recommend you to keep the Windows Firewall
>> automatically running to prevent illegal accesses.
>>
>> If you have any concern, please feel free to post back.
>>
>> Have a nice day!
>>
>> Bill Peng
>> MCSE 2000, MCDBA
>> Microsoft Online Partner Support
>>
>>
>> --------------------
>>>From: "Gary Karasik" <gkarasik@fea.net>
>>>Subject: Failure audits generated by MS firewall
>>>Date: Thu, 3 Feb 2005 11:43:32 -0800
>>>
>>>Hi,
>>>
>>>On my XP/SP2 clients, my event security logs are full of the following
>>>entries, even though the Firewall is set to off. EventID suggests turning
>>>off auditing or turning off the Firewall Service.
>>>
>>>Are these entries the result of a problem?
>>>
>>>Is there any downside to turning off the firewall service?
>>>
>>>GaryK
>>>
>>>---------------------------------------------------------
>>>Event Type: Failure Audit
>>>Event Source: Security
>>>Event Category: Detailed Tracking
>>>Event ID: 861
>>>Date: 2/2/2005
>>>Time: 8:46:17 PM
>>>User: NT AUTHORITY\SYSTEM
>>>Computer: JOSHUA
>>>Description:
>>>The Windows Firewall has detected an application listening for incoming
>>>traffic.
>>>Name: -
>>>Path: C:\WINDOWS\SYSTEM32\lsass.exe
>>>Process identifier: 688
>>>User account: SYSTEM
>>>User domain: NT AUTHORITY
>>>Service: Yes
>>>RPC server: No
>>>IP version: IPv4
>>>IP protocol: UDP
>>>Port number: 3794
>>>Allowed: No
>>>User notified: No
>>>
>>>
>>>
>>
>
>
>
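
Added example (not part of the original thread, and not Microsoft's code): to help locate the source of the events rather than only suppress them, this Python script tallies Event ID 861 failure audits by program path, protocol and port from a text export laid out like the event quoted above. The function names, the sample export and the ExampleApp path are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample: record 1 copies the thread's quoted event; ExampleApp is invented.
SAMPLE_EXPORT = r"""
>>>Event Type: Failure Audit
>>>Event ID: 861
>>>Description:
>>>The Windows Firewall has detected an application listening for incoming traffic.
>>>Path: C:\WINDOWS\SYSTEM32\lsass.exe
>>>IP protocol: UDP
>>>Port number: 3794
Event Type: Failure Audit
Event ID: 861
Path: C:\Program Files\ExampleApp\agent.exe
IP protocol: TCP
Port number: 5000
Event Type: Failure Audit
Event ID: 861
Path: C:\WINDOWS\SYSTEM32\lsass.exe
IP protocol: UDP
Port number: 3794
"""

# "Label: value" lines, optionally prefixed by mail-quote markers.
FIELD = re.compile(r"^>*\s*([A-Za-z ]+?):[ \t]*(.*)$")

def parse_events(text):
    """Return one dict per event; each 'Event Type' line starts a new event."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m and m.group(1) == "Event Type":
            events.append({})
        if m and events:
            events[-1][m.group(1)] = m.group(2).strip()
    return events

def summarize_861(text):
    """Count 861 failure audits per (program path, protocol, port), most frequent first."""
    counts = Counter()
    for ev in parse_events(text):
        if ev.get("Event Type") == "Failure Audit" and ev.get("Event ID") == "861":
            counts[(ev.get("Path", "?").lower(), ev.get("IP protocol"), ev.get("Port number"))] += 1
    return counts.most_common()

if __name__ == "__main__":
    for (path, proto, port), n in summarize_861(SAMPLE_EXPORT):
        print(f"{n:4d}  {proto}/{port}  {path}")
```

A path outside the Windows system directory that recurs in the tally is the first candidate to check against the third-party application and spyware causes mentioned in the reply.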


