Re: Failure audits generated by MS firewall

From: Gary Karasik (gkarasik_at_fea.net)
Date: 02/08/05


Date: Tue, 8 Feb 2005 07:43:45 -0800

Thanks, Bill. I've read that. It doesn't tell me how to track down and cure
the problem that is causing my systems to generate Failure Audits.

The XP newsgroup you suggested hasn't responded to my query.

Any other thoughts on how to solve this problem besides calling MS for
$245.00?

GaryK

"Bill Peng [MSFT]" <v-bpeng@online.microsoft.com> wrote in message
news:TFJLfcbDFHA.2096@cpmsftngxa10.phx.gbl...
> Hi Gary,
>
> Thanks for your update.
>
> Personally, I recommend you to follow this White Paper to configure your
> Windows XP and Server security settings.
>
> Threats and Countermeasures: Security Settings in Windows Server 2003 and
> Windows XP
> http://www.microsoft.com/downloads/details.aspx?FamilyId=1B6ACF93-147A-4481-9346-F93A4081EEA8&displaylang=en
>
> If you have any update, please feel free to post back.
>
> Have a nice day!
>
> Bill Peng
> MCSE 2000, MCDBA
> Microsoft Partner Support Professional
>
> Get Secure! - www.microsoft.com/security
> =====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> --------------------
>>From: "Gary Karasik" <gkarasik@fea.net>
>>Subject: Re: Failure audits generated by MS firewall
>>Date: Mon, 7 Feb 2005 10:18:48 -0800
>>Newsgroups: microsoft.public.windows.server.sbs
>>
>>Bill,
>>
>>Thanks for taking the time to reply.
>>
>>> 1. Based on the audit event log, it seems to be a client side application
>>> problem. The audit failed and has been denied by your computer.
>>
>>OK, it's a problem on the workstation.
>>
>>> [Note] This issue may also be caused by third party application/service.
>>
>>So these aren't normal, and possibly some third-party app is causing the
>>firewall to report these failures?
>>
>>> 3. You can also disable the audit from the client side (or via Group
>>> Policy) to stop the event. To do so:
>>> a) Click Start and click Run.
>>> b) Type secpol.msc and click OK.
>>> c) Expand Local Policies/Audit Policy.
>>> d) In the right pane, disable the failure audits.
>>
>>Thanks for that. I'd sooner figure out what's causing the log failure
>>entries and solve that problem.
>>
>>> 4. Personally, I prefer the Security Administration Discussion group. For
>>> your convenience, I included the link here:
>>
>>I posted a message there Saturday but haven't yet received a response.
>>
>>GaryK
>>
>>> Discussions in Windows XP Security and Administration
>>>
>>> http://www.microsoft.com/windowsxp/expertzone/newsgroups/reader.mspx?dg=microsoft.public.windowsxp.security_admin
>>>
>>> [Note] Sometimes, such an issue may be caused by a virus or spyware; please
>>> make sure that you've scanned for virus/spyware with the latest signature.
>>>
>>> If you need further assistance, please feel free to post back.
>>>
>>> Have a great week!
>>>
>>> Bill Peng
>>> MCSE 2000, MCDBA
>>> Microsoft Online Partner Support
>>>
>>> --------------------
>>>>From: "Gary Karasik" <gkarasik@fea.net>
>>>>Subject: Re: Failure audits generated by MS firewall
>>>>Date: Fri, 4 Feb 2005 16:55:52 -0800
>>>>Newsgroups: microsoft.public.windows.server.sbs
>>>>
>>>>I need some clarification here Bill.
>>>>
>>>>First, I'm not at all sure this is a Windows XP issue. I am NOT getting
>>>>these errors on identical and identically configured workstations connected
>>>>to an SBS 4.5 system. I am getting these errors on two different SBS2K3
>>>>systems, so I think it's possible that the cause is some interaction between
>>>>the workstations and the SBS2K3 server, perhaps even ISA.
>>>>
>>>>Second, you mention that you don't recommend turning the firewall off. If I
>>>>turn the firewall on, will I stop getting these errors?
>>>>
>>>>Third, are you implying that these errors are somehow normal, that the only
>>>>way to stop getting them is to turn off the firewall service, which you
>>>>don't recommend?
>>>>
>>>>Fourth, you suggest I should troll for an answer in "the Windows XP queue."
>>>>There are 27 separate XP newsgroups that I can see. Can you suggest which
>>>>might be the best place to start for a question about errors generated by
>>>>the Windows Firewall?
>>>>
>>>>It seems to me that the primary goal here ought to be to find and fix the
>>>>source of these errors.
>>>>
>>>>Can you help me with that?
>>>>
>>>>GaryK
>>>>
>>>>"Bill Peng [MSFT]" <v-bpeng@online.microsoft.com> wrote in message
>>>>news:UEWAmAqCFHA.3048@cpmsftngxa10.phx.gbl...
>>>>> Hi Gary,
>>>>>
>>>>> Thanks for your post.
>>>>>
>>>>> I understand that there're many 861 logs in your Security Event Log.
>>>>>
>>>>> Since this issue is mostly related to Windows XP, I recommend you also post
>>>>> another question in Windows XP queue.
>>>>>
>>>>> Actually, we do not recommend you to turn off Windows Firewall, unless you
>>>>> have installed third-party firewall product and you're sure that the
>>>>> network traffic is secure.
>>>>>
>>>>> In this case, although the Windows Firewall has been turned off, the event
>>>>> will still be logged there. This is because the Windows Firewall service is
>>>>> still running. You have to turn off the Windows Firewall service in
>>>>> Services snap-in to get rid of the event errors. (This method is not
>>>>> recommended.)
>>>>>
>>>>> Personally, I still recommend you to keep the Windows Firewall
>>>>> automatically running to prevent illegal accesses.
>>>>>
>>>>> If you have any concern, please feel free to post back.
>>>>>
>>>>> Have a nice day!
>>>>>
>>>>> Bill Peng
>>>>> MCSE 2000, MCDBA
>>>>> Microsoft Online Partner Support
>>>>>
>>>>> --------------------
>>>>>>From: "Gary Karasik" <gkarasik@fea.net>
>>>>>>Subject: Failure audits generated by MS firewall
>>>>>>Date: Thu, 3 Feb 2005 11:43:32 -0800
>>>>>>Newsgroups: microsoft.public.windows.server.sbs
>>>>>>
>>>>>>Hi,
>>>>>>
>>>>>>On my XP/SP2 clients, my event security logs are full of the following
>>>>>>entries, even though the Firewall is set to off. EventID suggests turning
>>>>>>off auditing or turning off the Firewall Service.
>>>>>>
>>>>>>Are these entries the result of a problem?
>>>>>>
>>>>>>Is there any downside to turning off the firewall service?
>>>>>>
>>>>>>GaryK
>>>>>>
>>>>>>---------------------------------------------------------
>>>>>>Event Type: Failure Audit
>>>>>>Event Source: Security
>>>>>>Event Category: Detailed Tracking
>>>>>>Event ID: 861
>>>>>>Date: 2/2/2005
>>>>>>Time: 8:46:17 PM
>>>>>>User: NT AUTHORITY\SYSTEM
>>>>>>Computer: JOSHUA
>>>>>>Description:
>>>>>>The Windows Firewall has detected an application listening for incoming
>>>>>>traffic.
>>>>>>Name: -
>>>>>>Path: C:\WINDOWS\SYSTEM32\lsass.exe
>>>>>>Process identifier: 688
>>>>>>User account: SYSTEM
>>>>>>User domain: NT AUTHORITY
>>>>>>Service: Yes
>>>>>>RPC server: No
>>>>>>IP version: IPv4
>>>>>>IP protocol: UDP
>>>>>>Port number: 3794
>>>>>>Allowed: No
>>>>>>User notified: No
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>
>>
>>
>
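
An added example, not part of the original thread: one way to start tracking down the source of the Event ID 861 entries is to export the Security log as text and group the records by computer, binary path and protocol, listing the ports that were not allowed. The record layout follows the entry quoted above; the extra ports, the agent.exe path and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Record layout follows the Event ID 861 entry quoted in the thread.
TEMPLATE = """Event Type: Failure Audit
Event ID: 861
Computer: JOSHUA
Description:
The Windows Firewall has detected an application listening for incoming traffic.
Path: {path}
IP protocol: UDP
Port number: {port}
Allowed: No
"""

# Constructed sample input: only the first record's values come from the
# thread; the other ports and the agent.exe path are made up.
LSASS = r"C:\WINDOWS\SYSTEM32\lsass.exe"
AGENT = r"C:\Program Files\Example\agent.exe"  # hypothetical third-party binary
SAMPLE = "\n".join(TEMPLATE.format(path=p, port=n)
                   for p, n in [(LSASS, 3794), (LSASS, 4012), (AGENT, 5000)])

FIELD = re.compile(r"^([A-Za-z ]+):[ \t]*(.*)$")

def parse_records(text):
    """Split exported log text on blank lines; return one field dict per 861 event."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line.strip())
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if fields.get("Event ID") == "861":
            records.append(fields)
    return records

def summarize(records):
    """Map (computer, path, protocol) -> sorted ports the firewall did not allow."""
    ports = defaultdict(set)
    for r in records:
        if r.get("Allowed", "").lower() == "no" and r.get("Port number", "").isdigit():
            key = (r.get("Computer", "?"), r.get("Path", "?").lower(),
                   r.get("IP protocol", "?"))
            ports[key].add(int(r["Port number"]))
    return {k: sorted(v) for k, v in ports.items()}

if __name__ == "__main__":
    for (host, path, proto), plist in summarize(parse_records(SAMPLE)).items():
        print(f"{host} {path} {proto}: {len(plist)} denied port(s) {plist}")
```

The per-binary summary shows at a glance which executables the firewall is reporting and on which ports, which narrows the search to specific services or third-party applications on each workstation.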


