
Auditing

The Windows Filtering Platform (WFP) provides auditing of firewall and IPsec related events. These events are stored in the system security log.

The audited events are as follows.

Auditing category (GUID) / Auditing subcategory (GUID) / Audited events

The GUIDs in braces identify each category and subcategory; they can be passed to auditpol.exe in place of the localized names (see below).

Note  The numbers represent the Event IDs as displayed by Event Viewer (eventvwr.exe).

Category: Policy Change {6997984D-797A-11D9-BED3-505054503030}
Subcategory: Filtering Platform Policy Change {0CCE9233-69AE-11D9-BED3-505054503030}

WFP object addition and removal:

  • 5440—Persistent callout added
  • 5441—Boot-time or persistent filter added
  • 5442—Persistent provider added
  • 5443—Persistent provider context added
  • 5444—Persistent sub-layer added
  • 5446—Run-time callout added or removed
  • 5447—Run-time filter added or removed
  • 5448—Run-time provider added or removed
  • 5449—Run-time provider context added or removed
  • 5450—Run-time sub-layer added or removed

Category: Object Access {6997984A-797A-11D9-BED3-505054503030}
Subcategory: Filtering Platform Packet Drop {0CCE9225-69AE-11D9-BED3-505054503030}

Packets dropped by WFP:

  • 5152—Packet dropped
  • 5153—Packet vetoed

Category: Object Access {6997984A-797A-11D9-BED3-505054503030}
Subcategory: Filtering Platform Connection {0CCE9226-69AE-11D9-BED3-505054503030}

Allowed and blocked connections:

  • 5154—Listen permitted
  • 5155—Listen blocked
  • 5156—Connection permitted
  • 5157—Connection blocked
  • 5158—Bind permitted
  • 5159—Bind blocked

Note  Permitted connections do not always audit the ID of the associated filter. For TCP, the Filter ID is reported as 0 unless the matching filter uses one or more of these filtering conditions: user ID, application ID, protocol, remote port.

Category: Object Access {6997984A-797A-11D9-BED3-505054503030}
Subcategory: Other Object Access Events {0CCE9227-69AE-11D9-BED3-505054503030}

Note  This subcategory enables many audits; only the WFP-specific audits are listed here.

Denial of Service prevention status:

  • 5148—WFP DoS prevention mode started
  • 5149—WFP DoS prevention mode stopped

Category: Logon/Logoff {69979849-797A-11D9-BED3-505054503030}
Subcategory: IPsec Main Mode {0CCE9218-69AE-11D9-BED3-505054503030}

IKE and AuthIP Main Mode negotiation:

  • 4650, 4651—Security association established
  • 4652, 4653—Negotiation failed
  • 4655—Security association ended

Category: Logon/Logoff {69979849-797A-11D9-BED3-505054503030}
Subcategory: IPsec Quick Mode {0CCE9219-69AE-11D9-BED3-505054503030}

IKE and AuthIP Quick Mode negotiation:

  • 5451—Security association established
  • 5452—Security association ended
  • 4654—Negotiation failed

Category: Logon/Logoff {69979849-797A-11D9-BED3-505054503030}
Subcategory: IPsec Extended Mode {0CCE921A-69AE-11D9-BED3-505054503030}

AuthIP Extended Mode negotiation:

  • 4978—Invalid negotiation packet
  • 4979, 4980, 4981, 4982—Security association established
  • 4983, 4984—Negotiation failed

Category: System {69979848-797A-11D9-BED3-505054503030}
Subcategory: IPsec Driver {0CCE9213-69AE-11D9-BED3-505054503030}

Packets dropped by the IPsec driver:

  • 4963—Inbound clear text packet dropped

By default, auditing for WFP is disabled.

Auditing can be enabled on a per-category basis through the Group Policy Object Editor MMC snap-in, the Local Security Policy MMC snap-in, or the auditpol.exe command.

For example, to enable the auditing of Policy Change events you may:

  • Use the Group Policy Object Editor

    1. Run gpedit.msc.
    2. Expand Local Computer Policy.
    3. Expand Computer Configuration.
    4. Expand Windows Settings.
    5. Expand Security Settings.
    6. Expand Local Policies.
    7. Click Audit Policy.
    8. Double-click Audit policy change to open the Properties dialog box.
    9. Check the Success and Failure check-boxes.
  • Use the Local Security Policy

    1. Run secpol.msc.
    2. Expand Local Policies.
    3. Click Audit Policy.
    4. Double-click Audit policy change to open the Properties dialog box.
    5. Check the Success and Failure check-boxes.
  • Use the auditpol.exe command

    • auditpol /set /category:"Policy Change" /success:enable /failure:enable

Auditing can be enabled on a per-subcategory basis through the auditpol.exe command (on Windows 7, Windows Server 2008 R2 and later also through Advanced Audit Policy Configuration under Security Settings in the Group Policy Object Editor). Enabling a whole category through the legacy Audit Policy node turns on every subcategory in it, so Policy Change audits considerably more than WFP.

The auditing category and subcategory names are localized. To avoid localization for auditing scripts, the corresponding GUIDs may be used in place of the names.

For example, to enable the auditing of Filtering Platform Policy Change events you may use either one of the following commands:

  • auditpol /set /subcategory:"Filtering Platform Policy Change" /success:enable /failure:enable
  • auditpol /set /subcategory:"{0CCE9233-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable

Both forms must be run from an elevated command prompt: auditpol /set requires the Manage auditing and security log privilege (SeSecurityPrivilege), and a non-elevated prompt fails with error 0x00000522, "A required privilege is not held by the client", even for members of Administrators. Note also that if Group Policy applies a legacy per-category setting, it can overwrite subcategory settings made with auditpol unless the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled.
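The same procedure scripted in PowerShell, as an added example that is not code from the original page: it enables every WFP subcategory from the table above by GUID (so it works on any UI language), checks for an elevated token first so the privilege error is reported before auditpol is called, and reads the effective policy back with auditpol /get /r. The subcategory GUIDs are the ones listed on this page; the function names and the per-subcategory Success/Failure choices are my own.

```powershell
# Added example (not from the original page): enable the WFP audit
# subcategories by GUID and read the resulting policy back.
# auditpol /set needs an elevated prompt; without it the command fails with
# "A required privilege is not held by the client." (error 0x00000522).

$WfpAuditSettings = @(
    # Packet drops (5152/5153) are always written as Audit Failure, so enabling
    # Success for that subcategory only adds noise. The others log both outcomes.
    @{ Name='Filtering Platform Policy Change'; Guid='{0CCE9233-69AE-11D9-BED3-505054503030}'; Success='enable';  Failure='enable' }
    @{ Name='Filtering Platform Packet Drop';   Guid='{0CCE9225-69AE-11D9-BED3-505054503030}'; Success='disable'; Failure='enable' }
    @{ Name='Filtering Platform Connection';    Guid='{0CCE9226-69AE-11D9-BED3-505054503030}'; Success='enable';  Failure='enable' }
    @{ Name='IPsec Main Mode';                  Guid='{0CCE9218-69AE-11D9-BED3-505054503030}'; Success='enable';  Failure='enable' }
    @{ Name='IPsec Quick Mode';                 Guid='{0CCE9219-69AE-11D9-BED3-505054503030}'; Success='enable';  Failure='enable' }
    @{ Name='IPsec Extended Mode';              Guid='{0CCE921A-69AE-11D9-BED3-505054503030}'; Success='enable';  Failure='enable' }
    @{ Name='IPsec Driver';                     Guid='{0CCE9213-69AE-11D9-BED3-505054503030}'; Success='enable';  Failure='enable' }
)

function Test-IsElevated {
    # True only when the current token actually carries the Administrators
    # group; under UAC a non-elevated admin token does not.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Set-WfpAuditPolicy {
    param([array]$Settings = $WfpAuditSettings)
    if (-not (Test-IsElevated)) {
        throw 'Run from an elevated prompt: auditpol /set requires SeSecurityPrivilege.'
    }
    foreach ($s in $Settings) {
        # Quote each switch so PowerShell passes "/subcategory:{GUID}" as one argument.
        & auditpol.exe /set "/subcategory:$($s.Guid)" "/success:$($s.Success)" "/failure:$($s.Failure)" | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "auditpol /set failed for $($s.Name) (exit code $LASTEXITCODE)"
        }
    }
}

function Get-WfpAuditPolicy {
    param([array]$Settings = $WfpAuditSettings)
    foreach ($s in $Settings) {
        # /r prints CSV with the columns Machine Name, Policy Target, Subcategory,
        # Subcategory GUID, Inclusion Setting, Exclusion Setting.
        & auditpol.exe /get "/subcategory:$($s.Guid)" /r |
            Where-Object { $_ } |
            ConvertFrom-Csv |
            Select-Object Subcategory, 'Subcategory GUID', 'Inclusion Setting'
    }
}

Set-WfpAuditPolicy
Get-WfpAuditPolicy | Format-Table -AutoSize
```

Calling Set-WfpAuditPolicy with a modified copy of $WfpAuditSettings (for example Success='disable', Failure='disable' for Filtering Platform Packet Drop) turns a subcategory off again, which is the operation attempted in the comment at the end of this page.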

Related topics

Auditpol
Event Log
Group Policy

Build date: 9/7/2011

Elevate
When you get "A required privilege is not held by the client", try elevating your command prompt first.
This is a good tool...
http://technet.microsoft.com/en-us/magazine/2007.06.utilityspotlight.aspx
Error 0x00000522 occurred: A required privilege is not held by the client.
I entered this command to disable the annoying message, but got this error:
Adm...> auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
Error 0x00000522 occurred:
A required privilege is not held by the client.

Notes: I'm a member of a group that is included in the Administrators group on this server.
The server is Windows server 2008 R2, x64, English, just recently installed and firewall recently configured.
I'm trying to disable this message in event log:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 24.03.2011 9:34:23
Event ID: 5152
Task Category: Filtering Platform Packet Drop
Level: Information
Keywords: Audit Failure
User: N/A
Computer: RUSSPB27.ru.heiway.net
Description:
The Windows Filtering Platform has blocked a packet.
Application Information:
Process ID: 0
Application Name: -
Network Information:
Direction: Inbound
Source Address: 10.129.0.173
Source Port: 3189
Destination Address: 255.255.255.255
Destination Port: 1211
Protocol: 17
Filter Information:
Filter Run-Time ID: 67158
Layer Name: Transport
Layer Run-Time ID: 13
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5152</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12809</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2011-03-24T06:34:23.895989600Z" />
<EventRecordID>216995</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="80" />
<Channel>Security</Channel>
<Computer>RUSSPB27.ru.heiway.net</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessId">0</Data>
<Data Name="Application">-</Data>
<Data Name="Direction">%%14592</Data>
<Data Name="SourceAddress">10.129.0.173</Data>
<Data Name="SourcePort">3189</Data>
<Data Name="DestAddress">255.255.255.255</Data>
<Data Name="DestPort">1211</Data>
<Data Name="Protocol">17</Data>
<Data Name="FilterRTID">67158</Data>
<Data Name="LayerName">%%14597</Data>
<Data Name="LayerRTID">13</Data>
</EventData>
</Event>

So, any ideas how to fix this?