Monday, December 29, 2014

Windows firewall, auditing and other related issues

Well, this sorry tale started with a desire to enable the Windows firewall on our domain controllers. I'll leave that part of the story for another day, but it did throw up and interesting issue that Microsoft agrees is a bug. I started to see event 5152 filling my domain controller's security event log which appeared to indicate that inbound LDAP packets were being dropped by the firewall. This was obviously a concern. Here is an appropriately redacted example event (note the highlighted port 389 which is (unsecure) LDAP).

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          12/29/2014 10:23:53 AM
Event ID:      5152
Task Category: Filtering Platform Packet Drop
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      MyDomainController.MyDomain.COM
The Windows Filtering Platform has blocked a packet.

Application Information:
Process ID: 0
Application Name: -

Network Information:
Direction: Inbound
Source Address:
Source Port: 50030
Destination Address:
Destination Port: 389
Protocol: 6

Filter Information:
Filter Run-Time ID: 540039
Layer Name: Transport
Layer Run-Time ID: 13

When the issue was raised with Microsoft, it appears that this is incorrect. Here is their response:

The packet drop events are being generated as part of a set of “built-in” stealth filters. These stealth filters were introduced in Vista/2008 to ward off port-scanning attacks. Their purpose is to prevent outbound responses (such as TCP resets) to inbound packets sent for the purpose of port IP and port discovery. The 5152 events are misleading in this way because from the text they seem to indicate the INBOUND packet was dropped, when really, it was the OUTBOUND packet that was dropped. Our product team concurs that is just an idiosyncrasy of the implementation. When an inbound packet triggers a reset, the stack classifies the packet against the INBOUND_TRANSPORT_V4_DISCARD layers to determine if the reset should be sent. So in this case, “inbound” really means that the drop occurred during the processing of an inbound packet and before the outbound reset was even generated.

So, armed with this information I was advised that he only course of action was to filter out this white noise by adjusting the auditing settings. This meant using the following policy node scoped to the domain controllers (I used my default domain controller policy):

Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policy\Object Access

Specifically, the setting: Audit Filtering Platform Packet Drop and setting it to No Auditing. Now, to be clear, it is more usual to manage auditing with the following (less granular node):

Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policies

Well then some interesting things happened. The domain controllers started to act like all the auditing was disabled which had various effects in my environment. It turns out that as soon as you configure anything in the more granular advanced section, all settings in the regular section are ignored.

There is an excellent article written by Ned Pyle here:

I don't consider it appropriate to copy-n-paste his words into this blog, but go read it. It also makes it clear that trying to use RSOP to troubleshoot this issue will not work as RSOP is deprecated and in any case, only reads from the data controlled by the regular policy node. The only true way to know what all the audit policies are, is by issuing the following command:

auditpol /get /category:*

The solution is to recreate all the settings from the regular node into the more granular node. If I had time I would try and create a cross walk between each regular setting and the collection of more granular settings that it equates to, but I might have to leave that to someone else.



  1. Hey, thanks a lot for this post. It helped me a bunch!


  2. Thank you for this! I just enabled firewall on my 2008 R2 domain controllers and was troubled by these same events. Searching around the internet all I was finding were people talking back and forth who really didn't understand the issue at hand. I knew something was odd with the process id showing as 0 instead of the lsass process but couldn't find an explanation anywhere. Now at least I know the events are a bug and I just have to decide whether I want to suppress all dropped packed events in order to not see them.

    Apparently, they did fix this in Server 2012 because I have several domains running 2012 R2 and these events are not logged even when auditing of filtering platform events for dropped packets is enabled.