Wednesday, 4 September 2013

Event ID 5156 Filtering Platform Connection - Repeated security log

While working with File System Auditing, I saw a large number of Event ID 5156 entries being logged repeatedly on my Server 2008 R2 machine.

See the event in this picture:

[Image: Event 5156 Repeated log]

After analyzing why Event ID 5156 was being logged repeatedly, I found the solutions below to stop it from being logged continuously.

Event ID 5156 is logged when Success or Failure auditing is enabled for Filtering Platform Connection in the Advanced Audit Policy Configuration settings, which are available in Windows 2008 R2 and later versions.

Category: Object Access
Subcategory: Filtering Platform Connection

You will get the following Event IDs if Filtering Platform Connection auditing is enabled:

   5031 - The Windows Firewall Service blocked an application from accepting incoming connections on the network.
   5154 - The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
   5155 - The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
   5156 - The Windows Filtering Platform has allowed a connection.
   5157 - The Windows Filtering Platform has blocked a connection.
   5158 - The Windows Filtering Platform has permitted a bind to a local port.
   5159 - The Windows Filtering Platform has blocked a bind to a local port.

We should disable the audit policy setting Filtering Platform Connection in Advanced Audit Policy Configuration to stop this event. We can do it in the following ways.

Possible Solution: 1 - using Auditpol.exe

    If you would like to get rid of the Filtering Platform Connection event 5156, run the following command in an elevated command prompt (Run As Administrator):

    Auditpol /set /subcategory:"Filtering Platform Connection" /Success:disable

Then update Group Policy with this command:

    gpupdate /force
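
An added example (not part of the original post) for an elevated PowerShell session: it lists which applications account for the most 5156 entries, then applies the Auditpol change above and reads the setting back after the policy refresh. The 5000-event sample size is an assumption.

```powershell
# Added example; run in an elevated PowerShell session.
# Assumption: the newest 5000 events are a representative sample.
$sample = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156 } `
              -MaxEvents 5000 -ErrorAction SilentlyContinue

if ($sample) {
    # Read the Application field by name from each event's XML,
    # then list the ten applications that generate the most entries.
    $sample | ForEach-Object {
        $fields = ([xml]$_.ToXml()).Event.EventData.Data
        ($fields | Where-Object { $_.Name -eq 'Application' }).'#text'
    } | Group-Object | Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name | Format-Table -AutoSize
}

# Show the current setting before changing anything.
auditpol /get /subcategory:"Filtering Platform Connection"

# Disable Success auditing only; Failure auditing is left as it is.
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable
if ($LASTEXITCODE -ne 0) { throw "auditpol failed with exit code $LASTEXITCODE" }

# Refresh policy, then read the setting back.
gpupdate /force
auditpol /get /subcategory:"Filtering Platform Connection"
```

If the last command still reports Success, a GPO is reapplying the setting, which is the case Solution 3 covers.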

Possible Solution: 2 - using Local Security Policy

    You can also disable Filtering Platform Connection in Advanced Audit Policy Configuration of Local Security Policy.

    1. Press the key Windows + R
    2. Type command secpol.msc, click OK
    3. Then go to the node Advanced Audit Policy Configuration->Object Access.
    4. Check the audit setting Audit Filtering Platform Connection. If it is configured as Success, you can revert it to Not Configured and apply the setting.


Possible Solution: 3 - using Group Policy Object

    If the setting is inherited by Local Security Policy from another GPO, you need to edit the specific GPO that configures the setting Audit Filtering Platform Connection. You can find that GPO by running Resultant Set of Policy.

    1. Press the key Windows + R
    2. Type command rsop.msc, click OK.
    3. Now you can see the result window. Then go to the node Computer Configuration -> Windows Settings -> Local Policies -> Audit Policy.
    4. Now you can see the Source GPO of the setting Audit Object Access, which is the root setting for Audit Filtering Platform Connection.
    5. Then you can edit the Audit Filtering Platform Connection setting of the corresponding GPO by running the GPMC.msc command through the Run window or a command window.

    Note: You need to run the command GPUpdate /force after every change to apply Group Policy to the system immediately.

Morgan
Software Developer
