Windows Filtering Platform not turning off until admin logon. Win2008R2sp1

Posted by rjt on Server Fault
Published on 2011-03-11T06:42:02Z Indexed on 2011/03/11 8:12 UTC

Just installed Windows Server 2008R2 SP1 to see if it would fix this problem, but it didn't. Until an administrator logs onto the domain controller, there are many events that WFP blocked a connection from Server60 to Server60 or Server60 to Server70. Both Server60 and Server70 are the domain controllers. Once the admin logs on, the WFP events stop.

The firewall is off by default GPO. Yes, I know that the WFP kicks in during the boot up sequence until the firewall takes over or in my case does not take over (since Vista), but I clearly should not have to autologon to a domain controller and call autolock or something.

Example event:
Level = Information
Source = Microsoft Windows Security Auditing
EventID = 5152 "Filtering Platform Packet Drop" and its evil twin ID = 5157 "Filtering Platform Connection"

"The Windows Filtering platform has blocked a connection."  
Direction %%14593 
SourceAddress 192.168.10.60 
SourcePort 49677 
DestAddress 192.168.10.60 
DestPort 389 
Protocol 6 
FilterRTID 65667 
LayerName %%14611 
LayerRTID 48 
RemoteUserID S-1-0-0 
RemoteMachineID S-1-0-0 

windows-server-2008-r2 WFP BFE WindowsFilteringPlatform BaseFilteringEngine
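
A triage sketch for the events quoted above, added here and not part of the original post: it groups the 5152/5157 events by the fields shown in the sample and looks up each FilterRTID in a `netsh wfp show filters` dump to see which filter did the blocking. The element names read from the dump (`filterId`, `displayData/name`, `layerKey`, `action/type`) and the `wfp-filters.xml` file name are assumptions of this example.

```powershell
# Added example (not from the original post). Run elevated on the domain
# controller; written to work on PowerShell 2.0 (Server 2008 R2).

# Message-table codes that appear unexpanded in the event data.
$codes = @{ '%%14592' = 'Inbound';        '%%14593' = 'Outbound'
            '%%14610' = 'Receive/Accept'; '%%14611' = 'Connect' }
function Expand-Code($v) { if ($v -and $codes.ContainsKey($v)) { $codes[$v] } else { $v } }

# 1. Pull recent WFP block events and flatten their EventData fields.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152, 5157 } `
                       -MaxEvents 2000 -ErrorAction SilentlyContinue
$rows = foreach ($e in $events) {
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    New-Object PSObject -Property @{
        Time       = $e.TimeCreated
        EventId    = $e.Id
        Direction  = Expand-Code $d.Direction
        Layer      = Expand-Code $d.LayerName
        Src        = '{0}:{1}' -f $d.SourceAddress, $d.SourcePort
        Dst        = '{0}:{1}' -f $d.DestAddress, $d.DestPort
        Protocol   = $d.Protocol          # 6 = TCP, 17 = UDP
        FilterRTID = $d.FilterRTID
    }
}

# 2. Which filter / direction / destination combinations account for the drops?
$rows | Group-Object FilterRTID, Direction, Layer, Dst |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

# 3. Dump the live WFP filters and resolve each FilterRTID seen in the events.
$dump = Join-Path $env:TEMP 'wfp-filters.xml'   # hypothetical output path
netsh wfp show filters "file=$dump" | Out-Null
$doc = New-Object System.Xml.XmlDocument
$doc.Load($dump)
function Get-Text($node, $path) {
    $hit = $node.SelectSingleNode($path)
    if ($hit) { $hit.InnerText } else { '' }
}
foreach ($id in ($rows | Select-Object -ExpandProperty FilterRTID -Unique)) {
    foreach ($f in $doc.SelectNodes("//item[filterId='$id']")) {
        New-Object PSObject -Property @{
            FilterId = $id
            Name     = Get-Text $f 'displayData/name'
            Layer    = Get-Text $f 'layerKey'
            Action   = Get-Text $f 'action/type'
        }
    }
}
```

FilterRTID is a run-time id, so the filter dump has to be taken while the block events are still being logged; an id from an earlier boot may no longer match any filter.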
