Ports blocked but firewall is disabled on Server 2003 with EventID 861

-

i seeing following events multiple executables  indicating firewall blocking executables on 2003 servers, have firewall set off in control panel.  firewall service still started should not blocking understand??

event type: failure audit
event source: security
event category: detailed tracking
event id: 861
date:  8/17/2009
time:  2:20:02 pm
user:  nt authority\system
computer: xxxxxx
description:
the windows firewall has detected application listening incoming traffic.
 
name: -
path: c:\windows\system32\lsass.exe
process identifier: 456
user account: system
user domain: nt authority
service: yes
rpc server: no
ip version: ipv4
ip protocol: udp
port number: 3715
allowed: no
user notified: no

for more information, see , support center @ http://go.microsoft.com/fwlink/events.asp.

event type: failure audit
event source: security
event category: detailed tracking
event id: 861
date:  8/17/2009
time:  2:20:10 pm
user:  xxxxx
computer: xxxx
description:
the windows firewall has detected application listening incoming traffic.
 
name: -
path: c:\program files\ibm\director\bin\twgsrvw.exe
process identifier: 5996
user account: xxxxx
user domain: xxxx
service: yes
rpc server: no
ip version: ipv4
ip protocol: udp
port number: 3719
allowed: no
user notified: no

for more information, see , support center @ http://go.microsoft.com/fwlink/events.asp.

hi,

 

from article below, can find:

http://technet.microsoft.com/en-us/library/cc737845(ws.10).aspx#bkmk_log

 

security log entries

windows firewall writes entries security log when computer started , when program or system service attempts listen unsolicited incoming traffic blocked. these entries provide information status , configuration of windows firewall, including information applications , ports permit traffic through windows firewall. these entries provide information ports , protocols program or system services trying use can configure necessary exceptions in windows firewall. these security log entries viewed event viewer, can filter entries event ids. event ids associated windows firewall in range of 848 through 861.

note:

windows firewall events written event log time windows firewall/internet connection sharing service running, if windows firewall turned off (disabled).

 

when firewall turned off, program not blocked entries still written in event log.

 

thanks.

this posting provided "as is" no warranties, , confers no rights.


Windows Server  >  Security



Comments

Post a Comment

Popular posts from this blog

Error: 0x80073701 when trying to add Print Services Role in Windows 2012 Standard

-
hello, i'm getting error when trying add print services role in windows 2012 standard. i'm getting same error whether use gui or powershell. this new server install. the powershell error follows: add-windowsfeature : request add or remove features on specified server failed. installation of 1 or more roles, role services, or features failed. the referenced assembly not found. error: 0x80073701 at line:1 char:1 + add-windowsfeature print-services + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~     + categoryinfo          : invalidoperation: (@{vhd=; credent...name=localhost}:psobject) [install-windowsfeature],     exception     + fullyqualifiederrorid : dismapi_error__failed_to_enable_updates,microsoft.windows.servermanager.commands.addwind    owsfeaturecommand success restart needed exit code      feature result ------- -------------- ---------      -------------- false   no             failed         {} issue appreciated. hi, i think should st
Read more

Disconnecting from a Windows Server 2012 R2 file sharing session on a Windows 7,8,10 machine

-
i've been trying disconnect server while , haven't been able to. there quick way this? i've used net session , net user , work sometime never consistent. can task? hi yrusad, thanks post. does work when check “computer management > system tools > shared folders > open files/sessions”. directly manage from gui. and based on knowledge, quick way mentioned net session /delete /y. mean never consistent? best regards, mary please remember mark replies answers if , unmark them if provide no help. if have feedback technet subscriber support, contact tnmff@microsoft.com . Windows Server  >  Windows Server 2012 General
Read more

Event ID 64,77,1008 Certificates Events Windows Server 2008, 2008R2

-
hi guys, i need event ids. event id 64 clear - expired certificate. problem computers have new certificate ca of them keep old one. can remove them certificate store on computers or should check before? event id 77 - 1 strange me. warning , in same time don't see suspicious: "windows default" policy module logged following warning: active directory connection <domain controller name> has been reestablished <domain controller name>. have 4 dcs. should check or ignore these messages. event id 1008 - "certificate services client: credential roaming not performed because number of tokens in local store has exceeded limit." - i've checked articles credential roaming i'm not sure should do. if give tips , answers, great. in advance. hi, event id 64 clear - expired certificate. problem computers have new certificate ca of them keep old one. can remove them certificate store on computers or should check before? i assume these
Read more