Event log
Auditing Security Events Best practices
Recommended Audit Policies by Operating System
More details on each setting:
Advanced Security Audit Policy Settings
Disabling Event 5156
Event ID 5156 is logged when Success or Failure auditing is enabled for the Filtering Platform Connection setting in Advanced Audit Policy Configuration, which is available in Windows 2008 R2 and later versions.
Category: Object Access
Subcategory: Filtering Platform Connection
The following Event IDs are logged when Filtering Platform Connection auditing is enabled:
5031 - The Windows Firewall Service blocked an application from accepting incoming connections on the network.
5154 - The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
5155 - The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
5156 - The Windows Filtering Platform has allowed a connection.
5157 - The Windows Filtering Platform has blocked a connection.
5158 - The Windows Filtering Platform has permitted a bind to a local port.
5159 - The Windows Filtering Platform has blocked a bind to a local port.
To stop this event, disable the audit policy setting Filtering Platform Connection in Advanced Audit Policy Configuration. This can be done in the following ways.
Possible Solution: 1 - using Auditpol.exe
To get rid of the Filtering Platform Connection event 5156, run the following command in an elevated command prompt (Run As Administrator):
Auditpol /set /subcategory:"Filtering Platform Connection" /Success:disable
Then update Group Policy with this command:
gpupdate /force
Possible Solution: 2 - using Local Security Policy
You can also disable Filtering Platform Connection in Advanced Audit Policy Configuration of Local Security Policy.
1. Press the keys Windows + R.
2. Type the command secpol.msc and click OK.
3. Go to the node Advanced Audit Policy Configuration -> Object Access.
4. Check the audit setting Audit Filtering Platform Connection. If it is configured as Success, revert it to Not Configured and apply the setting.
Possible Solution: 3 - using Group Policy Object
If the setting is inherited by Local Security Policy from another GPO, you need to edit the specific GPO that is configured with the setting Audit Filtering Platform Connection. You can find the GPO by running Resultant Set of Policy.
1. Press the keys Windows + R.
2. Type the command rsop.msc and click OK.
3. The result window opens. Go to the node Computer Configuration -> Windows Settings -> Local Policies -> Audit Policy.
4. You can now see the Source GPO of the setting Audit Object Access, which is the root setting for Audit Filtering Platform Connection.
5. Edit the Audit Filtering Platform Connection setting of the corresponding GPO by running the GPMC.msc command from the Run window or a command window.
Note: You need to run the command gpupdate /force after every change to apply Group Policy to the system immediately.
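The script below is an added example, not part of the original page. It applies Solution 1 from an elevated PowerShell session, then checks whether the change survives gpupdate, which tells you whether Solution 3 (editing the source GPO) is needed. The backup file path, the 30-second wait and the function name Get-SubcategorySetting are assumptions made for illustration, and the subcategory name assumes an English-language system.

```powershell
# Added example. Assumes: elevated PowerShell, English subcategory names,
# and a backup path chosen here for illustration.
$sub    = 'Filtering Platform Connection'
$backup = Join-Path $env:TEMP 'auditpol-before-5156.csv'   # assumed path

function Get-SubcategorySetting {
    param([string]$Name)
    # /r prints the effective policy as CSV. 'Inclusion Setting' is one of
    # 'No Auditing', 'Success', 'Failure', 'Success and Failure'.
    $rows = auditpol /get /subcategory:"$Name" /r |
            Where-Object { $_ } | ConvertFrom-Csv
    ($rows | Where-Object { $_.Subcategory -eq $Name }).'Inclusion Setting'
}

# 1. Record the current state so the change can be reverted with
#    auditpol /restore /file:<path>.
$before = Get-SubcategorySetting $sub
auditpol /backup "/file:$backup" | Out-Null

# 2. Disable Success auditing only (the command from Solution 1).
#    Failure auditing for the subcategory is left unchanged.
auditpol /set /subcategory:"$sub" /success:disable | Out-Null
$changedAt = Get-Date

# 3. Refresh Group Policy, then read the effective setting again.
gpupdate /force | Out-Null
$after = Get-SubcategorySetting $sub

if ($after -match 'Success') {
    # A GPO put the setting back: locate it with rsop.msc and edit it in
    # GPMC, as described in Solution 3.
    Write-Warning "Setting is '$after' after gpupdate; a GPO is reapplying it."
} else {
    Write-Output "Setting changed from '$before' to '$after'."
}

# 4. Confirm that no new 5156 events are written after the change.
Start-Sleep -Seconds 30   # assumed observation window
$new = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 5156; StartTime = $changedAt
} -ErrorAction SilentlyContinue
Write-Output "5156 events since the change: $(@($new).Count)"
```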