Audit Failures 1

Status
Not open for further replies.

stduc

Programmer
Nov 26, 2002
1,903
GB
Are these anything to worry about?

Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 02/11/2006
Time: 09:19:02
User: NT AUTHORITY\SYSTEM
Computer: ATHLON
Description:
The Windows Firewall has detected an application listening for incoming traffic.

Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1136
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 68
Allowed: No
User notified: No

For more information, see Help and Support Center at
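As an added example (not code from this thread or from Microsoft), the PowerShell below parses the field list of an event 861 description into an object and checks the listener against a small, constructed baseline of listeners expected on a default XP workstation. UDP/68 is the DHCP client port, which the DHCP client service hosted in svchost.exe binds, so the event pasted above is flagged as expected; anything not in the baseline is reported for review. The function names and the baseline entries are the editor's own, and the script assumes PowerShell 3.0 or later.

```powershell
# Added example, not from the thread: triage an event ID 861 description.
# The sample event text below is copied from the post; the baseline is constructed.

$Sample861 = @'
The Windows Firewall has detected an application listening for incoming traffic.

Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1136
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 68
Allowed: No
User notified: No
'@

# Turn the "Field: value" lines of an 861 description into an object.
function ConvertFrom-Event861 {
    param([Parameter(Mandatory)][string]$Description)
    $fields = @{}
    foreach ($line in ($Description -split "`r?`n")) {
        # First colon separates the field name; the rest (e.g. C:\...) is the value.
        if ($line -match '^\s*([^:]+):\s*(.*)$') {
            $fields[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    [pscustomobject]@{
        Path      = $fields['Path']
        ProcessId = [int]$fields['Process identifier']
        Account   = "$($fields['User domain'])\$($fields['User account'])"
        Protocol  = $fields['IP protocol'].ToUpper()
        Port      = [int]$fields['Port number']
        IsService = ($fields['Service'] -eq 'Yes')
    }
}

# Constructed baseline of listeners expected on a default XP workstation.
# UDP/68 is the DHCP client port bound by the DHCP client service inside svchost.exe.
# Extend this list only with listeners verified on your own build.
$ExpectedListeners = @(
    @{ Path = 'C:\WINDOWS\system32\svchost.exe'; Protocol = 'UDP'; Port = 68
       Account = 'NT AUTHORITY\SYSTEM'; Note = 'DHCP client' }
)

# Report whether a parsed 861 event matches the baseline.
function Test-Event861 {
    param([Parameter(Mandatory)]$Listener)
    $match = $ExpectedListeners | Where-Object {
        $_.Path -eq $Listener.Path -and $_.Protocol -eq $Listener.Protocol -and
        $_.Port -eq $Listener.Port -and $_.Account -eq $Listener.Account
    }
    if ($match) {
        "Expected listener ($($match.Note)): $($Listener.Path) $($Listener.Protocol)/$($Listener.Port)"
    } else {
        "REVIEW: unexpected listener $($Listener.Path) $($Listener.Protocol)/$($Listener.Port) as $($Listener.Account)"
    }
}

$parsed = ConvertFrom-Event861 -Description $Sample861
Test-Event861 -Listener $parsed
```

On a live machine the same functions can be run over the real log with `Get-EventLog -LogName Security -InstanceId 861 | ForEach-Object { Test-Event861 -Listener (ConvertFrom-Event861 -Description $_.Message) }`, which turns the flood of 861 events into a short list of listeners that are not already known.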
 
Have you knowingly got a DHCP server running on the machine (eg as part of ICS?)

John
 
From Eventid.net:

Istvan Soltesz (Last update 5/23/2005):
I have had the same problem on a Windows XP installation. However, I found the solution recommended by Peter Colsch too tough. Windows XP uses the same service for the firewall and for the Internet Connection Sharing as well. Stopping and disabling this service means the ICS will not operate at all. In addition, the real reason for this 861 event flood is not solved. The Firewall/ICS service can be run even if the firewall is switched off by the appropriate Control Panel applet. This has nothing to do with the event flood in reality.
The real reason hides in the audit policy settings. In the installation I am using, the audit policy was set for the default settings. A couple of days ago I entered the computer into a domain. The domain policy however had a different audit policy setting. The "Audit Process Tracking" was switched on to "Failure" to record everything in the case of a failure. From the moment I made my installation a member of that domain, the event log was dumped with tons of events 861 saying "The Windows Firewall has detected an application listening for incoming traffic". The incoming traffic was in most of the cases the Local Security Authority Service (lsass.exe), sometimes the SQL Manager (sqlmangr.exe) or the svchost itself. It does not matter "who" that guy making this incoming traffic is; it was not significant. The only solution to eliminate this event flood was to switch off the "Audit Process Tracking" audit policy in the domain. It means I have set its value back to the default setting.

Peter Colsch (Last update 9/28/2004):
Even though Windows XP firewall is "turned off", the service is still running. If your security auditing policy includes auditing of failures for "audit process tracking", your security event logs will be filling up quickly. If you want the events to go away, the only solutions I have found so far are to turn off the auditing or to stop the Windows Firewall/ICS service. Go to Start -> Run -> services.msc. Find Windows Firewall in the list, double-click on it, set "Startup type" to "Disabled", and press Stop if it is running.


____________________________
Users Helping Users
 
These are the Default Audit Settings recommended by Microsoft.

To enable auditing on a computer running Windows Server 2003, Windows XP, or Windows 2000

Open the Control Panel.
In Control Panel, double-click Administrative Tools, and then click Local Security Policy.
In Local Security Settings, double-click Local Policies, double-click Audit Policy, and then click the events that you want to audit. We recommend that you audit the following events:

Audit account logon events (Success, Failure)

Audit account management (Success, Failure)

Audit directory service access (Failure)

Audit logon events (Success, Failure)

Audit object access (Failure)

Audit policy change (Success, Failure)

Audit system events (Success, Failure)

The other options, including Audit Process Tracking, are set to "No Auditing".
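As an added example (not from this thread or from Microsoft), the PowerShell below checks a machine's effective audit policy against the recommended defaults listed above, which is the quickest way to confirm the domain-policy cause described by Istvan Soltesz. It reads the [Event Audit] section of a `secedit /export` INF file, where each category is a bitmask (0 = No Auditing, 1 = Success, 2 = Failure, 3 = Success and Failure), and lists every category that deviates from the baseline. The INF text embedded here is constructed to look like a domain-joined box with process tracking set to Failure; the function names are the editor's own, and the script assumes PowerShell 3.0 or later.

```powershell
# Added example, not from the thread: compare audit policy against the recommended defaults.
# $SampleInf is constructed; on a real machine it comes from "secedit /export".

$SampleInf = @'
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPrivilegeUse = 0
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 2
AuditDSAccess = 2
AuditAccountLogon = 3
[Version]
signature="$CHICAGO$"
Revision=1
'@

# secedit encodes each category as a bitmask: 0 = none, 1 = success, 2 = failure, 3 = both.
$AuditValue = @{ 0 = 'No Auditing'; 1 = 'Success'; 2 = 'Failure'; 3 = 'Success, Failure' }

# Recommended defaults from the post, keyed by the secedit category name.
$Baseline = @{
    AuditAccountLogon    = 3   # Audit account logon events (Success, Failure)
    AuditAccountManage   = 3   # Audit account management (Success, Failure)
    AuditDSAccess        = 2   # Audit directory service access (Failure)
    AuditLogonEvents     = 3   # Audit logon events (Success, Failure)
    AuditObjectAccess    = 2   # Audit object access (Failure)
    AuditPolicyChange    = 3   # Audit policy change (Success, Failure)
    AuditSystemEvents    = 3   # Audit system events (Success, Failure)
    AuditPrivilegeUse    = 0   # No Auditing
    AuditProcessTracking = 0   # No Auditing (the setting that causes the 861 flood when changed)
}

# Parse only the [Event Audit] section of a secedit export into a name -> value hashtable.
function ConvertFrom-SeceditAudit {
    param([Parameter(Mandatory)][string]$InfText)
    $settings  = @{}
    $inSection = $false
    foreach ($line in ($InfText -split "`r?`n")) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($matches[1] -eq 'Event Audit'); continue }
        if ($inSection -and $line -match '^\s*(Audit\w+)\s*=\s*(\d+)\s*$') {
            $settings[$matches[1]] = [int]$matches[2]
        }
    }
    $settings
}

# Emit one row per category showing expected vs. actual; a missing key counts as No Auditing.
function Compare-AuditPolicy {
    param([Parameter(Mandatory)][hashtable]$Current)
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $expected = $Baseline[$name]
        $actual   = if ($Current.ContainsKey($name)) { $Current[$name] } else { 0 }
        [pscustomobject]@{
            Setting  = $name
            Expected = $AuditValue[$expected]
            Actual   = $AuditValue[$actual]
            Matches  = ($expected -eq $actual)
        }
    }
}

$current = ConvertFrom-SeceditAudit -InfText $SampleInf
Compare-AuditPolicy -Current $current | Where-Object { -not $_.Matches } | Format-Table -AutoSize
```

With the constructed sample the only row reported is AuditProcessTracking (expected "No Auditing", actual "Failure"). On a real workstation, export the effective policy with `secedit /export /cfg audit.inf /areas SECURITYPOLICY` and feed the file in with `ConvertFrom-SeceditAudit -InfText (Get-Content audit.inf -Raw)`; if the deviation appears only after joining a domain, the fix belongs in the domain GPO rather than in the firewall service.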

 