Windows Filtering Platform Audit Noise

Did you know that Windows Server 2008 and 2008 R2, as well as Vista can pump out just as many audit logs as your standard hardware firewall. I can understand some audit trails for file access and user account changes but every single TCP and UPD connection is a little over considering windows is already logging this in the firewall log. If your tracking down security issue on you network and you have an SIM trying to correlate all these logs then most of these additional logs are just noise.

There are a couple of ways of dealing with this little issue, the one machine at a time or the GPO. For me the Group Policy option is a must as I don;t have time to go through every server and every workstation that might have these audit logs turned on. The main one I want to focus on is called the “Audit Filtering Platform Connection”

After much searching on the internet I found a pretty good blog that pointed me in the right direction:

computer configuration –> policies –> windows settings –> security settings –> advanced audit policy configuration –> audit policies –> object access. Then double-click “Audit Filtering Platform Connection” and check only the box next to “configure the following audit events.” DO NOT CLICK THE OTHER TWO BOXES. Repeat for “Audit Filtering Platform Packet Drop”

For the one system solution use these command line options:

auditpol /set /subcategory:”Filtering Platform Packet Drop” /success:disable /failure:disable
auditpol /set /subcategory:”Filtering Platform Connection” /success:disable /failure:disable

References:
http://msdn.microsoft.com/en-us/library/bb309058(VS.85).aspx
http://actualreverend.blogspot.com/2010/11/windows-auditing-can-be-annoying-shut.html

Advertisements

About Paul Cardelli, CISSP
Cyber Security Analyst, and computer guru

3 Responses to Windows Filtering Platform Audit Noise

  1. Fredrik says:

    Hmm I cant find “advanced audit policy configuration” in your path “computer configuration –> policies –> windows settings –> security settings –> advanced audit policy configuration –> audit policies –> object access. Then double-click “Audit Filtering Platform Connection”” Any suggestions were? I’m the GPO i my 2008 R2 SBS server.

  2. Milan B says:

    This setting can be very tricky if you have migrated from w2k3 to w2k8 domain, because if you have not set auditing policies through advanced audit policy configuration but are still using old audit GPO settings, and you just turn off Windows Filtering Platform auditing, you will actually turn auditing off completely. More about this at:
    http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx

  3. Utpal Mondal says:

    Can you please tel me, if this can be done from 2003 Active Directory. Currently my 2008 server is in 2003 DC. Because if I do it locally in 2008 server, then domain policy will re-write the audit policy.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: