Customer issue summary:
The customer reports a large number of security log events with ID 5152 on a domain controller, almost 3 per second, and asks for the relevant checks.
The log entries look like this:
The Windows Filtering Platform has blocked a packet.
Application Information:
Process ID: 0
Application Name: -
Network Information:
Direction: Inbound
Source Address: 0.0.0.0
Source Port: 68
Destination Address: 255.255.255.255
Destination Port: 67
Protocol: 17
Filter Information:
Filter Run-Time ID: 437032
Layer Name: Transport
Layer Run-Time ID: 13
Resolution:
Analysis of the log shows that this is a Windows Firewall (Windows Filtering Platform) audit event. Judging from the source and destination ports and the WFP layer filter information, the dropped packets are most likely DHCP broadcast traffic, and the customer has enabled WFP filtering audit logging. Simply turning off this audit logging resolves the issue.
Example:
Use the following commands to turn off this logging:
auditpol /set /category:"system" /subCategory:"Filtering Platform Connection" /Failure:Disable
auditpol /set /category:"system" /subCategory:"Filtering Platform Packet Drop" /Failure:Disable
Then run gpupdate /force to refresh Group Policy.
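As an added triage example (not part of the original support note), the following Python script parses the body text of several 5152 events, which are constructed sample data here, and separates the DHCP broadcast pattern shown above (UDP 0.0.0.0:68 to 255.255.255.255:67) from any other packet drops, so that an administrator can confirm the flood really is DHCP noise before disabling the Filtering Platform Packet Drop audit subcategory.

```python
import re
from collections import Counter

# Network fields of a 5152 event body as rendered by Event Viewer
FIELD_RE = re.compile(
    r"^\s*(Direction|Source Address|Source Port|Destination Address|"
    r"Destination Port|Protocol|Layer Run-Time ID):\s*(\S+)", re.M)

def parse_5152(body):
    """Return the network fields of one 5152 event body as a dict."""
    return dict(FIELD_RE.findall(body))

def is_dhcp_broadcast(ev):
    """Match the pattern from the note: inbound UDP from 0.0.0.0:68 to 255.255.255.255:67,
    i.e. a DHCP DISCOVER/REQUEST broadcast from a client with no address yet."""
    return (ev.get("Protocol") == "17" and ev.get("Direction") == "Inbound"
            and ev.get("Source Address") == "0.0.0.0" and ev.get("Source Port") == "68"
            and ev.get("Destination Address") == "255.255.255.255"
            and ev.get("Destination Port") == "67")

def triage(bodies):
    """Count DHCP-broadcast drops vs everything else.
    Returns (dhcp_count, Counter keyed by (direction, src, dst port, proto))."""
    dhcp, other = 0, Counter()
    for body in bodies:
        ev = parse_5152(body)
        if is_dhcp_broadcast(ev):
            dhcp += 1
        else:
            other[(ev.get("Direction"), ev.get("Source Address"),
                   ev.get("Destination Port"), ev.get("Protocol"))] += 1
    return dhcp, other

# Constructed sample event bodies: two DHCP broadcasts and one unrelated drop
_DHCP = ("The Windows Filtering Platform has blocked a packet.\nProcess ID: 0\n"
         "Application Name: -\nDirection: Inbound\nSource Address: 0.0.0.0\n"
         "Source Port: 68\nDestination Address: 255.255.255.255\nDestination Port: 67\n"
         "Protocol: 17\nFilter Run-Time ID: 437032\nLayer Name: Transport\nLayer Run-Time ID: 13\n")
_OTHER = ("The Windows Filtering Platform has blocked a packet.\nProcess ID: 0\n"
          "Application Name: -\nDirection: Inbound\nSource Address: 192.0.2.10\n"
          "Source Port: 51000\nDestination Address: 192.0.2.1\nDestination Port: 3389\n"
          "Protocol: 6\nFilter Run-Time ID: 437032\nLayer Name: Transport\nLayer Run-Time ID: 13\n")
SAMPLE_EVENTS = [_DHCP, _DHCP, _OTHER]

if __name__ == "__main__":
    dhcp_count, others = triage(SAMPLE_EVENTS)
    print(f"DHCP broadcast drops: {dhcp_count}")
    for key, n in others.most_common():
        print(f"other drop {key}: {n}")
```

If the "other" counter stays empty over a representative export, the 5152 flood is purely DHCP broadcast noise and the audit subcategory can be disabled as described; any other entries deserve a look first.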