Saturday, February 23, 2013

Resolve issue with multiple Event ID 5152 and 5157 appearing in the security event log

Applies to
Windows Server 2008

Security Event IDs
5152
5157

Resolution
Install the Hotfix, and / or
Disable auditing

Hotfix
http://support.microsoft.com/kb/2654852

Disable auditing
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
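Before switching both subcategories off, it is worth knowing what is actually producing the noise, because these two subcategories are also the Security-log record of every other packet and connection WFP blocks. The following is an added example, not part of the original post: it shows the current state of the two subcategories and then groups recent 5152/5157 events by filter, application and destination port, parsing the same message fields shown in the sample entries below. It assumes an elevated prompt and PowerShell 2.0 or later (an optional install on Windows Server 2008) for Get-WinEvent.

```powershell
# Added example (not from the original post). Assumes an elevated PowerShell 2.0+
# prompt on the server that is logging the events.

# What the post's two /set commands change: show the current setting first
auditpol /get /subcategory:"Filtering Platform Packet Drop"
auditpol /get /subcategory:"Filtering Platform Connection"

# Pull the most recent 5152/5157 events from the Security log
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152, 5157 } `
                       -MaxEvents 2000 -ErrorAction SilentlyContinue

function Get-Field($message, $label) {
    # Message lines look like "    Filter Run-Time ID:    65695" (label, colon, whitespace, value)
    if ($message -match ("(?m)^\s*" + [regex]::Escape($label) + ":\s+(\S+)")) { $matches[1] } else { $null }
}

# One row per event with the fields that identify the source of the noise
$summary = $events | ForEach-Object {
    New-Object PSObject -Property @{
        Id       = $_.Id
        App      = Get-Field $_.Message 'Application Name'
        DestPort = Get-Field $_.Message 'Destination Port'
        FilterId = Get-Field $_.Message 'Filter Run-Time ID'
    }
} | Group-Object Id, FilterId, App, DestPort | Sort-Object Count -Descending

# Largest groups first: Name is "Id, FilterId, App, DestPort"
$summary | Select-Object Count, Name | Format-Table -AutoSize
```

If one Filter Run-Time ID dominates the output (the sample entries in this post both show 65695), the problem is a single filter rather than auditing as such; `netsh wfp show filters` writes the current filter set to an XML file in which that ID can be looked up, which lets you correct the rule and keep the audit categories enabled.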

Audit policy categories and sub categories
Account Logon
  Credential Validation
  Kerberos Service Ticket Operations
  Other Account Logon Events
  Kerberos Authentication Service

Account Management
  User Account Management
  Computer Account Management
  Security Group Management
  Distribution Group Management
  Application Group Management
  Other Account Management Events

Detailed Tracking
  Process Creation
  Process Termination
  DPAPI Activity
  RPC Events

DS Access
  Directory Service Access
  Directory Service Changes
  Directory Service Replication
  Detailed Directory Service Replication

Logon/Logoff
  Logon
  Logoff
  Account Lockout
  IPsec Main Mode
  IPsec Quick Mode
  IPsec Extended Mode
  Special Logon
  Other Logon/Logoff Events
  Network Policy Server

Object Access
  File System
  Registry
  Kernel Object
  SAM
  Certification Services
  Application Generated
  Handle Manipulation
  File Share
  Filtering Platform Packet Drop
  Filtering Platform Connection
  Other Object Access Events
  Detailed File Share

Policy Change
  Audit Policy Change
  Authentication Policy Change
  Authorization Policy Change
  MPSSVC Rule-Level Policy Change
  Filtering Platform Policy Change
  Other Policy Change Events

Privilege Use
  Sensitive Privilege Use
  Non Sensitive Privilege Use
  Other Privilege Use Events

System
  Security State Change
  Security System Extension
  System Integrity
  IPsec Driver
  Other System Events


Event Log Entries
Event ID 5152
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          2/23/2013 2:14:50 PM
Event ID:      5152
Task Category: Filtering Platform Packet Drop
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      (Computer Name)
Description:
The Windows Filtering Platform has blocked a packet.

Application Information:
    Process ID:        928
    Application Name:    \device\harddiskvolume1\windows\system32\svchost.exe

Network Information:
    Direction:        Inbound
    Source Address:        (IP Address)
    Source Port:        59663
    Destination Address:    (IP Address)
    Destination Port:        3388
    Protocol:        6

Filter Information:
    Filter Run-Time ID:    65695
    Layer Name:        Receive/Accept
    Layer Run-Time ID:    44

Event ID 5157
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          2/23/2013 2:14:50 PM
Event ID:      5157
Task Category: Filtering Platform Connection
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      (Computer Name)
Description:
The Windows Filtering Platform has blocked a connection.

Application Information:
    Process ID:        928
    Application Name:    \device\harddiskvolume1\windows\system32\svchost.exe

Network Information:
    Direction:        Inbound
    Source Address:        (IP Address)
    Source Port:        3388
    Destination Address:    (IP Address)
    Destination Port:        59663
    Protocol:        0

Filter Information:
    Filter Run-Time ID:    65695
    Layer Name:        Receive/Accept
    Layer Run-Time ID:    44


Install the LDR branch of a patch

Uninstall existing patch
If the patch is already installed, it must be uninstalled first
PatchFilename.MSU /uninstall

Expand the patch
expand.exe -f:* "PatchFilename.MSU" "."

Install the LDR branch of the patch
Dism.exe /Online /Add-Package /PackagePath:"update-bf.mum"

The "update-bf.mum" file name is the same across "all" patches
The "-bf" suffix is significant; it indicates installation of the LDR branch

Verify the patched file
Verification varies by OS
Look at the properties of one of the files updated by the patch

LDR vs GDR
GDR is "basic functionality"
LDR includes basic patch + additional functionality
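The four steps above as one script. This is an added example, not code from the original post: it assumes an elevated PowerShell prompt on the target server, that `$Msu` and `$VerifyFile` are changed to the real hotfix and to a file that hotfix actually ships, and that the 1xxxx/2xxxx fourth-version-field rule (a common heuristic for Vista/2008/7-era binaries, not something the post states) is a reasonable way to tell the branches apart; "verification varies by OS" still applies.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell prompt.
$Msu        = 'C:\Hotfix\PatchFilename.msu'                  # hypothetical path to the downloaded .MSU
$Work       = Join-Path (Split-Path $Msu -Parent) 'expanded'
$VerifyFile = "$env:windir\System32\drivers\tcpip.sys"       # hypothetical: any binary the hotfix updates
$sys32      = "$env:windir\System32"

# 1. Uninstall the existing (GDR) installation of the same patch, if present.
#    wusa.exe is what actually runs when a .MSU is launched with /uninstall.
& "$sys32\wusa.exe" $Msu /uninstall /quiet /norestart
Write-Host "wusa exit code: $LASTEXITCODE (non-zero usually means it was not installed)"

# 2. Expand the .MSU into its .cab, .mum and .xml parts (same expand.exe call as the post).
New-Item -ItemType Directory -Force -Path $Work | Out-Null
& "$sys32\expand.exe" -f:* $Msu $Work | Out-Null

# 3. Install the LDR branch by pointing DISM at the -bf manifest.
$bf = Join-Path $Work 'update-bf.mum'
if (-not (Test-Path $bf)) { throw "update-bf.mum not found under $Work; this .MSU may not carry an LDR branch" }
& "$sys32\dism.exe" /Online /Add-Package "/PackagePath:$bf" /NoRestart
Write-Host "dism exit code: $LASTEXITCODE (3010 = installed, reboot pending)"

# 4. Verify which branch is on disk from the file version,
#    e.g. 6.0.6002.18005 (GDR, 1xxxx) versus 6.0.6002.22xxx (LDR, 2xxxx).
$ver = (Get-Item $VerifyFile).VersionInfo.FileVersion
if ($ver -match '^\d+\.\d+\.\d+\.(\d+)') {
    $branch = if ([int]$matches[1] -ge 20000) { 'LDR' } else { 'GDR' }
    Write-Host ("{0}: {1} ({2} branch)" -f $VerifyFile, $ver, $branch)
} else {
    Write-Host "Could not parse a version from '$ver'; check the file properties by hand"
}
```

On Vista and the original Windows Server 2008, which ship without DISM, the equivalent of step 3 is `pkgmgr.exe /ip /m:<path to update-bf.mum>`.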

How to capture a video of what is happening on your screen


Use Community Clips, which uses Windows Media Encoder 9

http://blogs.msdn.com/b/devschool/archive/2011/03/07/community-clips-one-of-the-best-and-easiest-free-video-screen-capture-available.aspx

Installation and execution places an icon in your system tray

It is extremely easy to use: select Start Recording to start recording. When complete, press Stop, save the file, and you're all set. It really is as easy as that. No additional configuration is necessary.

Tuesday, February 19, 2013

Citrix users are not able to connect due to certificate issue

RDP configured with a server certificate

Certificate authority no longer available (was on an internal server that was powered off)

ICA users experience connectivity issues

ICA settings are "grayed out"

ICA inherits RDP settings

RDP is set to auto-negotiate; users with issues are auto-negotiating to TLS with an invalid certificate

Fixes:
  • In TSCC.MSC / TSCONFIG.MSC, change RDP to use RDP encryption, do not negotiate. The settings are inherited by ICA connections
  • Fix the certificate issue

Disable Hibernation and delete the hiberfil.sys file on Vista and Windows 7


Open an administrative command prompt

Issue the command
powercfg -h off

This should disable hibernation and delete the hiberfil.sys file



Friday, February 1, 2013

Determine which Remote Desktop Gateway server a user is connected to using the client's IP address

Determine the client's IP address
End user may need to Google search for "What is my IP address" to determine their Internet IP address

Download PSEXEC.EXE
http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

Create and populate a SERVERS.TXT file
Create a file named SERVERS.TXT and add the server names of your Remote Desktop Gateway servers


Place PSEXEC.EXE, SERVERS.TXT, and the following script in the same folder

@echo off
rem Run "netstat -n" on every RD Gateway listed in servers.txt (one server name per line)
rem and save each result as NETSTAT-<server>.TXT in the current folder.

for /f %%x in (servers.txt) do (
   echo.
   echo.
   echo.
   echo Current target: %%x
   rem -w sets the remote working directory; the redirect captures netstat's output locally
   PSEXEC.exe \\%%x -w C:\windows\system32 netstat -n>NETSTAT-%%x.TXT
   )
pause

Run the script

Search the output files for the client's IP address
type netstat*.txt | find /i "client's IP address"
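The same procedure in PowerShell, with the search done as each server is queried, as an added example that is not part of the original post. It assumes PSEXEC.EXE and SERVERS.TXT are in the current folder, that the account running it is an administrator on every gateway, and that `$ClientIp` is replaced with the Internet IP the user reported. Unlike a plain `find /i` on the address, the match is anchored on the surrounding whitespace and the `:port` suffix, so an address such as 203.0.113.25 does not also match 203.0.113.250.

```powershell
# Added example, not from the original post. Assumes PSEXEC.EXE and SERVERS.TXT
# in the current folder and admin rights on each listed gateway.
$ClientIp = '203.0.113.25'   # constructed example value: replace with the user's Internet IP

# netstat -n lines look like "  TCP  10.0.0.5:443  203.0.113.25:51234  ESTABLISHED".
# Require whitespace before the address and ":port" after it, so a longer address cannot match.
$pattern = '\s' + [regex]::Escape($ClientIp) + ':\d+(\s|$)'

$hits = foreach ($line in Get-Content .\SERVERS.TXT) {
    $server = $line.Trim()
    if (-not $server) { continue }
    Write-Host "Current target: $server"

    # Same command as the batch file; psexec's own banner goes to stderr and is dropped
    $output = & .\PSEXEC.exe "\\$server" -w C:\Windows\System32 netstat -n 2>$null
    $output | Set-Content ".\NETSTAT-$server.TXT"     # keep the raw capture, as the original does

    foreach ($conn in ($output | Where-Object { $_ -match $pattern })) {
        $fields = -split $conn.Trim()                 # Proto, Local Address, Foreign Address, State
        New-Object PSObject -Property @{
            Server  = $server
            Local   = $fields[1]
            Foreign = $fields[2]
            State   = $fields[3]
        }
    }
}

if ($hits) { $hits | Format-Table Server, Local, Foreign, State -AutoSize }
else       { Write-Host "No connection from $ClientIp found on any server in SERVERS.TXT" }
```

The Local column shows which gateway listener the client reached, and State distinguishes a live session (ESTABLISHED) from a connection that is closing, which the original `find` output does not separate.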