JEAZ The bump and grind of daily SysAdmin life

1 Jun 11

The Windows Filtering Platform has blocked a bind to a local port.

I recently came across this problem while reviewing auditing logs on a Server 2008 SP2 machine - but to my surprise this was a false alarm.

The Windows Filtering Platform has blocked a bind to a local port.
Application Information:
Process ID:  976
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address:  fe80::58b4:5ea5:fc97:b422
Source Port:  546
Protocol:  17
Filter Information:
Filter Run-Time ID: 0
Layer Name:  Resource Assignment
Layer Run-Time ID: 38

As you can see, Filter Run-Time ID is equal to 0. Also, the layer name is Resource Assignment.

According to Biao Wang over on MSDN, this is a bug discovered in the Windows Filtering Platform:

http://social.msdn.microsoft.com/Forums/en-US/wfp/thread/774026e6-a771-418a-b531-22183ef399f8/

Also, this KB article details the symptoms, as well as a hotfix:

http://support.microsoft.com/kb/969257

The root cause is that the Windows Filtering Platform is still used by other parts of the OS, like IPSec, even when the firewall service is disabled. Furthermore, firewall filtering rules will still be in effect.

Many of us are accustomed to disabling the Windows Firewall service to disable the firewall, rather than going through firewall.cpl.

The easiest way to resolve this in our environment was to re-enable the Windows Firewall service, then run firewall.cpl, select "Turn Windows Firewall on or off" and click "Off (Not Recommended)".
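When reviewing many of these audit events, the signature noted above (Filter Run-Time ID 0 at the Resource Assignment layer) can be checked mechanically so that only the remaining blocks are looked at by hand. The Python below is an added example, not code from the original post; the function names are hypothetical and the second sample event is constructed.

```python
# Signature from the post: no real filter is named (run-time ID 0) and the
# event is raised at the Resource Assignment layer.
FALSE_ALARM_LAYER = "Resource Assignment"

# Event text as shown in the post.
EVENT_FROM_POST = r"""The Windows Filtering Platform has blocked a bind to a local port.
Application Information:
Process ID:  976
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address:  fe80::58b4:5ea5:fc97:b422
Source Port:  546
Protocol:  17
Filter Information:
Filter Run-Time ID: 0
Layer Name:  Resource Assignment
Layer Run-Time ID: 38"""

# Constructed sample: same layer, but a non-zero filter ID is named.
CONSTRUCTED_BLOCK = EVENT_FROM_POST.replace("Filter Run-Time ID: 0",
                                            "Filter Run-Time ID: 65921")

def parse_wfp_event(message):
    """Return the 'Key: value' fields of a WFP audit event message as a dict."""
    fields = {}
    for line in message.splitlines():
        # Split on the first colon only, so IPv6 addresses stay intact.
        key, sep, value = line.partition(":")
        value = value.strip()
        if sep and value:  # skips the headline and the section headers
            fields[key.strip()] = value
    return fields

def is_known_false_alarm(message):
    """True only when both fields match the signature described in the post."""
    fields = parse_wfp_event(message)
    try:
        filter_id = int(fields["Filter Run-Time ID"])
    except (KeyError, ValueError):
        return False  # missing or malformed field: leave for manual review
    return filter_id == 0 and fields.get("Layer Name") == FALSE_ALARM_LAYER

def needs_review(messages):
    """Return the events that do not match the false-alarm signature."""
    return [m for m in messages if not is_known_false_alarm(m)]

if __name__ == "__main__":
    for msg in needs_review([EVENT_FROM_POST, CONSTRUCTED_BLOCK]):
        f = parse_wfp_event(msg)
        print("review:", f["Application Name"], "filter", f["Filter Run-Time ID"])
```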