Robert Paresi said:
Hello,
The message I got was:
========
Logged: 5/18/2007 7:47:05 AM
Windows Firewall was unable to notify the user that it blocked an
application from accepting incoming connections on the network.
Error Code: 2
=======
But, the Firewall shows this:
2007-05-18 07:47:05 ALLOW UDP 10.0.0.117 10.0.0.1 123 123 0 - - - - - - - SEND
2007-05-18 07:47:05 ALLOW UDP 10.0.0.117 10.0.0.1 49200 53 0 - - - - - - - SEND
2007-05-18 07:47:05 ALLOW TCP 10.0.0.117 10.0.0.1 49181 445 0 - 0 0 0 - - - SEND
2007-05-18 07:47:05 ALLOW ICMP 10.0.0.117 10.0.0.1 - - 0 - - - - 8 0 - SEND
2007-05-18 07:47:05 ALLOW UDP 127.0.0.1 239.255.255.250 49201 3702 0 - - - - - - - RECEIVE
2007-05-18 07:47:05 ALLOW UDP ::1 ff02::c 49202 3702 0 - - - - - - - RECEIVE
As you can see, everything at that time didn't have any bad messages -
only ALLOW.
Yes, it would be true that you wouldn't see any outbound, since it was
blocked.
That's why you can use CurrPort to see if you can see something.
You can also turn on auditing, which is available on an NT-class O/S such as Vista and
has a lot of ways to audit things, like what objects or programs are
starting and ending. Use Google and look it up.
Advanced Security Settings
Enable Auditing on your Workstations
While this is a fairly normal practice for servers, it isn't usually
performed on workstations unless there is a high risk of data theft. Our
philosophy is that the time to fix the roof is before it starts to rain. By
selectively auditing a few key actions, you'll have a place to start
investigating theft or destruction of data if someone ever does compromise
your workstation. We recommend auditing the following actions:
Event                   Level of Auditing
Account logon events    Success, failure
Account management      Success, failure
Logon events            Success, failure
Object access           Success
Policy change           Success, failure
Privilege use           Success, failure
System events           Success, failure
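As an added example (not part of the original post), this parses Windows Firewall log lines in the W3C layout shown above and pulls out DROP entries within a few seconds of the event-log timestamp, which is the correlation the post is doing by eye. It assumes the standard "#Fields:" column order of pfirewall.log; the sample input is the six lines from the post plus one constructed DROP line so that the filter has something to match.

```python
"""Parse Windows Firewall (pfirewall.log, W3C extended) entries and
correlate them with an event-log timestamp."""
from datetime import datetime, timedelta

# Assumed default column order of the pfirewall.log "#Fields:" header;
# a real log carries the header itself and it takes precedence below.
DEFAULT_FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port "
                  "size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# Sample input: the six ALLOW lines from the post plus one constructed
# DROP line (not from the original log) showing what a blocked inbound looks like.
SAMPLE_LOG = """#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-05-18 07:47:05 ALLOW UDP 10.0.0.117 10.0.0.1 123 123 0 - - - - - - - SEND
2007-05-18 07:47:05 ALLOW UDP 10.0.0.117 10.0.0.1 49200 53 0 - - - - - - - SEND
2007-05-18 07:47:05 ALLOW TCP 10.0.0.117 10.0.0.1 49181 445 0 - 0 0 0 - - - SEND
2007-05-18 07:47:05 ALLOW ICMP 10.0.0.117 10.0.0.1 - - 0 - - - - 8 0 - SEND
2007-05-18 07:47:05 ALLOW UDP 127.0.0.1 239.255.255.250 49201 3702 0 - - - - - - - RECEIVE
2007-05-18 07:47:05 ALLOW UDP ::1 ff02::c 49202 3702 0 - - - - - - - RECEIVE
2007-05-18 07:47:03 DROP TCP 10.0.0.50 10.0.0.117 51234 445 48 S 0 0 0 - - - RECEIVE
"""

def parse_log(text):
    """Return one dict per log line, keyed by the header's field names."""
    fields = list(DEFAULT_FIELDS)
    entries = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # honour the log's own column order
            continue
        if not line or line.startswith("#"):
            continue  # other header/comment lines
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        entry = dict(zip(fields, parts))
        entry["ts"] = datetime.strptime(entry["date"] + " " + entry["time"],
                                        "%Y-%m-%d %H:%M:%S")
        entries.append(entry)
    return entries

def drops_near(entries, when, window_s=5):
    """DROP entries within +/- window_s seconds of an event-log timestamp."""
    when = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
    w = timedelta(seconds=window_s)
    return [e for e in entries if e["action"] == "DROP" and abs(e["ts"] - when) <= w]

if __name__ == "__main__":
    for e in drops_near(parse_log(SAMPLE_LOG), "2007-05-18 07:47:05"):
        print(e["ts"], e["protocol"], e["src-ip"], "->", e["dst-ip"], e["dst-port"], e["path"])
```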