A Windows Filtering Platform filter has been changed - File and Printer Sharing

2

My Windows 2008 R2 server gets hammered with tons of login attempts.
I guess somebody is running a Brute Force attack.
Funny enough our MySQL configuration file got deleted last night, so they must have gotten in somehow. But at the same time my event log is full of these messages:

A Windows Filtering Platform filter has been changed.

Subject:
    Security ID:        LOCAL SERVICE
    Account Name:       NT AUTHORITY\LOCAL SERVICE

Process Information:
    Process ID: 1184

Provider Information:
    ID:     {decc16ca-3f33-4346-be1e-8fb4ae0f3d62}
    Name:       Microsoft Corporation

Change Information:
    Change Type:    Delete

Filter Information:
    ID:     {3798315c-c633-46ee-8421-89dab23673e9}
    Name:       File and Printer Sharing (Spooler Service - RPC-EPMAP)
    Type:       Not persistent
    Run-Time ID:    3444308

Layer Information:
    ID:     {e1cd9fe7-f4b5-4273-96c0-592e487b8650}
    Name:       ALE Receive/Accept v4 Layer
    Run-Time ID:    44

Callout Information:
    ID:     {00000000-0000-0000-0000-000000000000}
    Name:       -

Additional Information:
    Weight: 10378404878664860156    
    Conditions: 
    Condition ID:   {af043a0a-b34d-4f86-979c-c90371af6e66}
    Match value:    Equal to
    Condition value:    O:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)

    Condition ID:   {0c1ba1af-5765-453f-af22-a8f791ac775b}
    Match value:    Equal to
    Condition value:    0x0087

    Condition ID:   {46ea1551-2255-492b-8019-aabeee349f40}
    Match value:    Equal to
    Condition value:    0x00000003

    Condition ID:   {ab3033c9-c0e3-4759-937d-5758c65d4ae3}
    Match value:    Equal to
    Condition value:    0x00000003

    Condition ID:   {3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}
    Match value:    Equal to
    Condition value:    0x06

    Filter Action:  Permit

My hosting company unfortunately is very unresponsive and not very helpful. Their only response is to change my password... Does anyone know what they mean and where they come from? I guess it's the Windows Firewall rules. But is this normal, or what does it mean?

security
windows-server-2008-r2
windows-firewall
asked on Server Fault Dec 11, 2013 by Remy • edited Dec 13, 2013 by (unknown user)

1 Answer

5

You have a bunch of different things all going on in your question. I'll address them separately.


My Windows Server 2008 R2 server gets hammered with tons of login attempts. I guess somebody is running a Brute Force attack.

As a general bit of advice: Don't guess. Know. Computer systems are exceedingly complex. A good system administrator should start by identifying all of the symptoms, testing for repeatability, gathering evidence and then making reasonable assumptions about what the underlying problem is. The Guess and Check method will only work if you are very lucky.

You should look through your Event Log and correlate the login attempts with your upstream provider's IDS information. Maybe it's a brute force login attack, maybe it's a service account that had its password changed, maybe it's an application that no longer has appropriate rights? It could be a lot of things.

Finally and most importantly - Why is your server exposed to the Big Bad Internet at all? You really should have it behind a firewall or a VPN.


Funny enough our MySQL configuration file got deleted last night, so they must have gotten in somehow.

That is kind of funny, but again, are you sure it was an intruder? Maybe you accidentally deleted it? Again, Don't Guess. Know. Are you auditing file access? Ownership changes? You should at least be able to get a better idea of why your configuration file was suddenly changed or missing.


Windows Filtering Platform

Check out MSDN for information about Windows Filtering Platform:

WFP provides APIs so that you can participate in the filtering decisions that occur at several layers in the TCP/IP protocol stack. WFP also integrates and provides support for next-generation firewall features such as authenticated communication and dynamic firewall configuration that is based on an application's use of the Windows Sockets API. This capability is also known as an application-based policy.

I believe the example you posted is deleting the PERMIT filter for the File and Printer Sharing (Spooler Service - RPC-EPMAP). If you do a bit more reading you should be able to confirm that. I don't think this particular event is related to your possible security issues (which doesn't mean other WFP events are not!).


Is your server compromised?

Before you ring the alarms, do some investigation, engage your support options, and confirm that your server has indeed been compromised. Go read the canonical question on the subject to help you through the process: How do I deal with a compromised server? Good luck!

answered on Server Fault Dec 13, 2013 by (unknown user) • edited Apr 13, 2017 by Community
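The answer tells the asker to stop guessing and read the Event Log: tally the failed logons, and look at the WFP filter-change events as a population rather than one at a time. The script below is an added example, not code from the question, the answer or Microsoft. It runs on the server itself in an elevated PowerShell session and assumes the Security log contains event ID 4625 ("An account failed to log on") and event ID 5447 (the "A Windows Filtering Platform filter has been changed" message posted in the question), that the matching audit subcategories are enabled, and that 5447 messages use the field labels shown in the question ("Change Type:", "Filter Information:" / "Name:", "Filter Action:"), which the `Parse-WfpFilterChange` helper (a name chosen here) matches with regular expressions. The `$Hours` window and the property names `IpAddress`, `TargetUserName` and `LogonType` in the 4625 XML payload are assumptions as well.

```powershell
# Added example (not from the original question or answer).
# Summarise the two event types the answer says to look at:
#   4625 = "An account failed to log on"  (the suspected brute-force attempts)
#   5447 = "A Windows Filtering Platform filter has been changed" (the posted event)
# Assumptions: elevated PowerShell session on the server itself; logon and
# filtering-platform policy-change auditing enabled; 5447 message layout as
# shown in the question.

param([int]$Hours = 24)   # look-back window (assumed default)

$since = (Get-Date).AddHours(-$Hours)

function Get-EventDataField {
    # Pull one named <Data Name="..."> value out of an event's XML payload.
    param($Event, [string]$Name)
    $xml  = [xml]$Event.ToXml()
    $node = $xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { return $node.'#text' } else { return $null }
}

function Parse-WfpFilterChange {
    # Extract change type, filter name and action from the rendered 5447
    # message, using the field labels visible in the posted event.
    param([string]$Message)
    $changeType = if ($Message -match 'Change Type:\s*(\S+)') { $matches[1] } else { '?' }
    # Non-greedy match: the first "Name:" after "Filter Information:" is the filter name.
    $filterName = if ($Message -match 'Filter Information:[\s\S]*?Name:\s*(.+)') { $matches[1].Trim() } else { '?' }
    $action     = if ($Message -match 'Filter Action:\s*(\S+)') { $matches[1] } else { '?' }
    New-Object PSObject -Property @{ ChangeType = $changeType; FilterName = $filterName; Action = $action }
}

# 1. Failed logons grouped by source address, account and logon type.
#    Many addresses each failing against many accounts looks like a brute
#    force; one address and one account failing every few minutes looks more
#    like a service or scheduled task with a stale password.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue
$failed |
    ForEach-Object {
        New-Object PSObject -Property @{
            IpAddress = Get-EventDataField $_ 'IpAddress'
            Account   = Get-EventDataField $_ 'TargetUserName'
            LogonType = Get-EventDataField $_ 'LogonType'
        }
    } |
    Group-Object IpAddress, Account, LogonType |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 |
    Format-Table -AutoSize

# 2. WFP filter changes grouped by filter name, change type and action.
#    Steady Add/Delete churn on the same built-in rule names (as in the
#    posted "File and Printer Sharing" event) is expected noise; a name you
#    do not recognise, or a change that removes a Block or adds a Permit
#    outside the usual pattern, is what deserves a closer look.
$wfp = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5447; StartTime = $since } -ErrorAction SilentlyContinue
$wfp |
    ForEach-Object { Parse-WfpFilterChange $_.Message } |
    Group-Object FilterName, ChangeType, Action |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Save it as a `.ps1` and run it with `-Hours 72` to widen the window. The two tables are the evidence the answer asks for: the first shows whether the login noise has the shape of a brute force at all, and the second shows whether the 5447 event in the question is one of thousands of identical, routine changes or a rare one worth tracing to the process ID it names.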

User contributions licensed under CC BY-SA 3.0