Recently I was busy troubleshooting some Kerberos authentication issues in my test environment. The Security Log on the test DC was totally cluttered with event IDs ‘5152, 5157, 5159 …’ and an event source of ‘Filtering Platform Connection’.
The events were presumably coming from the Windows Firewall, so I went ahead and disabled it, only to find that the events kept on coming. Here are the commands used to prevent the events from being logged.
Output the current setting
C:\Users\Administrator>Auditpol /get /subcategory:"Filtering Platform Connection"
System audit policy
Category/Subcategory                      Setting
Object Access
  Filtering Platform Connection           Success and Failure
Turn off the Auditing
C:\Users\Administrator>Auditpol /set /subcategory:"Filtering Platform Connection" /failure:disable
The command was successfully executed.
C:\Users\Administrator>Auditpol /set /subcategory:"Filtering Platform Connection" /success:disable
The command was successfully executed.
Output the current setting
C:\Users\Administrator>Auditpol /get /subcategory:"Filtering Platform Connection"
System audit policy
Category/Subcategory                      Setting
Object Access
  Filtering Platform Connection           No Auditing
Now I can see the events I need without having all this damn clutter! Okay, now back to the original problem and troubleshooting Kerberos!
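The same change made temporary, as an added example that is not part of the original post: it saves the current audit policy with auditpol /backup, turns the subcategory off for the troubleshooting session, and puts the saved policy back with auditpol /restore afterwards. The backup path and the helper name Get-SubcategorySetting are assumptions, the CSV column name assumes an English-language system, and it must run from an elevated PowerShell prompt.

```powershell
# Added example: silence "Filtering Platform Connection" auditing only for the
# duration of a troubleshooting session, then restore the saved audit policy.
$sub    = 'Filtering Platform Connection'
$backup = Join-Path $env:TEMP 'auditpol-backup.csv'   # assumed location, pick your own

function Get-SubcategorySetting([string]$Name) {
    # Hypothetical helper. /r prints the report as CSV; the "Inclusion Setting"
    # column holds values such as "Success and Failure" or "No Auditing".
    $rows = auditpol /get "/subcategory:$Name" /r |
        Where-Object { $_.Trim() } |      # drop blank lines before parsing
        ConvertFrom-Csv
    return $rows.'Inclusion Setting'
}

# Save the whole effective audit policy first, and stop if that fails,
# so nothing is changed without a way back.
auditpol /backup "/file:$backup" | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'auditpol /backup failed; audit policy left unchanged' }
Write-Host "Before:  $(Get-SubcategorySetting $sub)"

try {
    # Both flags can be given in a single /set call.
    auditpol /set "/subcategory:$sub" /success:disable /failure:disable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'auditpol /set failed' }
    Write-Host "Now:     $(Get-SubcategorySetting $sub)"
    Read-Host 'Troubleshoot, then press Enter to restore the saved policy'
}
finally {
    # Runs even if the session is interrupted, so the DC does not stay
    # without these events longer than intended.
    auditpol /restore "/file:$backup" | Out-Null
    Write-Host "After:   $(Get-SubcategorySetting $sub)"
}
```

auditpol /restore replaces the entire audit policy with the contents of the backup file, so take the backup immediately before the change rather than reusing an old one.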
Further reading
The following article provides a method to roll out detailed security auditing settings to a group of machines using Group Policy.