What is Audit Filtering Platform Policy Change?
Audit Filtering Platform Policy Change is a security policy setting that allows IT administrators to keep track of certain IPsec and Windows Filtering Platform (WFP) actions.
Windows Filtering Platform (WFP) makes it possible for independent software vendors (ISVs) to monitor or authorize connections, and filter and modify TCP/IP packets. It also allows filtering of Internet Protocol security (IPsec)-protected traffic, and remote procedure calls (RPCs).
When the Audit Filtering Platform Policy Change setting is enabled, audit events are generated for the following:
- Windows Filtering Platform engine and providers status.
- Changes to Windows Filtering Platform engine and providers.
- IPsec services status.
- Changes to IPsec settings.
- IPsec Policy Agent service activities.
Steps to Audit Filtering Platform Policy Change using Native Active Directory
Step 1: Enable required audit policies
- Launch Server Manager in your Windows Server instance.
- Under Manage, select Group Policy Management and launch the Group Policy Management console.
- Navigate to Forest ➔ Domain ➔ Your domain ➔ Domain Controllers.
- Create a new GPO or edit any existing GPO, then navigate to Computer Configuration ➔ Windows Settings ➔ Security Settings ➔ Advanced Audit Policy Configuration ➔ Policy Change.
- Policy Change lists all of its sub-policies in the right panel, as shown in the figure below.

- Select Audit Filtering Platform Policy Change and enable auditing for both Success and Failure events.
- Click Apply and then OK to close the Properties window.
Step 2: View events in Event Viewer
- In the Event Viewer window, go to Windows Logs ➔ Security.
- Click Filter Current Log under Action in the right panel, then search for the desired event ID from the list below.
- The following are some of the events that will be generated if Audit Filtering Platform Policy Change is enabled:
- 4709 - Signifies the start of IPsec Services.
- 4710 - Signifies that IPsec Services was disabled.
- 4712 - IPsec Services encountered a potentially serious failure.
- 5040 - An Authentication Set was added in IPsec Settings.
- 5041 - An Authentication Set was modified in IPsec Settings.
- 5042 - An Authentication Set was deleted in IPsec Settings.
- 5043 - A Connection Security Rule was added in IPsec Settings.
- 5044 - A Connection Security Rule was modified in IPsec Settings.
- 5045 - A Connection Security Rule was deleted in IPsec Settings.
- 5046 - A Crypto Set was added in IPsec Settings.
- 5047 - A Crypto Set was modified in IPsec Settings.
- 5048 - A Crypto Set was deleted in IPsec Settings.
- 5440 - Shows the callout that was present when the Windows Filtering Platform Base Filtering Engine started.
- 5441 - Displays the filter that was present when the Windows Filtering Platform Base Filtering Engine started.
- 5442 - Shows the provider that was present when the Windows Filtering Platform Base Filtering Engine started.
- 5443 - Displays the provider context that was present when the Windows Filtering Platform Base Filtering Engine started.
- 5444 - Presents the sub-layer that was present when the Windows Filtering Platform Base Filtering Engine started.
- 5446 - A Windows Filtering Platform callout has been changed.
- 5448 - A Windows Filtering Platform provider has been changed.
- 5449 - A Windows Filtering Platform provider context has been changed.
- 5450 - A Windows Filtering Platform sub-layer has been changed.
- 5456 - PAStore Engine applied Active Directory storage IPsec policy on the computer.
- 5457 - PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.
- 5458 - PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.
- 5459 - PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.
- 5460 - PAStore Engine applied local registry storage IPsec policy on the computer.
- 5461 - PAStore Engine failed to apply local registry storage IPsec policy on the computer.
- 5462 - PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.
- 5463 - PAStore Engine polled for changes to the active IPsec policy and detected no changes.
- 5464 - PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.
- 5465 - PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.
- 5466 - PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.
- 5467 - PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.
- 5468 - PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.
- 5471 - PAStore Engine loaded local storage IPsec policy on the computer.
- 5472 - PAStore Engine failed to load local storage IPsec policy on the computer.
- 5473 - PAStore Engine loaded directory storage IPsec policy on the computer.
- 5474 - PAStore Engine failed to load directory storage IPsec policy on the computer.
- 5477 - PAStore Engine failed to add quick mode filter.
- You can double-click on the events to view Event Properties.
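The two steps above can also be checked from the command line. The script below is an added example, not part of the original page or of any vendor tooling: it confirms the effective audit setting with `auditpol` and then pulls the event IDs listed above from the Security log with `Get-WinEvent`. The 24-hour window, the English subcategory name and the baseline/failure grouping are assumptions made for the example.

```powershell
# Added example. Run from an elevated PowerShell session on the audited host.
# Assumption: English-language OS (auditpol subcategory names are localized).
$subcategory = 'Filtering Platform Policy Change'

# Step 1 check: read the effective setting rather than trusting the GPO editor.
$effective = auditpol /get /subcategory:"$subcategory" /r |
    Where-Object { $_ } | ConvertFrom-Csv
$setting = $effective.'Inclusion Setting'
if ($setting -ne 'Success and Failure') {
    Write-Warning "'$subcategory' is '$setting', expected 'Success and Failure'."
}

# Step 2 query: exactly the event IDs listed on this page, written as ranges
# so the filter stays short, limited to the last 24 hours (assumed window).
$idFilter = @(
    'EventID=4709', 'EventID=4710', 'EventID=4712',
    '(EventID>=5040 and EventID<=5048)',
    '(EventID>=5440 and EventID<=5444)',
    'EventID=5446',
    '(EventID>=5448 and EventID<=5450)',
    '(EventID>=5456 and EventID<=5468)',
    '(EventID>=5471 and EventID<=5474)',
    'EventID=5477'
) -join ' or '
$xpath = "*[System[($idFilter) and TimeCreated[timediff(@SystemTime) <= 86400000]]]"
$events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue

# Triage grouping (this example's choice, not part of the page):
$baseline = @(5440..5444) + 5463      # start-up inventory and "no changes" polls
$failures = 4712, 5457, 5459, 5461, 5462, 5472, 5474, 5477

# Volume per event ID, to see which IDs dominate the log.
$events | Group-Object Id | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Everything except the baseline noise, with failures labelled.
$events | Where-Object { $_.Id -notin $baseline } |
    Select-Object TimeCreated, Id,
        @{ n = 'Kind';    e = { if ($_.Id -in $failures) { 'Failure' } else { 'Change/Status' } } },
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
```

Writing the IDs as ranges keeps the XPath filter short; the ranges cover only the IDs listed on this page.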
Native auditing becoming a little too much?
Simplify policy changes auditing and reporting with ADAudit Plus.
ADAudit Plus is real-time, web-based Windows Active Directory (AD) change reporting software that audits, reports and alerts on Active Directory, Windows servers and workstations, and NAS storage devices to meet security and compliance requirements. You can track advanced audit policy settings and more with 200+ reports and real-time alerts. You can also get out-of-the-box reports for compliance mandates such as the GLBA. To learn more, visit https://www.manageengine.com/active-directory-audit/