Event ID 861 - OUTLOOK11.EXE Firewall issue

Guest

Any time that I start Outlook and periodically throughout the day, I get the
below event in my security logs. What could be causing this? The link in
the event does not pull any info.

Thanks
J


Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 3/3/2005
Time: 11:47:05 AM
User: <DOMAIN\Username>
Computer: <computername>
Description:
The Windows Firewall has detected an application listening for incoming
traffic.

Name: -
Path: D:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
Process identifier: 2608
User account: <my account>
User domain: <DOMAINNAME>
Service: No
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 1122
Allowed: No
User notified: No

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
 
Amanda Wang [MSFT]

Hi J,

Thanks for posting.

Your detailed error information is as follows:

Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 3/3/2005
Time: 11:47:05 AM
User: <DOMAIN\Username>
Computer: <computername>
Description:
The Windows Firewall has detected an application listening for incoming
traffic.

Name: -
Path: D:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
Process identifier: 2608
User account: <my account>
User domain: <DOMAINNAME>
Service: No
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 1122
Allowed: No
User notified: No

Based on my research, even though Windows XP firewall is "turned off", the
service is still running. If your security auditing policy includes
auditing of failures for "audit process tracking", your security event logs
will be filling up quickly. If you want the events to go away, the only
solutions I have found so far are to turn off the auditing or to stop the
Windows Firewall/ICS service.

To turn off the auditing:

The Default Domain Policy was configured to push the following changes
(Computer Configuration->Windows Settings->Security Settings->Local
Policies/Audit Policy):

Policy                            Setting
Audit account logon events        Failure
Audit account management          Success, Failure
Audit directory service access    Failure
Audit logon events                Success, Failure
Audit object access               Success, Failure
Audit policy change               Success, Failure
Audit privilege use               Failure
Audit system events               Failure

I recommended the following changes:

Policy                            Setting
Audit policy change               Not Defined
Audit privilege use               Not Defined
Audit object access               Not Defined
To stop the Windows Firewall/ICS service:

Go to Start -> Run -> services.msc. Find Windows Firewall in the list,
double-click on it, set "Startup type" to "Disabled", and press Stop if it
is running.

Please take your time in trying the suggestion. If there is anything
unclear or any other questions about this issue, please feel free to let me
know. I'm looking forward to your reply.

Thanks & Regards

Amanda Wang[MSFT]

Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

====================================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================================
 
Guest

Hi Amanda, thanks for the reply.

So here is the deal. The firewall is enabled, and I have added several
exceptions for various programs like Ghost and eTrust Anti-Virus. I
understand what you are saying about the Audit Policy, but two things come to
mind. First off, what is OUTLOOK11.EXE doing that it is generating errors in
the event log? And second, I have admin rights on the local workstation and
the domain, I would say whatever it is that OUTLOOK is attempting to do is
not related to permissions regarding audit trails.

My concern is this, by turning off those audit features, I miss other events
that potentially could be important. Rather it seems like many companies
have figured out, there are certain programs or ports that NEED to be open in
order for the software to run, like eTrust Anti-Virus as mentioned above.

So that creates two other questions, OUTLOOK11.EXE as an exception...why not
find out what Outlook is attempting to do? Is there an explanation of this?

Thanks
J



 
Guest

Hmmm...sounds like it could be what is going on. Let me ask you, based on
the 2 methods recommended, which one would you say is a better approach?

To put Outlook as an Exception (or)
To change the listening port from UDP to RPC?

From a security standpoint, would it seem that I am opening myself up to
more issues if I were to allow outlook as an exception?

Optionally, Outlook must be using a specific UDP port for what is described
in the KB, I know that the firewall can have Port Exceptions, what are your
thoughts on allowing only the UDP port for Outlook? (or are the port
exceptions more global, meaning that I can't specify a program, and would be
opening up the computer more so?)

Some thoughts...thanks for the reply.

J
 
Pavel Lebedinsky

I would add an exception for Outlook. I don't know the details of this
but it seems like Outlook will listen for incoming requests whether
you use RPC or UDP so the risk level is about the same.

You can also try setting the scope of the exception to your local subnet,
or even just the IP address of your Exchange server.
 
Amanda Wang [MSFT]

Hi J,

Thanks for your response and let me know your concerns on this issue. Also
sorry for delaying because I am ill these days.

Firstly, from the event item:

Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking

Description:
The Windows Firewall has detected an application listening for incoming
traffic.

We can see the event should be created by Detailed Tracking, it is not
initiated by Outlook.

Basically, when Outlook starts, it will register one UDP port (above 1024)
for some transmission, for example, new email notification. The port number
is dynamic. If you restart Outlook or computer, the port number may be
changed.

IP protocol: UDP
Port number: 1122
Allowed: No
User notified: No

The above information indicates that the UDP package may not be allowed.

Therefore, I want to confirm with you if there are any problems in Outlook.

Based on the points above, I agree with our MVP Pavel's suggestion of
adding an exception for Outlook in Microsoft Windows Firewall.

For more references:

The following KB articles address the UDP issues that Windows SP2 can cause.

839226 The Outlook Find feature and the new mail notifications do not work
http://support.microsoft.com/?id=839226

883555 E-mail messages remain in your Outbox folder longer than expected in
http://support.microsoft.com/?id=883555

I hope the information is helpful. If you have any new findings or further
concerns regarding this issue, please feel free to let me know. I'm very
glad to be of assistance.

Thanks & Regards

Amanda Wang [MSFT]

Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

====================================================================
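
Added example, not part of the original thread: a small Python parser for Event 861 descriptions in the layout posted above. It groups blocked listeners by program and protocol and shows that a program seen on more than one port (the dynamic port described in the last reply) calls for a program exception rather than a port exception. The second sample record and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: Event 861 descriptions in the layout shown in the thread.
# The second record (PID 3140, port 1187) is invented to model an Outlook restart.
SAMPLE = """\
The Windows Firewall has detected an application listening for incoming
traffic.

Path: D:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE
Process identifier: 2608
IP protocol: UDP
Port number: 1122
Allowed: No

The Windows Firewall has detected an application listening for incoming
traffic.

Path: D:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE
Process identifier: 3140
IP protocol: UDP
Port number: 1187
Allowed: No
"""

FIELD = re.compile(r"^([A-Za-z ]+):[ \t]*(.*)$", re.M)

def parse_events(text):
    """Split exported descriptions into one dict of fields per event."""
    chunks = text.split("The Windows Firewall has detected")[1:]
    return [{k.strip(): v.strip() for k, v in FIELD.findall(c)} for c in chunks]

def summarize(events):
    """Group blocked listeners by (path, protocol) and collect the ports seen."""
    seen = defaultdict(set)
    for e in events:
        if e.get("Allowed") == "No":
            seen[(e["Path"], e["IP protocol"])].add(int(e["Port number"]))
    report = {}
    for (path, proto), ports in seen.items():
        # Several ports for one binary means the port is dynamic, so a fixed
        # port exception cannot cover it; a program exception can.
        advice = "program exception" if len(ports) > 1 else "undetermined (one port seen)"
        report[(path, proto)] = (sorted(ports), advice)
    return report

if __name__ == "__main__":
    for key, val in summarize(parse_events(SAMPLE)).items():
        print(key, val)
```
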
 
