Good Day All,
We have a workgroup server running Windows Server 2016 Standard edition in the DMZ zone. The application team is remotely trying to discover this server into their application console using two discovery methods, one being "WMI" and the other "WinRM". In both cases the server is not discoverable, and we see the security audit failure below in the Security log.
The Symantec antivirus client is running on the server; hence, the local firewall is in a stopped state at the OS level, but the "Windows Firewall service" is in a running state. I have also stopped the "Symantec Endpoint service" and asked the app team to discover it again, but no luck and still the same error.
1) The user ID configured for communication between the app and the server has local admin rights on the server.
2) We see a successful audit log entry for the user ID during discovery.
3) Tried restarting the WMI service, but no luck; also rebuilt WBEM and tried again.
4) Port 5985 is reachable by telnet from the application server.
Please find the event details below and help me fix the issue. Thank you!
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 8/27/2021 5:12:01 PM
Event ID: 4957
Task Category: MPSSVC Rule-Level Policy Change
Level: Information
Keywords: Audit Failure
User: N/A
Computer: xxxxxxxxxxxxxxxx
Description:
Windows Firewall did not apply the following rule:
Rule Information:
ID: PrivateNetwork Inbound Default Rule
Name: PrivateNetwork Inbound Default Rule
Error Information:
Reason: Remote Addresses resolved to an empty set.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4957</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13571</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2021-08-27T07:12:01.119209900Z" />
<EventRecordID>39566259</EventRecordID>
<Correlation ActivityID="{981E48DA-918B-0002-0649-1E988B91D701}" />
<Execution ProcessID="660" ThreadID="12528" />
<Channel>Security</Channel>
<Computer>xxxxxxxxxxxxxxx</Computer>
<Security />
</System>
<EventData>
<Data Name="RuleId">PrivateNetwork Inbound Default Rule</Data>
<Data Name="RuleName">PrivateNetwork Inbound Default Rule</Data>
<Data Name="RuleAttr">Remote Addresses</Data>
</EventData>
</Event>
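Added diagnostic script (not part of the original post, and not the poster's own work). Event ID 4957 is logged when the Windows Firewall service cannot apply a rule; the reason text "Remote Addresses resolved to an empty set" means the rule's remote-address scope is a keyword or range (LocalSubnet, DNS, DefaultGateway, an address range, and so on) that matches nothing in the server's current network context, so that rule is silently skipped and the traffic it would have allowed falls through to the remaining rules and the profile's default inbound action. The script below has two functions: one to run on the DMZ target to show which profile is actually enforcing, what the named rule's scope resolves to, and which WinRM/WMI inbound rules are open to which remote addresses; and one to run from the application server to test WinRM and WMI over both transports (WS-Man on 5985 and DCOM on 135 plus dynamic RPC) separately, so a failure can be attributed to transport rather than to the WMI repository. The host names and addresses are assumed placeholders, and all cmdlets are built-in on Windows Server 2016 and Windows 10 or later.

```powershell
# Added example, not from the original post. Dot-source this file, then call
# Test-DmzTargetFirewall on the DMZ server (elevated) and Test-DmzDiscovery
# from the application server with the local-admin account.

function Test-DmzTargetFirewall {
    param(
        # ASSUMPTION: the display name of the rule reported in event 4957.
        [string]$RuleDisplayName = 'PrivateNetwork Inbound Default Rule'
    )

    # Which profile is enforcing, and which profile the DMZ NIC actually lands in.
    # A workgroup host usually sits in the Public profile, not Private.
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, LogBlocked
    Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

    # The rule named in the event and its remote-address scope. A keyword or
    # range that resolves to nothing is exactly what produces "empty set".
    $rule = Get-NetFirewallRule -DisplayName $RuleDisplayName -ErrorAction SilentlyContinue
    if ($rule) {
        $rule | Select-Object DisplayName, Enabled, Profile, Direction, Action, PolicyStoreSource
        $rule | Get-NetFirewallAddressFilter | Select-Object LocalAddress, RemoteAddress
    } else {
        "Rule '$RuleDisplayName' not found in the active policy store."
    }

    # Every enabled inbound rule that could carry WinRM or WMI, with its port and
    # remote scope. Rules scoped to 'Any' cannot fail with an empty set.
    Get-NetFirewallRule -Direction Inbound -Enabled True |
        Where-Object { $_.DisplayName -match 'Remote Management|Windows Management Instrumentation|WMI' } |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                Action        = $_.Action
                LocalPort     = $port.LocalPort
                RemoteAddress = $addr.RemoteAddress
            }
        } | Format-Table -AutoSize

    # Recent 4957 events grouped by rule and attribute, parsed from the event XML
    # the same way the post's Event Xml section is laid out.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4957 } -MaxEvents 50 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ Time = $_.TimeCreated; RuleId = $d['RuleId']; RuleAttr = $d['RuleAttr'] }
        } | Group-Object RuleId, RuleAttr | Select-Object Count, Name
}

function Test-DmzDiscovery {
    param(
        # ASSUMPTION: placeholder name of the DMZ target.
        [string]$Target = 'dmz-server01',
        [pscredential]$Credential = (Get-Credential -Message "Local admin on $Target")
    )

    # Raw reachability of both listener ports, not just 5985.
    foreach ($p in 5985, 135) {
        Test-NetConnection -ComputerName $Target -Port $p -WarningAction SilentlyContinue |
            Select-Object ComputerName, RemotePort, TcpTestSucceeded
    }

    # WinRM handshake. A workgroup target has no Kerberos, so use Negotiate with
    # explicit credentials; the client may also need the target in TrustedHosts.
    try {
        Test-WSMan -ComputerName $Target -Credential $Credential -Authentication Negotiate -ErrorAction Stop
        "WinRM : OK"
    } catch {
        "WinRM : FAILED - $($_.Exception.Message)"
    }

    # WMI over WS-Man (5985) and over DCOM (135 + dynamic RPC range) separately.
    # If DCOM fails while WS-Man works, the problem is the RPC path, not WMI.
    foreach ($proto in 'Wsman', 'Dcom') {
        $opt = New-CimSessionOption -Protocol $proto
        try {
            $s = New-CimSession -ComputerName $Target -Credential $Credential -SessionOption $opt -ErrorAction Stop
            Get-CimInstance -CimSession $s -ClassName Win32_OperatingSystem |
                Select-Object CSName, Caption, LastBootUpTime
            Remove-CimSession $s
            "WMI/$proto : OK"
        } catch {
            "WMI/$proto : FAILED - $($_.Exception.Message)"
        }
    }
}
```

If the target-side check shows the DMZ interface in the Public profile while the named rule is bound to Private, or its RemoteAddress is a keyword that cannot resolve on a workgroup host in a DMZ, the 4957 events are a symptom of that scoping rather than of the WMI repository, and the discovery-side check will show which transport (5985 versus 135 and RPC) is the one actually being blocked.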