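I just installed Windows Server 2008 R2 SP1 to see whether it would fix this problem, but it did not. Before an administrator logs on to the domain controller, there are many events showing that WFP blocked connections from Server60 to Server60 or from Server60 to Server70. Server60 and Server70 are both domain controllers. After the administrator logs on, the WFP events stop.
The firewall is off by default in the GPO. Yes, I know that WFP starts during boot until the firewall takes over, or in my case does not take over (since Vista), but I obviously should not have to log on to the domain controller automatically and invoke an auto-lock or something like that.
Sample event
Level = Information, Source = Microsoft Windows security auditing, EventID = 5152 "Filtering Platform Packet Drop" and its evil twin ID = 5157 "Filtering Platform Connection"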
"The Windows Filtering platform has blocked a connection."
Direction %%14593
SourceAddress 192.168.10.60
SourcePort 49677
DestAddress 192.168.10.60
DestPort 389
Protocol 6
FilterRTID 65667
LayerName %%14611
LayerRTID 48
RemoteUserID S-1-0-0
RemoteMachineID S-1-0-0
windows-server-2008-r2 WFP BFE WindowsFilteringPlatform BaseFilteringEngine
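To triage events like the one above before deciding what to do about them, the field dump can be decoded and grouped by the filter that caused the drop. This is an added example, not part of the original post; the function names are its own, the second sample event is constructed, and the %% codes are the standard Windows message-table values for direction and layer.

```python
import ipaddress
from collections import Counter

# Constructed input: the question's event, then a made-up Server60 -> Server70 variant.
SAMPLE = """\
Direction %%14593
SourceAddress 192.168.10.60
SourcePort 49677
DestAddress 192.168.10.60
DestPort 389
Protocol 6
FilterRTID 65667
LayerName %%14611

Direction %%14593
SourceAddress 192.168.10.60
SourcePort 49678
DestAddress 192.168.10.70
DestPort 389
Protocol 6
FilterRTID 65667
LayerName %%14611
"""

# Message-table IDs that raw event data leaves unexpanded.
DIRECTION = {"%%14592": "Inbound", "%%14593": "Outbound"}
LAYER = {"%%14597": "Transport", "%%14610": "Receive/Accept", "%%14611": "Connect"}
PROTOCOL = {"1": "ICMP", "6": "TCP", "17": "UDP"}

def parse_events(text):
    """One dict per event; events are separated by a blank line."""
    return [dict(l.split(None, 1) for l in block.splitlines() if len(l.split()) > 1)
            for block in text.strip().split("\n\n")]

def describe(ev):
    """Decode one event and flag a host connecting to its own address."""
    src, dst = (ipaddress.ip_address(ev[k]) for k in ("SourceAddress", "DestAddress"))
    return {"direction": DIRECTION.get(ev["Direction"], ev["Direction"]),
            "layer": LAYER.get(ev["LayerName"], ev["LayerName"]),
            "protocol": PROTOCOL.get(ev["Protocol"], ev["Protocol"]),
            "flow": f"{src}:{ev['SourcePort']} -> {dst}:{ev['DestPort']}",
            "self_connection": src == dst}

def drops_by_filter(events):
    """Count drops per (filter run-time ID, destination address, destination port)."""
    return Counter((int(e["FilterRTID"]), e["DestAddress"], int(e["DestPort"])) for e in events)

if __name__ == "__main__":
    print([describe(e) for e in parse_events(SAMPLE)], drops_by_filter(parse_events(SAMPLE)))
```

The FilterRTID that accounts for most drops can then be matched against the filterId values in the output of netsh wfp show filters to see which filter is responsible.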
Answer 1
You can disable this with the following commands:
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Driver" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Main Mode" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Extended Mode" /success:disable /failure:disable
Answer 2
To disable WFP on a non-English version of Windows Server or desktop, use the GUID form of the names:
@auditpol /set /subcategory:{0CCE9225-69AE-11D9-BED3-505054503030} /success:disable /failure:disable
@auditpol /set /subcategory:{0CCE9226-69AE-11D9-BED3-505054503030} /success:disable /failure:disable
@auditpol /set /subcategory:{0CCE9213-69AE-11D9-BED3-505054503030} /success:disable /failure:disable
@auditpol /set /subcategory:{0CCE9218-69AE-11D9-BED3-505054503030} /success:disable /failure:disable
@auditpol /set /subcategory:{0CCE9219-69AE-11D9-BED3-505054503030} /success:disable /failure:disable
@auditpol /set /subcategory:{0CCE921A-69AE-11D9-BED3-505054503030} /success:disable /failure:disable