From ea1cc99ad0382ac14548f32fa241d0f659e424fa Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Thu, 18 Jul 2019 11:07:39 -0400 Subject: [PATCH] resolves #4484 #4484 Page does not conform to standards > This page, unlike other audit subcategory pages, has everything after the table of recommendations in giant font (including Feedback at the end), and does not contain any subpages for the individual events > It also has an "In this article" panel on the right, which lists all the events. Commit 8756c9d resulted in the page being reformatted in an odd way. Using other audit pages as a guide, I've removed the headings that caused the events to be rendered in a giant font, and reformatted the events into a simple bulleted list. I've also added back the information on event volume and default value, to make the page conform better. I can't do much for links right now, as these pages do not exist yet. --- .../auditing/audit-ipsec-driver.md | 28 ++++++++++--------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/windows/security/threat-protection/auditing/audit-ipsec-driver.md b/windows/security/threat-protection/auditing/audit-ipsec-driver.md index e1ea4700ec..3b6cfd4e5d 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-driver.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-driver.md @@ -20,7 +20,6 @@ ms.date: 10/02/2018 - Windows 10 - Windows Server 2016 - Audit IPsec Driver allows you to audit events generated by IPSec driver such as the following: - Startup and shutdown of the IPsec services. @@ -39,7 +38,9 @@ A high rate of packet drops by the IPsec filter driver may indicate attempts to Failure to process IPsec filters poses a potential security risk because some network interfaces may not get the protection that is provided by the IPsec filter. -This subcategory is outside the scope of this document. +**Event volume:** Medium + +**Default:** Not configured | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------| @@ -47,25 +48,26 @@ This subcategory is outside the scope of this document. | Member Server | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at IPsec Driver level. | | Workstation | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at IPsec Driver level. | -## 4960(S): IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. +**Events List:** -## 4961(S): IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer. +- 4960(S): IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. -## 4962(S): IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay. +- 4961(S): IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer. -## 4963(S): IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt. +- 4962(S): IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay. -## 4965(S): IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored. +- 4963(S): IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt. -## 5478(S): IPsec Services has started successfully. +- 4965(S): IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored. -## 5479(S): IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. +- 5478(S): IPsec Services has started successfully. -## 5480(F): IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. +- 5479(S): IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. -## 5483(F): IPsec Services failed to initialize RPC server. IPsec Services could not be started. +- 5480(F): IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. -## 5484(F): IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. +- 5483(F): IPsec Services failed to initialize RPC server. IPsec Services could not be started. -## 5485(F): IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. +- 5484(F): IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. +- 5485(F): IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.