Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 5159 Source: Microsoft-Windows-Security-Auditing

Description
The Windows Filtering Platform has blocked a bind to a local port.

Application Information:
Process ID: 2328
Application Name: \device\harddiskvolume1\windows\system32\cpqmgmt\cqmghost\cqmghost.exe

Network Information:
Source Address: 0.0.0.0
Source Port: 52264
Protocol: 17

Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
Comments
 
This event can be recorded repeatedly if you disable Windows Firewall for the Domain profile, the Private profile and the Public profile and you enable the "Filtering Platform Connection" audit policy. A hotfix is availble  - see ME969257 for details.

From a Microsoft support forum: "We recently discovered a bug in WFP (Windows Filtering Platform) which erroneously spews out audits about  blocking "bind to a local port" while the bind() call are in fact permitted.

The symptom is that, as some of you observed, the "FilterRTID" field is 0. The bug manifests when there is no filter registered at WFP ALE_RESOURCE_ASSIGNMENT layers.

We are fixing this issue in Windows 7. For Vista, you can ignore the audit entry if FilterRTID is 0 for ALE_RESOURCE_ASSIGNMENT layers block audit events."

For troubleshooting purposes (I would highly recommend against this config in a production environment) you can turn off the BFE (Base Filtering Engine) service. This has the implication of disabling IPsec and many firewall / filtering products.  Your better option is to configure whatever firewall product is on the system that is causing the block.
The T754714 article how to enable/disable the security events.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...