Auditing of Object Access: Filtering Platform Connection events on success should be enabled or disabled as appropriate. This subcategory reports when connections are allowed or blocked by WFP. These events can be high in volume. Events for this subcategory include: - 5031: The Windows Firewall Service blocked an application from accepting incoming connections on the network. - 5154: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. - 5155 : The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. - 5156: The Windows Filtering Platform has allowed a connection. - 5157: The Windows Filtering Platform has blocked a connection. - 5158: The Windows Filtering Platform has permitted a bind to a local port. - 5159: The Windows Filtering Platform has blocked a bind to a local port. Refer to the Microsoft Knowledgebase article Description of security events in Windows Vista and in Windows Server 2008 for the most recent information about this setting: http://support.microsoft.com/default.aspx/kb/947226. Fix: (1) GPO: Commandline: auditpol.exe (2) REG: NO INFO