| Field | Value |
|---|---|
| Event Description | The Windows Firewall Logging Settings Have Changed |
| Relevant OS | Windows Vista, Windows Server 2008 |
| For other OS versions | Use Event ID 854 for Windows XP and Windows Server 2003 |
| Vendor Classification | Windows Policy Change; note the Windows Firewall is also referred to as MPSSVC |
Cause: This event is logged when the firewall settings are changed within a Group Policy, Local Policy, or within the Standard or Domain profiles. Changes at the logging level may include logging of dropped and accepted connections.
Analysis: It is fairly rare for enterprises to change the Windows Firewall settings other than during the initial setup of a system. In a hacker situation, disabling logging or deleting logs after a compromise is a standard step to limit awareness of the activity. Clearly this activity also negatively impacts a company's ability to perform forensics.
Special Note: We have seen several situations where an admin, or an application installed by an admin, disabled or modified the Windows Firewall. Admins must be very careful to make sure the Windows Firewall is enabled, and tuned appropriately, after performing administrative duties on a system.
The appropriate party should immediately take action to restore logging of Windows Firewall events. If the change took place outside of an authorized process or activity, strong scrutiny should be applied and research should be performed to determine whether malicious activity took place during the time logging was turned off.
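As an added illustration (not part of the SAVANTURE definition), the following PowerShell triages recent 4950 events on a host and checks whether firewall logging is currently enabled on each profile. It assumes the NetSecurity module (Windows 8 / Server 2012 and later; on Vista / Server 2008 use `netsh advfirewall show allprofiles` instead) and assumes the 4950 event data field names ProfileChanged, SettingType and SettingValue.

```powershell
# Added example, not SAVANTURE's or Microsoft's code.
# Step 1: list 4950 (firewall setting changed) events from the Security log.
# Step 2: report the live logging state per profile so a defender can see
#         what must be restored before investigating the blind window.
param([int]$LookbackHours = 24)

$since = (Get-Date).AddHours(-$LookbackHours)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4950
    StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Field names below are an assumption from the 4950 event schema;
    # missing names simply yield empty columns rather than an error.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Profile = $data['ProfileChanged']
        Setting = $data['SettingType']
        Value   = $data['SettingValue']
    }
}

# Any profile that is disabled or not logging blocked connections is a
# finding to reconcile against an approved change and then restore.
Get-NetFirewallProfile | ForEach-Object {
    [pscustomobject]@{
        Profile     = $_.Name
        Enabled     = $_.Enabled
        LogAllowed  = $_.LogAllowed
        LogBlocked  = $_.LogBlocked
        LogFile     = $_.LogFileName
        NeedsReview = ("$($_.Enabled)" -ne 'True') -or ("$($_.LogBlocked)" -ne 'True')
    }
} | Format-Table -AutoSize

# To restore logging once the change has been reviewed (run as administrator):
# Set-NetFirewallProfile -All -Enabled True -LogBlocked True -LogAllowed True
```

Review the NeedsReview rows against your change records before re-enabling logging, so the remediation itself is tied to an authorized ticket.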
| Last Reviewed or Updated | 4/14/2015 |
SAVANTURE’s Event Definitions Microsoft Event ID 4950
©2014 SAVANTURE – Enterprises, vendors and 3rd Parties may freely point users to this content, however content cannot be copied or used outside of this webpage. If content is framed, this disclaimer must also be included and credited to SAVANTURE, Inc. at www.savanture.com.