SAVANTURE’s Event Definitions Microsoft Event ID 854


Event ID 854
Event Description The Windows Firewall Logging Settings Have Changed
Vendor Microsoft
Relevant OS Windows XP, Windows Server 2003
For other OS versions, use Event ID 4950 for Windows Vista and Windows Server 2008
Vendor Classification Windows Policy Change; note the Windows Firewall is also referred to as MPSSVC
CVE Reference(s) None
Bugtraq Reference(s) None
Secunia Reference(s) None
Event Information

Cause: This event is logged when the firewall settings are changed within a Group Policy, Local Policy, or within the Standard or Domain profiles. Changes at the logging level may include the logging of dropped and accepted connections.

Analysis: It is fairly rare for enterprises to change the Windows Firewall settings other than during the initial setup of a system. In a hacker situation, disabling logging or deleting logs after a compromise is a standard step taken to limit awareness of the activity. Clearly this activity also negatively impacts a company's ability to perform forensics.

Special Note: We have seen several situations where an admin, or an application installed by an admin, disabled or modified the Windows Firewall. Admins must be very careful to make sure the Windows Firewall is enabled, and tuned appropriately, after administrative duties on a system.

Resolution

The appropriate party should immediately take action to restore logging of Windows Firewall events. If the change took place outside of an authorized process or activity, strong scrutiny should be applied and research should be performed to determine whether malicious activity took place during the time logging was turned off.
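The resolution above hinges on telling an authorized logging change from an unauthorized one. The following Python triage routine is an added example (not SAVANTURE's content or a Microsoft tool): it scans a set of constructed sample events for the two event IDs named on this page (854 on XP/2003, 4950 on Vista/2008) and rates each hit by how far it falls outside the authorized process. The record layout (event_id, time, computer, user, message), the approved-account list and the business-hours change window are assumptions for illustration; the message texts are constructed and do not reproduce the exact Windows event schema.

```python
"""Triage Windows Firewall logging-change events (854 on XP/2003, 4950 on Vista/2008).
Added example with constructed sample data; the record shape is an assumption."""
from datetime import datetime, time

# Event IDs described on this page: 854 (XP / Server 2003) and 4950 (Vista / Server 2008).
FIREWALL_LOGGING_CHANGE_IDS = {854, 4950}

# Constructed sample events. Field names are a simplified, assumed shape,
# not the exact Windows event log schema.
SAMPLE_EVENTS = [
    {"event_id": 4950, "time": "2015-04-14T02:13:00", "computer": "WS-042",
     "user": "CORP\\svc-unknown",
     "message": "A Windows Firewall setting has changed. Setting: Log dropped packets -> Disabled"},
    {"event_id": 854, "time": "2015-04-14T10:05:00", "computer": "SRV-XP-01",
     "user": "CORP\\jdoe",
     "message": "The Windows Firewall logging settings have changed. Log dropped packets: No"},
    {"event_id": 4950, "time": "2015-04-14T11:30:00", "computer": "WS-007",
     "user": "CORP\\fw-admin",
     "message": "A Windows Firewall setting has changed. Setting: Log successful connections -> Enabled"},
    {"event_id": 4624, "time": "2015-04-14T11:31:00", "computer": "WS-007",
     "user": "CORP\\jdoe", "message": "An account was successfully logged on."},
]


def is_logging_disabled(message):
    """Heuristic: the change text mentions a logging setting being turned off."""
    text = message.lower()
    return "log" in text and any(word in text for word in ("disabled", ": no", "off"))


def triage_firewall_logging_events(events, approved_accounts, change_window=(time(9), time(17))):
    """Return one finding per firewall logging-change event.

    Severity rises with each sign that the change fell outside the authorized process:
    an account not on the approved change list, a time outside the change window,
    or a change that reduces/disables logging (the case the Analysis section warns about).
    """
    findings = []
    start, end = change_window
    for ev in events:
        if ev["event_id"] not in FIREWALL_LOGGING_CHANGE_IDS:
            continue  # not a firewall logging change; ignore
        when = datetime.fromisoformat(ev["time"])
        reasons = []
        if ev["user"] not in approved_accounts:
            reasons.append("account not on approved change list")
        if not (start <= when.time() <= end):
            reasons.append("outside change window")
        if is_logging_disabled(ev["message"]):
            reasons.append("logging reduced or disabled")
        severity = "high" if len(reasons) >= 2 else "medium" if reasons else "info"
        findings.append({"computer": ev["computer"], "user": ev["user"],
                         "event_id": ev["event_id"], "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_firewall_logging_events(SAMPLE_EVENTS, {"CORP\\fw-admin", "CORP\\jdoe"}):
        print(finding)
```

Every 854/4950 event is kept, even an approved, in-window change that enables logging (rated "info"), so the record of who changed firewall logging and when is never silently dropped; the "high" findings are the ones the Resolution says need restoration of logging and a review of what happened while it was off.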


Additional Details


Customers only. Shown in the service portal.

Last Reviewed or Updated 4/14/2015

©2014 SAVANTURE – Enterprises, vendors and 3rd parties may freely point users to this content; however, content cannot be copied or used outside of this webpage. If content is framed, this disclaimer must also be included and credited to SAVANTURE, Inc. at www.savanture.com.