Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


Check to see who changed a Windows Firewall rule

Posted on 2012-09-19
Medium Priority
Last Modified: 2012-10-11
Is there a way in Server 2008 to check WHO changes Windows Firewall rules?  I enabled Audit Policy Change for Success and Failure and then Audit Process Tracking for Success and Failure.  I can see changes are made to rules and other WF activity but not who actually changes the rule.  An example of an entry is here.  But note no mention of a user account making the change or even a SID.  Running Server 2008 R2.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          9/19/2012 12:26:06 PM
Event ID:      4947
Task Category: MPSSVC Rule-Level Policy Change
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      tstnts2.internal.com
A change was made to the Windows Firewall exception list. A rule was modified.
Profile Changed:      All

Modified Rule:
      Rule ID:      {5FBC8261-58F1-4397-8699-A7BBA101FC91}
      Rule Name:      Allow SSH from Internal
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <TimeCreated SystemTime="2012-09-19T18:26:06.801556600Z" />
    <Correlation />
    <Execution ProcessID="468" ThreadID="1856" />
    <Security />
    <Data Name="ProfileChanged">All</Data>
    <Data Name="RuleId">{5FBC8261-58F1-4397-8699-A7BBA101FC91}</Data>
    <Data Name="RuleName">Allow SSH from Internal</Data>
Question by:sedberg1
LVL 88

Expert Comment

ID: 38416723
You can probably check your security event logs for who was logged on at around the same time, and then based on those users you can check which one has administrative rights. As you won't have too many users with those rights you should at least be able to narrow the list, if not pinpoint it to one user.
LVL 22

Accepted Solution

dan_blagut earned 2000 total points
ID: 38416840
LVL 66

Expert Comment

ID: 38417917
May not be directly but consider enabling this [1] and if need be enable login/logoff audit policy to the system to correlate the timing the FW policy events [2] were modified

[1] http://blogs.msdn.com/b/ericfitz/archive/2010/07/16/auditing-changes-to-audit-policy.aspx
[1] http://technet.microsoft.com/en-us/library/ff182311(v=ws.10).aspx#BKMK_7

You may also want to know why the user was able to access this resource. In Windows Server 2008 R2 and Windows 7, you can obtain this forensic data by configuring the Audit Handle Manipulation setting along with either the Audit File System or Audit Registry audit settings.

[2] http://technet.microsoft.com/en-us/library/dd772750(v=ws.10).aspx

Featured Post

The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Understanding the various editions available is vital when you decide to purchase Windows Server 2012. You need to have a basic understanding of the features and limitations in each edition in order to make a well-informed decision that best suits …
With more and more companies allowing their employees to work remotely, it begs the question: What are some of the security risks involved with remote employees and what actions should we take to secure them?
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses

572 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question