sedberg1

asked on

Check to see who changed a Windows Firewall rule

Is there a way in Server 2008 to check WHO changes Windows Firewall rules?  I enabled Audit Policy Change for Success and Failure and then Audit Process Tracking for Success and Failure.  I can see changes are made to rules and other WF activity but not who actually changes the rule.  An example of an entry is here.  But note no mention of a user account making the change or even a SID.  Running Server 2008 R2.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          9/19/2012 12:26:06 PM
Event ID:      4947
Task Category: MPSSVC Rule-Level Policy Change
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      tstnts2.internal.com
Description:
A change was made to the Windows Firewall exception list. A rule was modified.
      
Profile Changed:      All

Modified Rule:
      Rule ID:      {5FBC8261-58F1-4397-8699-A7BBA101FC91}
      Rule Name:      Allow SSH from Internal
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4947</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13571</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2012-09-19T18:26:06.801556600Z" />
    <EventRecordID>4164</EventRecordID>
    <Correlation />
    <Execution ProcessID="468" ThreadID="1856" />
    <Channel>Security</Channel>
    <Computer>tstnts2.internal.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="ProfileChanged">All</Data>
    <Data Name="RuleId">{5FBC8261-58F1-4397-8699-A7BBA101FC91}</Data>
    <Data Name="RuleName">Allow SSH from Internal</Data>
  </EventData>
</Event>
rindi

You can probably check your security event logs for who was logged on at around the same time, and then based on those users you can check which one has administrative rights. As you won't have too many users with those rights you should at least be able to narrow the list, if not pinpoint it to one user.
ASKER CERTIFIED SOLUTION
dan_blagut
btan

May not be possible directly, but consider enabling this [1] and, if need be, enable the login/logoff audit policy on the system to correlate the timing with when the FW policy events [2] were modified.

[1] http://blogs.msdn.com/b/ericfitz/archive/2010/07/16/auditing-changes-to-audit-policy.aspx
[1] http://technet.microsoft.com/en-us/library/ff182311(v=ws.10).aspx#BKMK_7

You may also want to know why the user was able to access this resource. In Windows Server 2008 R2 and Windows 7, you can obtain this forensic data by configuring the Audit Handle Manipulation setting along with either the Audit File System or Audit Registry audit settings.

[2] http://technet.microsoft.com/en-us/library/dd772750(v=ws.10).aspx
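As an added example (not code from any answer on this page), the correlation rindi and btan describe, in Python: it parses the 4947 event XML from the question, which as the question shows carries no user or SID, and lists the administrative accounts that were logged on within a window before the rule change. The logon records, their logon types and the admin flag are constructed for the example; in practice they would come from 4624 events in the same Security log.

```python
# Narrow a Windows Firewall rule change (event 4947, no Subject field) to the
# privileged accounts logged on shortly before it. Example code, not from the post.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Event XML from the question, reduced to the nodes this example reads.
EVENT_4947_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4947</EventID>
    <TimeCreated SystemTime="2012-09-19T18:26:06.801556600Z" />
    <Computer>tstnts2.internal.com</Computer>
  </System>
  <EventData>
    <Data Name="ProfileChanged">All</Data>
    <Data Name="RuleId">{5FBC8261-58F1-4397-8699-A7BBA101FC91}</Data>
    <Data Name="RuleName">Allow SSH from Internal</Data>
  </EventData>
</Event>"""

# Constructed logon records (the fields a 4624 logon event would supply);
# invented for this example, not taken from the original post.
LOGONS = [
    {"time": "2012-09-19T17:05:00Z", "user": "INTERNAL\\svc-backup", "type": 5, "admin": False},
    {"time": "2012-09-19T18:10:42Z", "user": "INTERNAL\\jsmith", "type": 10, "admin": True},
    {"time": "2012-09-19T18:20:11Z", "user": "INTERNAL\\mbrown", "type": 2, "admin": True},
    {"time": "2012-09-19T18:24:30Z", "user": "INTERNAL\\guestkiosk", "type": 2, "admin": False},
    {"time": "2012-09-19T18:40:00Z", "user": "INTERNAL\\admin2", "type": 10, "admin": True},
]

def parse_time(s):
    """Parse SystemTime (UTC, 'Z' suffix); strptime's %f accepts at most 6 fraction digits."""
    s = s.rstrip("Z")
    if "." in s:
        return datetime.strptime(s[:26], "%Y-%m-%dT%H:%M:%S.%f")
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def parse_4947(xml_text):
    """Extract the fields of a rule-change event that are useful for correlation."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "event_id": int(system.find("e:EventID", NS).text),
        "time": parse_time(system.find("e:TimeCreated", NS).get("SystemTime")),
        "computer": system.find("e:Computer", NS).text,
        "rule_id": data["RuleId"],
        "rule_name": data["RuleName"],
    }

def candidate_users(change, logons, window_minutes=30):
    """Admin accounts that logged on within window_minutes before the change."""
    earliest = change["time"] - timedelta(minutes=window_minutes)
    return sorted({l["user"] for l in logons
                   if l["admin"] and earliest <= parse_time(l["time"]) <= change["time"]})
```

The result is a candidate list, not an attribution: a still-active session from an earlier logon would fall outside the window, so widen it or include 4634 logoff events before trusting it.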