Check to see who changed a Windows Firewall rule

Posted on 2012-09-19
Last Modified: 2012-10-11
Is there a way in Server 2008 to check WHO changes Windows Firewall rules?  I enabled Audit Policy Change for Success and Failure and then Audit Process Tracking for Success and Failure.  I can see changes are made to rules and other WF activity but not who actually changes the rule.  An example of an entry is here.  But note no mention of a user account making the change or even a SID.  Running Server 2008 R2.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          9/19/2012 12:26:06 PM
Event ID:      4947
Task Category: MPSSVC Rule-Level Policy Change
Level:         Information
Keywords:      Audit Success
User:          N/A
A change was made to the Windows Firewall exception list. A rule was modified.
Profile Changed:      All

Modified Rule:
      Rule ID:      {5FBC8261-58F1-4397-8699-A7BBA101FC91}
      Rule Name:      Allow SSH from Internal
Event Xml:
<Event xmlns="">
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <TimeCreated SystemTime="2012-09-19T18:26:06.801556600Z" />
    <Correlation />
    <Execution ProcessID="468" ThreadID="1856" />
    <Security />
    <Data Name="ProfileChanged">All</Data>
    <Data Name="RuleId">{5FBC8261-58F1-4397-8699-A7BBA101FC91}</Data>
    <Data Name="RuleName">Allow SSH from Internal</Data>
Question by:sedberg1

    Expert Comment

    You can probably check your security event logs for who was logged on at around the same time, and then based on those users you can check which one has administrative rights. As you won't have too many users with those rights you should at least be able to narrow the list, if not pinpoint it to one user.

    Accepted Solution


    Expert Comment

    It may not be possible directly, but consider enabling this [1] and, if need be, enable the login/logoff audit policy on the system so you can correlate the timing with when the FW policy events [2] were modified.


    You may also want to know why the user was able to access this resource. In Windows Server 2008 R2 and Windows 7, you can obtain this forensic data by configuring the Audit Handle Manipulation setting along with either the Audit File System or Audit Registry audit settings.
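    The correlation the comments above describe, as an added example that is not part of the original thread: for each firewall rule change (Event ID 4947, which in the question's log carries no subject user) it lists the interactive and RDP logons (Event ID 4624) recorded in the preceding window, which narrows the candidates rather than proving who made the change. It assumes logon/logoff auditing is already enabled, the Security log is readable (run elevated), and the window size `$WindowMinutes` is a constructed parameter to tune; syntax is kept PowerShell 2.0 compatible for 2008 R2.

```powershell
# Added example, not from the original thread. Correlates 4947 (firewall rule
# modified) with 4624 (logon) events from the preceding $WindowMinutes.
param(
    [int]$WindowMinutes = 30,   # constructed default; widen if changes are sparse
    [int]$MaxEvents = 50        # how many recent rule changes to examine
)

# Pull the EventData <Data Name="..."> fields of an event into a hashtable so
# fields are addressed by name instead of by fragile positional index.
function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $map[$d.Name] = $d.'#text' }
    }
    return $map
}

$ruleChanges = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4947 } `
    -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

foreach ($change in $ruleChanges) {
    $data  = Get-EventDataMap -Event $change
    $start = $change.TimeCreated.AddMinutes(-$WindowMinutes)
    $end   = $change.TimeCreated

    # Logon type 2 (interactive) and 10 (RemoteInteractive/RDP) usually mean a
    # person at the console or over RDP; type 3 (network) is far noisier.
    # Machine accounts (names ending in $) are dropped as well.
    $logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624;
                                              StartTime = $start; EndTime = $end } `
                -ErrorAction SilentlyContinue |
        ForEach-Object { Get-EventDataMap -Event $_ } |
        Where-Object { ('2','10') -contains $_.LogonType -and $_.TargetUserName -notlike '*$' } |
        Select-Object @{n='User';e={"$($_.TargetDomainName)\$($_.TargetUserName)"}},
                      LogonType, IpAddress -Unique

    $candidates = $logons | ForEach-Object { "$($_.User) (type $($_.LogonType), $($_.IpAddress))" }

    New-Object PSObject -Property @{
        Changed    = $change.TimeCreated
        RuleName   = $data['RuleName']
        RuleId     = $data['RuleId']
        Candidates = ($candidates -join '; ')
    }
}
```

    Pipe the output to `Format-Table -AutoSize` or `Export-Csv` to review it; an empty Candidates column means no qualifying logon was audited in the window, which usually points at auditing being enabled after the change or at a longer-lived session that began before the window.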

