PingSentry   |   Blog   |   System32   |   GitHub   |   Free tools

How can I be alerted if Microsoft Windows Firewall policies change and/or Firewall is Disabled?

Article ID: 429
Category: Monitoring
Updated: 2020-05-29

Windows Firewall policy changes, like new program exceptions, enabling/disabling/deleting policies can be monitored and detected with EventSentry, along to detection when firewall is disabled.

Enabling Policies Changes Audit

In order to monitor Microsoft Windows Firewall policy changes, the subcategory MPSSVC rule-level Policy Change under the main category Policy Change will need to be audited. This can be accomplished via group policy (recommended) or by running the following command as Administrator:

auditpol.exe /set /category:"Policy Change" /subcategory:"MPSSVC rule-level Policy Change" /success:enable /failure:enable

Enabling Audit Events for Windows Firewall

Events IDs

With auditing enabled, the events below will get logged to the security event log based on the changes made:

  • 4946 Policy is Added/Created
  • 4947 Policy is Modified/Enabled/Disabled
  • 4948 Policy is Deleted
  • 4950 Windows Firewall setting was changed

Filters Creation

An include filter must be created for each of the above event IDs to ensure that an email alert gets generated for each of the scenarios (Added/Created, Modified/Enabled/Disabled and Deleted along with Microsoft Firewall being disabled).

Policy Changes

Right-click "Event Logs" and click "Add Package" and label this new package, "Firewall Changes."

Creating a new package

Right-click on the newly created package and select "Add New Filter" and label this new filter, "Firewall Policy Deleted."

Creating a new filter

Enter the following details for the newly created filter:
1) Actions: Default Email (to get notified via email when this event takes place)
2) Log: Security
3) Event Severity: Audit Success
4) Event Source: Microsoft-Windows-Security-Auditing
5) Category: MPSSVC Rule-Level Policy Change
6) Event ID: 4948.

Repeat these steps to create two more filters for Event ID 4947 and 4946, note that filters can be copied and pasted in the management console.

Filter Content for ID 4948

Filter Content for ID 4947

Filter Content for ID 4946

Detecting when the Windows Firewall is disabled

Right-click on the newly created package "Firewall Changes" and select "Add New Filter" and label this new filter, "Firewall Disabled."

Enter the following details for the newly created filter:

1) Actions: Default Email (to get notified via email when this event takes place)
2) Log: Security
3) Event Severity: Audit Success
4) Event Source: Microsoft-Windows-Security-Auditing
5) Category: MPSSVC Rule-Level Policy Change
6) Event ID: 4950.
7) Under group "Content Filter & Notes" click on "+"and select Insertion string match", Insertion String: 3 and matches. In content Filter type "No"

Filter Content for ID 4950

Assigning package to a Host or Group

Don't forget to assign the package to a host or group. From the left tree, select a group or a host, from the right menu "Assign Packages...," then choose the "Firewall Changes" package. Click Home/Save to save the configuration.

Assigning package to a host

Example Email


Support Resources

Knowledge Base Knowledge Base
Documentation Documentation
Screenshot Screencasts
Blog Blog

Contact Support

Phone 1-877-NETIKUS
Email support@netikus.net

Tags

firewall microsoft window firewall windows firewall firewall policies firewall auditing