Event Details
EventID 852 - A change has been made to the Windows Firewall port exception list [Win 2003 / XP]
This event indicates that a change was successfully made to the Windows Firewall's list of exception rules (specifically, the rules that allow traffic through specified ports via specified protocols). The change was made either through local policy or via Group Policy propagation.

Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other OS versions: Windows 2008

 Sample:
Event Type:     Success Audit
Event Source:   Security
Event Category: Policy Change
Event ID:       852
Date:           12/16/2009
Time:           06:52:05
User:           NT AUTHORITY\SYSTEM
Computer:       DC1
Description:    
A change has been made to the Windows Firewall port exception list.

Policy origin: Local Policy
Profile changed: Standard
Interface: All interfaces
Change type: Modify
New Settings:
     Name: NetBIOS Name Service
     Port number: 137
     Protocol: UDP
     State: Enabled
     Scope: Local subnet only
Old Settings:
     Name: NetBIOS Name Service
     Port number: 137
     Protocol: UDP
     State: Disabled
     Scope: Local subnet only
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
| Filtering Field | Equals to Value |
|---|---|
| OSVersion | Windows 2003, Windows XP |
| Category | Policy Change |
| Source | Security |
| EventId | 852 |
Field Matching
| Field | Description | Stored in | Sample Value |
|---|---|---|---|
| DateTime | Date/Time of event origination in GMT format. | DateTime | 10.10.2000 19:00:00 |
| Source | Name of an Application or System Service originating the event. | Source | Security |
| Type | Warning, Information, Error, Success, Failure, etc. | Type | Success |
| User | Domain\Account name of user/service/computer initiating event. | User | RESEARCH\Alebovsky |
| Computer | Name of server workstation where event was logged. | Computer | DC1 |
| EventID | Numerical ID of event. Unique within one Event Source. | EventId | 576 |
| Description | The entire unparsed event message. | Description | Special privileges assigned to new logon. |
| Log Name | The name of the event log (e.g. Application, Security, System, etc.) | LogName | Security |
| Category | A name for a subclass of events within the same Event Source. | Category | Logon/Logoff |
| Policy origin | Indicates whether Windows Firewall was getting its settings from Group Policy or the system's local policy. | InsertionString1 | Local Policy |
| Profile changed | Standard or Domain. Domain profile is applied when the computer is on its "home" network, Standard profile is applied when the computer is not connected to its "home" network, e.g. out travelling and connected to public internet via Wi-Fi. | InsertionString2 | Standard |
| Interface | Displays Network Interface Cards this firewall setting is configured for. | InsertionString3 | All interfaces |
| Change type | Type of change to the exception list: exception added, removed, or modified | InsertionString4 | Modify |
| New Name | New value for the service name corresponding to the port changed | InsertionString5 | NetBIOS Name Service |
| New Port number | New value for the port number through which traffic is allowed | InsertionString6 | 137 |
| New Protocol | New value for the protocol type (UDP or TCP) via which traffic is allowed | InsertionString7 | UDP |
| New State | New value for the state of the exception rule: Enabled or Disabled | InsertionString8 | Enabled |
| New Scope | New value for the scope of the exception rule: IP address or subnet mask to which the rule applies | InsertionString9 | Local subnet only |
| Old Name | Old value for the service name corresponding to the port changed | InsertionString10 | NetBIOS Name Service |
| Old Port number | Old value for the port number through which traffic is allowed | InsertionString11 | 137 |
| Old Protocol | Old value for the protocol type (UDP or TCP) via which traffic is allowed | InsertionString12 | UDP |
| Old State | Old value for the state of the exception rule: Enabled or Disabled | InsertionString13 | Disabled |
| Old Scope | Old value for the scope of the exception rule: IP address or subnet mask to which the rule applies | InsertionString14 | Local subnet only |
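
The following is an added example, not part of the original page: it parses an event 852 description laid out like the sample above, reports which settings differ between the Old and New blocks, and flags a change that leaves a port exception enabled when it was not enabled before. The function names (`parse_852`, `changed_fields`, `opens_port`) are hypothetical, and the input is a constructed copy of the sample description.

```python
import re

# Constructed input: the Description text of the event 852 sample on this page.
SAMPLE = """A change has been made to the Windows Firewall port exception list.

Policy origin: Local Policy
Profile changed: Standard
Interface: All interfaces
Change type: Modify
New Settings:
     Name: NetBIOS Name Service
     Port number: 137
     Protocol: UDP
     State: Enabled
     Scope: Local subnet only
Old Settings:
     Name: NetBIOS Name Service
     Port number: 137
     Protocol: UDP
     State: Disabled
     Scope: Local subnet only
"""

def parse_852(description):
    """Split the description into header fields plus 'New'/'Old' setting blocks."""
    event = {"New": {}, "Old": {}}
    target = event                      # header fields are stored at the top level
    for line in description.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if not m:
            continue                    # blank lines and the title sentence
        key, value = m.group(1).strip(), m.group(2).strip()
        if key in ("New Settings", "Old Settings") and not value:
            target = event[key.split()[0]]   # following lines belong to this block
        else:
            target[key] = value
    return event

def changed_fields(event):
    """Return {field: (old, new)} for every setting whose value differs."""
    keys = list(event["Old"]) + [k for k in event["New"] if k not in event["Old"]]
    return {k: (event["Old"].get(k), event["New"].get(k))
            for k in keys if event["Old"].get(k) != event["New"].get(k)}

def opens_port(event):
    """True when the exception is enabled now and was not enabled before."""
    return event["New"].get("State") == "Enabled" and event["Old"].get("State") != "Enabled"

if __name__ == "__main__":
    print(changed_fields(parse_852(SAMPLE)), opens_port(parse_852(SAMPLE)))
```

When the collector exposes InsertionString1 through InsertionString14 directly, the same comparison can be made on InsertionString8 (New State) and InsertionString13 (Old State) without parsing the text.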