Event Details
EventID 848 - The following policy was active when the Windows Firewall started [Win 2003 / XP]
 Sample:
Event Type:     Success Audit
Event Source:   Security
Event Category: Policy Change
Event ID:       848
Date:           12/16/2009
Time:           06:50:28
User:           NT AUTHORITY\SYSTEM
Computer:       DC1
Description:    
The following policy was active when the Windows Firewall started.

Group Policy applied: No
Profile used: Standard
Interface: All interfaces
Operational mode: Off
Services:
     File and Printer Sharing: Disabled
     Remote Desktop: Disabled
     UPnP Framework: Disabled
Allow remote administration: Disabled
Allow unicast responses to multicast/broadcast traffic: Disabled
Security Logging:
     Log dropped packets: Disabled
     Log successful connections Disabled
ICMP:
     Allow incoming echo request: Disabled
     Allow incoming timestamp request: Disabled
     Allow incoming mask request: Disabled
     Allow incoming router request: Disabled
     Allow outgoing destination unreachable: Disabled
     Allow outgoing source quench: Disabled
     Allow outgoing parameter problem: Disabled
     Allow outgoing time exceeded: Disabled
     Allow redirect: Disabled
     Allow outgoing packet too big: Disabled
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field | Equals to Value
OSVersion | Windows 2003, Windows XP
Category | Policy Change
Source | Security
EventId | 848
Field Matching
Field | Description | Stored in | Sample Value
When | At what date and time a user activity originated in the system. | DateTime |
Who | Account or user name under which the activity occurred. | User |
What | The type of activity that occurred (e.g. Logon, Password Changed, etc.) | Category |
Where | The name of the workstation/server where the activity was logged. | Computer |
Where From | The name of the workstation/server where the activity was initiated from. | - | 10.10.10.10
Severity | Specify the seriousness of the event. | "Low" | Low
WhoDomain -
WhereDomain -