WinSecWiki » Windows Security Settings » Local Policies » Audit Policy » Audit policy change

Other Policy Change Events

whsmith — Tue, 28 Aug 2012 17:25:52 GMT

So far I've only found one event in this category and it should clearly be in the Filtering Platform Policy Change subcategory instead. As with all subcategories you must use auditpol to enable to disable these events.

Coverage on events generated by this category are currently in the Security Log Encyclopedia:

Event ID	Title
5447	A Windows Filtering Platform filter has been changed.

Filtering Platform Policy Change

whsmith — Tue, 28 Aug 2012 17:24:23 GMT

This chatty category documents the current configuration of the Windows Filtering Platform (related for lower level than the Windows Firewall) whenever it starts as well as any changes to it's configuration. To configure this on Server 2008 and Vista you must use auditpol. Windows 7 and Server 2008 R2 and later can use Group Policy.

Coverage on events generated by this category are currently in the Security Log Encyclopedia:

Event ID	Title
5440	The following callout was present when the Windows Filtering Platform Base Filtering Engine started
5441	The following filter was present when the Windows Filtering Platform Base Filtering Engine started.
5442	The following provider was present when the Windows Filtering Platform Base Filtering Engine started.
5443	The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.
5444	The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.
5446	A Windows Filtering Platform callout has been changed.
5448	A Windows Filtering Platform provider has been changed.
5449	A Windows Filtering Platform provider context has been changed.
5450	A Windows Filtering Platform sub-layer has been changed.

MPSSVC Rule-Level Policy Change

whsmith — Tue, 28 Aug 2012 17:22:38 GMT

This chatty category documents the current configuration of the Windows Firewall (aka MPSSVC) whenever it starts as well as any changes to it's configuration. To configure this on Server 2008 and Vista you must use auditpol. Windows 7 and Server 2008 R2 and later can use Group Policy.

Coverage on events generated by this category are currently in the Security Log Encyclopedia:

Event ID	Title
4944	The following policy was active when the Windows Firewall started.
4945	A rule was listed when the Windows Firewall started.
4946	A change has been made to Windows Firewall exception list. A rule was added.
4947	A change has been made to Windows Firewall exception list. A rule was modified.
4948	A change has been made to Windows Firewall exception list. A rule was deleted.
4949	Windows Firewall settings were restored to the default values.
4950	A Windows Firewall setting has changed.
4951	A rule has been ignored because its major version number was not recognized by Windows Firewall.
4952	Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall.
4954	Windows Firewall Group Policy settings has changed. The new settings have been applied.
4956	Windows Firewall has changed the active profile.
4957	Windows Firewall did not apply the following rule:
4958	Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:

Authorization Policy Change

whsmith — Tue, 28 Aug 2012 17:21:14 GMT

I've only isolated a few events logged by this category. Let me know via a discussion post on this event if you know of more. To configure this on Server 2008 and Vista you must use auditpol. Windows 7 and Server 2008 R2 and later can use Group Policy.

Coverage on events generated by this category are currently in the Security Log Encyclopedia:

Event ID	Title
4704	A user right was assigned.
4705	A user right was removed.
4714	Encrypted data recovery policy was changed.

Authentication Policy Change

whsmith — Tue, 28 Aug 2012 17:16:14 GMT

This category tracks any configuration changes that would impact how user accounts are authenticated although password and lockout policies are conspicuously missing. To configure this on Server 2008 and Vista you must use auditpol. Windows 7 and Server 2008 R2 and later can use Group Policy.

Coverage on events generated by this category are currently in the Security Log Encyclopedia:

Event ID	Title
4706	A new trust was created to a domain.
4707	A trust to a domain was removed.
4713	Kerberos policy was changed.
4716	Trusted domain information was modified.
4717	System security access was granted to an account.
4718	System security access was removed from an account.
4865	A trusted forest information entry was added.
4866	A trusted forest information entry was removed.
4867	A trusted forest information entry was modified.

Audit Policy Change

whsmith — Tue, 28 Aug 2012 17:11:41 GMT

This category tracks any policy changes that would affect what gets reported to the security log. To configure this on Server 2008 and Vista you must use auditpol. Windows 7 and Server 2008 R2 and later can use Group Policy.

Coverage on events generated by this category are currently in the Security Log Encyclopedia:

Event ID	Title
4715	The audit policy (SACL) on an object was changed.
4719	System audit policy was changed.
4902	The Per-user audit policy table was created.
4904	An attempt was made to register a security event source.
4905	An attempt was made to unregister a security event source.
4906	The CrashOnAuditFail value has changed.
4907	Auditing settings on object were changed.
4912	Per User Audit Policy was changed.

OVERVIEW: Audit Policy Change

instantasp@gmail.com — Thu, 02 Apr 2009 18:24:59 GMT

The Audit policy change policy provides notification of changes to important security policies on the local system, such as changes to the system’s audit policy or, when the local system is a DC, changes to trust relationships.

The following is an exerpt from my book, The Windows Server Security Log Revealed :

The Policy Change category provides notification of changes to important security policies on the local system, such as to the system’s audit policy or, in the case of DCs, to trust relationships.

For a list of Event IDs generated by this category, see the Security Log Encyclopedia.

Bottom Line

Windows XP, 2000 and 2003: I recommend enabling this policy for success on all computers including workstations. We have not observed any failure events in this category.
Windows Server 2008 and Vista: I don't recommend managing audit policy at this level because too much noise is generated. Use subcategories instead. See Audit Category: Policy Change (Windows Server 2008 and Vista).