Windows Security Log Event ID 852

Operating Systems Windows 2003 and XP
CategoryPolicy Change
Type Success
Corresponding events
in Windows 2008
and Vista
4946 , 4947 , 4948  

852: A change has been made to the Windows Firewall port exception list

On this page

Windows logs this event when an administrator changes the local policy of the Windows Firewall or a group policy refresh results in a change to the effective Windows Firewall policy - specifically exception rules that allow traffic through.

Free Security Log Resources by Randy

Description Fields in 852

  • Policy origin: Local Policy or Group Policy
  • Profile changed: Stnadard or Domain
  • Interface: NICs or "All interfaces"
  • Change type: Add/Remove/Modify

New Settings:

  • Name: Name of the port
  • Port number: Port number
  • Protocol: TCP or UDP
  • State: Enabled or Disabled
  • Scope: custom scope or "All subnets" or "Local subnet"

Old Settings:

  • Name: Name of the port
  • Port number: Port number
  • Protocol: TCP or UDP
  • State: Enabled or Disabled
  • Scope: custom scope or "All subnets" or "Local subnet"

Supercharger Free Edition


Your entire Windows Event Collection environment on a single pane of glass.

Free.

 

Examples of 852

A change has been made to the Windows Firewall port exception list

Policy origin: Local Policy
Profile changed: -
Interface: PublicNet
Change type: Add
New Settings:
     Name: -
     Port number: 3389
     Protocol: TCP
     State: Enabled
     Scope: All subnets
Old Settings:
     Name: -
     Port number: -
     Protocol: -
     State: -
     Scope: -

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

 

Upcoming Webinars
    Additional Resources