Windows Security Log Event ID 852

Operating Systems: Windows 2003 and XP
Category: Policy Change
Type: Success
Corresponding events in Windows 2008 and Vista: 4946, 4947, 4948

852: A change has been made to the Windows Firewall port exception list

Windows logs this event when an administrator changes the local policy of the Windows Firewall, or when a Group Policy refresh results in a change to the effective Windows Firewall policy, specifically the exception rules that allow traffic through.

Description Fields in 852

  • Policy origin: Local Policy or Group Policy
  • Profile changed: Standard or Domain
  • Interface: NICs or "All interfaces"
  • Change type: Add/Remove/Modify

New Settings:

  • Name: Name of the port
  • Port number: Port number
  • Protocol: TCP or UDP
  • State: Enabled or Disabled
  • Scope: custom scope or "All subnets" or "Local subnet"

Old Settings:

  • Name: Name of the port
  • Port number: Port number
  • Protocol: TCP or UDP
  • State: Enabled or Disabled
  • Scope: custom scope or "All subnets" or "Local subnet"

Examples of 852

A change has been made to the Windows Firewall port exception list

Policy origin: Local Policy
Profile changed: -
Interface: PublicNet
Change type: Add
New Settings:
     Name: -
     Port number: 3389
     Protocol: TCP
     State: Enabled
     Scope: All subnets
Old Settings:
     Name: -
     Port number: -
     Protocol: -
     State: -
     Scope: -
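
As an added example (not part of the original page), the following Python code parses the description text of event 852 into its top-level, New Settings and Old Settings fields and applies a few triage rules to the change. The function names `parse_852` and `review_852` are hypothetical, and the triage rules are assumptions chosen for illustration.

```python
import re

# Description text taken from the 852 example on this page.
SAMPLE_852 = """A change has been made to the Windows Firewall port exception list
Policy origin: Local Policy
Profile changed: -
Interface: PublicNet
Change type: Add
New Settings:
     Name: -
     Port number: 3389
     Protocol: TCP
     State: Enabled
     Scope: All subnets
Old Settings:
     Name: -
     Port number: -
     Protocol: -
     State: -
     Scope: -
"""

FIELD = re.compile(r"^\s*([^:]+):\s*(.*)$")

def parse_852(text):
    """Split an 852 description into top-level fields plus 'new'/'old' groups."""
    event = {"new": {}, "old": {}}
    target = event
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # header line or blank line
        key, value = m.group(1).strip(), m.group(2).strip()
        if key in ("New Settings", "Old Settings"):
            target = event["new" if key.startswith("New") else "old"]
        else:
            target[key] = None if value == "-" else value  # "-" means not set
    return event

def review_852(event):
    """Return reasons (assumed triage rules) why this change deserves review."""
    reasons = []
    new, old = event["new"], event["old"]
    if new.get("State") == "Enabled" and old.get("State") != "Enabled":
        reasons.append("port exception newly enabled")
        if new.get("Scope") == "All subnets":
            reasons.append("exception is open to all subnets")
    if event.get("Policy origin") == "Local Policy":
        reasons.append("changed in local policy rather than Group Policy")
    return reasons
```

For the event above, `review_852(parse_852(SAMPLE_852))` reports all three reasons: TCP 3389 was newly enabled, for all subnets, through local policy.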
