4950 A Windows Firewall setting has changed
Logged when a Windows Firewall setting (such as profile behavior) is changed. It captures changes to the firewall's overall settings rather than to individual rules.
Overview
The subcategory is Audit MPSSVC Rule-Level Policy Change. The event is generated when firewall profile settings (enabled/disabled, default inbound/outbound behavior, notification settings, and so on) are changed. Unlike the rule add/modify/delete events (4946 to 4948), it indicates a change to the overall settings.
How it is triggered
- Enabling/disabling a profile (Domain/Private/Public), changing default behavior, and so on.
Security review points
- Disabling the firewall (turning a profile Off) is a hallmark of defense evasion. An attacker may change settings to remove communication restrictions in bulk, so investigate changes in the disabling direction as the top priority.
- Changes such as setting the default inbound behavior to "allow" or altering logging settings also reduce defenses and visibility. Check which setting of which profile was changed.
Notes for log review
- It also occurs during legitimate configuration changes (GPO application, etc.). Check the changed profile, setting item, and direction (enable/disable).
- Alerting narrowed to firewall disabling or loosening of default behavior is effective.
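As an added example (not part of this page), the narrowed alerting described above in Python: it parses constructed 4950 message bodies and rates disabling or loosening changes above other changes. The "Changed Profile / Type / Value" labels and the setting names are assumptions of this example, not values taken from the page.

```python
import re

# Constructed 4950 message bodies (sample input, not real log captures).
# The "Changed Profile / New Setting: Type / Value" layout and the setting
# names follow the event text as shown in Event Viewer; treat the exact
# labels as an assumption of this example.
SAMPLE_MESSAGES = [
    "A Windows Firewall setting has changed.\nChanged Profile: Public\nNew Setting:\n\tType: Enable Windows Firewall\n\tValue: No",
    "A Windows Firewall setting has changed.\nChanged Profile: Private\nNew Setting:\n\tType: Default Inbound Action\n\tValue: Allow",
    "A Windows Firewall setting has changed.\nChanged Profile: Domain\nNew Setting:\n\tType: Log Dropped Packets\n\tValue: No",
    "A Windows Firewall setting has changed.\nChanged Profile: Domain\nNew Setting:\n\tType: Enable Windows Firewall\n\tValue: Yes",
    "A Windows Firewall setting has changed.\nChanged Profile: Public\nNew Setting:\n\tType: Display Notifications\n\tValue: No",
]

SEVERITY = {"info": 0, "medium": 1, "high": 2}

def parse_4950(message):
    """Pull profile, setting type and new value out of one 4950 message body."""
    fields = {}
    for label, key in (("Changed Profile", "profile"), ("Type", "setting"), ("Value", "value")):
        m = re.search(rf"^\s*{label}:\s*(.+?)\s*$", message, re.MULTILINE)
        fields[key] = m.group(1) if m else ""
    return fields

def classify(event):
    """Rate one parsed 4950 record: 'high' for disabling/loosening, 'medium'
    for reduced visibility, 'info' for everything else (including hardening)."""
    setting = event["setting"].lower()
    value = event["value"].lower()
    off = value in ("no", "false", "0", "off")
    if "enable windows firewall" in setting and off:
        return "high", "firewall profile turned off"
    if "default inbound" in setting and value == "allow":
        return "high", "default inbound action loosened to Allow"
    if setting.startswith("log ") and off:
        return "medium", "firewall logging reduced"
    return "info", "other or hardening change"

def triage(events, min_severity="medium"):
    """Return (severity, profile, setting, reason) for records at or above
    min_severity, most severe first: the narrowed alerting the notes recommend."""
    alerts = []
    for ev in events:
        sev, reason = classify(ev)
        if SEVERITY[sev] >= SEVERITY[min_severity]:
            alerts.append((sev, ev["profile"], ev["setting"], reason))
    return sorted(alerts, key=lambda a: -SEVERITY[a[0]])

if __name__ == "__main__":
    for alert in triage(parse_4950(m) for m in SAMPLE_MESSAGES):
        print(alert)
```

In practice the message bodies would come from the Security log (for example via Get-WinEvent filtered on event ID 4950) rather than the constructed samples; the two "enable" and "notification" changes are kept at "info" so they do not drown out the disabling and loosening ones.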
Key fields
| Field | Meaning |
|---|---|
| Profile | The changed profile |
| Changed setting | Enabled/disabled, default behavior, etc. |
| Modifying Application | The process that made the change |