4954 Windows Firewall Group Policy settings have changed and were applied
Written when Windows Firewall Group Policy settings change and the new settings are applied. It captures firewall configuration changes via GPO.
Overview
The subcategory is Audit MPSSVC Rule-Level Policy Change. It is generated when firewall-related Group Policy settings change and the new settings are applied to the machine.
How it is triggered
- When firewall settings are updated in domain Group Policy and reflected on the target machine.
Security review points
- Firewall setting changes made via GPO take effect broadly. If an attacker tampers with a domain GPO to loosen or disable the firewall, the defenses of every machine the GPO applies to weaken at once. Review the applied settings together with the GPO change events (5136, etc.).
- Unlike 4950, which records a per-machine setting change, this event indicates a bulk change originating from policy.
Notes for log review
- This event also occurs during legitimate GPO updates. Check whether the applied settings move in the disabling or loosening direction.
- Pay attention to GPO applications that weaken the firewall, and cross-reference them with the GPO's own change history.
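One way to do the cross-referencing described above, as an added example (not part of the original page): it links each 4954 to the most recent 5136 edit of a groupPolicyContainer object within a lookback window and lists the hosts each edit reached. The events, host and user names, the dictionary field names and the two-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs); field names are this example's own.
GPO_DN = "CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=test"
EVENTS = [
    {"id": 5136, "time": "2024-05-01T10:00:00", "host": "DC01",
     "object_class": "groupPolicyContainer", "object_dn": GPO_DN, "user": "admin-a"},
    {"id": 4954, "time": "2024-05-01T10:20:00", "host": "WS01"},
    {"id": 4954, "time": "2024-05-01T10:45:00", "host": "WS02"},
    {"id": 4954, "time": "2024-05-01T11:10:00", "host": "WS03"},
    {"id": 4954, "time": "2024-05-03T09:00:00", "host": "WS04"},  # no GPO edit nearby
]

def _ts(event):
    return datetime.fromisoformat(event["time"])

def correlate(events, window=timedelta(hours=2)):
    """Link each 4954 to the latest GPO edit (5136) within `window` before it."""
    edits = sorted((e for e in events if e["id"] == 5136
                    and e.get("object_class") == "groupPolicyContainer"), key=_ts)
    linked = {}   # (edit time, user, object DN) -> set of hosts that applied it
    orphans = []  # hosts whose 4954 has no GPO edit in the lookback window
    for ev in sorted((e for e in events if e["id"] == 4954), key=_ts):
        prior = [g for g in edits if timedelta(0) <= _ts(ev) - _ts(g) <= window]
        if prior:
            g = prior[-1]  # most recent edit before this application
            key = (g["time"], g["user"], g["object_dn"])
            linked.setdefault(key, set()).add(ev["host"])
        else:
            orphans.append(ev["host"])
    return {k: sorted(v) for k, v in linked.items()}, orphans

def wide_changes(linked, min_hosts=3):
    """GPO edits whose firewall settings landed on at least `min_hosts` machines."""
    return [k for k, hosts in linked.items() if len(hosts) >= min_hosts]

if __name__ == "__main__":
    linked, orphans = correlate(EVENTS)
    for (when, user, dn), hosts in linked.items():
        print(f"{when} {user} edited {dn} -> 4954 on {hosts}")
    print("4954 with no GPO edit in window:", orphans)
```

A 4954 that matches no recorded GPO edit is the case to check against the GPO's change history by hand, since the edit may fall outside the window or outside the collected logs.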
Key fields
| Field | Meaning |
|---|---|
| Applied settings | The new firewall settings |
| Profile | The target profile |