Event ID 857 – The Windows Firewall setting to allow remote administration, allowing port TCP 135 and DCOM/RPC, has changed.
When the remote administration settings of Windows Firewall are changed, event ID 857 is logged by Windows. Such a change is usually instituted by an administrator or a group policy refresh.
This log data provides the following information:
- Policy Origin
- Profile Changed
- New Settings - Allow remote administration
- Old Settings - Allow remote administration
Why does event ID 857 need to be monitored?
All changes with regards to Windows Firewall need to be monitored since unplanned or unauthorized changes need immediate investigation. It could be a sign of malicious activity.
ADAudit Plus helps you avoid the GPOs monitoring complexities with real-time pre-configured reports and auditing of the changes along with alerts within a Domain & OU. The advanced Group Policy settings real-time audit reports highlight the elusive change details, and also provide the old and new values of the modified attributes.
Event 857 applies to the following operating systems:
- Windows 2003 and XP
Corresponding event ID in Windows 2008 and Windows Vista is 4950.
Explore Active Directory auditing and reporting with ADAudit Plus.
- Related Products
- ADManager Plus Active Directory Management & Reporting
- ADAudit Plus Real-time Active Directory Auditing and UBA
- EventLog Analyzer Real-time Log Analysis & Reporting
- ADSelfService Plus Self-Service Password Management
- AD360 Integrated Identity & Access Management
- Log360 Comprehensive SIEM and UEBA
- AD Free Tools Active Directory FREE Tools