deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-24 14:53:44 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
Files
5fb14baed461c901b0cb2d8a7f7a800de0a6dddb
windows-itpro-docs/windows/device-security/auditing/event-4949.md
Brian Lich 33c3fb2e74 New TOC for docs.microsoft.com
2017-04-19 14:12:47 -07:00

68 lines
2.2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
title: 4949(S) Windows Firewall settings were restored to the default values. (Windows 10)
description: Describes security event 4949(S) Windows Firewall settings were restored to the default values.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4949(S): Windows Firewall settings were restored to the default values.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4949.png" alt="Event 4949 illustration" width="449" height="317" hspace="10" align="left" />
***Subcategory:***&nbsp;[Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
***Event Description:***
This event generates when Windows Firewall settings were locally restored to the default configuration.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4949</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13571</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-02T23:38:28.804003300Z" />
<EventRecordID>1049926</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="3768" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData />
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
## Security Monitoring Recommendations
For 4949(S): Windows Firewall settings were restored to the default values.
- You shouldnt see this event during normal Windows Firewall operations, because it should be intentionally done by user or software. This event should be always monitored and an alert should be triggered, especially on critical computers or devices.
- This event can be helpful in case you want to monitor all changes of Firewall rules which were done locally, especially restores to default configuration.
Reference in New Issue View Git Blame Copy Permalink