Global object access auditing of the registry must be configured to record failures.


Overview

Finding ID: WN12-AU-000116
Version: WN12-AU-000116
Rule ID: WN12-AU-000116_rule
IA Controls: (none listed)
Severity: Medium
Description
Improper modification of the registry can have a significant impact on the security configuration of a system, as well as potentially rendering a system inoperable. Failed access attempts may indicate an attack on a system. Auditing for failed access attempts provides an indicator of such attempts and a method of determining responsible parties.
STIG: Microsoft Windows Server 2012 Member Server Security Technical Implementation Guide
Date: 2013-07-25

Details

Check Text (C-WN12-AU-000116_chk)
If "Object Access -> Registry" auditing is not properly configured (V-26545), this is a finding.

If "Global Object Access Auditing" of the registry has not been configured to audit all failed access attempts for the "Everyone" group, this is a finding.

Use the AuditPol tool to review the current configuration.
Open a Command Prompt with elevated privileges ("Run as Administrator").
Enter "Auditpol /resourceSACL /type:Key /view" ("Key" in the /type parameter is case sensitive).

The following results should be displayed:

Entry: 1
Resource Type: Key
User: Everyone
Flags: Failure
Condition
Accesses:
KEY_ALL_ACCESS
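
One way to automate the comparison against the expected results above, as an added example that is not part of the STIG: a PowerShell function that parses the AuditPol output and reports whether an entry for "Everyone" audits failures with KEY_ALL_ACCESS. The function name, the sample lines and the rule that any Flags value containing "Failure" passes are assumptions; the "Object Access -> Registry" subcategory (V-26545) still has to be checked separately.

```powershell
# Added example (not STIG text). Returns $true when the parsed output contains
# an entry for Everyone that audits failures with KEY_ALL_ACCESS.
function Test-RegistryGlobalSacl {
    param([string[]]$AuditPolOutput)

    $entries = @()
    $current = $null
    $inAccesses = $false
    foreach ($line in $AuditPolOutput) {
        $text = "$line".Trim()
        if ($text -match '^Entry:\s*\d+') {
            # A new entry starts; collect its fields in a fresh hashtable.
            $current = @{ User = ''; Flags = ''; Accesses = @() }
            $entries += $current
            $inAccesses = $false
        }
        elseif ($null -eq $current) { continue }
        elseif ($text -match '^User:\s*(.+)$') { $current.User = $Matches[1] }
        elseif ($text -match '^Flags:\s*(.+)$') { $current.Flags = $Matches[1] }
        elseif ($text -match '^Accesses:') { $inAccesses = $true }
        elseif ($inAccesses -and $text -cmatch '^[A-Z_]+$') {
            # Access names are listed one per line after "Accesses:".
            $current.Accesses += $text
        }
    }

    # Assumption: any Flags value that contains "Failure" audits failed access.
    $hits = @($entries | Where-Object {
        $_.User -eq 'Everyone' -and
        $_.Flags -match 'Failure' -and
        $_.Accesses -contains 'KEY_ALL_ACCESS'
    })
    return ($hits.Count -gt 0)
}

# Constructed sample input, copied from the expected results in the check text.
$expected = 'Entry: 1', 'Resource Type: Key', 'User: Everyone',
            'Flags: Failure', 'Condition', 'Accesses:', 'KEY_ALL_ACCESS'
# Constructed non-compliant variant: same entry, but auditing successes only.
$successOnly = $expected -replace '^Flags: Failure$', 'Flags: Success'

Test-RegistryGlobalSacl -AuditPolOutput $expected
Test-RegistryGlobalSacl -AuditPolOutput $successOnly

# On a live system, from an elevated prompt:
# Test-RegistryGlobalSacl -AuditPolOutput (auditpol /resourceSACL /type:Key /view)
```
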
Fix Text (F-WN12-AU-000116_fix)
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Global Object Access Auditing -> "Registry" with the following:

Principal: Everyone
Type: Fail
Permissions: all categories selected