Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-1077 | 2.001 | SV-29200r2_rule | ECTP-1 | Medium |
Description |
---|
Event logs are susceptible to unauthorized, and possibly anonymous, tampering if proper access permissions are not applied. |
STIG | Date |
---|---|
Windows 2003 Domain Controller Security Technical Implementation Guide | 2015-03-09 |
Check Text (C-51979r1_chk) |
---|
Verify the permissions for the Windows event logs. If the permissions for these files are not as restrictive as the permissions listed below, this is a finding. The event log files "AppEvent.Evt," "SecEvent.Evt," and "SysEvent.Evt" are found in the "%SystemRoot%\SYSTEM32\CONFIG" directory by default. They may have been moved to another folder. Permissions: Administrators - Read & Execute; "Auditors" group - Full Control; SYSTEM - Full Control. Note: See V-1137 for the Auditors group requirement. |
Fix Text (F-53859r1_fix) |
---|
Configure the access permissions on the event logs to the following: Administrators - Read & Execute; "Auditors" group - Full Control; SYSTEM - Full Control. The event log files "AppEvent.Evt," "SecEvent.Evt," and "SysEvent.Evt" are found in the "%SystemRoot%\SYSTEM32\CONFIG" directory by default. They may have been moved to another folder. |
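
The check above can be scripted. The following PowerShell is an added example, not part of the STIG: it reports any Allow entry on the three log files that names an account outside the list or grants more than the listed rights. It assumes PowerShell is installed, the logs are in the default directory, and the auditors group is named "Auditors"; the function name Test-EventLogAcl is hypothetical.

```powershell
# Added example: compare event log ACLs with the permissions listed in V-1077.
# Assumptions: default log directory; auditors group is literally named "Auditors".
$logDir = Join-Path $env:SystemRoot 'SYSTEM32\CONFIG'
$logs   = 'AppEvent.Evt', 'SecEvent.Evt', 'SysEvent.Evt'

# Maximum rights allowed per account. Accounts are matched on the name after the
# last backslash, a simplification (BUILTIN\Administrators -> Administrators).
$allowed = @{
    'Administrators' = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    'Auditors'       = [System.Security.AccessControl.FileSystemRights]::FullControl
    'SYSTEM'         = [System.Security.AccessControl.FileSystemRights]::FullControl
}
$sync = [System.Security.AccessControl.FileSystemRights]::Synchronize

function Test-EventLogAcl {
    param([string]$Path)
    $findings = @()
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        # Deny entries only restrict access further, so they are never a finding here.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $name = $ace.IdentityReference.Value.Split('\')[-1]
        if (-not $allowed.ContainsKey($name)) {
            $findings += "$Path : unexpected account $($ace.IdentityReference) has $($ace.FileSystemRights)"
            continue
        }
        # Any bit outside the allowed mask is excess (Synchronize accompanies file rights).
        $mask  = [int]$allowed[$name] -bor [int]$sync
        $extra = [int]$ace.FileSystemRights -band (-bnot $mask)
        if ($extra -ne 0) {
            $findings += "$Path : $($ace.IdentityReference) exceeds allowed rights ($($ace.FileSystemRights))"
        }
    }
    return $findings
}

foreach ($log in $logs) {
    $path = Join-Path $logDir $log
    if (-not (Test-Path $path)) {
        Write-Output "$path : not found (the logs may have been moved to another folder)"
        continue
    }
    $result = @(Test-EventLogAcl -Path $path)
    if ($result.Count -eq 0) { Write-Output "$path : OK" } else { $result }
}
```

If the logs have been moved, set $logDir to the new folder before running the loop.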