An Auditors group has not been created to restrict access to the Windows Event Logs.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-1137	1.010	SV-29779r1_rule	ECTP-1	Medium

Description
The Security Event Log contains information on security exceptions that occur on the system. This data is critical for identifying security vulnerabilities and intrusions. The Application and System logs can also contain information that is critical in assessing security events. Therefore, these logs must be protected from unauthorized access and modification. An Auditors group will be used to restrict access to auditing through the User Right “Manage auditing and security log” (V-1103) and for assigning permissions to event logs (V-1077). Only individuals who have auditing responsibilities (IAO, IAM, auditors, etc.) should be members of this group. The individual System Administrators responsible for maintaining this system can also be members of this group.

Description

The Security Event Log contains information on security exceptions that occur on the system. This data is critical for identifying security vulnerabilities and intrusions. The Application and System logs can also contain information that is critical in assessing security events. Therefore, these logs must be protected from unauthorized access and modification. An Auditors group will be used to restrict access to auditing through the User Right “Manage auditing and security log” (V-1103) and for assigning permissions to event logs (V-1077). Only individuals who have auditing responsibilities (IAO, IAM, auditors, etc.) should be members of this group. The individual System Administrators responsible for maintaining this system can also be members of this group.

STIG	Date
Windows 2008 Domain Controller Security Technical Implementation Guide	2013-07-03

Details

Check Text ( C-7886r1_chk )
Interview the SA to determine if an Auditors group for controlling the Windows Event Logs has been created. NOTE: The administrator(s) responsible for the installation and maintenance of the individual system(s) must be a member(s) of the Auditors group. This will permit the responsible administrator to enable and configure system auditing, and perform maintenance functions related to the logs. Administrators who are not responsible for maintenance on an individual system will not be included in the Auditors group.

Check Text ( C-7886r1_chk )

Interview the SA to determine if an Auditors group for controlling the Windows Event Logs has been created.

NOTE: The administrator(s) responsible for the installation and maintenance of the individual system(s) must be a member(s) of the Auditors group. This will permit the responsible administrator to enable and configure system auditing, and perform maintenance functions related to the logs. Administrators who are not responsible for maintenance on an individual system will not be included in the Auditors group.

Fix Text (F-34r1_fix)
Create an Auditors group for controlling the Windows Event Logs and assign the necessary rights and access controls.