Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-1088 | 3.010 | SV-29631r2_rule | ECAR-3 | Medium |
Description |
---|
Improper modification of the Registry can render a system useless. Modifications to the Registry can have a significant impact on the security configuration of the system. Auditing of significant modifications made to the Registry provides a method of determining the responsible party. |
STIG | Date |
---|---|
Windows 2008 Member Server Security Technical Implementation Guide | 2015-09-02 |
Check Text ( C-41199r1_chk ) |
---|
Verify system level auditing of object access is properly configured (see V-6850 “Object access - Registry”). If this is not configured to audit “Failure”, this requirement is a finding. Verify detailed registry auditing is configured. Run “Regedit”. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_LOCAL_MACHINE\SYSTEM keys. On the menu bar, select “Edit” then “Permissions”. Click on the “Advanced” button. Select the “Auditing” tab. Verify the following is configured: Type - Fail Name - Everyone Access - Full Control Apply to - This key and subkeys If the “Everyone” group, at a minimum is not being audited for all failures, this is a finding. |
Fix Text (F-28953r1_fix) |
---|
Configure the HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_LOCAL_MACHINE\SYSTEM keys to audit the Everyone Group for all failures. Audit settings should be propagated to subkeys. |