The registry must be audited for failed access attempts.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-1088	3.010	SV-25135r3_rule	ECAR-3	Medium

Description
Improper modification of the registry can have a significant impact on the security configuration of a system as well as potentially rendering a system inoperable. Failed access attempts may indicate an attack on a system. Auditing for failed access attempts provides an indicator of such attempts and a method of determining responsible parties.

STIG	Date
Windows 7 Security Technical Implementation Guide	2014-06-27

Details

Check Text ( C-45827r2_chk )
If "Object Access -> Registry" auditing is not properly configured (V-26545), this is a finding. If "Global Object Access Auditing" of the registry has not been configured to audit all failed access attempts for the "Everyone" group, this is a finding. Use the AuditPol tool to review the current configuration. Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "Auditpol /resourceSACL /type:Key /view". ("Key" in the /type parameter is case sensitive). The following results should be displayed. Entry: 1 Resource Type: Key User: Everyone Flags: Failure Accesses: KEY_ALL_ACCESS Alternately, registry auditing may be configured through the registry editor. If configured as follows, this is not a finding. Run "Regedit". Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_LOCAL_MACHINE\SYSTEM keys. On the menu bar, select "Edit", then "Permissions". Click on the "Advanced" button. Select the "Auditing" tab. Verify the following. Type - Fail Name - Everyone Access - Full Control Apply to - This key and subkeys

Check Text ( C-45827r2_chk )

If "Object Access -> Registry" auditing is not properly configured (V-26545), this is a finding.

If "Global Object Access Auditing" of the registry has not been configured to audit all failed access attempts for the "Everyone" group, this is a finding.

Use the AuditPol tool to review the current configuration.
Open a Command Prompt with elevated privileges ("Run as Administrator").
Enter "Auditpol /resourceSACL /type:Key /view". ("Key" in the /type parameter is case sensitive).

The following results should be displayed.

Entry: 1
Resource Type: Key
User: Everyone
Flags: Failure
Accesses:
KEY_ALL_ACCESS

Alternately, registry auditing may be configured through the registry editor. If configured as follows, this is not a finding.

Run "Regedit".
Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_LOCAL_MACHINE\SYSTEM keys.
On the menu bar, select "Edit", then "Permissions".
Click on the "Advanced" button.
Select the "Auditing" tab.
Verify the following.

Type - Fail
Name - Everyone
Access - Full Control
Apply to - This key and subkeys

Fix Text (F-43219r1_fix)
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Global Object Access Auditing -> "Registry" with the following. Principal: Everyone Type: Fail Permissions: all categories selected