The file system must be audited for failed access attempts.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-1080	2.007	SV-25134r2_rule	ECAR-1 ECAR-2 ECAR-3	Medium

Description
Improper modification of system files can have a significant impact on the security configuration of a system as well as potentially rendering a system inoperable. Failed access attempts may indicate an attack on a system. Auditing for failed access attempts provides an indicator of such attempts and a method of determining responsible parties.

STIG	Date
Windows 7 Security Technical Implementation Guide	2015-09-02

Details

Check Text ( C-45824r2_chk )
If "Object Access -> File System" auditing is not properly configured (V-26544), or if drives are not formatted with NTFS (V-1081), this is a finding. If "Global Object Access Auditing" of the file system has not been configured to audit all failed access attempts for the "Everyone" group, this is a finding. Use the AuditPol tool to review the current configuration. Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "Auditpol /resourceSACL /type:File /view". ("File" in the /type parameter is case sensitive). The following results should be displayed. Entry: 1 Resource Type: File User: Everyone Flags: Failure Accesses: FILE_READ_DATA FILE_WRITE_DATA FILE_APPEND_DATA FILE_READ_EA FILE_WRITE_EA FILE_EXECUTE FILE_DELETE_CHILD FILE_READ_ATTRIBUTES FILE_WRITE_ATTRIBUTES DELETE READ_CONTROL WRITE_DAC WRITE_OWNER The command was successfully executed. Alternately, file auditing may be configured through Windows Explorer. If configured as follows, this is not a finding. For each drive on the system, view the file auditing configuration. Open Windows Explorer. Right click a drive and select "Properties". Select the "Security" tab. Click "Advanced". Select the "Auditing" tab. Click "Continue" to view auditing properties. Verify the following. Type - Fail Name - Everyone Access - Full control Apply to - This folder, subfolders and files

Check Text ( C-45824r2_chk )

If "Object Access -> File System" auditing is not properly configured (V-26544), or if drives are not formatted with NTFS (V-1081), this is a finding.

If "Global Object Access Auditing" of the file system has not been configured to audit all failed access attempts for the "Everyone" group, this is a finding.

Use the AuditPol tool to review the current configuration.
Open a Command Prompt with elevated privileges ("Run as Administrator").
Enter "Auditpol /resourceSACL /type:File /view". ("File" in the /type parameter is case sensitive).

The following results should be displayed.

Entry: 1
Resource Type: File
User: Everyone
Flags: Failure
Accesses:
FILE_READ_DATA
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_READ_EA
FILE_WRITE_EA
FILE_EXECUTE
FILE_DELETE_CHILD
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER

The command was successfully executed.

Alternately, file auditing may be configured through Windows Explorer. If configured as follows, this is not a finding.

For each drive on the system, view the file auditing configuration.
Open Windows Explorer.
Right click a drive and select "Properties".
Select the "Security" tab.
Click "Advanced".
Select the "Auditing" tab.
Click "Continue" to view auditing properties.
Verify the following.

Type - Fail
Name - Everyone
Access - Full control
Apply to - This folder, subfolders and files

Fix Text (F-43216r1_fix)
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Global Object Access Auditing -> "File system" to audit the "Everyone" group for all "Failed" categories.