
Registry key auditing configuration must meet minimum requirements.


Overview

Finding ID: WN08-GE-000006
Version: WN08-GE-000006
Rule ID: WN08-GE-000006_rule
IA Controls:
Severity: Medium
Description
Improper modification of the registry can render a system useless. Modifications to the registry can have a significant impact on the security configuration of the system. Auditing of significant modifications made to the registry provides a method of determining the responsible party.
STIG Date
Windows 8 Security Technical Implementation Guide 2012-11-21

Details

Check Text (C-WN08-GE-000006_chk)
Verify system level auditing of object access is properly configured (see V-26545 "Object Access - Registry"). If this is not configured to audit "Failure", this requirement is a finding.

Verify detailed registry auditing is configured:
Run "Regedit".
Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_LOCAL_MACHINE\SYSTEM keys.
On the menu bar, select "Edit" then "Permissions".
Click on the "Advanced" button.
Select the "Auditing" tab.
Verify the following is configured:
Type - Fail
Name - Everyone
Access - Full Control
Apply to - This key and subkeys

If the "Everyone" group, at a minimum, is not being audited for all Failures, this is a finding.
Fix Text (F-WN08-GE-000006_fix)
Configure the HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_LOCAL_MACHINE\SYSTEM keys to audit the Everyone Group for all Failures. Propagate audit settings to subkeys.
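
The Regedit verification in the check text can also be scripted. The following PowerShell is an added example, not part of the STIG: the function name Test-RegistryFailureAudit is hypothetical, the session is assumed to be elevated (reading a SACL requires the "Manage auditing and security log" right), and the auditpol match assumes English-language output.

```powershell
# Added example: evaluates the SACL conditions listed in the check text.
# Run from an elevated PowerShell session; Get-Acl -Audit fails without it.

$AuditFlags = [System.Security.AccessControl.AuditFlags]
$Inherit    = [System.Security.AccessControl.InheritanceFlags]
$Propagate  = [System.Security.AccessControl.PropagationFlags]
$FullCtrl   = [System.Security.AccessControl.RegistryRights]::FullControl

function Test-RegistryFailureAudit {
    param([Parameter(Mandatory = $true)][string]$Path)

    $acl = Get-Acl -Path $Path -Audit
    # Ask for SIDs so the comparison does not depend on a localized group name.
    $rules = $acl.GetAuditRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    $match = $rules | Where-Object {
        $_.IdentityReference.Value -eq 'S-1-1-0' -and                # Name: Everyone
        ($_.AuditFlags -band $AuditFlags::Failure) -and              # Type: Fail
        (($_.RegistryRights -band $FullCtrl) -eq $FullCtrl) -and     # Access: Full Control
        ($_.InheritanceFlags -band $Inherit::ContainerInherit) -and  # ...and subkeys
        ($_.PropagationFlags -eq $Propagate::None)                   # This key...
    }

    [pscustomobject]@{
        Key       = $Path
        Compliant = [bool]$match
        RuleCount = @($rules).Count
    }
}

# The two keys named in the check text.
$results = 'HKLM:\SOFTWARE', 'HKLM:\SYSTEM' |
    ForEach-Object { Test-RegistryFailureAudit -Path $_ }
$results | Format-Table -AutoSize

# System-level prerequisite (V-26545 "Object Access - Registry").
# Assumption: English auditpol output, where the setting column contains "Failure".
$policy = auditpol /get /subcategory:"Registry" |
    Select-String -Pattern '^\s*Registry\s'
$policyOk = "$policy" -match 'Failure'

if (-not $policyOk) {
    Write-Warning 'Finding: Object Access - Registry is not auditing Failure.'
}
foreach ($r in $results | Where-Object { -not $_.Compliant }) {
    Write-Warning "Finding: $($r.Key) lacks an Everyone / Fail / Full Control audit entry for this key and subkeys."
}
```

A key is reported compliant only when a single audit entry satisfies every listed condition; an entry scoped to "Subkeys only" or "This key only" does not pass.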