Auditing of registry key HKEY_LOCAL_MACHINE\SOFTWARE must meet minimum requirements.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-36725	WN08-GE-000006-01	SV-48374r1_rule	ECAR-3	Medium

Description
Improper modification of the registry can render a system useless. Modifications to the registry can have a significant impact on the security configuration of the system. Auditing of significant modifications made to the registry provides a method of determining the responsible party.

STIG	Date
Windows 8 Security Technical Implementation Guide	2013-02-15

Details

Check Text ( C-45043r1_chk )
Verify system level auditing of object access is properly configured (see V-26545 "Object Access - Registry"). If this is not configured to audit "Failure", this requirement is a finding. Verify detailed registry auditing is configured: Run "Regedit". Navigate to "HKEY_LOCAL_MACHINE\SOFTWARE". On the menu bar, select "Edit" then "Permissions". Click on the "Advanced" button. Select the "Auditing" tab. Verify the following is configured. Type - Fail Name - Everyone Access - Full Control Apply to - This key and subkeys If the "Everyone" group, at a minimum is not being audited for all Failures, this is a finding.

Check Text ( C-45043r1_chk )

Verify system level auditing of object access is properly configured (see V-26545 "Object Access - Registry"). If this is not configured to audit "Failure", this requirement is a finding.

Verify detailed registry auditing is configured:
Run "Regedit".
Navigate to "HKEY_LOCAL_MACHINE\SOFTWARE".
On the menu bar, select "Edit" then "Permissions".
Click on the "Advanced" button.
Select the "Auditing" tab.
Verify the following is configured.
Type - Fail
Name - Everyone
Access - Full Control
Apply to - This key and subkeys

If the "Everyone" group, at a minimum is not being audited for all Failures, this is a finding.

Fix Text (F-41505r1_fix)
Configure "HKEY_LOCAL_MACHINE\SOFTWARE" to audit the Everyone Group for all Failures. Propagate audit settings to subkeys.