Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-1088 | 3.010 | SV-32249r2_rule | ECAR-3 | Medium |
Description |
---|
Improper modification of the Registry can render a system useless. Modifications to the Registry can have a significant impact on the security configuration of the system. Auditing of significant modifications made to the Registry provides a method of determining the responsible party. |
STIG | Date |
---|---|
Windows Server 2008 R2 Member Server Security Technical Implementation Guide | 2012-07-02 |
Check Text ( C-32851r2_chk ) |
---|
Verify system-level auditing of object access is properly configured (see V-26545 “Object Access - Registry”). If this is not configured to audit “Failure”, this requirement is a finding. Verify detailed registry auditing is configured. Run “Regedit”. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_LOCAL_MACHINE\SYSTEM keys. On the menu bar, select “Edit”, then “Permissions”. Click on the “Advanced” button. Select the “Auditing” tab. Verify the following is configured: Type – Fail; Name – Everyone; Access – Full Control; Apply to – This key and subkeys. If the “Everyone” group, at a minimum, is not being audited for all failures, this is a finding. |
Fix Text (F-28953r1_fix) |
---|
Configure the HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_LOCAL_MACHINE\SYSTEM keys to audit the Everyone Group for all failures. Audit settings should be propagated to subkeys. |
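
The Regedit check above can also be scripted. The following PowerShell is an added example, not part of the STIG text: it reads the audit entries (SACL) on both keys and reports whether a failure-audit entry for Everyone with Full Control, applied to this key and subkeys, is present. The function name `Test-RegistryFailureAudit` is hypothetical, and the script covers only the registry SACL, not the system-level audit policy in V-26545.

```powershell
# Added example, not STIG content. Run from an elevated session:
# reading a SACL requires the "Manage auditing and security log" privilege.

function Test-RegistryFailureAudit {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$Path)

    $everyoneSid = 'S-1-1-0'   # well-known SID for Everyone; avoids localized group names
    $failure = [System.Security.AccessControl.AuditFlags]::Failure
    $full    = [System.Security.AccessControl.RegistryRights]::FullControl
    $subkeys = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $noProp  = [System.Security.AccessControl.PropagationFlags]::None

    # -Audit makes Get-Acl include the SACL in the returned security descriptor
    $acl = Get-Acl -Path $Path -Audit

    # Explicit and inherited audit rules, with identities returned as SIDs
    $rules = @($acl.GetAuditRules($true, $true,
        [System.Security.Principal.SecurityIdentifier]))

    # An entry satisfies the check when it audits failures for Everyone,
    # covers Full Control, and applies to this key and all subkeys
    $hits = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $everyoneSid -and
        ($_.AuditFlags -band $failure) -eq $failure -and
        ($_.RegistryRights -band $full) -eq $full -and
        ($_.InheritanceFlags -band $subkeys) -eq $subkeys -and
        $_.PropagationFlags -eq $noProp
    })

    New-Object PSObject -Property @{
        Key           = $Path
        AuditEntries  = $rules.Count
        MatchingEntry = ($hits.Count -gt 0)   # $false means this key is a finding
    }
}

'HKLM:\SOFTWARE', 'HKLM:\SYSTEM' |
    ForEach-Object { Test-RegistryFailureAudit -Path $_ } |
    Format-Table Key, AuditEntries, MatchingEntry -AutoSize
```

An entry that audits both success and failure also satisfies the test, since the requirement is a minimum.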