Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-1088 | 3.010 | SV-32249r3_rule | ECAR-3 | Medium |
Description |
---|
Improper modification of the registry can have a significant impact on the security configuration of a system as well as potentially rendering a system inoperable. Failed access attempts may indicate an attack on a system. Auditing for failed access attempts provides an indicator of such attempts and a method of determining responsible parties. |
STIG | Date |
---|---|
Windows Server 2008 R2 Member Server Security Technical Implementation Guide | 2014-01-07 |
Check Text ( C-45828r2_chk ) |
---|
If "Object Access -> Registry" auditing is not properly configured (V-26545), this is a finding. If "Global Object Access Auditing" of the registry has not been configured to audit all failed access attempts for the "Everyone" group, this is a finding. Use the AuditPol tool to review the current configuration. Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "Auditpol /resourceSACL /type:Key /view" ("Key" in the /type parameter is case sensitive). The following results should be displayed: "Entry: 1"; "Resource Type: Key"; "User: Everyone"; "Flags: Failure"; "Accesses: KEY_ALL_ACCESS". Alternately, registry auditing may be configured through the registry editor. If configured as follows, this is not a finding. Run "Regedit". Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_LOCAL_MACHINE\SYSTEM keys. On the menu bar, select "Edit", then "Permissions". Click on the "Advanced" button. Select the "Auditing" tab. Verify the following: Type - Fail; Name - Everyone; Access - Full Control; Apply to - This key and subkeys. |
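
The AuditPol portion of this check can be scripted. The PowerShell below is an added example, not part of the STIG: it parses the output of the command given in the check text and reports whether a matching entry exists. The function names and sample data are constructed, and it assumes the one-field-per-line layout that the check text lists.

```powershell
# Added example: evaluates only the Global Object Access Auditing part of the check.
# "Object Access -> Registry" auditing (V-26545) must still be reviewed separately.

function ConvertFrom-ResourceSacl {
    # Groups "Name: value" lines into one object per "Entry:" block.
    param([string[]]$Lines)
    $entries = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $name, $value = $Matches[1], $Matches[2]
            if ($name -eq 'Entry') {
                if ($null -ne $current) { $entries += [pscustomobject]$current }
                $current = [ordered]@{}
            }
            if ($null -ne $current) { $current[$name] = $value }
        }
    }
    if ($null -ne $current) { $entries += [pscustomobject]$current }
    return $entries
}

function Test-RegistryGlobalSacl {
    # True when an entry audits failed KEY_ALL_ACCESS attempts by Everyone.
    # Assumption: any Flags value containing "Failure" covers failed access.
    param([string[]]$Lines)
    $hit = ConvertFrom-ResourceSacl $Lines | Where-Object {
        $_.'Resource Type' -eq 'Key' -and
        $_.User -eq 'Everyone' -and
        $_.Flags -match 'Failure' -and
        $_.Accesses -eq 'KEY_ALL_ACCESS'
    }
    return [bool]$hit
}

# Constructed sample outputs (not captured from a real host).
$samples = [ordered]@{
    'expected'     = 'Entry: 1', 'Resource Type: Key', 'User: Everyone',
                     'Flags: Failure', 'Accesses: KEY_ALL_ACCESS'
    'success-only' = 'Entry: 1', 'Resource Type: Key', 'User: Everyone',
                     'Flags: Success', 'Accesses: KEY_ALL_ACCESS'
    'no-entries'   = @('The command was successfully executed.')
}
# On a live system, from an elevated prompt, use instead:
#   $samples = @{ live = (& auditpol.exe /resourceSACL /type:Key /view) }

foreach ($name in $samples.Keys) {
    $ok = Test-RegistryGlobalSacl $samples[$name]
    '{0,-13} {1}' -f $name, $(if ($ok) { 'Not a finding' } else { 'Finding' })
}
```
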
Fix Text (F-43220r1_fix) |
---|
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Global Object Access Auditing -> "Registry" with the following: Principal: Everyone; Type: Fail; Permissions: all categories selected. |