Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-1080 | WN12-AU-000114 | SV-52842r1_rule | ECAR-1 ECAR-2 ECAR-3 | Medium |
Description |
---|
Improper modification of system files can have a significant impact on the security configuration of a system, as well as potentially rendering a system inoperable. Failed access attempts may indicate an attack on a system. Auditing for failed access attempts provides an indicator of such attempts and a method of determining responsible parties. |
STIG | Date |
---|---|
Windows Server 2012 / 2012 R2 Domain Controller Security Technical Implementation Guide | 2014-06-30 |
Check Text ( C-47159r2_chk ) |
---|
If "Object Access -> File System" auditing is not properly configured (V-26544), or if drives are not formatted with NTFS (V-1081), this is a finding. If "Global Object Access Auditing" of the file system has not been configured to audit all failed access attempts for the "Everyone" group, this is a finding. Use the AuditPol tool to review the current configuration. Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "Auditpol /resourceSACL /type:File /view". ("File" in the /type parameter is case sensitive). The following results should be displayed: Entry: 1 Resource Type: File User: Everyone Flags: Failure Condition: Accesses: FILE_READ_DATA FILE_WRITE_DATA FILE_APPEND_DATA FILE_READ_EA FILE_WRITE_EA FILE_EXECUTE FILE_DELETE_CHILD FILE_READ_ATTRIBUTES FILE_WRITE_ATTRIBUTES DELETE READ_CONTROL WRITE_DAC WRITE_OWNER The command was successfully executed. |
Fix Text (F-45768r2_fix) |
---|
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Global Object Access Auditing -> "File system" with the following: Principal: Everyone Type: Fail Permissions: all categories selected If this is configured on a domain controller, in local or group policy, do not set any conditions limiting the scope. |