Unauthorized accounts must not have the Manage auditing and security log user right.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-26496	WN12-UR-000032	SV-53039r1_rule	ECLP-1	Medium

Description
Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Manage auditing and security log" user right can manage the security log and change auditing configurations. This could be used to clear evidence of tampering.

STIG	Date
Windows Server 2012 Domain Controller Security Technical Implementation Guide	2014-01-07

Details

Check Text ( C-47345r1_chk )
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. If any accounts or groups other than the following are granted the "Manage auditing and security log" user right, this is a finding: Administrators If the site has an Auditors group that further limits this privilege this would not be a finding.

Check Text ( C-47345r1_chk )

Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".

Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.

If any accounts or groups other than the following are granted the "Manage auditing and security log" user right, this is a finding:

Administrators

If the site has an Auditors group that further limits this privilege this would not be a finding.

Fix Text (F-45965r1_fix)
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Manage auditing and security log" to only include the following accounts or groups: Administrators