[Forgot Password]
Login  Register Subscribe

23631

 
 

122183

 
 

98060

 
 

909

 
 

79198

 
 

109

Paid content will be excluded from the download.


Download | Alert*
CCE
view XML

CCE-43211-2

Platform: win10Date: (C)2016-09-23   (M)2017-10-23



Ensure No Auditing for 'Audit Policy: Policy Change: Filtering Platform Policy Change' This subcategory reports the addition and removal of objects from WFP, including startup filters. These events can be very high in volume. Events for this subcategory include: - 4709: IPsec Services was started. - 4710: IPsec Services was disabled. - 4711: May contain any one of the following: - PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer. - PAStore Engine applied Active Directory storage IPsec policy on the computer. - PAStore Engine applied local registry storage IPsec policy on the computer. - PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer. - PAStore Engine failed to apply Active Directory storage IPsec policy on the computer. - PAStore Engine failed to apply local registry storage IPsec policy on the computer. - PAStore Engine failed to apply some rules of the active IPsec policy on the computer. - PAStore Engine failed to load directory storage IPsec policy on the computer. - PAStore Engine loaded directory storage IPsec policy on the computer. - PAStore Engine failed to load local storage IPsec policy on the computer. - PAStore Engine loaded local storage IPsec policy on the computer. - PAStore Engine polled for changes to the active IPsec policy and detected no changes. - 4712: IPsec Services encountered a potentially serious failure. - 5040: A change has been made to IPsec settings. An Authentication Set was added. - 5041: A change has been made to IPsec settings. An Authentication Set was modified. - 5042: A change has been made to IPsec settings. An Authentication Set was deleted. - 5043: A change has been made to IPsec settings. A Connection Security Rule was added. - 5044: A change has been made to IPsec settings. A Connection Security Rule was modified. - 5045: A change has been made to IPsec settings. A Connection Security Rule was deleted. - 5046: A change has been made to IPsec settings. A Crypto Set was added. - 5047: A change has been made to IPsec settings. A Crypto Set was modified. - 5048: A change has been made to IPsec settings. A Crypto Set was deleted. - 5440: The following callout was present when the Windows Filtering Platform Base Filtering Engine started. - 5441: The following filter was present when the Windows Filtering Platform Base Filtering Engine started. - 5442: The following provider was present when the Windows Filtering Platform Base Filtering Engine started. - 5443: The following provider context was present when the Windows Filtering Platform Base Filtering Engine started. - 5444 : The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started. - 5446: A Windows Filtering Platform callout has been changed. - 5448: A Windows Filtering Platform provider has been changed. - 5449: A Windows Filtering Platform provider context has been changed. - 5450: A Windows Filtering Platform sub-layer has been changed. - 5456: PAStore Engine applied Active Directory storage IPsec policy on the computer. - 5457: PAStore Engine failed to apply Active Directory storage IPsec policy on the computer. - 5458 : PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer. - 5459: PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer. - 5460: PAStore Engine applied local registry storage IPsec policy on the computer. - 5461: PAStore Engine failed to apply local registry storage IPsec policy on the computer. - 5462: PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem. - 5463: PAStore Engine polled for changes to the active IPsec policy and detected no changes. - 5464: PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services. - 5465: PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully. - 5466: PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied. - 5467: PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used. - 5468: PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used. - 5471: PAStore Engine loaded local storage IPsec policy on the computer. - 5472: PAStore Engine failed to load local storage IPsec policy on the computer. - 5473: PAStore Engine loaded directory storage IPsec policy on the computer. - 5474: PAStore Engine failed to load directory storage IPsec policy on the computer. - 5477: PAStore Engine failed to add quick mode filter. Refer to the Microsoft Knowledgebase article 'Description of security events in Windows Vista and in Windows Server 2008' for the most recent information about this setting: http://support.microsoft.com/kb/947226. Counter Measure: Enable Audit policy settings that support the organizational security policy for all the computers in your organization. Identify the components that you need for an audit policy that enables your organization to hold users accountable for their actions while using organizational resources and enables IT departments to detect unauthorized activity efficiently and then track those events in log files. Potential Impact: If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities.


Parameter:


Technical Mechanism: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Policy: Policy Change: Filtering Platform Policy Change

References:

Resource IdReference
SCAP Repo OVAL Definitionoval:org.secpod.oval:def:35506


OVAL    1
oval:org.secpod.oval:def:35506
XCCDF    4
xccdf_org.secpod_benchmark_general_Windows_10
xccdf_org.secpod_benchmark_NIST_800_53_r4_Windows_10
xccdf_org.secpod_benchmark_NIST_800_171_R1_Windows_10
xccdf_org.secpod_benchmark_PCI_3_2_Windows_10
...

© 2013 SecPod Technologies