Ensure Audit Success and Failure for 'Object Access: Audit SAM'ID: oval:org.secpod.oval:def:14802 | Date: (C)2013-08-13 (M)2022-10-10 |
Class: COMPLIANCE | Family: windows |
This policy setting allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects.
SAM objects include the following:
SAM_ALIAS - A local group.
SAM_GROUP - A group that is not a local group.
SAM_USER - A user account.
SAM_DOMAIN - A domain.
SAM_SERVER - A computer account.
If you configure this policy setting, an audit event is generated when an attempt to access a kernel object is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
If you do not configure this policy setting, no audit event is generated when an attempt to access a kernel object is made.
Note: Only the System Access Control List (SACL) for SAM_SERVER can be modified.
Volume: High on domain controllers. For information about reducing the amount of events generated in this subcategory, see article 841001 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=121698).
Fix:
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Object Access\Audit SAM events on failure
(2) REG: INFO NOT AVAILABLE
Platform: |
Microsoft Windows 7 |