Generate security audits
|ID: oval:org.secpod.oval:def:40227||Date: (C)2017-04-25 (M)2018-03-15|
|Class: COMPLIANCE||Family: windows|
This policy setting determines which users or processes can generate audit records in the Security log.
When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers.
An attacker could use this capability to create a large number of audited events, which would make it more difficult for a system administrator to locate any illicit activity. Also, if the event log is configured to overwrite events as needed, any evidence of unauthorized activities could be overwritten by a large number of unrelated events.
Ensure that only the Service and Network Service accounts have the Generate security audits user right assigned to them.
None. This is the default configuration.
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Generate security audits
(2) REG: NO INFO
|Microsoft Windows Server 2016|