Auditing of 'Audit account logon events' events on success should be enabled or disabled as appropriate.

enabled/disabled

(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account logon events
(2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditAccountLogon' and precedence=1

CCE-2628
Worksheet: Audit Policy Settings; Row: 56
Setting Index #15: This policy setting determines whether to audit each instance of a user who logs on to or off from another computer that validates the account.
oval:org.secpod.oval:def:14741

HIPAA/HITECH Act
Jericho Forum
BITS Shared Assessments SIG v6.0
FedRAMP Security Controls(Final Release Jan 2012)--LOW IMPACT LEVEL--
ISO/IEC 27001-2005
COBIT 4.1
GAPP (Aug 2009)
NERC CIP
NIST SP800-53 R3 AU-2
PCIDSS v2.0
FedRAMP Security Controls(Final Release Jan 2012)--MODERATE IMPACT LEVEL--
BITS Shared Assessments AUP v5.0

CCE Version 4.2 2008-02-15
Microsoft Security Compliance Management Toolkit for Windows 7, Windows 7 Security Baseline Settings.xlsm 2009-10-01
Microsoft Security Compliance Management Toolkit for Windows 7, Windows 7 Security Baseline.xml 2009-10-01
SCAP Repo OVAL Definition 2013-08-13
HIPAA/HITECH Act 2012-10-12
Jericho Forum 2012-10-12
BITS Shared Assessments SIG v6.0 2012-10-12
ISO/IEC 27001-2005 2012-10-12
COBIT 4.1 2012-10-12
GAPP (Aug 2009) 2012-10-12
NERC CIP 2012-10-12
NIST SP800-53 R3 2012-10-12
PCIDSS v2.0 2012-10-12
BITS Shared Assessments AUP v5.0 2012-10-12