CCE-38034-5Platform: cpe:/o:microsoft:windows_server_2012::r2 | Date: (C)2015-10-08 (M)2023-07-04 |
Audit Policy: Account Management: Security Group Management
This subcategory reports each event of security group management, such as when a security group is created, changed, or deleted or when a member is added to or removed from a security group. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of security group accounts. Events for this subcategory include:
? 4727: A security-enabled global group was created.
? 4728: A member was added to a security-enabled global group.
? 4729: A member was removed from a security-enabled global group.
? 4730: A security-enabled global group was deleted.
? 4731: A security-enabled local group was created.
? 4732: A member was added to a security-enabled local group.
? 4733: A member was removed from a security-enabled local group.
? 4734: A security-enabled local group was deleted.
? 4735: A security-enabled local group was changed.
? 4737: A security-enabled global group was changed.
? 4754: A security-enabled universal group was created.
? 4755: A security-enabled universal group was changed.
? 4756: A member was added to a security-enabled universal group.
? 4757: A member was removed from a security-enabled universal group.
? 4758: A security-enabled universal group was deleted.
? 4764: A group?s type was changed.
Refer to the Microsoft Knowledgebase article ?Description of security events in Windows Vista and in Windows Server 2008? for the most recent information about this setting: http://support.microsoft.com/default.aspx/kb/947226.
Parameter:
[success/failure/success_failure/none]
Technical Mechanism:
(1) GPO: Computer ConfigurationWindows SettingsSecurity SettingsAdvanced Audit Policy ConfigurationAudit PoliciesAccount Management!Audit Policy: Account Management: Security Group Management
(2) WMI: ###
CCSS Severity: | CCSS Metrics: |
CCSS Score : 6.5 | Attack Vector: LOCAL |
Exploit Score: 0.6 | Attack Complexity: LOW |
Impact Score: 5.9 | Privileges Required: HIGH |
Severity: MEDIUM | User Interaction: REQUIRED |
Vector: AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H | Scope: UNCHANGED |
| Confidentiality: HIGH |
| Integrity: HIGH |
| Availability: HIGH |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:22812 |