VID | 27082
Severity | 30
Port | 135
Protocol | TCP
Class | WMI
Detailed Description |
If audit settings are not configured, or the audit level is too low, the logs cannot help determine the cause of an incident or provide sufficient evidence for legal action. If the audit level is too high, too many unnecessary events are logged, which can obscure critical items and seriously degrade system performance. Set the audit options according to the legal requirements and the policy of the organization.
* Platforms Affected: Microsoft Windows Any version |
Recommendation |
[Windows Server 2003]
1. Start > Run > SECPOL.MSC > Local Policies > Audit Policy
- Logon and logoff, security policy changes: audit success / failure
- Use of user rights, user and group management: audit failure

Audit categories:
- Logon events: generate an event in the security log of the computer where the logon attempt was made whenever a user logs on to or logs off the computer.
- Account logon events: a logon attempt is logged on the domain controller when a user logs on to a domain account.
- Account management: used to determine when a user or group was created, changed, or deleted.
- Object access: enables auditing of objects that have system access control lists (SACLs) on a Windows 2000-based network. For events to appear in the security log, first enable object access auditing, and then define a SACL for each object to be audited.
- Directory service access: generates an audit entry when a user listed in the SACL of an Active Directory object attempts to access that object.
- Privilege use: generates an event whenever a user attempts to exercise a user right, when success or failure of privilege use is audited.
- Process tracking: when detailed tracking information about running processes is audited, attempts to create and to terminate a process are recorded in the event log.
- System events: generated when a user or process changes the computer environment. When system events are audited, the time at which the security log was deleted is also audited.
- Policy change: audits success and failure of audit policy changes.
[Windows Server 2008, 2012, 2016, 2019]
1. Start > Run > SECPOL.MSC > Local Policies > Audit Policy
- Logon and logoff, security policy changes: audit success / failure
- Use of user rights, user and group management: audit failure

※ Account management, privilege use, directory service access: failure
※ Account logon, logon events, policy change: success, failure |
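One way to verify a host against the recommended levels above, as an added example that is not part of the original advisory: it parses the `[Event Audit]` section of a `secedit /export /cfg` file and reports every category set below the baseline. The mapping of the page's category names to secedit keys, the treatment of the baseline as a minimum, and the sample export are assumptions made for this example.

```python
import configparser

# secedit [Event Audit] values: 0 = none, 1 = success, 2 = failure, 3 = both
SUCCESS, FAILURE = 1, 2

# Minimum audit bits per category, read from the recommendation above (assumed mapping).
BASELINE = {
    "AuditAccountManage": FAILURE,
    "AuditPrivilegeUse": FAILURE,
    "AuditDSAccess": FAILURE,
    "AuditAccountLogon": SUCCESS | FAILURE,
    "AuditLogonEvents": SUCCESS | FAILURE,
    "AuditPolicyChange": SUCCESS | FAILURE,
}

# Constructed sample export (real files are UTF-16; decode before parsing).
SAMPLE_INF = """\
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 1
AuditAccountManage = 2
AuditProcessTracking = 0
AuditDSAccess = 2
AuditAccountLogon = 3
"""

def describe(bits):
    return {0: "none", 1: "success", 2: "failure", 3: "success, failure"}[bits & 3]

def check_audit_policy(inf_text):
    """Return {setting: (configured, required)} for every setting below baseline."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the key case used by secedit
    parser.read_string(inf_text)
    section = parser["Event Audit"] if parser.has_section("Event Audit") else {}
    findings = {}
    for key, required in BASELINE.items():
        configured = int(section.get(key, 0))  # a missing key means not audited
        if (configured & required) != required:
            findings[key] = (describe(configured), describe(required))
    return findings

if __name__ == "__main__":
    for key, (have, want) in check_audit_policy(SAMPLE_INF).items():
        print(f"{key}: configured '{have}', baseline requires '{want}'")
```

On a real host, export the policy with `secedit /export /cfg <file>` and pass the file contents, read with `encoding="utf-16"`, to `check_audit_policy`.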
Related URL |
(CVE) |
Related URL |
(SecurityFocus) |
Related URL |
(ISS) |