| VID |
28303 |
| Severity |
20 |
| Port |
139,445 |
| Protocol |
TCP |
| Class |
SMB |
| Detailed Description |
File and Object Access Auditing is turned off. Auditing tracks access to files, directories, registry keys, and other objects (such as printers). Auditing of these events must be enabled both by the security descriptor on the object and in the auditing settings. Event Auditing is needed to help secure your servers. Through Event Auditing you are able to watch for potential break-in attempts, changes in your security policy, violations of your security policy, and so on. These events appear in the Event Viewer Security Log.
* Note: This check requires an account with administrative privileges which can log into the host to scan. If these conditions are not met, the check is not performed, which results in a False Negative for all vulnerable hosts.
* References: http://www.intersectalliance.com/projects/Win2kConfig/Windows2000Config-9.0.html
* Platforms Affected: Windows Any version |
| Recommendation |
To enable auditing of File and Object Access, you must perform two tasks:
1. Enable the Audit Policy called "Audit Object Access".
2. Enable auditing on the specific files and folders you wish to audit.
* Note: Object auditing is available only to NTFS objects, not FAT objects. Auditing object access demands large amounts of computing overhead, especially if the object monitored (such as a file or directory) is frequently accessed.
To enable the Audit Policy called "Audit Object Access":
For Windows NT, to implement File and Object Access Auditing at the system level:
1. Open User Manager. (From the Windows NT Start menu, select Programs, Administrative Tools (Common), and User Manager.)
2. From the Policies menu, select Audit to display the Audit Policy dialog box.
3. Check the events on Success and Failure you wish to audit, and then click on "OK".
For a Windows 2000 domain, to configure the Audit Object Access Events:
1. Start Microsoft Management Console (mmc). From the Windows Start menu, select Run, type mmc, and click OK.
2. Add Group Policy Snap-in.
3. Browse Group Policy Objects.
4. Select the Domain Policy of interest.
5. Traverse the following path: Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy, and Audit object access.
6. Check the events on Success and Failure you wish to audit, and then click on "OK".
For a stand-alone Windows 2000 computer, to configure the Audit Object Access Events:
1. On the affected computer, start gpedit.msc. From the Windows Start menu, select Run, type gpedit.msc, and click OK. (The focus is the local computer by default.)
2. Traverse the following path: Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy, and Audit object access.
3. Check the events on Success and Failure you wish to audit, and then click on "OK".
For a Windows XP, 2003, 7, 2008, 8, 2012, 10, 2016, or 2019 computer:
1. On the affected computer, start gpedit.msc. From the Windows Start menu, select Run, type gpedit.msc, and click OK. (The focus is the local computer by default.)
2. Traverse the following path: Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy, and Audit object access.
3. Check the events on Success and Failure you wish to audit, and then click on "OK".
To enable auditing on the specific files and folders you wish to audit:
1. Using My Computer or Windows Explorer, go to the object that you want to audit.
2. Right-click the object and select Properties to display the Properties dialog box.
3. Click the Security tab, and then click on the "Advanced" button. If you don't have a Security tab, you are probably not using NTFS. If so, it is strongly recommended that you upgrade to NTFS (using the convert /FS:NTFS command) so that you can use file permissions.
4. Click on the "Auditing" tab, and then click on the "Add" button.
5. Select one of these choices:
   * To add a new user or group name, click Add. Add the names from the Add Users and Groups dialog box.
   * To modify auditing, select the name and the Success and Failure audits that are required for your security policy.
   * To remove auditing, select the name and click Remove.
6. Click OK twice to apply the changes.
* Note: Be aware that Group Policy settings will override Local Policy Settings. |
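The two tasks above can also be scripted. The following PowerShell is an added example, not part of the original advisory: it enables Success and Failure auditing for the File System subcategory of Object Access with auditpol.exe (Windows Vista/2008 and later, English subcategory name assumed), then adds an audit entry to one folder. The folder `C:\Sensitive` and the `Everyone` principal are placeholders.

```powershell
# Added example: enable file object-access auditing and audit one folder.
# Run from an elevated PowerShell prompt.
param(
    [string]$Path     = 'C:\Sensitive',  # placeholder: folder to audit
    [string]$Identity = 'Everyone'       # placeholder: principal to audit
)

if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
    throw "Folder not found: $Path"
}

# Object auditing is not available on FAT volumes, so check first.
$root  = [System.IO.Path]::GetPathRoot((Resolve-Path -LiteralPath $Path).Path)
$drive = New-Object System.IO.DriveInfo $root
if ($drive.DriveFormat -match 'FAT') {
    throw "$root is $($drive.DriveFormat); auditing needs NTFS."
}

# Task 1: audit policy. Only the File System subcategory is enabled here,
# which is narrower than the whole "Audit object access" policy.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
if ($LASTEXITCODE -ne 0) { throw 'auditpol failed; is the prompt elevated?' }

# Task 2: audit entry (SACL) on the folder. Auditing only changes, deletes
# and permission edits keeps the overhead lower than auditing every read.
$ns      = 'System.Security.AccessControl'
$rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object "$ns.FileSystemAuditRule" ($Identity, $rights, $inherit, $prop, $flags)

$acl = Get-Acl -LiteralPath $Path -Audit   # -Audit loads the SACL as well
$acl.AddAuditRule($rule)
Set-Acl -LiteralPath $Path -AclObject $acl

# Verify both halves. A domain Group Policy can overwrite the local
# audit policy at the next refresh, so re-check after gpupdate.
auditpol /get /subcategory:"File System"
(Get-Acl -LiteralPath $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited
```

Once both settings are in place, matching accesses appear in the Security log in Event Viewer.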
| Related URL |
CVE-1999-0575 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
228 (ISS) |
|