| VID |
28307 |
| Severity |
20 |
| Port |
139,445 |
| Protocol |
TCP |
| Class |
SMB |
| Detailed Description |
System Event Auditing is turned off. System Event Auditing records events affecting system security such as security log full or system shutdown and restart. Without System Event Auditing, there would be no record of when the host was started or stopped.
Event Auditing is needed to help secure your servers. Through Event Auditing you are able to watch for potential break-in attempts, changes in your security policy, violations to your security policy, and so on. These events appear in the Event Viewer Security Log.
* Note: This check requires an account with administrative privileges which can log into the host to scan. Absence of these condition will result in the check not being performed and a False Negative for all vulnerable hosts.
* References:
http://www.intersectalliance.com/projects/Win2kConfig/Windows2000Config-9.0.html
* Platforms Affected:
Windows Any version |
| Recommendation |
To enable auditing of System Events, follow the steps below appropriate for your platform.
For Windows NT:
1. Open User Manager. (From the Windows NT Start menu, select Programs, Administrative Tools (Common), and User Manager.)
2. From the Policies menu, select Audit to display the Audit Policy dialog box.
3. Check the events on Success and Failure you wish to audit, and then click on "OK".
For a Windows 2000 domain:
1. Start Microsoft Management Console (mmc). From the Windows Start menu, select Run, type mmc, and click OK.
2. Add Group Policy Snap-in.
3. Browse Group Policy Objects.
4. Select the Domain Policy of interest.
5. Traverse the following path:
Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy, and Audit System Events.
6. Check the events on Success and Failure you wish to audit, and then click on "OK".
For a stand-alone Windows 2000 computer:
1. On the affected computer, start gpedit.msc. From the Windows Start menu, select Run, type gpedit.msc, and click OK. (The focus is local computer by default)
2. Traverse the following path:
Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy, and Audit System Events.
3. Check the events on Success and Failure you wish to audit, and then click on "OK".
For Windows XP, 2003, 7, 2008, 8, 2012, 10, 2016, 2019 computer:
1. On the affected computer, start gpedit.msc. From the Windows Start menu, select Run, type gpedit.msc, and click OK. (The focus is local computer by default)
2. Traverse the following path:
Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy, and Audit System Events.
3. Check the events on Success and Failure you wish to audit, and then click on "OK".
* Note: Be aware that Group Policy settings will override Local Policy Settings. |
| Related URL |
CVE-1999-0575 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
226 (ISS) |
|
