VID 28621
Severity 40
Port 139,445
Protocol TCP
Class SMB
Detailed Description The maximum size of the Application Event Log is less than the value defined in your security policy.
Systems should have a sensible Application log size so that legitimate users can be held accountable for their actions, unauthorized activity can be tracked, and system problems can be detected and diagnosed. An improper maximum log size can lead to problems such as the following. If the number of objects to audit increases significantly, there is a risk of filling the security log to capacity and thus forcing the system to shut down. Attackers can potentially overwrite any evidence of their attack by generating a large number of extraneous events. Therefore, you should determine a sensible size by considering the average number of events generated. Microsoft recommends that the maximum combined size for all event logs should not exceed 300MB.

* Note: This check requires an account with Guest or higher privileges that can access the registry of the remote host being scanned. If these conditions are not met, the check is not performed, which results in a false negative for all vulnerable hosts.

* References:
http://www.microsoft.com/technet/Security/topics/hardsys/tcg/tcgch06.mspx
http://msdn.microsoft.com/library/en-us/dnsecure/html/msdn_secinst.asp
http://is-it-true.org/nt/atips/atips28.shtml

* Platforms Affected:
Microsoft Windows Any version
Recommendation Set the maximum size of the Application Event Log so that it is equal to or greater than the value in the current policy.

* To change the maximum event log size by using the Event Viewer:
1. From the Windows Start menu (charms), select Settings, Control Panel, Administrative Tools, and Event Viewer.
2. In the Event Viewer tree, right-click 'Application Log' and select Properties.
3. On the General tab, set the maximum event log size to a sensible size or the size defined in the security policy.

* To change the maximum event log size by using the registry editor:
1. Open Registry Editor. (From the Windows system Start menu, select Run, type regedit or regedt32, and click OK.)
2. Go to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application registry key.
3. Set the value of the "MaxSize" entry to a sensible size or the size defined in the security policy.
4. To apply the change, restart the system.
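
The registry procedure above can be scripted for auditing many hosts. The following PowerShell is an added example, not part of the original check: it reads "MaxSize" for the Application log, compares it with a policy minimum, reports the combined "MaxSize" of the logs under the EventLog key against the 300MB guidance, and writes a corrected value only when -Remediate is given. The 16MB default and the helper name Get-LogMaxBytes are assumptions; substitute the value from your own policy.

```powershell
# Added example: audit (and optionally fix) the Application log MaxSize value.
# Run elevated on the host being checked.
param(
    [int64]$PolicyMinBytes = 16MB,   # assumed placeholder; use your policy's value
    [switch]$Remediate
)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
$key  = Join-Path $base 'Application'

# Hypothetical helper: returns MaxSize in bytes, or $null if the value is absent.
function Get-LogMaxBytes([string]$Path) {
    $v = (Get-ItemProperty -Path $Path -Name MaxSize -ErrorAction SilentlyContinue).MaxSize
    if ($null -eq $v) { return $null }
    return ([int64]$v -band 0xFFFFFFFFL)   # normalise a DWORD that was read as signed
}

$current = Get-LogMaxBytes $key
$compliant = ($null -ne $current) -and ($current -ge $PolicyMinBytes)

# Combined MaxSize of every log registered under the EventLog key.
$total = 0L
Get-ChildItem -Path $base | ForEach-Object {
    $b = Get-LogMaxBytes $_.PSPath
    if ($null -ne $b) { $total += $b }
}

[pscustomobject]@{
    Log             = 'Application'
    MaxSizeBytes    = $current          # empty means the value is not set
    PolicyMinBytes  = $PolicyMinBytes
    Compliant       = $compliant
    CombinedBytes   = $total
    CombinedOver300 = ($total -gt 300MB)
}

if ($Remediate -and -not $compliant) {
    # MaxSize is stored in bytes and is expected in 64 KB increments: round up.
    $target = [int64]([math]::Ceiling($PolicyMinBytes / 64KB) * 64KB)
    if ($target -gt [int]::MaxValue) { throw 'Policy value too large for this example.' }
    Set-ItemProperty -Path $key -Name MaxSize -Value ([int]$target) -Type DWord
    Write-Output "MaxSize set to $target bytes; restart the system to apply the change."
}
```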
Related URL CVE-1999-0596 (CVE)
Related URL (SecurityFocus)
Related URL 2521 (ISS)