VID 28625
Severity 40
Port 139,445
Protocol TCP
Class SMB
Detailed Description The retention period of the Security Event Log is less than the value defined in your security policy.
Systems should keep the Security log for a sensible retention period so that legitimate users can be held accountable for their actions, unauthorized activity can be tracked, and system problems can be detected and diagnosed. An inappropriate retention setting exposes the system to the following risks. If the number of audited objects grows significantly, the Security log can fill to capacity; on systems configured to halt when they cannot write audit records, this forces a shutdown. Depending on the retention method, a full log either stops recording important recent events or, because an attacker who can generate auditable events can fill it deliberately, becomes a denial-of-service vector. Whatever retention period you choose, make sure the maximum log size is large enough to hold the events generated during that interval. The possible retention methods for an event log are:
- Overwrite events as needed: the oldest events are overwritten when the log is full, so nothing is archived.
- Overwrite events by days: events younger than the configured number of days (1 to 365) are never overwritten; if the log fills before they age out, new events are discarded.
- Do not overwrite events (clear log manually): once the log is full, new events are discarded until the log is cleared by hand.

* Note: This check requires an account with Guest-level or higher privileges that can read the registry of the remote host. Without such an account the check is not performed, which produces a false negative for every vulnerable host.

* References:
http://www.microsoft.com/technet/Security/topics/hardsys/tcg/tcgch06.mspx
http://msdn.microsoft.com/library/en-us/dnsecure/html/msdn_secinst.asp
http://is-it-true.org/nt/atips/atips28.shtml

* Platforms Affected:
Microsoft Windows 2000, XP, 2003
Recommendation Set the retention period of the Security Event Log to a value equal to or greater than the one defined in the current security policy.

* To change the retention period by using the Event Viewer:
1. From the Windows Start menu, select Settings, Control Panel, Administrative Tools, and then Event Viewer.
2. In the Event Viewer tree, right-click 'Security Log' and select Properties.
3. On the General tab, select the retention method defined in the security policy.
4. If 'Overwrite events by days' is selected, set the number of days to the value defined in the security policy.

* To change the retention period by using the registry editor:
1. Open Registry Editor. (From the Windows Start menu, select Run, type regedit or regedt32, and click OK.)
2. Go to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security registry key.
3. Set the REG_DWORD value "Retention" to the value defined in the security policy:
- Overwrite events as needed: 0
- Overwrite events by days: 1 to 31536000 (the retention period in seconds; Event Viewer stores whole days as days x 86400, so 365 days = 31536000)
- Do not overwrite events (clear log manually): 4294967295 (0xFFFFFFFF)
4. Restart the system to apply the change.
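The following PowerShell script, added here as a worked example (it is not part of the original advisory or the scanner's own check), performs the same audit as this VID and optionally applies the registry fix described in the steps above. It reads the REG_DWORD values "Retention" (seconds, with 0 and 0xFFFFFFFF as the two special cases listed above) and "MaxSize" (the log's maximum size in bytes) under the Security key, and compares the result against a policy threshold. The threshold `$PolicyDays` and the function names are assumptions chosen for this example; substitute the value from your own security policy.

```powershell
# Added example, not code from the original advisory. Audits and optionally fixes the
# Security log retention setting described above. Assumes the registry layout
# HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security with REG_DWORD values
# "Retention" (seconds; 0 = overwrite as needed, 0xFFFFFFFF = do not overwrite)
# and "MaxSize" (bytes). $PolicyDays is a hypothetical site-policy value.
param(
    [int]$PolicyDays = 30,   # retention required by the security policy (assumed value)
    [switch]$Fix             # write the corrected value instead of only reporting
)

$Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'

function Get-SecurityLogRetention {
    $p = Get-ItemProperty -Path $Key -Name Retention, MaxSize -ErrorAction Stop
    # The provider returns REG_DWORD as a signed Int32, so 0xFFFFFFFF arrives as -1.
    # Mask it back to the unsigned 32-bit value the registry actually holds.
    $raw = [uint32]([int64]$p.Retention -band 0xFFFFFFFF)
    $mode = switch ($raw) {
        0          { 'OverwriteAsNeeded' }
        4294967295 { 'DoNotOverwrite' }
        default    { 'OverwriteByDays' }
    }
    $days = $null
    if ($mode -eq 'OverwriteByDays') { $days = [math]::Floor($raw / 86400) }
    [pscustomobject]@{
        Mode      = $mode
        Seconds   = $raw
        Days      = $days
        MaxSizeKB = [math]::Floor([int64]$p.MaxSize / 1024)
    }
}

function Test-SecurityLogRetention {
    param([int]$RequiredDays)
    $r = Get-SecurityLogRetention
    # "Do not overwrite" satisfies any retention period (events are never discarded
    # until someone clears the log); "overwrite as needed" never satisfies one.
    switch ($r.Mode) {
        'DoNotOverwrite'    { $true }
        'OverwriteAsNeeded' { $false }
        'OverwriteByDays'   { $r.Days -ge $RequiredDays }
    }
}

$current = Get-SecurityLogRetention
Write-Host ("Security log: mode={0} days={1} maxsize={2} KB" -f $current.Mode, $current.Days, $current.MaxSizeKB)

if (Test-SecurityLogRetention -RequiredDays $PolicyDays) {
    Write-Host "OK: retention meets the $PolicyDays-day policy."
}
elseif ($Fix) {
    # Event Viewer stores a day count as days * 86400 seconds; do the same here.
    $seconds = [int]($PolicyDays * 86400)
    Set-ItemProperty -Path $Key -Name Retention -Value $seconds -Type DWord
    Write-Host "Set Retention to $seconds seconds ($PolicyDays days); restart the system to apply."
}
else {
    Write-Warning "FAIL: retention is below the $PolicyDays-day policy (re-run with -Fix to correct)."
}
```

Run it without arguments to report only; `-Fix` writes the new value and therefore needs local administrator rights. The script deliberately treats "Do not overwrite" as compliant but prints MaxSize alongside the verdict, because that mode only holds events for as long as the log has room: a small MaxSize combined with "Do not overwrite" silently drops new events (and, on a host set to halt on audit failure, shuts the system down) long before the policy's retention period is reached.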
Related URL CVE-1999-0596 (CVE)
Related URL 2579 (ISS)