Detections
Analytics

2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

This policy setting determines whether the system shuts down if it is unable to log Security events.

It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them.

Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure.

When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason.

If the Audit: Shut down system immediately if unable to log security audits setting is enabled, unplanned system failures can occur.

The administrative burden can be significant, especially if you also configure the Retention method for the Security log to Do not overwrite events (clear log manually).

This configuration causes a repudiation threat (a backup operator could deny that they backed up or restored data) to become a denial of service (DoS) vulnerability, because a server could be forced to shut down if it is overwhelmed with logon events and other security events that are written to the Security log.

Also, because the shutdown is not graceful, it is possible that irreparable damage to the operating system, applications, or data could result.

Although the NTFS file system guarantees its integrity when an ungraceful computer shutdown occurs, it cannot guarantee that every data file for every application will still be in a usable form when the computer restarts.

The recommended state for this setting is: 'Disabled'.

Rationale:

If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident.

Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Disabled':

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Shut down system immediately if unable to log security audits

Impact:

None - this is the default behavior.

See Also

https://workbench.cisecurity.org/files/1933

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-5, CCE|CCE-33046-4, CSCv6|6

Plugin: Windows

Control ID: c8509dc33d6300c945242482a9da8e905fb579a9123b53d74dd06f0012f7cf82