Detections
Analytics

1.1.1.3.5 Set 'Maximum security log size' to '81920'

Information

This policy setting specifies the maximum size of the System event log. In Windows Vista and Windows Server 2008 this setting has been replaced by another called System, located at

Computer Configuration\Administrative Templates\Windows Components\Event Log Service. If both this setting and the new one are configured the settingat

Computer Configuration\Administrative Templates\Windows Components\Event Log Service will take precedence. If you significantly increase the number of objects to audit in your organization, there is a risk that the Security log will reach its capacity and force the computer to shut down if you enabled the Audit: Shut down system immediately if unable to log security audits setting. If such a shutdown occurs, the computer will be unusable until an administrator clears the Security log. To prevent such a shutdown, you can disable the Audit: Shut down system immediately if unable to log security audits setting that is described in Chapter 5, 'Security Options,' and increase the Security log size. Alternatively, you can configure automatic log rotation as described in the Microsoft Knowledge Base article 'The event log stops logging events before reaching the maximum log size' at http://support.microsoft.com/default.aspx?kbid=312571.

Solution

To implement the recommended configuration state, set the following Group Policy setting to 81920.

Computer Configuration\Windows Settings\Security Settings\Event Log\Maximum security log size

Impact- When event logs fill to capacity, they will stop recording information unless the retention method for each is set so that the computer will overwrite the oldest entries with the most recent ones. To mitigate the risk of loss of recent data, you can configure the retention method so that older events are overwritten as needed. The consequence of this configuration is that older events will be removed from the logs. Attackers can take advantage of such a configuration, because they can generate a large number of extraneous events to overwrite any evidence of their attack. These risks can be somewhat reduced if you automate the archival and backup of event log data. Ideally, all specifically monitored events should be sent to a server that uses Microsoft Operations Manager (MOM) or some other automated monitoring tool. Such a configuration is particularly important because an attacker who successfully compromises a server could clear the Security log. If all events are sent to a monitoring server, then you will be able to gather forensic information about the attacker's activities.

See Also

https://workbench.cisecurity.org/files/42

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4, CCE|CCE-3343-1, CSCv6|6.3

Plugin: Windows

Control ID: 84942d47adca2afd14ac03bd8d542530c96832639563252d72377c86e668d74c