3.10.4.1 (L1) Ensure 'Include command line in process creation events' is set to 'Enabled'

Information

This policy setting controls whether the process creation command line text is logged in security audit events when a new process has been created.

The recommended state for this setting is: Enabled

Note: This feature that this setting controls was not originally supported in workstation OSes older than Windows 8.1. However, in February 2015 Microsoft added support for the feature to Windows 7 and Windows 8.0 via an update -

KB3004375

. Therefore, this setting is also important to set on those older OSes.

Capturing process command line information in event logs can be very valuable when performing forensic investigations of attack incidents.

Solution

To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled

Administrative Templates\System\Audit Process Creation\Include command line in process creation events

Impact:

Process command line information will be included in the event logs, which can contain sensitive or private information such as passwords or user data.

Warning: There are potential risks of capturing credentials and sensitive information which could be exposed to users who have read-access to event logs. Microsoft provides a feature called 'Protected Event Logging' to better secure event log data. For assistance with protecting event logging, visit:

About Logging Windows - PowerShell | Microsoft Docs

.

See Also

https://workbench.cisecurity.org/benchmarks/16852

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2, CSCv7|16.4

Plugin: Windows

Control ID: 3be09181b044fcb74ece017f5ba5d24ed2bc83ea106a700b68fc8b7023ccb326