2.2.49 Ensure 'Manage auditing and security log' is set to 'Administrators' (STIG DC only)

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

This policy setting determines which users can change the auditing options for files and directories and clear the Security log.

For environments running Microsoft Exchange Server, the Exchange Servers group must possess this privilege on Domain Controllers to properly function. Given this, DCs that grant the Exchange Servers group this privilege also conform to this benchmark. If the environment does not use Microsoft Exchange Server, then this privilege should be limited to only Administrators on DCs.

The STIG recommended state for this setting is: Administrators.

Note: This user right is considered a 'sensitive privilege' for the purposes of auditing.

Note #2: The CIS recommended state for this setting is: Administrators and (when Exchange is running in the environment) Exchange Servers, which differs from the STIG recommended state.

Rationale:

The ability to manage the Security event log is a powerful user right and it should be closely guarded. Anyone with this user right can clear the Security log to erase important evidence of unauthorized activity.

Impact:

None - this is the default behavior.

Solution

To establish the recommended configuration via GP, configure the following UI path:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Manage auditing and security log

Default Value:

Administrators.

Additional Information:

Microsoft Windows Server 2019 Security Technical Implementation Guide:
Version 2, Release 1, Benchmark Date: November 13, 2020

Vul ID: V-205643
Rule ID: SV-205643r569188_rule
STIG ID: WN19-UR-000170
Severity: CAT II

See Also

https://workbench.cisecurity.org/files/3345