18.9.3.1 (L1) Ensure 'Include command line in process creation events' is set to 'Enabled'

Information

This policy setting controls whether the process creation command line text is logged in security audit events when a new process has been created.

The recommended state for this setting is: Enabled

Note: This feature that this setting controls was not originally supported in server OSes older than Windows Server 2012 R2. However, in February 2015 Microsoft added support for the feature to Windows Server 2008 R2 and Windows Server 2012 (non-R2) via an update -

KB3004375

. Therefore, this setting is also important to set on those older OSes.

Capturing process command line information in event logs can be very valuable when performing forensic investigations of attack incidents.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled :

Computer Configuration\Policies\Administrative Templates\System\Audit Process Creation\Include command line in process creation events

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AuditSettings.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

Impact:

Process command line information will be included in the event logs, which can contain sensitive or private information such as passwords or user data.

Warning: There are potential risks of capturing credentials and sensitive information which could be exposed to users who have read-access to event logs. Microsoft provides a feature called 'Protected Event Logging' to better secure event log data. For assistance with protecting event logging, visit:

About Logging Windows - PowerShell | Microsoft Docs

.

See Also

https://workbench.cisecurity.org/benchmarks/16913

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2, CSCv7|8.8

Plugin: Windows

Control ID: 9aaffdc9f7b2a82dbc69862929f0214b6ab75aea93484827f928e7c285bc3f5c