WN12-00-000210 - PowerShell script block logging must be enabled on Windows 2012/2012 R2 - Patch

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.

Enabling PowerShell script block logging will record detailed information from the processing of PowerShell commands and scripts. This can provide additional detail when malware has run on a system.

PowerShell 5.x supports script block logging. PowerShell 4.0 with the addition of patch KB3000850 on Windows 2012 R2 or KB3119938 on Windows 2012 adds support for script block logging.

Satisfies: SRG-OS-000042-GPOS-00021

Solution

Configure the following registry value as specified.

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\

Value Name: EnableScriptBlockLogging

Value Type: REG_DWORD
Value: 0x00000001 (1)

Administrative templates from later versions of Windows include a group policy setting for this. Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows PowerShell >> 'Turn on PowerShell Script Block Logging' to 'Enabled'.

Install patch KB3000850 on Windows 2012 R2 or KB3119938 on Windows 2012 on systems with PowerShell 4.0.

PowerShell 5.x does not require the installation of an additional patch.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_2012_and_2012_R2_MS_V3R3_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-3(1), CAT|II, CCI|CCI-000135, Rule-ID|SV-225264r569185_rule, STIG-ID|WN12-00-000210, STIG-Legacy|SV-95183, STIG-Legacy|V-80475, Vuln-ID|V-225264

Plugin: Windows

Control ID: afcfbb1df38d87c9453023f0ef4b4647f6812904c2906d9d964a177f19fe1ad5