Audit: Shut down system immediately if unable to log security audits

Information

Audit: Shut down system immediately if unable to log security audits

This security setting determines whether the system shuts down if it is unable to log security events.

If this security setting is enabled, it causes the system to stop if a security audit cannot be logged for any reason. Typically, an event fails to be logged when the security audit log is full and the retention method that is specified for the security log is either Do Not Overwrite Events or Overwrite Events by Days.

If the security log is full and an existing entry cannot be overwritten, and this security option is enabled, the following Stop error appears:

STOP: C0000244 {Audit Failed}
An attempt to generate a security audit failed.
To recover, an administrator must log on, archive the log (optional), clear the log, and reset this option as desired. Until this security setting is reset, no users, other than a member of the Administrators group will be able to log on to the system, even if the security log is not full.

Note: On Windows versions prior to Windows Vista configuring this security setting, changes will not take effect until you restart Windows.

Default: Disabled.

Solution

Policy Path: Local Policies\Security Options
Policy Name: Audit: Shut down system immediately if unable to log security audits

See Also

https://www.microsoft.com/en-us/download/details.aspx?id=55319

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-5(4), CSCv6|6

Plugin: Windows

Control ID: 49eac55a339206b374bd2514ef9e9ec983433bf7e03e627045a6fdb98d48c9a7