STIGQter: STIG Summary: Microsoft Windows Server 2019 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 04 May 2021:

Windows Server 2019 Event Viewer must be protected from unauthorized modification and deletion.

DISA Rule

SV-205731r569188_rule

Vulnerability Number

V-205731

Group Title

SRG-OS-000257-GPOS-00098

Rule Version

WN19-AU-000060

Severity

CAT II

CCI(s)

• CCI-001494 - The information system protects audit tools from unauthorized modification.
• CCI-001495 - The information system protects audit tools from unauthorized deletion.

Weight

10

Fix Recommendation

Configure the permissions on the "Eventvwr.exe" file to prevent modification by any groups or accounts other than TrustedInstaller. The default permissions listed below satisfy this requirement:

TrustedInstaller - Full Control
Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES, ALL RESTRICTED APPLICATION PACKAGES - Read & Execute

The default location is the "%SystemRoot%\System32" folder.

Check Contents

Navigate to "%SystemRoot%\System32".

View the permissions on "Eventvwr.exe".

If any groups or accounts other than TrustedInstaller have "Full control" or "Modify" permissions, this is a finding.

The default permissions below satisfy this requirement:

TrustedInstaller - Full Control
Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES, ALL RESTRICTED APPLICATION PACKAGES - Read & Execute

Vulnerability Number

V-205731

Documentable

False

Rule Version

WN19-AU-000060

Severity Override Guidance

Navigate to "%SystemRoot%\System32".

View the permissions on "Eventvwr.exe".

If any groups or accounts other than TrustedInstaller have "Full control" or "Modify" permissions, this is a finding.

The default permissions below satisfy this requirement:

TrustedInstaller - Full Control
Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES, ALL RESTRICTED APPLICATION PACKAGES - Read & Execute

Check Content Reference

M

Target Key

2907

Comments