STIGQter: STIG Summary: Windows Server 2008 R2 Member Server Security Technical Implementation Guide, Version 1, Release 30, Benchmark Date 26 Jul 2019: Permissions for event logs must conform to minimum requirements.

DISA Rule

SV-32246r2_rule

Vulnerability Number

V-1077

Group Title

Incorrect ACLs for event logs

Rule Version

2.001

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Maintain the permissions on the event logs. Standard user accounts or groups must not have access. The default permissions listed below satisfy this requirement.

Navigate to the log file location. The default location is the "%SystemRoot%\System32\winevt\Logs" directory.
For each log file below, right-click the file and select "Properties".
Select the "Security" tab.
Select the "Advanced" button.

Log Files:
Application.evtx
Security.evtx
System.evtx

Permissions:
Eventlog - Full Control
SYSTEM - Full Control
Administrators - Full Control

If the organization has an "Auditors" group from previous requirements, this group may be assigned Full Control.

If the location of the logs has been changed, when adding Eventlog to the permissions, it must be entered as "NT Service\Eventlog".

Check Contents

Verify the permissions on the event logs. Standard user accounts or groups must not have access. The default permissions listed below satisfy this requirement.

Navigate to the log file location. The default location is the "%SystemRoot%\System32\winevt\Logs" directory.
For each log file below, right-click the file and select "Properties".
Select the "Security" tab.
Select the "Advanced" button.

Log Files:
Application.evtx
Security.evtx
System.evtx

Permissions:
Eventlog - Full Control
SYSTEM - Full Control
Administrators - Full Control

If the permissions for the file are not as restrictive as those listed, this is a finding.

If the organization has an "Auditors" group from previous requirements, the assignment of Full Control permissions to this group would not be a finding.
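The check above can be performed without clicking through three Properties dialogs. The following PowerShell script is an added example, not part of the STIG or of STIGQter: run from an elevated prompt, it inspects the three log files and reports any Allow entry whose identity is not one of the principals the rule lists. The allowed-identity list and the "Auditors" group name are assumptions to adjust for the organization.

```powershell
# Added example (not part of the STIG or STIGQter): audit the ACLs of the
# three event log files named in V-1077 against the identities the rule permits.
$logDir   = Join-Path $env:SystemRoot 'System32\winevt\Logs'   # default location per the rule
$logFiles = 'Application.evtx', 'Security.evtx', 'System.evtx'

# Identities the rule allows to hold Full Control. "Auditors" is the optional
# organizational group from earlier requirements; its exact name is an assumption.
$allowed = @(
    'NT SERVICE\Eventlog',
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'Auditors'     # placeholder: replace with DOMAIN\Auditors if such a group exists
)

function Test-EventLogAcl {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $findings = @()
    foreach ($ace in $acl.Access) {
        # Deny entries grant nothing, so only Allow entries can make the ACL less restrictive
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        $isAllowed = $false
        foreach ($a in $allowed) {
            # Accept an exact match or a domain-qualified form such as DOMAIN\Auditors
            if ($id -ieq $a -or $id -ilike "*\$a") { $isAllowed = $true }
        }
        if (-not $isAllowed) {
            $findings += '{0}: unexpected Allow ACE for "{1}" ({2})' -f (Split-Path $Path -Leaf), $id, $ace.FileSystemRights
        }
    }
    return $findings
}

$results = foreach ($f in $logFiles) {
    $p = Join-Path $logDir $f
    if (-not (Test-Path $p)) {
        "$f`: not found in $logDir (check whether the log location has been changed)"
        continue
    }
    Test-EventLogAcl -Path $p
}

if ($results) {
    $results
    Write-Host 'FINDING: event log permissions are less restrictive than V-1077 requires.'
} else {
    Write-Host 'Event log file permissions match the V-1077 requirement.'
}
```

Reading the ACL on Security.evtx requires administrative rights, so an unelevated run reports an access error rather than a clean result.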

Vulnerability Number

V-1077

Documentable

False

Rule Version

2.001

Severity Override Guidance

Verify the permissions on the event logs. Standard user accounts or groups must not have access. The default permissions listed below satisfy this requirement.

Navigate to the log file location. The default location is the "%SystemRoot%\System32\winevt\Logs" directory.
For each log file below, right-click the file and select "Properties".
Select the "Security" tab.
Select the "Advanced" button.

Log Files:
Application.evtx
Security.evtx
System.evtx

Permissions:
Eventlog - Full Control
SYSTEM - Full Control
Administrators - Full Control

If the permissions for the file are not as restrictive as those listed, this is a finding.

If the organization has an "Auditors" group from previous requirements, the assignment of Full Control permissions to this group would not be a finding.

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

1823

Comments