Check: WN11-AU-000585
Microsoft Windows 11 STIG: WN11-AU-000585 (in versions v2 r2 through v1 r6)
Title
Windows 11 must have command line process auditing events enabled for failures. (Cat II impact)
Discussion
When this policy setting is enabled, the operating system generates audit events when a process fails to start, along with the name of the program or user that created it. These audit events can assist in understanding how a computer is being used and in tracking user activity.
Check Content
Ensure Audit Process Creation auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policy >> Detailed Tracking >> Audit Process Creation. If "Audit Process Creation" is not set to "Failure", this is a finding.
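The same check can be scripted against the effective audit policy with `auditpol.exe`. The script below is an added example, not part of the STIG text. It assumes an elevated PowerShell session and English-language `auditpol` output, and it treats "Success and Failure" as satisfying the check because Failure auditing is included.

```powershell
# Added example: scripted check for WN11-AU-000585 (run elevated).
# GUID of the "Process Creation" subcategory under Detailed Tracking.
$subcategoryGuid = '{0CCE922B-69AE-11D9-BED3-505054503030}'

# /r emits CSV with the columns: Machine Name, Policy Target, Subcategory,
# Subcategory GUID, Inclusion Setting, Exclusion Setting.
# Assumption: English column names and setting values.
$raw = auditpol.exe /get "/subcategory:$subcategoryGuid" /r 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Error "auditpol failed (is the session elevated?): $raw"
    exit 2
}

# Drop blank lines before parsing, then pick the Process Creation row.
$row = $raw |
    Where-Object { $_ -and "$_".Trim() } |
    ConvertFrom-Csv |
    Where-Object { $_.'Subcategory GUID' -eq $subcategoryGuid } |
    Select-Object -First 1

if (-not $row) {
    Write-Error 'Process Creation subcategory not found in auditpol output.'
    exit 2
}

$setting = $row.'Inclusion Setting'

# Possible values: "No Auditing", "Success", "Failure", "Success and Failure".
# Assumption: any value that includes Failure satisfies this check.
if ($setting -match 'Failure') {
    Write-Output "WN11-AU-000585: not a finding (Audit Process Creation = '$setting')"
    exit 0
}
else {
    Write-Output "WN11-AU-000585: FINDING (Audit Process Creation = '$setting')"
    exit 1
}
```

The exit codes (0 compliant, 1 finding, 2 check error) are a convention chosen for this example so the result can be consumed by a compliance scanner or scheduled task.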
Fix Text
Go to Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Detailed Tracking >> Set "Audit Process Creation" to "Failure".
Additional Identifiers
Rule ID: SV-257770r958412_rule
Vulnerability ID: V-257770
Group Title: SRG-OS-000037-GPOS-00015
Controls
Number | Title |
---|---|
AC-6(9) | Auditing Use of Privileged Functions |