Title

Registry key auditing configuration does not meet minimum requirements. (Cat II impact)

Discussion

Improper modification of the Registry can render a system useless. Modifications to the Registry can have a significant impact on the security configuration of the system. Auditing of significant modifications made to the Registry provides a method of determining the responsible party.

Check Content

Verify system level auditing of object access is properly configured (see V-6850 “Audit object access”). If this is not configured to audit “Failure”, this requirement is a finding. Verify detailed registry auditing is configured. Run “Regedit”. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_LOCAL_MACHINE\SYSTEM keys. On the menu bar, select “Edit” then “Permissions”. Click on the “Advanced” button. Select the “Auditing” tab. Verify the following is configured: Type - Fail Name - Everyone Access - Full Control Apply to - This key and subkeys If the “Everyone” group, at a minimum is not being audited for all failures, this is a finding.

Fix Text

Configure the HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_LOCAL_MACHINE\SYSTEM keys to audit the Everyone Group for all failures. Audit settings should be propagated to subkeys.

Additional Identifiers

Rule ID: SV-29628r2_rule

Vulnerability ID: V-1088

Group Title: Registry Key Auditing

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.