Logon-Logoff: Audit Special LogonID: oval:gov.nist.usgcb.windowsseven:def:178 | Date: (C)2012-04-13 (M)2022-10-10 |
Class: COMPLIANCE | Family: windows |
This policy setting allows you to audit events generated by special logons such as the following :
The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level.
A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see article 947223 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=121697).
Volume: Low.
Default: Success.
Fix:
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Logon-Logoff\Audit Special Logon events on failure
(2) REG: INFO NOT AVAILABLE
Platform: |
Microsoft Windows 7 |