Audit Policy: Logon-Logoff: Special LogonID: oval:org.secpod.oval:def:18880 | Date: (C)2014-05-29 (M)2021-06-02 |
Class: COMPLIANCE | Family: windows |
Auditing of Logon-Logoff: Special Logon events on success should be enabled or disabled as appropriate.
This subcategory reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. Events for this subcategory include: - 4964 : Special groups have been assigned to a new logon. Refer to the Microsoft Knowledgebase article Description of security events in Windows Vista and in Windows Server 2008 for the most recent information about this setting: http://support.microsoft.com/default.aspx/kb/947226.
Fix:
(1) GPO: Commandline: auditpol.exe
(2) REG: NO INFO
Platform: |
Microsoft Windows Server 2008 R2 |