Detections
Analytics

5.30 (L2) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

This service manages persistent subscriptions to events from remote sources that support WS-Management protocol. This includes Windows Vista event logs, hardware and IPMI-enabled event sources. The service stores forwarded events in a local Event Log.

The recommended state for this setting is: Disabled

In a high security environment, remote connections to secure workstations should be minimized, and management functions should be done locally.

Solution

To establish the recommended configuration, run the following PowerShell command:

Set-Service -Name Wecsvc -StartupType Disabled

Impact:

If this service is stopped or disabled event subscriptions cannot be created and forwarded events cannot be accepted.

Note: Many remote management tools and third-party security audit tools depend on this service.

See Also

https://workbench.cisecurity.org/benchmarks/22007

Item Details

References: CSCv7|9.2

Plugin: Windows

Control ID: 4dcea661538ddc5dbbd1b920b3334afdd3fc0f1beb4f0ad1a34b9a156c08b291