InformationThis policy setting determines which users or processes can generate audit records in the Security log.
The recommended state for this setting is: LOCAL SERVICE, NETWORK SERVICE.
Note: This user right is considered a 'sensitive privilege' for the purposes of auditing.
Note #2: A Member Server that holds the Web Server (IIS) Role with Web Server Role Service will require a special exception to this recommendation, to allow IIS application pool(s) to be granted this user right.
Note #3: A Member Server that holds the Active Directory Federation Services Role will require a special exception to this recommendation, to allow the NT SERVICE\ADFSSrv and NT SERVICE\DRS services, as well as the associated Active Directory Federation Services service account, to be granted this user right.
An attacker could use this capability to create a large number of audited events, which would make it more difficult for a system administrator to locate any illicit activity. Also, if the event log is configured to overwrite events as needed, any evidence of unauthorized activities could be overwritten by a large number of unrelated events.
On most computers, this is the default configuration and there will be no negative impact. However, if you have installed the Web Server (IIS) Role with Web Services Role Service, you will need to allow the IIS application pool(s) to be granted this user right.
SolutionTo establish the recommended configuration via GP, set the following UI path to LOCAL SERVICE, NETWORK SERVICE:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Generate security audits
LOCAL SERVICE, NETWORK SERVICE.
Microsoft Windows Server 2019 Security Technical Implementation Guide:
Version 2, Release 1, Benchmark Date: November 13, 2020
Vul ID: V-205759
Rule ID: SV-205759r569188_rule
STIG ID: WN19-UR-000120
Severity: CAT II
Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY
References: 800-53|AC-2, 800-53|AC-3, 800-53|AC-6, 800-53|AC-6(1), 800-53|AC-6(7), 800-53|AU-2, 800-53|AU-7, 800-53|AU-9(4), 800-53|AU-12, CSCv7|6.2
Control ID: f5a44dba0d6569f85583e3ccb29bbd4beef3a8b0b8d1a86c65562784b0362b3a