Detections
Analytics
WN25-UR-000170 - The Windows Server 2025 'Manage auditing and security log' user right must only be assigned to the Administrators group.
Information
Inappropriately granting user rights provides system, administrative, and other high-level capabilities.Accounts with the 'Manage auditing and security log' user right can manage the security log and change auditing configurations. This could be used to clear evidence of tampering.
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000063-GPOS-00032, SRG-OS-000337-GPOS-00129
Solution
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Manage auditing and security log to include only the following accounts or groups:- Administrators.
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2025_V1R1_STIG.zip
Item Details
Audit Name: DISA Microsoft Windows Server 2025 STIG v1r1
Category: AUDIT AND ACCOUNTABILITY
References: 800-53|AU-9, 800-53|AU-12(3), 800-53|AU-12b., CAT|II, CCI|CCI-000162, CCI|CCI-000163, CCI|CCI-000164, CCI|CCI-000171, CCI|CCI-001914, Rule-ID|SV-278257r1182225_rule, STIG-ID|WN25-UR-000170, Vuln-ID|V-278257
Plugin: Windows
Control ID: d173b3af05b3fa28d642113611203bb6de26e9c737dce8684e81fc6b7e693b42