← Back to Microsoft Windows 10 Security Technical Implementation Guide

V-257589

CAT II (Medium)

Windows 10 must have command line process auditing events enabled for failures.

Rule ID

SV-257589r953811_rule

STIG

Microsoft Windows 10 Security Technical Implementation Guide

Version

V2R9

CCIs

CCI-002234

Discussion

When this policy setting is enabled, the operating system generates audit events when a process fails to start and the name of the program or user that created it. These audit events can assist in understanding how a computer is being used and tracking user activity.

Check Content

Ensure Audit Process Creation auditing has been enabled: 

Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >>System Audit Policies >> Detailed Tracking >> Audit Process Creation". 

If "Audit Process Creation" is not set to "Failure", this is a finding.

Fix Text

Go to Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >>System Audit Policies >> Detailed Tracking >> Audit Process Creation is set to "failure".