CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark

17.5.5 (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' (Scored)

Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:

This subcategory reports other logon/logoff-related events, such as Remote Desktop Services session disconnects and reconnects, using RunAs to run processes under a different account, and locking and unlocking a workstation. Events for this subcategory include:

• 4649: A replay attack was detected.
• 4778: A session was reconnected to a Window Station.
• 4779: A session was disconnected from a Window Station.
• 4800: The workstation was locked.
• 4801: The workstation was unlocked.
• 4802: The screen saver was invoked.
• 4803: The screen saver was dismissed.
• 5378: The requested credentials delegation was disallowed by policy.
• 5632: A request was made to authenticate to a wireless network.
• 5633: A request was made to authenticate to a wired network.

The recommended state for this setting is: Success and Failure.

Rationale:

Auditing these events may be useful when investigating a security incident.

Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

Remediation:

To establish the recommended configuration via GP, set the following UI path to Success and Failure:

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Other Logon/Logoff Events
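The audit step can also be scripted. The following is an added example, not part of the CIS benchmark text: it reads the effective setting with auditpol.exe and compares it to the recommended state. It assumes an elevated prompt and an English-language Windows install (auditpol output is localized); the function name Test-AuditSubcategory and the sample host name and GUID are constructed for illustration.

```powershell
# Added example: check the effective setting for CIS 17.5.5.
# Assumption: English-language Windows, since auditpol output is localized.
$Subcategory = 'Other Logon/Logoff Events'
$Expected    = 'Success and Failure'

# Hypothetical helper: parses "auditpol /get ... /r" CSV output and
# reports whether the subcategory matches the expected setting.
function Test-AuditSubcategory {
    param(
        [string[]]$CsvLines,
        [string]$Subcategory,
        [string]$Expected
    )
    # auditpol /r can emit blank lines; drop them before parsing.
    $rows = $CsvLines | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv
    $row  = $rows | Where-Object { $_.Subcategory -eq $Subcategory } |
            Select-Object -First 1
    if (-not $row) {
        # Subcategory missing from the output counts as non-compliant.
        return [pscustomobject]@{
            Subcategory = $Subcategory; Actual = '<not reported>'; Compliant = $false
        }
    }
    [pscustomobject]@{
        Subcategory = $row.Subcategory
        Actual      = $row.'Inclusion Setting'
        Compliant   = ($row.'Inclusion Setting' -eq $Expected)
    }
}

# Constructed sample (not captured from a real host; placeholder GUID):
# only Success is audited, so the check reports Compliant = False.
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting',
    'WKS-EXAMPLE,System,Other Logon/Logoff Events,{00000000-0000-0000-0000-000000000000},Success,'
)
Test-AuditSubcategory -CsvLines $sample -Subcategory $Subcategory -Expected $Expected

# Live check against this machine's effective audit policy (requires elevation).
$live = & auditpol.exe /get /subcategory:"$Subcategory" /r
if ($LASTEXITCODE -ne 0) { throw "auditpol failed (exit $LASTEXITCODE); run elevated." }
$result = Test-AuditSubcategory -CsvLines $live -Subcategory $Subcategory -Expected $Expected
$result
if (-not $result.Compliant) { exit 1 }   # non-zero exit for use in compliance jobs
```

Because auditpol reports the effective policy, the result reflects what the machine is actually auditing after Group Policy has been applied.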
