CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark

17.7.2 (L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success' (Scored)

ProfileApplicability:

 Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:

This subcategory reports changes in authentication policy. Events for this subcategory include:

 4706: A new trust was created to a domain.  4707: A trust to a domain was removed.  4713: Kerberos policy was changed.  4716: Trusted domain information was modified.  4717: System security access was granted to an account.  4718: System security access was removed from an account.  4739: Domain Policy was changed.  4864: A namespace collision was detected.  4865: A trusted forest information entry was added.  4866: A trusted forest information entry was removed.  4867: A trusted forest information entry was modified.

The recommended state for this setting is to include: Success .

Rationale:

Auditing these events may be useful when investigating a security incident.

Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

Remediation:

To establish the recommended configuration via GP, set the following UI path to include Success :

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authentication Policy Change

475 | P a g e