CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark

17.7.3 (L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success' (Scored)

ProfileApplicability:

 Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:

This subcategory reports changes in authorization policy. Events for this subcategory include:

4704: A user right was assigned. 4705: A user right was removed.





 4706: A new trust was created to a domain.  4707: A trust to a domain was removed.  4714: Encrypted data recovery policy was changed.

The recommended state for this setting is to include: Success .

Rationale:

Auditing these events may be useful when investigating a security incident.

Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

Remediation:

To establish the recommended configuration via GP, set the following UI path to include Success :

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change

478 | P a g e