18.8.3.1 Ensure 'Include command line in process creation events' is set to 'Disabled'

[pillarsdotnet]

18.8.3.1 Ensure 'Include command line in process creation events' is set to 'Disabled'

Info

This policy setting determines what information is logged in security audit events when a new process has been created. The recommended state for this setting is: 'Disabled'. Rationale: When this policy setting is enabled, any user who has read access to the security events can read the command line arguments for any successfully created process. Command-line arguments may contain sensitive or private information such as passwords or user data.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Disabled': Computer Configuration\Policies\Administrative Templates\System\Audit Process Creation\Include command line in process creation events Note: This Group Policy path may not exist by default. It is provided by the Group Policy template 'AuditSettings.admx/adml' that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). Impact: None - this is the default behavior.