Closed dloughland87 closed 3 years ago
Where are you seeing that it should be REG_SZ? While it's for Server 2008, this seems to indicate that REG_DWORD is correct
That's for the MaxSize which is correct, however I'm talking about retention.
Ah, okay. I applied finding_list_0x6d69636b_machine.csv and finding_list_0x6d69636b_user.csv recently and just looked through those and only see it referencing MaxSize and no mention of Retention. I checked a few DoD lists in master and didn't see it mentioning Retention either. Where are you seeing it set Retention values?
Really appreciate the prompt responses - legend!
I mainly use the CIS lists. Specifically, I was using this one when I noticed: finding_list_cis_microsoft_windows_server_2016_1607_1.2.0_machine.csv
IDs: 18.9.26.1.1, 18.9.26.2.1, 18.9.26.3.1, 18.9.26.4.1
Good call - I just applied that list to a fresh VM not joined to a domain and verified that I also see it creating the Retention item as REG_DWORD rather than REG_SZ @0x6d69636b
@thetechgy: Thank you for helping! :)
@dloughland87: You're right. However, I find it strange that Microsoft requires REG_SZ for a key that can be 0 or 1. Well, I added an exception for retention and in the future the key will be created correctly (Commit https://github.com/scipag/HardeningKitty/commit/72462bb61830d45f8914a73e94a9e1292ea60fb7)
Thank you @0x6d69636b and @thetechgy, the latest works a treat.
Yes, agreed, very odd. I'll add it to my list of mysteries by Microsoft.
The Retention registry setting in "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security", "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application", "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup", and "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System" needs to be REG_SZ. The script creates these as REG_DWORD which do configure the setting correctly.
Not sure if there are other examples here, but I only noticed this when Windows alerted me to the fact that the security log was full, however I knew we enforced the retention setting to prevent this.
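An audit check for the issue described above, added here as an example and not part of HardeningKitty or the CIS lists: it walks the four EventLog policy keys named in the report and flags any Retention value whose registry kind is not REG_SZ. It assumes the policy keys live under HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog and that a String kind is the expected one, as stated in the issue.

```powershell
# Added example (not HardeningKitty code): report EventLog Retention values that were
# written with the wrong registry kind. Assumption: REG_SZ (String) is the expected kind.
function Test-EventLogRetentionKind {
    param(
        [string]$BasePath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog',
        [string[]]$Logs = @('Application', 'Security', 'Setup', 'System')
    )
    foreach ($log in $Logs) {
        $path = Join-Path $BasePath $log
        $result = [ordered]@{ Log = $log; Path = $path; Value = $null; Kind = $null; Status = '' }

        if (-not (Test-Path -Path $path)) {
            $result.Status = 'policy key missing (setting not configured)'
            [pscustomobject]$result; continue
        }
        $key = Get-Item -Path $path
        if ($key.GetValueNames() -notcontains 'Retention') {
            $result.Status = 'Retention value not present'
            [pscustomobject]$result; continue
        }
        # GetValueKind returns the stored registry type (String = REG_SZ, DWord = REG_DWORD).
        $result.Kind  = $key.GetValueKind('Retention')
        $result.Value = $key.GetValue('Retention')
        if ($result.Kind -eq [Microsoft.Win32.RegistryValueKind]::String) {
            $result.Status = 'OK (REG_SZ)'
        } else {
            $result.Status = "wrong kind $($result.Kind); expected REG_SZ"
        }
        [pscustomobject]$result
    }
}

# Remediation for a flagged key: Set-ItemProperty cannot change an existing value's kind,
# so the value has to be removed and re-created as String with the same 0/1 content.
function Repair-EventLogRetentionKind {
    param([Parameter(Mandatory)][string]$Path)
    $current = (Get-Item -Path $Path).GetValue('Retention')
    Remove-ItemProperty -Path $Path -Name 'Retention'
    New-ItemProperty -Path $Path -Name 'Retention' -PropertyType String -Value "$current" | Out-Null
}

Test-EventLogRetentionKind | Format-Table Log, Value, Kind, Status -AutoSize
```

Run the audit first; only call Repair-EventLogRetentionKind on a path the audit reported as the wrong kind, since the value is deleted and re-created.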