Ensure ‘Windows Event Collector (Wecsvc)’ is set to ‘Disabled’

Details

This service manages persistent subscriptions to events from remote sources that support the WS-Management protocol. This includes Windows Vista event logs, hardware and IPMI-enabled event sources. The service stores forwarded events in a local Event Log.

The recommended state for this setting is: Disabled.

Rationale:

In a high security environment, remote connections to secure workstations should be minimized, and management functions should be done locally.

Impact:

If this service is stopped or disabled, event subscriptions cannot be created and forwarded events cannot be accepted.

Note: Many remote management tools and third-party security audit tools depend on this service.

Solution

To establish the recommended configuration via GP, set the following UI path to: Disabled.

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Windows Event Collector

Default Value:

Manual
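
To audit this setting on a workstation, the following added example (not part of the CIS benchmark text) reads the configured start type of Wecsvc and flags the case where the service is disabled but still running. The function name `Test-WecsvcDisabled` is hypothetical, and the script assumes the standard `HKLM:\SYSTEM\CurrentControlSet\Services` registry location, where a `Start` value of 4 means Disabled.

```powershell
# Added example (not CIS-supplied). Function name is hypothetical.
function Test-WecsvcDisabled {
    [CmdletBinding()]
    param([string]$ServiceName = 'Wecsvc')

    # Assumption: the standard per-service registry key; Start = 4 means Disabled.
    $keyPath    = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

    # Read the configured start type; $null means the key or value is absent.
    $start = $null
    if (Test-Path -Path $keyPath) {
        $start = (Get-ItemProperty -Path $keyPath -Name Start -ErrorAction SilentlyContinue).Start
    }
    $startType = if ($null -eq $start) {
        'NotFound'
    } elseif ($startNames.ContainsKey([int]$start)) {
        $startNames[[int]$start]
    } else {
        "Unrecognized($start)"
    }

    # The start type only controls future starts, so also check the live state.
    $svc    = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $status = if ($svc) { [string]$svc.Status } else { 'NotFound' }

    $compliant = ($start -eq 4)
    $finding = if ($null -eq $start) {
        'Service start value not found; review manually'
    } elseif (-not $compliant) {
        "Start type is $startType; benchmark expects Disabled"
    } elseif ($status -eq 'Running') {
        'Disabled, but still running until it is stopped or the host restarts'
    } else {
        'Disabled as recommended'
    }

    [pscustomobject]@{
        Service   = $ServiceName
        StartType = $startType
        Status    = $status
        Compliant = $compliant
        Finding   = $finding
    }
}

Test-WecsvcDisabled | Format-List
```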

Supportive Information

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Windows.

Updated on July 16, 2022