This policy item is used to check the audit properties (Properties –> Security –> Advanced –> Auditing) of a file or folder using the specified ACL. This check is performed by calling the function GetSecurityInfo with level SACL_SECURITY_INFORMATION on the file handle.

Note: This check requires remote registry access for the remote Windows system to function properly.




description: ["description"]

value_type: [value_type]

value_data: [value]

(optional) check_type: [value]

file: ["filename"]

(optional) acl_option: [acl_option]


The allowed type is:

value_type: FILE_ACL

value_data: "ACLname"

file: "PATH\Filename"

The following predefined paths can be used in the file/folder name:








When using this audit, please note the following:

  • The file field must include the full path to the file or folder name (e.g., C:\WINDOWS\SYSTEM32) or make use of the above path keywords. If using path keywords, the remote registry must be enabled to allow Nessus to determine the path variable values.
  • The value_data field is the name of the ACL defined in the policy file.
  • The acl_option field can be set to CAN_BE_NULL or CAN_NOT_BE_NULL to force a success/error if the file does not exist.
  • The acl_allow and acl_deny fields correspond to “Successful” and “Failed” audit events.


<check_type: "Windows" version:"2">

<group_policy: "Audits SYSTEM32 directory for correct auditing permissions">


<file_acl: "ACL1">

<user: "Everyone">

acl_inheritance: "not inherited"

acl_apply: "This folder, subfolders and files"

acl_deny: "full control"

acl_allow: "full control"






description: "Audit for C:\WINDOWS\SYSTEM32"

value_type: FILE_ACL

value_data: "ACL1"

file: "%SystemRoot%\SYSTEM32"