Try to prohibit creating and deleting files in the directory: C:\Windows\System32\Tasks
Also check the permissions for:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree
Although in my opinion the folder is enough.
Original Message:
Sent: 03-24-2020 05:43 AM
From: Michael Lin
Subject: IPS policy for protect schedule tasks on Windows servers
Hi, I'm a rookie here. We want to create an IPS policy to monitor and prevent scheduled tasks from being added, modified, or deleted.
Is anyone willing to share their experience?
------------------------------
Rookie of Security
------------------------------
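
The permission check suggested in the reply above, as an added PowerShell example that is not part of the original thread: it reads the ACLs on the Tasks folder and the two TaskCache keys and lists every Allow entry that grants create, change or delete rights to an identity outside an expected set. The function name and the set of expected SIDs are assumptions made for the example; run it from an elevated prompt so the ACLs can be read.

```powershell
# Added example: report who can create, change or delete scheduled-task
# definitions at the three locations named in the reply. Read-only.
$targets = @(
    'C:\Windows\System32\Tasks',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
)

# Assumption: only these well-known SIDs are expected to hold write access.
$expected = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that allow adding, modifying or deleting entries.
$fsMask  = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$regMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$generic = 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

# Hypothetical helper name, introduced for this example.
function Get-TaskStoreWriteAce {
    param([string[]]$Path = $targets)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { Write-Warning "Not found: $p"; continue }
        foreach ($ace in (Get-Acl -LiteralPath $p).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
                $rights = $ace.RegistryRights; $mask = $regMask
            } else {
                $rights = $ace.FileSystemRights; $mask = $fsMask
            }
            if (-not ([int]$rights -band ($mask -bor $generic))) { continue }
            # Compare by SID so localized account names do not matter.
            try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { $sid = $ace.IdentityReference.Value }
            if ($expected -contains $sid) { continue }
            [pscustomobject]@{
                Path      = $p
                Identity  = $ace.IdentityReference.Value
                Sid       = $sid
                Rights    = $rights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-TaskStoreWriteAce | Format-Table -AutoSize -Wrap
```

Each row returned is an entry to review before tightening permissions or writing the IPS rule; an empty result means only the expected identities hold write access at those locations.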