RE: Set ACL on Application and Security logs

From: David LeBlanc (dleblanc_at_mindspring.com)
Date: 05/30/05


To: "'Kern, Tom'" <tkern@CHARMER.COM>, "'Z E'" <z.emailaccount@gmail.com>
Date: Mon, 30 May 2005 10:00:12 -0700

Last time I checked this, which was admittedly a while ago, that setting
only restricted guest access, and an authenticated user could read the logs.

In Win2k3, there is a real, configurable ACL on the event logs - for
example, if you look here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security

There will be a CustomSD value with an SDDL string in it. You can use this
to create a settable ACL on any event log. One handy use is that if you have
a process that needs to read the security log, you can just grant them
access instead of making them admin. The read permissions on the system and
application logs are also tightened from XP and earlier, AFAIK.

> -----Original Message-----
> From: Kern, Tom [mailto:tkern@CHARMER.COM]
> Sent: Monday, May 16, 2005 1:29 PM
> To: Z E
> Cc: focus-ms@securityfocus.com
> Subject: RE: Set ACL on Application and Security logs
>
> The name is misleading but thats what it applies to If you
> set the "RestrictGuestAccess" to "1", it will only allow
> members of the local administrators group to read the log you
> specified in
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\
> <log name>. Where <log name> is application or system.
>
> Also you can configure it in a GPO in Computer
> Configuration\Windows Settings\Security Settings\Event Log.
>
>
>
> -----Original Message-----
> From: Z E [mailto:z.emailaccount@gmail.com]
> Sent: Monday, May 16, 2005 12:06 PM
> To: Kern, Tom
> Cc: focus-ms@securityfocus.com
> Subject: Re: Set ACL on Application and Security logs
>
>
> My apologies for neglecting to mention that I'm using W2k Pro.
>
> >You can do it in win2k its fairly easy with a gpo or manually adding
> a value to this reg key-
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\
> "name of eventlog" and create a dword value of 1.
>
> I found the "RestrictGuestAccess" DWORD value - but that
> doesn't help since I am dealing with authenticated domain
> users. Is there another one?
>
> --------------------------------------------------------------
> -------------
> --------------------------------------------------------------
> -------------
>
>
> --------------------------------------------------------------
> -------------
> --------------------------------------------------------------
> -------------
>

---------------------------------------------------------------------------
---------------------------------------------------------------------------