Recipe 8.8. Restricting Access to an Event Log

Problem

You want to restrict who can view the event logs on a server.

Solution

The default behavior on Windows 2000 is that anyone can view the event logs (including the Guest account and users connecting with null connections). To restrict this, you need to create the following Registry value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\<LogName>\RestrictGuestAccess, where <LogName> is the name of the event log (e.g., Application) you want to restrict. The value should be of type REG_DWORD with the value data set to 1. This limits access to members of the local Administrators group. You can also configure this in group policy. There are three settings that correspond to restricting access to the application, system, and security logs. These settings can be found under Computer Configuration\Windows Settings\Security Settings\Event Log\.

With Windows Server 2003, the way event logs are restricted has changed. The RestrictGuestAccess registry value is no longer used. It has been replaced with a CustomSD value (in the same registry location) that contains a security descriptor in Security Descriptor Definition Language (SDDL) form; that descriptor determines which users have access to the event log. Unfortunately, at the time of this writing, Microsoft has not provided a graphical interface or even a command-line interface that abstracts away the messy details of SDDL. That means if you want to restrict access, you need to learn a little something about SDDL. For a good description of how you can accomplish this, read MS KB 323076 (HOW TO: Set Event Log Security Locally or by Using Group Policy in Windows Server 2003).
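The following PowerShell script is an added example and not code from the cookbook or from Microsoft; it sets the registry values the Solution describes for both operating systems and then reads them back so the result can be audited. The function names (Restrict-EventLogAccess, Show-EventLogAccess) and the SDDL string it writes are constructed for this example; the access-mask bits it relies on (0x1 read, 0x2 write, 0x4 clear) are the event log permissions documented on the MSDN "Event Logging Security" page listed in the Discussion.

```powershell
# Added example, not code from the cookbook. Restricts reader access to the
# Application and System logs. Run from an elevated PowerShell session on the
# server itself (HKLM: is the local registry).

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'

# Constructed SDDL for Windows Server 2003 (an assumption of this example, not a
# string taken from the recipe). Event log access mask bits, per the MSDN page
# linked in the Discussion: 0x1 = read, 0x2 = write, 0x4 = clear.
#   (D;;0x7;;;AN)  deny read/write/clear to Anonymous (null sessions)
#   (D;;0x7;;;BG)  deny read/write/clear to Guests
#   (A;;0x7;;;SY)  allow full control to LocalSystem (the Event Log service)
#   (A;;0x7;;;BA)  allow full control to local Administrators
#   (A;;0x3;;;SU)  allow read+write to services, so they can still log events
#   (A;;0x3;;;IU)  allow read+write to interactive users
$customSd = 'O:BAG:SYD:(D;;0x7;;;AN)(D;;0x7;;;BG)(A;;0x7;;;SY)(A;;0x7;;;BA)(A;;0x3;;;SU)(A;;0x3;;;IU)'

function Restrict-EventLogAccess {
    param(
        [Parameter(Mandatory=$true)][string]$LogName,
        [string]$Sddl = $customSd,
        [switch]$Windows2000    # write the pre-2003 RestrictGuestAccess value instead of CustomSD
    )
    $key = Join-Path $base $LogName
    if ($Windows2000) {
        # Windows 2000: REG_DWORD RestrictGuestAccess = 1 limits readers to local Administrators
        New-ItemProperty -Path $key -Name 'RestrictGuestAccess' -PropertyType DWord -Value 1 -Force | Out-Null
    } else {
        # Parse the SDDL first: a typo would otherwise be written to the registry
        # unnoticed and only show up later as a log nobody can read or write.
        $null = New-Object System.Security.AccessControl.RawSecurityDescriptor $Sddl
        # Windows Server 2003: REG_SZ CustomSD carries the security descriptor
        New-ItemProperty -Path $key -Name 'CustomSD' -PropertyType String -Value $Sddl -Force | Out-Null
    }
}

function Show-EventLogAccess {
    # Read back what is in the registry and decode it, so the descriptor that
    # is actually in force can be audited after the change (and on other servers).
    param([Parameter(Mandatory=$true)][string]$LogName)
    $props = Get-ItemProperty -Path (Join-Path $base $LogName)
    if ($props.CustomSD) {
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $props.CustomSD
        foreach ($ace in $sd.DiscretionaryAcl) {
            $sid = $ace.SecurityIdentifier
            try { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $who = $sid.Value }
            '{0,-13} {1,-35} mask=0x{2:x}' -f $ace.AceType, $who, $ace.AccessMask
        }
    } elseif ($null -ne $props.RestrictGuestAccess) {
        "RestrictGuestAccess = $($props.RestrictGuestAccess)"
    } else {
        "$LogName uses the default (world-readable) descriptor"
    }
}

# The Security log is already limited to administrators, so only these two:
foreach ($log in 'Application', 'System') {
    Restrict-EventLogAccess -LogName $log          # add -Windows2000 on a Windows 2000 server
    "--- $log ---"
    Show-EventLogAccess -LogName $log
}
```

Windows 2000 itself has no PowerShell; the -Windows2000 branch corresponds to what reg.exe does there (reg add HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application /v RestrictGuestAccess /t REG_DWORD /d 1 /f). Restart the server afterward so the Event Log service picks up the new values, then run Show-EventLogAccess again to confirm the deny ACEs for Anonymous and Guests are present and that the service accounts that write to the log still have the 0x2 write bit.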

Discussion

If you are security conscious, as all good system administrators should be these days, you should be concerned that event logs (except the Security log) on your servers are world-readable by default. The event logs on certain types of servers, such as domain controllers, are a feeding ground of important information for potential attackers. Fortunately, the Security event log is treated differently and not viewable by non-administrators.

Restricting access to the event logs is not as easy as you might hope. In fact, on Windows Server 2003 you have to construct an SDDL string to do it, which can be a little complicated. See the following sites for more information:

  • http://msdn.microsoft.com/library/en-us/debug/base/event_logging_security.asp

  • http://msdn.microsoft.com/library/en-us/security/security/security_descriptor_string_format.asp

See Also

MS KB 323076 (HOW TO: Set Event Log Security Locally or by Using Group Policy in Windows Server 2003)



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
Year: 2006
Pages: 380
Authors: Robbie Allen