Recipe 16.8. Restricting Access to an Event Log


Problem

You want to restrict who can view the event logs on a system.

Solution

The default behavior on Windows 2000 is that virtually anyone can view the Application and System event logs, including the Guest account and users connecting over null sessions (anonymous connections). To restrict this, create the following Registry value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\<LogName>\RestrictGuestAccess, where <LogName> is the name of the event log (e.g., Application) you want to restrict. The value should be of type REG_DWORD with the value data set to 1. Be clear about what this does and does not do: it shuts out the Guest account and null-session readers, but any other user who can authenticate to the system can still read the log; it does not limit access to the local Administrators group. You can also configure this in Group Policy. There are three settings, one each for the Application, Security, and System logs (Prevent local guests group from accessing application log, and so on), under Computer Configuration\Windows Settings\Security Settings\Event Log\.

With Windows XP, things have changed. The RestrictGuestAccess Registry value is no longer used. It has been replaced with a CustomSD value (a REG_SZ in the same Registry location) that holds a security descriptor written in Security Descriptor Definition Language (SDDL); the DACL in that descriptor determines which users can read, write, and clear the log. Unfortunately, at the time of this writing, Microsoft has not provided a graphical interface or even a command-line interface that hides the details of SDDL, so if you want to restrict access you need to learn a little about it. Two points matter in practice: deny entries must come before allow entries, and the accounts that services run under (Local System, Service, Local Service, Network Service) must keep the write right, or event sources stop being able to log. For a good description of how to accomplish this, read MS KB 323076, "HOW TO: Set Event Log Security Locally or by Using Group Policy in Windows Server 2003."
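The following PowerShell script is an added example for this recipe; it is not code from the Windows XP Cookbook, and PowerShell itself postdates the book (it runs on Windows XP SP3 and Server 2003 with PowerShell 2.0). It builds a CustomSD string from the documented event log access-mask bits, decodes the result so you can review every ACE before applying it, writes the value, and, for comparison, shows the Windows 2000 RestrictGuestAccess setting. The log name, the extra reader group SID, and the exact rights granted are assumptions chosen for illustration; adjust them to your environment.

```powershell
# Added example for this recipe (not code from the Windows XP Cookbook).
# Run from an administrator PowerShell on Windows XP SP3 / Server 2003.
# $LogName and $ExtraReaderSid are illustrative assumptions; replace them.

$LogName        = 'Application'
$ExtraReaderSid = 'S-1-5-21-1004336348-1177238915-682003330-1105'  # hypothetical "Log Readers" group
$RegPath        = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$LogName"

# Event log access mask bits (Microsoft, "Event Logging Security").
$ELF_READ  = 0x1
$ELF_WRITE = 0x2
$ELF_CLEAR = 0x4
$ELF_FULL  = 0xF0007   # standard rights + read/write/clear, as in the default descriptors

function Format-Mask { param([int]$Mask) '0x{0:x}' -f $Mask }

# Windows 2000 variant: RestrictGuestAccess=1 only shuts out Guest and null-session readers.
function Set-EventLogGuestRestriction {
    New-ItemProperty -Path $RegPath -Name RestrictGuestAccess -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

# Windows XP / Server 2003 variant: build the CustomSD string. Each ACE is
# (type;flags;rights;object_guid;inherit_object_guid;sid). Deny ACEs come first.
# Accounts that must still WRITE events keep only ELF_WRITE, so restricting
# who can read does not silently break event logging.
function New-EventLogSddl {
    param([string[]]$ReaderSids = @())
    $aces = @(
        "(D;;$(Format-Mask $ELF_FULL);;;AN)"    # deny Anonymous logon (null sessions)
        "(D;;$(Format-Mask $ELF_FULL);;;BG)"    # deny Builtin Guests
        "(A;;$(Format-Mask $ELF_FULL);;;SY)"    # Local System
        "(A;;$(Format-Mask ($ELF_READ -bor $ELF_WRITE -bor $ELF_CLEAR));;;BA)"  # Administrators
        "(A;;$(Format-Mask $ELF_WRITE);;;SU)"   # Service logon: write only
        "(A;;$(Format-Mask $ELF_WRITE);;;LS)"   # Local Service: write only
        "(A;;$(Format-Mask $ELF_WRITE);;;NS)"   # Network Service: write only
    )
    foreach ($sid in $ReaderSids) {
        $aces += "(A;;$(Format-Mask $ELF_READ);;;$sid)"   # extra read-only principals
    }
    'O:BAG:SYD:' + ($aces -join '')
}

# Decode an SDDL string into readable ACEs. Use it to review a descriptor before
# applying it, and to audit the CustomSD already present on a machine.
function ConvertFrom-EventLogSddl {
    param([string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $rights = @()
        if ($ace.AccessMask -band $ELF_READ)  { $rights += 'Read' }
        if ($ace.AccessMask -band $ELF_WRITE) { $rights += 'Write' }
        if ($ace.AccessMask -band $ELF_CLEAR) { $rights += 'Clear' }
        $who = $ace.SecurityIdentifier.Value
        try { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        New-Object PSObject -Property @{
            Type      = $ace.AceType
            Principal = $who
            Rights    = ($rights -join ',')
            Mask      = (Format-Mask $ace.AccessMask)
        }
    }
}

$sddl = New-EventLogSddl -ReaderSids $ExtraReaderSid
ConvertFrom-EventLogSddl $sddl | Format-Table Type, Principal, Rights, Mask -AutoSize   # review first

New-ItemProperty -Path $RegPath -Name CustomSD -Value $sddl -PropertyType String -Force | Out-Null

# Read back what is now in the Registry. The Event Log service picks up a new
# CustomSD when it starts, so reboot before testing with a non-administrator account.
(Get-ItemProperty -Path $RegPath -Name CustomSD).CustomSD
```

Review the decoded table before writing the value: a typo in a rights mask or SID is not reported when the string is written, only when the Event Log service fails to apply it or a service can no longer log. To audit an existing system, pass the current CustomSD value from the Registry to ConvertFrom-EventLogSddl and look for Read rights held by Interactive (IU), Users, or Everyone.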

Discussion

If you are security conscious, as all good system administrators should be these days, you should be concerned that the event logs on your systems (except the Security log) are readable by any user who can authenticate to the machine by default, and on Windows 2000 even by guests and null sessions. Event logs are a rich source of information for potential attackers: service and application names, error messages, and account names all appear in them. Fortunately, the Security event log is treated differently and is not viewable by non-administrators.

Restricting access to the event logs is not as easy as you might hope. In fact, on Windows XP you have to construct an SDDL string to do it, which can be a little complicated. See the following sites for more information:

http://msdn.microsoft.com/library/en-us/debug/base/event_logging_security.asp

http://msdn.microsoft.com/library/en-us/security/security/security_descriptor_string_format.asp

See Also

MS KB 323076, "HOW TO: Set Event Log Security Locally or by Using Group Policy in Windows Server 2003"



Windows XP Cookbook (Cookbooks)
ISBN: 0596007256
Year: 2006
Pages: 408