Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Set ACL on Application and Security logs

from [David LeBlanc] Network Security [Permanent Link]
Subject: RE: Set ACL on Application and Security logs
Date: Mon, 30 May 2005 10:00:12 -0700 
Last time I checked this, which was admittedly a while ago, that setting
only restricted guest access, and an authenticated user could read the logs.

In Win2k3, there is a real, configurable ACL on the event logs - for
example, if you look here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security

There will be a CustomSD value with an SDDL string in it. You can use this
to create a settable ACL on any event log. One handy use is that if you have
a process that needs to read the security log, you can just grant them
access instead of making them admin. The read permissions on the system and
application logs are also tightened from XP and earlier, AFAIK. 


-----Original Message-----
From: Kern, Tom [mailto:tkern@CHARMER.COM] 
Sent: Monday, May 16, 2005 1:29 PM
To: Z E
Cc: focus-ms@securityfocus.com
Subject: RE: Set ACL on Application and Security logs

The name is misleading but thats what it applies to If you 
set the "RestrictGuestAccess" to "1", it will only allow 
members of the local administrators group to read the log you 
specified in  
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\
 <log name>. Where <log name> is application or system.

Also you can configure it in a GPO in Computer 
Configuration\Windows Settings\Security Settings\Event Log.



-----Original Message-----
From: Z E [mailto:z.emailaccount@gmail.com]
Sent: Monday, May 16, 2005 12:06 PM
To: Kern, Tom
Cc: focus-ms@securityfocus.com
Subject: Re: Set ACL on Application and Security logs


My apologies for neglecting to mention that I'm using W2k Pro. 


You can do it in win2k its fairly easy with a gpo or manually adding

a value to this reg key-
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\
"name of eventlog" and create a dword value of 1.

I found the "RestrictGuestAccess" DWORD value - but that 
doesn't help since I am dealing with authenticated domain 
users. Is there another one?

--------------------------------------------------------------
-------------
--------------------------------------------------------------
-------------


--------------------------------------------------------------
-------------
--------------------------------------------------------------
-------------




---------------------------------------------------------------------------
---------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Scripted IPSec policies on Windows XP (without AD/GPOs), Jonathan Glass
Previous by Thread:  RE: Set ACL on Application and Security logs, Kern, Tom
Next by Thread:  SecurityFocus Microsoft Newsletter #241, Marc Fossi
Indexes:  [Date] [Thread] [Top] [All Lists]