Restrict guest access to event logs

October 12, 2002 by Snakefoot | 2 Comments

Guests are by default allowed to access the event logs of a machine (even over the network). There are three event logs on a machine: the Application, Security and System event logs.

To block guest access to the event logs, set the following DWORD value under each of the three keys (blocked by default on Windows XP/2003):

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application]
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System]
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security]
RestrictGuestAccess = 1 (0 = Enable Guest Access, 1 = Disable Guest Access)
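The following PowerShell is an added example, not code from the original article: it reports the current RestrictGuestAccess value for the three classic logs and, if you uncomment the last line, sets it to the value recommended above. The registry paths and the value name are the ones listed in the article; the function names are my own. Run it in an elevated session, since the EventLog service keys are not writable by standard users.

```powershell
# Added example (not part of the original article): audit and set
# RestrictGuestAccess for the Application, System and Security logs.
$logs = 'Application', 'System', 'Security'
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'

function Get-EventLogGuestAccess {
    foreach ($log in $logs) {
        $key = Join-Path $base $log
        # A missing value is reported as $null ("not configured"), not as 0.
        $value = (Get-ItemProperty -Path $key -Name RestrictGuestAccess -ErrorAction SilentlyContinue).RestrictGuestAccess
        [pscustomobject]@{
            Log                 = $log
            RestrictGuestAccess = $value
            GuestBlocked        = ($value -eq 1)
        }
    }
}

function Set-EventLogGuestAccess {
    # 1 = disable guest access (the article's recommendation), 0 = enable it.
    param([ValidateSet(0, 1)][int]$Value = 1)
    foreach ($log in $logs) {
        $key = Join-Path $base $log
        # DWORD as the article specifies; -Force overwrites an existing value.
        New-ItemProperty -Path $key -Name RestrictGuestAccess -PropertyType DWord -Value $Value -Force | Out-Null
    }
}

Get-EventLogGuestAccess | Format-Table -AutoSize
# Set-EventLogGuestAccess -Value 1   # uncomment to apply the setting to all three logs
```

The audit function distinguishes "value absent" from "value 0" on purpose: on Windows XP/2003 the default is already restrictive, so an absent value is not a finding, whereas an explicit 0 is.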

More info MS KB174074
More info MS KB842209
More info MS KB888189

If the machine is in a domain, access to the event logs can be configured through the Group Policy editor. The policies can be found at Computer Configuration -> Windows Settings -> Security Settings -> Event Log:
  • "Prevent local guests group from accessing system log" (WinXP/Win2k3) / "Restrict guest access to system log" (Win2k)
  • "Prevent local guests group from accessing application log" (WinXP/Win2k3) / "Restrict guest access to application log" (Win2k)
It is also possible to control access to the event logs by using NTFS permissions, which control who has access to the folder or the event log files themselves:

%systemroot%\system32\config

Windows 2003 introduces a new way of controlling access to the event logs: a Security Descriptor Definition Language (SDDL) string, in which one can specify a SID along with the access it is allowed or denied. More info MS KB323076
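As an added example that is not part of the original article or of KB323076, the PowerShell below decodes such an SDDL string into a per-principal table of the event log access bits, so an administrator can see who may read, write or clear a log before applying a descriptor. The value name CustomSD is the one KB323076 documents for storing the descriptor under a log's EventLog key; the access bits 0x1 (read), 0x2 (write) and 0x4 (clear) are the event log bits from that same article. The function names, the $Log parameter and the sample descriptor are my own, and the sample is constructed input, not a default shipped by Windows.

```powershell
# Added example (not from the original article): decode an event log SDDL
# string and list which SIDs get which event log access bits.

function Get-EventLogSddl {
    # Reads the CustomSD value (KB323076) for one log; $null if not set.
    param([string]$Log = 'Security')
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$Log"
    (Get-ItemProperty -Path $key -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
}

function ConvertFrom-EventLogSddl {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Sddl)
    process {
        # RawSecurityDescriptor parses SDDL without touching any live object.
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
        foreach ($ace in $sd.DiscretionaryAcl) {
            $sid  = $ace.SecurityIdentifier
            $name = $sid.Value
            # Resolve well-known SIDs to names where the local machine can; keep the SID otherwise.
            try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch {}
            [pscustomobject]@{
                Type       = $ace.AceType          # AccessAllowed / AccessDenied
                Principal  = $name
                Read       = [bool]($ace.AccessMask -band 0x1)
                Write      = [bool]($ace.AccessMask -band 0x2)
                Clear      = [bool]($ace.AccessMask -band 0x4)
                AccessMask = ('0x{0:X}' -f $ace.AccessMask)
            }
        }
    }
}

# Constructed sample: deny Anonymous (AN) and Guests (BG) everything, give
# Administrators (BA) read/write/clear and Users (BU) read-only.
$sampleSddl = 'O:BAG:SYD:(D;;0x7;;;AN)(D;;0x7;;;BG)(A;;0x7;;;BA)(A;;0x1;;;BU)'
ConvertFrom-EventLogSddl -Sddl $sampleSddl | Format-Table -AutoSize

# On a Windows Server 2003 host with CustomSD set, decode the live descriptor:
# Get-EventLogSddl -Log Security | ConvertFrom-EventLogSddl
```

Deny ACEs are listed with the same bits as allow ACEs, so a row with Type AccessDenied and Read True means reading is blocked for that principal; checking the table for a deny on the Guests group is the SDDL equivalent of the RestrictGuestAccess value described earlier.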

Note that if a service is configured to run with guest credentials, then it will not be allowed to access the EventLogs.

Note that it might be possible for accounts other than the guest account to access the event logs remotely if the following entry exists in the Multi-String value (edit with Regedt32):

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths]
Machine = "System\CurrentControlSet\Services\Eventlog"
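The check below is an added example, not code from the original article: it reads the remote registry AllowedPaths list named above and reports whether the EventLog service key is listed, which is the condition the note describes. The key, value name and path string are the ones from the article; the function name is my own. It is read-only and changes nothing.

```powershell
# Added example (not from the original article): does the remote-registry
# AllowedPaths list expose the EventLog service key?
function Test-EventLogRemoteRegistryPath {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths'
    $paths = (Get-ItemProperty -Path $key -Name Machine -ErrorAction SilentlyContinue).Machine

    # Machine is a multi-string; -like compares case-insensitively, as the registry does.
    # The trailing wildcard also catches entries that name a specific log under Eventlog.
    $matching = @($paths | Where-Object { $_ -like 'System\CurrentControlSet\Services\Eventlog*' })

    [pscustomobject]@{
        AllowedPathsPresent = ($null -ne $paths)
        EventLogPathListed  = ($matching.Count -gt 0)
        MatchingEntries     = $matching
        AllEntries          = @($paths)
    }
}

Test-EventLogRemoteRegistryPath | Format-List
```

If EventLogPathListed is True, the RestrictGuestAccess setting still applies to the guest account, but any other account permitted by the winreg key's own permissions can read the EventLog configuration over the network, which is why the article lists this entry alongside the per-log settings.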

More info MS KB245128
More info MS KB268559


Comments:

  1. C says:
    9 May 2006 at 12:52

    how do i restrict Read-Write (or Read for that matter) access to audit logs?

  2. snakefoot says:
    9 May 2006 at 13:57

    C
    how do i restrict Read-Write (or Read for that matter) access to audit logs?

    The RestrictGuestAccess will block access for guest accounts. It is possible to use Group Policies (gpedit.msc) to block access to the Event Viewer snap-in for certain users, though it will block access to view all logs.

    User Configuration / Administrative Templates / Windows Components / Microsoft Management Console / Restricted/Permitted snap-ins / Event Viewer.

    Another solution could be to use NTFS permissions to decide who should be allowed access to view the security/audit log.

    What version of Windows are you using?

    More Info How to set event log security locally or by using Group Policy in Windows Server 2003 (Q323076)
