Restrict guest access to event logs

By default, guests are allowed to access the event logs of a machine (even over the network). There are three event logs on a machine: the Application, Security and System event logs.

To block guest access to the event logs, set the following DWORD value under each of these keys (blocked by default on Windows XP/2003):

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application]
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System]
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security]
RestrictGuestAccess = 1 (0 = enable guest access, 1 = disable guest access)
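As an added example (not part of the original note), the PowerShell script below reports the RestrictGuestAccess value for all three logs and, only when run with -Enforce, sets it to 1. It assumes an elevated prompt; the value is read when the Event Log service starts, so a reboot is needed before a change takes effect.

```powershell
# Added example: audit (and optionally enforce) RestrictGuestAccess on the
# Application, System and Security event logs. Run from an elevated prompt.
param(
    [switch]$Enforce   # without -Enforce the script only reports
)

$logs = 'Application', 'System', 'Security'
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'

foreach ($log in $logs) {
    $key = Join-Path $base $log
    if (-not (Test-Path $key)) {
        Write-Warning "Key not found: $key"
        continue
    }

    # DWORD value: 1 = guest access disabled, 0 = guest access enabled
    $current = (Get-ItemProperty -Path $key -Name 'RestrictGuestAccess' `
                -ErrorAction SilentlyContinue).RestrictGuestAccess

    if ($null -eq $current) {
        $shown = 'absent'
        $state = 'value missing; guests allowed unless the OS default blocks them'
    } elseif ($current -eq 1) {
        $shown = $current
        $state = 'guest access blocked'
    } else {
        $shown = $current
        $state = 'guest access ALLOWED'
    }
    Write-Host ("{0,-12} RestrictGuestAccess = {1,-7} {2}" -f $log, $shown, $state)

    if ($Enforce -and $current -ne 1) {
        Set-ItemProperty -Path $key -Name 'RestrictGuestAccess' -Value 1 -Type DWord
        Write-Host "  -> set RestrictGuestAccess = 1 on the $log log (reboot to apply)"
    }
}
```

Run it without arguments first to see the current state on each log; the Security log in particular should never report guest access as allowed.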

More info MS KB174074
More info MS KB842209
More info MS KB888189

In a domain, access to the event logs can be configured through the Group Policy editor. The policies can be found at Computer Configuration -> Windows Settings -> Security Settings -> Event Log:

  • “Prevent local guests group from accessing system log” (WinXP/Win2k3) / “Restrict guest access to system log” (Win2k)
  • “Prevent local guests group from accessing application log” (WinXP/Win2k3) / “Restrict guest access to application log” (Win2k)

It is also possible to control access to the event logs with NTFS permissions, by controlling who has access to the folder or to the event log files themselves:

%systemroot%\system32\config

Windows 2003 introduces a new way of controlling access to the event logs: a Security Descriptor Definition Language (SDDL) string in which one specifies a SID together with the access allowed to it. More info MS KB323076

Note that if a service is configured to run with guest credentials, it will not be allowed to access the event logs either.

Note that it might be possible for accounts other than the guest account to access the event logs if the following Multi-String value (edited with Regedt32) exists:

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths]
Machine = "System\CurrentControlSet\Services\Eventlog"
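As an added example (not part of the original note), this PowerShell snippet lists the entries of the Winreg AllowedPaths Machine multi-string and flags any entry that starts with the Eventlog services path, so an administrator can see whether the exception described above is present. It assumes read access to HKLM on the machine being checked.

```powershell
# Added example: show which registry paths the Winreg AllowedPaths value
# exposes, and flag the Eventlog services path in particular.
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths'
$needle = 'System\CurrentControlSet\Services\Eventlog'

# REG_MULTI_SZ values come back as a string array
$paths = (Get-ItemProperty -Path $key -Name 'Machine' -ErrorAction SilentlyContinue).Machine

if ($null -eq $paths) {
    Write-Host "No 'Machine' value found under AllowedPaths."
    return
}

$found = $false
Write-Host "AllowedPaths\Machine entries:"
foreach ($p in $paths) {
    # -like is case-insensitive; backslashes are literal in wildcard patterns
    if ($p -like "$needle*") {
        $found = $true
        Write-Host ("  {0}   <-- exposes the event log service keys" -f $p)
    } else {
        Write-Host ("  {0}" -f $p)
    }
}

if (-not $found) {
    Write-Host "The Eventlog services path is not listed in AllowedPaths."
}
```

Because the AllowedPaths list is a multi-string, one entry per line, a flagged line tells you exactly which entry to review; the script only reads the value and changes nothing.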

More info MS KB245128
More info MS KB268559