Chapter 6. Remote Security Log Collection in a Least Privilege Environment
Information in this chapter:
▪ Log Fetcher Architecture
▪ Accessing WMI
▪ Show Me the Code!
Products, Tools, and Methods
▪ AD
▪ MS SQL Server
▪ Distributed Component Object Model (DCOM)
▪ Windows Management Instrumentation (WMI)
▪ Event Logs
▪ Service Users
▪ Visual Studio (C#)
This chapter focuses on using a low privileged service user to harvest Windows event log data and to warehouse it in a SQL database. This is done with the minimum of permissions over an encrypted Distributed Component Object Model (DCOM) call via Windows Management Instrumentation (WMI), using Security Descriptor Definition Language (SDDL) for individual event log permissions. It includes a fully functional ...
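The following is an added illustration of the fetcher the chapter describes, written for this page and not taken from the book's own code. It runs under a low-privileged service account, connects to a remote host's WMI namespace with DCOM authentication set to PacketPrivacy (signed and encrypted), pulls Security log records newer than the last one already warehoused, and inserts them with parameterized SQL. The host name, the SQL connection string and the EventLogArchive table (columns Host, LogName, RecordNumber, TimeGenerated, EventCode, SourceName, Message) are assumptions. The SDDL ACE shown in the comments, (A;;0x1;;;<SID>), grants read (0x1) on the log to that SID; it is applied with wevtutil rather than from this code.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Management;

// Added example (not the book's code): low-privilege remote event log
// collection over an encrypted DCOM/WMI call, warehoused in SQL Server.
//
// What the service account needs on the target host, and nothing more:
//  * read on the log, granted per log with an SDDL ACE for its SID, e.g.
//      wevtutil sl Security /ca:"<existing channel SDDL>(A;;0x1;;;S-1-5-21-...)"
//    (0x1 = read; the SID is the service user's)
//  * "Enable Account" and "Remote Enable" on the root\cimv2 namespace
//  * DCOM remote launch/activation (membership in Distributed COM Users)
// It does NOT need local administrator or "Manage auditing and security log".
class LogFetcher
{
    // Assumed warehouse location; integrated auth, so no password in code.
    const string WarehouseConnectionString =
        "Server=SQL01;Database=LogWarehouse;Integrated Security=true";

    static void Main(string[] args)
    {
        string targetHost = args.Length > 0 ? args[0] : "SERVER01"; // assumed host
        const string logName = "Security";

        long lastRecord = GetHighWaterMark(targetHost, logName);
        int stored = 0;
        foreach (ManagementObject evt in FetchEvents(targetHost, logName, lastRecord))
        {
            StoreEvent(targetHost, logName, evt);
            stored++;
        }
        Console.WriteLine("Stored {0} new event(s) from {1}\\{2}", stored, targetHost, logName);
    }

    // Query Win32_NTLogEvent remotely, filtering server-side on log name and
    // on RecordNumber so only records we have not yet archived come back.
    static ManagementObjectCollection FetchEvents(string host, string logName, long afterRecord)
    {
        var options = new ConnectionOptions
        {
            // PacketPrivacy signs and encrypts every DCOM packet, so event
            // text never crosses the network in the clear.
            Authentication = AuthenticationLevel.PacketPrivacy,
            Impersonation = ImpersonationLevel.Impersonate,
            // A low-privilege account cannot enable SeSecurityPrivilege and,
            // with the SDDL read ACE in place, does not need it.
            EnablePrivileges = false
        };
        var scope = new ManagementScope(string.Format(@"\\{0}\root\cimv2", host), options);
        scope.Connect();

        // logName comes from a fixed constant, never from untrusted input,
        // so embedding it in WQL is safe here.
        string wql = string.Format(
            "SELECT RecordNumber, TimeGenerated, EventCode, SourceName, Message " +
            "FROM Win32_NTLogEvent WHERE Logfile = '{0}' AND RecordNumber > {1}",
            logName, afterRecord);
        var searcher = new ManagementObjectSearcher(scope, new ObjectQuery(wql));
        return searcher.Get();
    }

    // Highest RecordNumber already stored for this host/log (0 if none).
    static long GetHighWaterMark(string host, string logName)
    {
        using (var conn = new SqlConnection(WarehouseConnectionString))
        using (var cmd = new SqlCommand(
            "SELECT ISNULL(MAX(RecordNumber), 0) FROM EventLogArchive " +
            "WHERE Host = @host AND LogName = @log", conn))
        {
            cmd.Parameters.Add("@host", SqlDbType.NVarChar, 255).Value = host;
            cmd.Parameters.Add("@log", SqlDbType.NVarChar, 255).Value = logName;
            conn.Open();
            return Convert.ToInt64(cmd.ExecuteScalar());
        }
    }

    // Parameterized insert: event Message text is attacker-influenced
    // (logon names, process command lines), so it must never be concatenated
    // into SQL.
    static void StoreEvent(string host, string logName, ManagementObject evt)
    {
        using (var conn = new SqlConnection(WarehouseConnectionString))
        using (var cmd = new SqlCommand(
            "INSERT INTO EventLogArchive " +
            "(Host, LogName, RecordNumber, TimeGenerated, EventCode, SourceName, Message) " +
            "VALUES (@host, @log, @rec, @time, @code, @src, @msg)", conn))
        {
            string message = evt["Message"] as string; // may be null for some events
            cmd.Parameters.Add("@host", SqlDbType.NVarChar, 255).Value = host;
            cmd.Parameters.Add("@log", SqlDbType.NVarChar, 255).Value = logName;
            cmd.Parameters.Add("@rec", SqlDbType.BigInt).Value = Convert.ToInt64(evt["RecordNumber"]);
            // WMI returns DMTF datetime strings; convert to a real DateTime.
            cmd.Parameters.Add("@time", SqlDbType.DateTime).Value =
                ManagementDateTimeConverter.ToDateTime((string)evt["TimeGenerated"]);
            cmd.Parameters.Add("@code", SqlDbType.Int).Value = Convert.ToInt32(evt["EventCode"]);
            cmd.Parameters.Add("@src", SqlDbType.NVarChar, 255).Value = (string)evt["SourceName"];
            cmd.Parameters.Add("@msg", SqlDbType.NVarChar, -1).Value =
                (object)message ?? DBNull.Value;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```

Two checks worth running before trusting this in production: confirm with `wevtutil gl Security` that the channelAccess SDDL still carries the service user's read ACE after patching (some updates rewrite it), and verify on the wire that the DCOM traffic is in fact encrypted, since a ConnectionOptions left at the default authentication level will silently negotiate down to whatever the target accepts.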
