Chapter 6. Remote Security Log Collection in a Least Privilege Environment
Information in this chapter:
▪ Log Fetcher Architecture
▪ Accessing WMI
▪ Show Me the Code!
Products, Tools, and Methods
▪ AD
▪ MS SQL Server
▪ Distributed Component Object Model (DCOM)
▪ Windows Management Instrumentation (WMI)
▪ Event Logs
▪ Service Users
▪ Visual Studio (C#)
This chapter focuses on using a low privileged service user to harvest Windows event log data and to warehouse it in a SQL database. This is done with the minimum of permissions over an encrypted Distributed Component Object Model (DCOM) call via Windows Management Instrumentation (WMI), using Security Descriptor Definition Language (SDDL) for individual event log permissions. It includes a fully functional ...

Get Thor's Microsoft Security Bible now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.