8.8. Restricting Access to an Event Log
You want to restrict who can view the event logs on a server.

The default behavior on Windows 2000 is that anyone can view the event logs (including the Guest account and users connecting with null connections). To restrict this, you need to create the following

<LogName> is the name of the event log (e.g., Application) you want to restrict. The value should be of type REG_DWORD with the value data set to 1. This limits access to members of the local Administrators group. You can also configure this in group policy. There are three settings that correspond to restricting access to the application, system, and security logs. These settings can be

With Windows Server 2003, the way event logs are restricted has

registry value is no longer used. It has been replaced with a CustomSD value (in the same registry location) that contains a security descriptor string in Security Descriptor Definition Language (SDDL), which determines which users have access to the event logs. Unfortunately, at the time of this writing, Microsoft has not provided a graphical interface or even a command-line interface for abstracting away the messy details of SDDL. That means if you want to restrict access, you need to learn a little something about SDDL. For a good description ...
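To make the CustomSD string less opaque, here is an added Python example (not from the book) that decodes the DACL portion of an SDDL string into the event-log rights each principal is explicitly allowed or denied, so you can audit a CustomSD before applying it. The access-mask bits 0x1, 0x2 and 0x4 are the event-log read, write and clear rights; the sample string and the SID-alias table are constructed for illustration.

```python
import re

# Well-known SDDL SID abbreviations that typically appear in event log CustomSD strings
SID_NAMES = {
    "BA": "Builtin Administrators", "SY": "Local System", "AU": "Authenticated Users",
    "AN": "Anonymous Logon", "BG": "Builtin Guests", "BU": "Builtin Users",
    "WD": "Everyone", "IU": "Interactive Users", "SO": "Server Operators",
    "LS": "Local Service", "NS": "Network Service",
}
# Event-log specific access mask bits: 0x1 read, 0x2 write, 0x4 clear
LOG_RIGHTS = {0x1: "read", 0x2: "write", 0x4: "clear"}

# An ACE is (type;flags;rights;object_guid;inherit_guid;sid); only A (allow) and D (deny) matter here
ACE_RE = re.compile(r"\((A|D);[^;]*;([^;]*);[^;]*;[^;]*;([^)]+)\)")

# Constructed sample CustomSD (not taken from any real system): deny anonymous and guests,
# give SYSTEM and Administrators full access, let Authenticated Users read only
SAMPLE_CUSTOM_SD = "O:BAG:SYD:(D;;0x7;;;AN)(D;;0x7;;;BG)(A;;0x7;;;SY)(A;;0x7;;;BA)(A;;0x1;;;AU)"


def parse_custom_sd(sddl):
    """Map each principal in the DACL to the log rights it is explicitly allowed/denied."""
    if "D:" not in sddl:
        # A descriptor with no DACL grants everyone full access, which is the opposite
        # of restricting the log, so treat it as an error rather than silently returning {}
        raise ValueError("SDDL has no DACL: everyone would have full access")
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # drop owner/group prefix and any SACL
    summary = {}
    for ace_type, mask_text, sid in ACE_RE.findall(dacl):
        if not mask_text.startswith("0x"):
            raise ValueError(f"unsupported non-hex access mask: {mask_text}")
        mask = int(mask_text, 16)
        rights = {name for bit, name in LOG_RIGHTS.items() if mask & bit}
        who = SID_NAMES.get(sid, sid)  # unknown aliases / raw S-1-... SIDs are kept verbatim
        entry = summary.setdefault(who, {"allow": set(), "deny": set()})
        entry["allow" if ace_type == "A" else "deny"].update(rights)
    return summary


def who_can_read(sddl):
    """Principals explicitly allowed read and not explicitly denied it (sorted)."""
    return sorted(who for who, e in parse_custom_sd(sddl).items()
                  if "read" in e["allow"] and "read" not in e["deny"])


if __name__ == "__main__":
    for who, e in parse_custom_sd(SAMPLE_CUSTOM_SD).items():
        print(f"{who:24} allow={sorted(e['allow'])} deny={sorted(e['deny'])}")
    print("can read:", who_can_read(SAMPLE_CUSTOM_SD))
```

Group membership is not modeled: a user who is both an Authenticated User and a Guest is still denied by the deny ACE, so read the output as explicit ACL intent rather than an effective-access result.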