8.8. Restricting Access to an Event Log

Problem

You want to restrict who can view the event logs on a server.

Solution

The default behavior on Windows 2000 is that anyone can view the event logs (including the Guest account and users connecting with null connections). To restrict this, you need to create the following Registry value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ <LogName> \RestrictGuestAccess, where <LogName> is the name of the event log (e.g., Application) you want to restrict. The value should be of type REG_DWORD with the value data set to 1. This limits access to members of the local Administrators group. You can also configure this in group policy. There are three settings that correspond to restricting access to the application, system, and security logs. These settings can be found under Computer Configuration\Windows Settings\Security Settings\Event Log\.

With Windows Server 2003, the way event logs are restricted has changed. The RestrictGuestAccess registry value is no longer used. It has been replaced with a CustomSD value (in the same registry location) that contains a Security Descriptor string (SDDL) that determines what users have access to the event logs. Unfortunately, at the time of this writing, Microsoft has not provided a graphical interface or even a command-line interface for abstracting away the messy details of SDDL. That means if you want to restrict access, you need to learn a little something about SDDL. For a good description ...

Get Windows Server Cookbook now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.