Manage auditing and security log

AKA: SeSecurityPrivilege, Manage auditing and security log

Default assignment: Administrators

This right allows you to:

  • Modify the object-level audit policy on files, folders, registry keys, services and any other non-Active Directory object. To access the object-level audit policy, open the object's Properties window, select the Security tab, click Advanced and select the Auditing tab. This is where you define which permissions are audited for this object and for whom.
  • View or dump the security log
  • Clear the security log
This right gives you the above authority regardless of the security log's CustomSD/Channel Access value, which is explained below.

Interestingly, clearing the log by way of this right generates event ID 578/4674 for the privilege, but clearing it by way of the Clear permission defined in CustomSD/Channel Access does not. Either way, Windows logs event ID 517/1102 whenever the log is cleared, regardless of whether you did it with this privilege or with the Clear permission.

Delegating security log authority using CustomSD/Channel Access

To delegate the ability to view the security log without also giving the user ability to clear the log or modify audit policy, the method varies between Windows Server 2003 and Windows Server 2008.
  • Windows Server 2003: Use the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security\CustomSD registry value.  See http://support.microsoft.com/kb/323076 for more information on this value.
  • Windows Server 2008: Use the wevtutil command with the sl switch, which means "set log". To get help on this command run "wevtutil sl /?". You'll want to find the bit about the /ca switch, which means "channel access". Also check out "wevtutil gl", where gl means "get log".

Here's a link to a great post on how to delegate view access to the security log for both 2003 and 2008: http://www.ravenreport.com/blog/post/Remote-Event-Viewer-Access-Windows-2003--2008.aspx
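The following PowerShell script is an added example, not code from the original article or its linked post: it scripts the Windows Server 2008 wevtutil method above by reading the current Security channel access SDDL from "wevtutil gl", appending a read-only allow ACE for a group, and decoding the DACL so you can confirm the delegated principal has Read (0x1) but not Clear (0x4). The group name CONTOSO\SecLogViewers is a placeholder assumption, and the script assumes an elevated PowerShell session on the server being configured.

```powershell
# Added example (not part of the original article): delegate read-only access to the
# Security log on Windows Server 2008 and later through the channel access SDDL
# ("wevtutil sl Security /ca:..."), then verify who can Read vs. Clear the log.
# Event log SDDL access mask bits (as documented in KB 323076): 0x1 Read, 0x2 Write, 0x4 Clear.
# Assumption: the delegated group is "CONTOSO\SecLogViewers" (placeholder name). Run elevated.
$Group = 'CONTOSO\SecLogViewers'
$Read  = 0x1
$Clear = 0x4

# Pull the current channel access SDDL from the "channelAccess:" line of "wevtutil gl".
function Get-SecurityLogSddl {
    $line = wevtutil gl Security | Where-Object { $_ -like 'channelAccess:*' } | Select-Object -First 1
    if (-not $line) { throw 'channelAccess line not found in "wevtutil gl Security" output' }
    return ($line -replace '^channelAccess:\s*', '').Trim()
}

# Decode each ACE in the DACL so the delegation can be checked before and after the change.
function Get-ChannelAces([string]$Sddl) {
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # unresolvable SID: show it raw
        [pscustomobject]@{
            Principal = $name
            AceType   = $ace.AceType
            Mask      = '0x{0:x}' -f $ace.AccessMask
            CanRead   = [bool]($ace.AccessMask -band $Read)
            CanClear  = [bool]($ace.AccessMask -band $Clear)
        }
    }
}

'--- before ---'
Get-ChannelAces (Get-SecurityLogSddl) | Format-Table -AutoSize

$account  = New-Object System.Security.Principal.NTAccount($Group)
$groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$current  = Get-SecurityLogSddl
if ($current -notmatch [regex]::Escape($groupSid)) {
    # Append an allow ACE with Read (0x1) only. Write and Clear are deliberately withheld,
    # so members can view/dump the Security log but cannot clear it; clearing still
    # requires the Clear bit or the SeSecurityPrivilege user right described above.
    $updated = "$current(A;;0x1;;;$groupSid)"
    wevtutil sl Security "/ca:$updated"
}

'--- after ---'
Get-ChannelAces (Get-SecurityLogSddl) | Format-Table -AutoSize
```

On a default Security channel the "before" table shows Administrators with 0x5 (Read and Clear) and Event Log Readers (S-1-5-32-573) with 0x1, which is the pattern the added ACE copies.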


User Comments


Posted by Django Kalkman, Tuesday, November 03, 2009


Is it possible to delegate the security eventlog of a Windows 2008 DC in a Windows 2003 domain? The CustomSD entry is working on all eventlogs but not on the security eventlog!

Posted by RandyFranklinSmith, Tuesday, November 03, 2009


Django, yes - see my revision to this article regarding the wevtutil command.
