Cannot disable read access to the Windows 7 security log

mtz987
So we have some Windows 7 systems with some security requirements. I am trying to disable read access to the security log. The command “wevtutil gl security” shows the following result:

channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x7;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x1;;;S-1-5-32-573)

From what little I know of these things, I am thinking that the “(A;;0x3;;;IU)” is giving interactive users read and write access to the log (they cannot clear it).

What puzzles me is that the command

wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x7;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x1;;;S-1-5-32-573)

shows immediate results on our normal Windows 7 PCs, but it does NOTHING on the machines in question. The command runs and gives no error, but “wevtutil gl security” still shows the “(A;;0x3;;;IU)” in the channelAccess string.

What am I doing wrong?
Distinguished Expert 2018

Commented:
By default, without any action, users cannot read the security protocol. Only admins are allowed in there, so no action is needed, since you will not be able to limit admins in any way.

Author

Commented:
McKnife,
Somehow the default was lost, and I cannot set it to not allow limited-rights users to view it.
Adam Brown, Senior Systems Admin
Top Expert 2010

Commented:
You can make the security changes you need with group policy (which might be how they were changed in the first place), but it may take a few modifications to some system files for the settings you need to be visible. The file you'll want to modify is SCEREGVL.INF, which is what defines the settings available in the Security Options section of a GPO. https://support.microsoft.com/en-us/kb/323076 describes how to add the options necessary to modify the Event Log security in group policy. If you only want to handle this on a single computer, you can just make the registry modifications at the top of the article. Otherwise, follow the instructions for Group Policy.

That article is written for Windows 2003, but the file exists in later versions of Windows Server and does the same thing. The only difference is that later versions have more security on that file, which requires you to take ownership, grant permissions, modify it, then restore the permissions to normal. https://support.microsoft.com/en-us/kb/947721 has instructions for accomplishing this.
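An added PowerShell audit script, not code from the thread, from Experts Exchange or from Microsoft, that does two things the question and this answer leave the reader to do by hand: it decodes a channelAccess SDDL string into trustee/read/write/clear rows (so the 0x3 on IU in the question's output reads as read+write, no clear), and it compares the descriptor that wevtutil gl reports with the registry locations that can hold a competing one. The mask bits 0x1/0x2/0x4 are the documented event log access bits. The Group Policy value path HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\ChannelAccess (the "Configure log access" setting) and the legacy CustomSD value under Services\EventLog\Security (the registry method in the KB article linked above) are assumptions about where a policy or legacy override lands, stated here rather than taken from the thread. Run it in an elevated PowerShell on one of the affected machines.

```powershell
# Added audit script (not from the thread). Decodes an event log channel's
# channelAccess SDDL, reports who can read/write/clear the log, and shows the
# registry locations that can hold a competing descriptor.

# Event log channel access-mask bits (documented values for channel ACEs).
$LogRead  = 0x1
$LogWrite = 0x2
$LogClear = 0x4

function ConvertFrom-ChannelAccessSddl {
    # Expand every DACL ACE of an SDDL string into one trustee/rights row.
    param([Parameter(Mandatory = $true)][string]$Sddl)

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }          # unresolvable SID (e.g. SO on a workstation): keep raw value
        New-Object PSObject -Property @{
            Trustee = $name
            Sid     = $sid.Value
            AceType = $ace.AceType
            Mask    = ('0x{0:x}' -f $ace.AccessMask)
            Read    = [bool]($ace.AccessMask -band $LogRead)
            Write   = [bool]($ace.AccessMask -band $LogWrite)
            Clear   = [bool]($ace.AccessMask -band $LogClear)
        }
    }
}

function Get-ChannelAccessSddl {
    # Read the effective descriptor the way the thread does: from "wevtutil gl <channel>".
    param([string]$Channel = 'Security')
    foreach ($line in (wevtutil gl $Channel)) {
        if ($line -match '^\s*channelAccess:\s*(\S+)') { return $Matches[1] }
    }
}

function Get-ChannelAccessSources {
    # Locations that can hold a descriptor for the channel. The policy path is an
    # assumption based on the "Configure log access" Group Policy setting; CustomSD
    # is the legacy per-log override described in the KB article linked above.
    param([string]$Channel = 'Security')
    $policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\$Channel"
    $legacyKey = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$Channel"
    @{
        'wevtutil gl (effective)' = Get-ChannelAccessSddl $Channel
        'Policy ChannelAccess'    = (Get-ItemProperty -Path $policyKey -Name ChannelAccess -ErrorAction SilentlyContinue).ChannelAccess
        'Legacy CustomSD'         = (Get-ItemProperty -Path $legacyKey -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
    }
}

# 1. Offline check of the decoder on the channelAccess string quoted in the question.
$fromQuestion = 'O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x7;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x1;;;S-1-5-32-573)'
ConvertFrom-ChannelAccessSddl $fromQuestion | Format-Table Trustee, Sid, Mask, Read, Write, Clear -AutoSize

# 2. Live check: which location still grants INTERACTIVE (IU, S-1-5-4) read access?
$interactiveSid = 'S-1-5-4'
$sources = Get-ChannelAccessSources 'Security'
foreach ($name in $sources.Keys) {
    $sddl = $sources[$name]
    if (-not $sddl) { Write-Output "$name : (not set)"; continue }
    Write-Output "$name : $sddl"
    $rows = @(ConvertFrom-ChannelAccessSddl $sddl)
    foreach ($row in ($rows | Where-Object { $_.Read })) {
        Write-Output ('    read granted to {0} (write={1}, clear={2})' -f $row.Trustee, $row.Write, $row.Clear)
    }
    if ($rows | Where-Object { $_.Sid -eq $interactiveSid -and $_.Read }) {
        Write-Warning "$name still lets interactive users read the Security log"
    }
}
```

If the effective descriptor from wevtutil gl matches one of the registry locations rather than the string you passed to wevtutil sl, that location is supplying the value and is where the IU ACE has to be removed (through Group Policy or the local policy editor for the policy value, or by editing CustomSD for the legacy one); re-run the script afterwards to confirm no remaining source grants read access to S-1-5-4.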

Distinguished Expert 2018

Commented:
First, one will have to look at the group "Event Log Readers" and look at its members. By default, it's empty.

Author

Commented:
Some of the PCs are not in a domain, and the local GPO does not show those settings.
Senior Systems Admin
Top Expert 2010
Commented:
Modifying sceregvl.inf will allow those settings to appear. Alternatively, there are some registry modifications you can make on the systems themselves that will allow you to change the security settings. The link I gave has instructions in it as well.
