Solved

Cannot disable read access the Windows 7 security log

Posted on 2016-08-12
6
71 Views
Last Modified: 2016-08-16
So we have some Windows 7 systems with some security requirements. I am trying to disable read access the security log. The command “wevtutil gl security” shows a result of the following:

channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x7;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x1;;;S-1-5-32-573)

Open in new window


From what little I know of these things, I am thinking that the “(A;;0x3;;;IU)” is giving interactive users read and write of the log (they cannot clear it)

What puzzles me is that the command

wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x7;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x1;;;S-1-5-32-573)

Open in new window


shows immediate results on our normal windows 7 PC’s, but it does NOTHING on the machines in question. The command runs, gives no error, but “wevtutil gl security” still shows the “(A;;0x3;;;IU)” in the channelAccess string.

What am I doing wrong?
0
Comment
Question by:mtz987
  • 2
  • 2
  • 2
6 Comments
 
LVL 54

Expert Comment

by:McKnife
ID: 41753982
By default, without any action, users cannot read the security protocol. Only admins allowed in there, so no need for action since you'll not be able to limit admins in any way.
0
 

Author Comment

by:mtz987
ID: 41754121
McKnife,
Somehow the default was lost and cannot set it not allow limited rights users to view it.
0
 
LVL 39

Expert Comment

by:Adam Brown
ID: 41754268
You can make the security changes you need with group policy (which might be how they were changed in the first place), but it may take a few modifications to some system files for the settings you need to be visible. The file you'll want to modify is SCEREGVL.INF, which is what defines the settings available in the Security Options section of a GPO. https://support.microsoft.com/en-us/kb/323076 describes how to add the options necessary to modify the Event Log security in group policy. If you only want to handle this on a single computer, you can just make the registry modifications at the top of the article. Otherwise, follow the instructions for Group Policy.

That article is written for Windows 2003, but the file exists in later versions of windows server and does the same thing. The only difference is that later versions have more security on that file, which requires you to take ownership, grant permissions, modify it, then restore the permissions to normal. https://support.microsoft.com/en-us/kb/947721 has instructions for accomplishing this.
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 54

Expert Comment

by:McKnife
ID: 41754762
First, one will have to look at the group "event log readers" look at its members. By default, it's empty.
0
 

Author Comment

by:mtz987
ID: 41757866
Some of the PC’s are not in a domain, and the local gpo does not show those settings.
0
 
LVL 39

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 41758071
Modifying sceregvl.inf will allow those settings to appear. Alternatively, there are some registry modifications you can make on the systems themselves that will allow you to change the security settings. The link I gave has instructions in it as well.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
ticket bloat 3 31
Domain Controller FSMO 7 39
PCI Compliance - mixing SAQs 6 31
Unable to print after system state restore 32 21
The new Gmail Phishing Scam going around is surprising even the savviest of users with its sophisticated techniques.
One of the biggest threats in the cyber realm pertains to advanced persistent threats (APTs). This paper is a compare and contrast of Russian and Chinese APT's.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question