Solved

Cannot disable read access the Windows 7 security log

Posted on 2016-08-12
6
73 Views
Last Modified: 2016-08-16
So we have some Windows 7 systems with some security requirements. I am trying to disable read access the security log. The command “wevtutil gl security” shows a result of the following:

channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x7;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x1;;;S-1-5-32-573)

Open in new window


From what little I know of these things, I am thinking that the “(A;;0x3;;;IU)” is giving interactive users read and write of the log (they cannot clear it)

What puzzles me is that the command

wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x7;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x1;;;S-1-5-32-573)

Open in new window


shows immediate results on our normal windows 7 PC’s, but it does NOTHING on the machines in question. The command runs, gives no error, but “wevtutil gl security” still shows the “(A;;0x3;;;IU)” in the channelAccess string.

What am I doing wrong?
0
Comment
Question by:mtz987
  • 2
  • 2
  • 2
6 Comments
 
LVL 54

Expert Comment

by:McKnife
ID: 41753982
By default, without any action, users cannot read the security protocol. Only admins allowed in there, so no need for action since you'll not be able to limit admins in any way.
0
 

Author Comment

by:mtz987
ID: 41754121
McKnife,
Somehow the default was lost and cannot set it not allow limited rights users to view it.
0
 
LVL 39

Expert Comment

by:Adam Brown
ID: 41754268
You can make the security changes you need with group policy (which might be how they were changed in the first place), but it may take a few modifications to some system files for the settings you need to be visible. The file you'll want to modify is SCEREGVL.INF, which is what defines the settings available in the Security Options section of a GPO. https://support.microsoft.com/en-us/kb/323076 describes how to add the options necessary to modify the Event Log security in group policy. If you only want to handle this on a single computer, you can just make the registry modifications at the top of the article. Otherwise, follow the instructions for Group Policy.

That article is written for Windows 2003, but the file exists in later versions of windows server and does the same thing. The only difference is that later versions have more security on that file, which requires you to take ownership, grant permissions, modify it, then restore the permissions to normal. https://support.microsoft.com/en-us/kb/947721 has instructions for accomplishing this.
0
NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

 
LVL 54

Expert Comment

by:McKnife
ID: 41754762
First, one will have to look at the group "event log readers" look at its members. By default, it's empty.
0
 

Author Comment

by:mtz987
ID: 41757866
Some of the PC’s are not in a domain, and the local gpo does not show those settings.
0
 
LVL 39

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 41758071
Modifying sceregvl.inf will allow those settings to appear. Alternatively, there are some registry modifications you can make on the systems themselves that will allow you to change the security settings. The link I gave has instructions in it as well.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Knowing where your website is hosted is as important as the features you receive, the monthly fee, and the support you receive. Due diligence should be done when choosing your next hosting provider.
There's a lot of hype surrounding blockchain technology. Here's how it works and some of the novel ways it' s now being used - including for data protection.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question