Cannot disable read access the Windows 7 security log

So we have some Windows 7 systems with some security requirements. I am trying to disable read access the security log. The command “wevtutil gl security” shows a result of the following:

channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x7;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x1;;;S-1-5-32-573)

Open in new window


From what little I know of these things, I am thinking that the “(A;;0x3;;;IU)” is giving interactive users read and write of the log (they cannot clear it)

What puzzles me is that the command

wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x7;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x1;;;S-1-5-32-573)

Open in new window


shows immediate results on our normal windows 7 PC’s, but it does NOTHING on the machines in question. The command runs, gives no error, but “wevtutil gl security” still shows the “(A;;0x3;;;IU)” in the channelAccess string.

What am I doing wrong?
mtz987Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

McKnifeCommented:
By default, without any action, users cannot read the security protocol. Only admins allowed in there, so no need for action since you'll not be able to limit admins in any way.
0
mtz987Author Commented:
McKnife,
Somehow the default was lost and cannot set it not allow limited rights users to view it.
0
Adam BrownSr Solutions ArchitectCommented:
You can make the security changes you need with group policy (which might be how they were changed in the first place), but it may take a few modifications to some system files for the settings you need to be visible. The file you'll want to modify is SCEREGVL.INF, which is what defines the settings available in the Security Options section of a GPO. https://support.microsoft.com/en-us/kb/323076 describes how to add the options necessary to modify the Event Log security in group policy. If you only want to handle this on a single computer, you can just make the registry modifications at the top of the article. Otherwise, follow the instructions for Group Policy.

That article is written for Windows 2003, but the file exists in later versions of windows server and does the same thing. The only difference is that later versions have more security on that file, which requires you to take ownership, grant permissions, modify it, then restore the permissions to normal. https://support.microsoft.com/en-us/kb/947721 has instructions for accomplishing this.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

McKnifeCommented:
First, one will have to look at the group "event log readers" look at its members. By default, it's empty.
0
mtz987Author Commented:
Some of the PC’s are not in a domain, and the local gpo does not show those settings.
0
Adam BrownSr Solutions ArchitectCommented:
Modifying sceregvl.inf will allow those settings to appear. Alternatively, there are some registry modifications you can make on the systems themselves that will allow you to change the security settings. The link I gave has instructions in it as well.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Security

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.