Q: How can I control who has access to a system’s Security event log? Does Microsoft provide a way to give a user (e.g., a member of our Help desk team) access to a system’s Security event log? I want to avoid giving all the users that require Security event log access an administrator-level account.
A: Microsoft included a mechanism to control Security event log access in Windows Server 2003 without giving users administrator-level access. This mechanism leverages a Reg_SZ value called CustomSD that must be added to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security registry location. The CustomSD value contains a security descriptor that controls who gets what level of access (i.e., read, write, or clear access) to the Security event log. The security descriptor in CustomSD must be specified in the Security Descriptor Definition Language (SDDL) format. SDDL is a special (and complex) language that describes object permissions. The following is an example of an SDDL string that you can embed in CustomSD:
O:BAG:SYD:(D;; 0xf0007;;;AN) <br> (A;; 0x7;;;SO)(A;; 0x3;;;IU)
This string denies anonymous users read, write, and clear access to the Security event log (D;; 0xf0007;;;AN); grants server operators read, write, and clear access (A;; 0x7;;;SO); and grants interactive users read and write access (A;; 0x3;;;IU). For a complete description of the SDDL syntax, see the Microsoft article “Security Descriptor Definition Language” at http://go.microsoft.com/fwlink/?LinkId=100970.
To centrally enforce the customer security descriptor contained in CustomSD on Windows 2003 machines that are part of a Windows Active Directory (AD) domain environment, you can use Group Policy Object (GPO) settings. To find out how to leverage GPO settings for this purpose, go to http://support.microsoft.com/kb/323076.
If you edit CustomSD, its new value will take effect only after a system restart. CustomSD is available only in Windows 2003. You can also use CustomSD to fine-tune access to any of the other Windows event logs (e.g., Application, System).