A question I get asked frequently: what are the default ACLs on Windows event logs?
Here's the answer, straight from the source code with only a little formatting help from me, and in more detail than you probably care to know.
Windows 2000:
Application Event Log and custom event logs

ACE Type     Principal           Accesses
------------ ------------------  ------------
*Deny        Anonymous           All Access
*Deny        Guests              All Access
Allow        LocalSystem         Full Control
Allow        Administrators      Read, Clear
Allow        Backup Operators    Backup
Allow        Server Operators    Read, Clear
Allow        Everyone            Read
Allow        Administrators      Write
Allow        Server Operators    Write
Allow        Everyone            Write

* only if RestrictGuestAccess is set for this log

System Event Log

ACE Type     Principal           Accesses
------------ ------------------  ------------
*Deny        Anonymous           All Access
*Deny        Guests              All Access
Allow        LocalSystem         Full Control
Allow        Administrators      Read, Clear
Allow        Backup Operators    Backup
Allow        Server Operators    Read, Clear
Allow        Everyone            Read
Allow        Administrators      Write

* only if RestrictGuestAccess is set for this log

Security Event Log

ACE Type     Principal           Accesses
------------ ------------------  ------------
*Deny        Anonymous           All Access
*Deny        Guests              All Access
Allow        LocalSystem         Full Control
Allow        Administrators      Read, Clear

* only if RestrictGuestAccess is set for this log

Access to the security event log is governed by SeSecurityPrivilege (aka "Manage Audit and Security Log"). Holders of the privilege have Read, Clear, and Backup permission. Holders of SeAuditPrivilege (aka "Generate Security Audit") can write to the log via internal LSA APIs only. LocalSystem can write to the security event log via the ReportEvent API due to permission granted via the log ACL.

By default, these are the privilege assignments:

SeSecurityPrivilege   Administrators, LocalSystem
SeAuditPrivilege      LocalSystem

Windows XP with Service Pack 2:

Application Event Log and custom event logs

ACE Type     Principal           Accesses
------------ ------------------  ------------
*Deny        Anonymous           All Access
*Deny        Guests              All Access
Allow        LocalSystem         Full Control
Allow        Administrators      Read, Clear
Allow        Backup Operators    Backup
Allow        Server Operators    Read, Clear
Allow        Everyone            Read
Allow        Administrators      Write
Allow        LocalService        Write
Allow        NetworkService      Write
Allow        Server Operators    Write
Allow        Everyone            Write

* only if RestrictGuestAccess is set for this log

System Event Log

ACE Type     Principal           Accesses
------------ ------------------  ------------
*Deny        Anonymous           All Access
*Deny        Guests              All Access
Allow        LocalSystem         Full Control
Allow        Administrators      Read, Clear
Allow        Backup Operators    Backup
Allow        Server Operators    Read, Clear
Allow        Everyone            Read
Allow        Administrators      Write
Allow        LocalService        Write
Allow        NetworkService      Write

* only if RestrictGuestAccess is set for this log

Security Event Log

ACE Type     Principal           Accesses
------------ ------------------  ------------
*Deny        Anonymous           All Access
*Deny        Guests              All Access
Allow        LocalSystem         Full Control
Allow        Administrators      Read, Clear

* only if RestrictGuestAccess is set for this log

Access to the security event log is governed by SeSecurityPrivilege (aka "Manage Audit and Security Log"). Holders of the privilege have Read, Clear, and Backup permission. Holders of SeAuditPrivilege (aka "Generate Security Audit") can write to the log via internal LSA APIs only. LocalSystem cannot write to the security event log via the ReportEvent API regardless of permission.

By default, these are the privilege assignments:

SeSecurityPrivilege   Administrators, LocalSystem
SeAuditPrivilege      LocalService, NetworkService, LocalSystem
Windows Server 2003:
Windows Server 2003 introduced configurable event log ACLs via the CustomSD registry value. Here are the defaults, including the equivalent SDDL:

Application Event Log and custom event logs

O:BAG:SYD:
*(D;;0xf0007;;;AN)     // (Deny) Anonymous:All Access
*(D;;0xf0007;;;BG)     // (Deny) Guests:All Access
(A;;0xf0007;;;SY)      // LocalSystem:Full
(A;;0x7;;;BA)          // Administrators:Read,Write,Clear
(A;;0x7;;;SO)          // Server Operators:Read,Write,Clear
(A;;0x3;;;IU)          // INTERACTIVE LOGON:Read,Write
(A;;0x3;;;SU)          // SERVICES LOGON:Read,Write
(A;;0x3;;;S-1-5-3)     // BATCH LOGON:Read,Write

* only if RestrictGuestAccess is set for this log

System Event Log

O:BAG:SYD:
*(D;;0xf0007;;;AN)     // (Deny) Anonymous:All Access
*(D;;0xf0007;;;BG)     // (Deny) Guests:All Access
(A;;0xf0007;;;SY)      // LocalSystem:Full
(A;;0x7;;;BA)          // Administrators:Read,Write,Clear
(A;;0x5;;;SO)          // Server Operators:Read,Clear
(A;;0x1;;;IU)          // INTERACTIVE LOGON:Read
(A;;0x1;;;SU)          // SERVICES LOGON:Read
(A;;0x1;;;S-1-5-3)     // BATCH LOGON:Read
(A;;0x2;;;LS)          // LocalService:Write
(A;;0x2;;;NS)          // NetworkService:Write

* only if RestrictGuestAccess is set for this log

Security Event Log

O:BAG:SYD:
*(D;;0xf0007;;;AN)     // (Deny) Anonymous:All Access
*(D;;0xf0007;;;BG)     // (Deny) Guests:All Access
(A;;0xf0007;;;SY)      // LocalSystem:Full
(A;;0x7;;;BA)          // Administrators:Read,Write**,Clear

As with Windows XP and Windows 2000, privilege also allows access to the security log. SeSecurityPrivilege allows Read and Clear access to the security event log.

* only if RestrictGuestAccess is set for this log
** Regardless of permissions in the security event log ACL, SeAuditPrivilege is required to write to the security event log, and all writes can only occur via audit APIs (e.g. AuthzReportSecurityEvent), not through event log APIs (e.g. ReportEvent).

Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2, and beyond:

Starting with Windows Vista, you can actually enumerate the ACL on any log with the WEVTUTIL.EXE utility (running in an Administrator command prompt). As always, possession of SeAuditPrivilege allows write to the security event log regardless of ACL, and possession of SeSecurityPrivilege allows read and clear of the security event log regardless of ACL.

C:\Windows\system32>wevtutil gl security
name: security
enabled: true
type: Admin
owningPublisher:
isolation: Custom
channelAccess: O:BAG:SYD:(A;;CCLCSDRCWDWO;;;SY)(A;;CCLC;;;BA)(A;;CC;;;ER)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx
  retention: false
  autoBackup: false
  maxSize: 786432000
publishing:
  fileMax: 1
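The CustomSD strings above use hex masks while wevtutil prints SDDL letter pairs, so as an added example (not code from the original post) here is a small Python decoder that parses both forms, maps the rights field onto the event log Read/Write/Clear bits, and lists who holds the Write bit. The SID aliases and rights values are standard SDDL; the two sample strings are the WS03 Application default and the Vista security channel quoted on this page.

```python
import re

# Event log access bits (ELF_LOGFILE_READ/WRITE/CLEAR); the page's 0xf0007
# "Full" mask is these three plus STANDARD_RIGHTS_ALL (0x000f0000).
ELF_READ, ELF_WRITE, ELF_CLEAR = 0x1, 0x2, 0x4
ELF_NAMES = ((ELF_READ, "Read"), (ELF_WRITE, "Write"), (ELF_CLEAR, "Clear"))
# SDDL rights letters as wevtutil prints them. The low bits coincide with the
# ELF bits, so on a channel CC means Read, DC means Write and LC means Clear.
SDDL_RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
               "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
               "WD": 0x40000, "WO": 0x80000}
# Well-known SID aliases used in the page's ACLs (S-1-5-3 has no alias).
SDDL_SIDS = {"AN": "Anonymous", "BG": "Guests", "SY": "LocalSystem",
             "BA": "Administrators", "SO": "Server Operators", "IU": "INTERACTIVE",
             "SU": "SERVICE", "S-1-5-3": "BATCH", "LS": "LocalService",
             "NS": "NetworkService", "ER": "Event Log Readers"}

def rights_mask(field):
    """Convert an SDDL rights field, hex literal or letter pairs, to a mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    return sum(SDDL_RIGHTS[field[i:i + 2]] for i in range(0, len(field), 2))

def parse_log_sddl(sddl):
    """Return (ace_type, principal, mask, [Read/Write/Clear]) per DACL ACE."""
    dacl = re.search(r"D:((?:\([^)]*\))+)", sddl).group(1)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, _flags, rights, _obj, _inh, sid = body.split(";")
        mask = rights_mask(rights)
        names = [name for bit, name in ELF_NAMES if mask & bit]
        aces.append((ace_type, SDDL_SIDS.get(sid, sid), mask, names))
    return aces

def write_holders(sddl):
    """Principals whose Allow ACE carries the event log Write bit (0x2)."""
    return [p for t, p, mask, _ in parse_log_sddl(sddl) if t == "A" and mask & ELF_WRITE]

# The two ACLs from the page: WS03 Application default (deny ACEs shown as
# present, i.e. RestrictGuestAccess set) and the Vista security channel.
WS03_APPLICATION = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)"
                    "(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)"
                    "(A;;0x3;;;S-1-5-3)")
VISTA_SECURITY = "O:BAG:SYD:(A;;CCLCSDRCWDWO;;;SY)(A;;CCLC;;;BA)(A;;CC;;;ER)"

if __name__ == "__main__":
    for ace_type, who, mask, names in parse_log_sddl(VISTA_SECURITY):
        print(ace_type, who, hex(mask), names)
    # Empty list: nobody holds Write on the security channel, matching the
    # page's point that writes go only through the SeAuditPrivilege path.
    print("Write holders:", write_holders(VISTA_SECURITY))
```

Running it against the Vista security channel shows LocalSystem with 0xf0005 (Read, Clear and the standard rights, but no Write bit), which is the ACL-level counterpart of the "writes only via audit APIs" rule stated above.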
UPDATE 2006-03-07 - Added hyperlink to SDDL description
UPDATE 2011-05-24 - Added information for post-WS03 releases
What about Windows 2008?
Hi Fred,
Updated.