Windows Security Logging and Other Esoterica

thoughts from the Windows auditing team

Default ACLs on Windows Event Logs

A question I get asked frequently: what are the default ACLs on Windows event logs?

Here's the answer, straight from the source code with only a little formatting help from me, and in more detail than you probably care to know.

Windows 2000:

Application Event Log and custom event logs

   ACE Type      Principal           Accesses
   ------------  ------------------  ------------
  *Deny          Anonymous           All Access
  *Deny          Guests              All Access
   Allow         LocalSystem         Full Control
   Allow         Administrators      Read, Clear
   Allow         Backup Operators    Backup
   Allow         Server Operators    Read, Clear
   Allow         Everyone            Read
   Allow         Administrators      Write
   Allow         Server Operators    Write
   Allow         Everyone            Write

* only if RestrictGuestAccess is set for this log

System Event Log

   ACE Type      Principal           Accesses
   ------------  ------------------  ------------
  *Deny          Anonymous           All Access
  *Deny          Guests              All Access
   Allow         LocalSystem         Full Control
   Allow         Administrators      Read, Clear
   Allow         Backup Operators    Backup
   Allow         Server Operators    Read, Clear
   Allow         Everyone            Read
   Allow         Administrators      Write

* only if RestrictGuestAccess is set for this log

Security Event Log

   ACE Type      Principal           Accesses
   ------------  ------------------  ------------
  *Deny          Anonymous           All Access
  *Deny          Guests              All Access
   Allow         LocalSystem         Full Control
   Allow         Administrators      Read, Clear

* only if RestrictGuestAccess is set for this log

Access to the security event log is governed by SeSecurityPrivilege (aka "Manage Audit and Security Log").  Holders of the privilege have Read, Clear, and Backup permission.  Holders of SeAuditPrivilege (aka "Generate Security Audit") can write to the log via internal LSA APIs only.  LocalSystem can write to the security event log via the ReportEvent API  due to permission granted via the log ACL.

By default, these are the privilege assignments:

SeSecurityPrivilege      Administrators, LocalSystem
SeAuditPrivilege         LocalSystem

Windows XP with Service Pack 2:

Application Event Log and custom event logs

   ACE Type      Principal           Accesses
   ------------  ------------------  ------------
  *Deny          Anonymous           All Access
  *Deny          Guests              All Access
   Allow         LocalSystem         Full Control
   Allow         Administrators      Read, Clear
   Allow         Backup Operators    Backup
   Allow         Server Operators    Read, Clear
   Allow         Everyone            Read
   Allow         Administrators      Write
   Allow         LocalService        Write
   Allow         NetworkService      Write
   Allow         Server Operators    Write
   Allow         Everyone            Write

* only if RestrictGuestAccess is set for this log

System Event Log

   ACE Type      Principal           Accesses
   ------------  ------------------  ------------
  *Deny          Anonymous           All Access
  *Deny          Guests              All Access
   Allow         LocalSystem         Full Control
   Allow         Administrators      Read, Clear
   Allow         Backup Operators    Backup
   Allow         Server Operators    Read, Clear
   Allow         Everyone            Read
   Allow         Administrators      Write
   Allow         LocalService        Write
   Allow         NetworkService      Write

* only if RestrictGuestAccess is set for this log

Security Event Log

   ACE Type      Principal           Accesses
   ------------  ------------------  ------------
  *Deny          Anonymous           All Access
  *Deny          Guests              All Access
   Allow         LocalSystem         Full Control
   Allow         Administrators      Read, Clear

* only if RestrictGuestAccess is set for this log

Access to the security event log is governed by SeSecurityPrivilege (aka "Manage Audit and Security Log").  Holders of the privilege have Read, Clear, and Backup permission.  Holders of SeAuditPrivilege (aka "Generate Security Audit") can write to the log via internal LSA APIs only.  LocalSystem can not write to the security event log via the ReportEvent API regardless of permission.

By default, these are the privilege assignments:

SeSecurityPrivilege      Administrators, LocalSystem
SeAuditPrivilege         LocalService, NetworkService,
                         LocalSystem

Windows Server 2003:

Windows Server 2003 introduced configurable event log ACLs via the CustomSD registry value.

Here are the defaults, including the equivalent SDDL:

Application Event Log and custom event logs

O:BAG:SYD:
 *(D;;0xf0007;;;AN)  // (Deny) Anonymous:All Access
 *(D;;0xf0007;;;BG)  // (Deny) Guests:All Access
  (A;;0xf0007;;;SY)  // LocalSystem:Full
  (A;;0x7;;;BA)      // Administrators:Read,Write,Clear
  (A;;0x7;;;SO)      // Server Operators:Read,Write,Clear
  (A;;0x3;;;IU)      // INTERACTIVE LOGON:Read,Write
  (A;;0x3;;;SU)      // SERVICES LOGON:Read,Write
  (A;;0x3;;;S-1-5-3) // BATCH LOGON:Read,Write

* only if RestrictGuestAccess is set for this log

System Event Log

O:BAG:SYD:
 *(D;;0xf0007;;;AN)  // (Deny) Anonymous:All Access
 *(D;;0xf0007;;;BG)  // (Deny) Guests:All Access
  (A;;0xf0007;;;SY)  // LocalSystem:Full
  (A;;0x7;;;BA)      // Administrators:Read,Write,Clear
  (A;;0x5;;;SO)      // Server Operators:Read,Clear
  (A;;0x1;;;IU)      // INTERACTIVE LOGON:Read
  (A;;0x1;;;SU)      // SERVICES LOGON:Read
  (A;;0x1;;;S-1-5-3) // BATCH LOGON:Read
  (A;;0x2;;;LS)      // LocalService:Write
  (A;;0x2;;;NS)      // NetworkService:Write

* only if RestrictGuestAccess is set for this log

Security Event Log

O:BAG:SYD:
 *(D;;0xf0007;;;AN)  // (Deny) Anonymous:All Access
 *(D;;0xf0007;;;BG)  // (Deny) Guests:All Access
  (A;;0xf0007;;;SY)  // LocalSystem:Full
  (A;;0x7;;;BA)      // Administrators:Read,Write**,Clear

As with Windows XP and Windows 2000, privilege also allows access to the security log.  SeSecurityPrivilege allows Read and Clear access to the security event log.

* only if RestrictGuestAccess is set for this log
** Regardless of permissions in the security event log ACL, SeAuditPrivilege is required to write to the security event log, and all writes can only occur via audit APIs (e.g. AuthzReportSecurityEvent), not through event log APIs (e.g. ReportEvent).

Starting with Windows Vista, you can enumerate the ACL on any log with the WEVTUTIL.EXE utility (run from an elevated Administrator command prompt).  As always, possession of SeAuditPrivilege allows writing to the security event log regardless of ACL, and possession of SeSecurityPrivilege allows reading and clearing the security event log regardless of ACL.

Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2, and beyond:

C:\Windows\system32>wevtutil gl security
name: security
enabled: true
type: Admin
owningPublisher:
isolation: Custom
channelAccess: O:BAG:SYD:(A;;CCLCSDRCWDWO;;;SY)(A;;CCLC;;;BA)(A;;CC;;;ER)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx
  retention: false
  autoBackup: false
  maxSize: 786432000
publishing:
  fileMax: 1
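The Server 2003 SDDL listings and the wevtutil channelAccess string above are two spellings of the same thing, and both can be decoded back into the ACE Type / Principal / Accesses tables used earlier in the post. The Python below is an added example, not code from the post or from Windows: the SID alias and rights-token tables are the subset needed for these strings, the first sample is the wevtutil output quoted above, and the second is constructed from the Server 2003 Application log listing with the RestrictGuestAccess deny ACEs present.

```python
import re
# SDDL SID aliases used in this page's descriptors; others print as raw SIDs.
SID_ALIASES = {"AN": "Anonymous", "BG": "Guests", "SY": "LocalSystem",
               "BA": "Administrators", "SO": "Server Operators", "IU": "INTERACTIVE",
               "SU": "SERVICE", "LS": "LocalService", "NS": "NetworkService",
               "ER": "Event Log Readers", "S-1-5-3": "BATCH"}
# Two-letter SDDL rights tokens (wevtutil prints these instead of a hex mask).
RIGHT_TOKENS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
                "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
                "WD": 0x40000, "WO": 0x80000}
# Event log bits: 0x1 Read, 0x2 Write, 0x4 Clear; 0xF0000 = standard rights.
ELF_BITS = ((0x1, "Read"), (0x2, "Write"), (0x4, "Clear"))
STANDARD_ALL = 0xF0000
# ACE layout is (type;flags;rights;object_guid;inherit_guid;sid).
ACE_RE = re.compile(r"\((\w);([^;]*);([^;]*);[^;]*;[^;]*;([^)]+)\)")

# Samples: the wevtutil string from the post, plus a descriptor constructed
# from the Server 2003 Application log listing with the guest denies present.
VISTA_SECURITY_SDDL = "O:BAG:SYD:(A;;CCLCSDRCWDWO;;;SY)(A;;CCLC;;;BA)(A;;CC;;;ER)"
WS03_APPLICATION_SDDL = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)"
    "(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)")

def parse_mask(rights):
    """Access mask from a hex rights field ('0x7') or a token run ('CCLC')."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        token = rights[i:i + 2]
        if token not in RIGHT_TOKENS:
            raise ValueError("unrecognised SDDL rights token %r" % token)
        mask |= RIGHT_TOKENS[token]
    return mask

def describe_mask(mask):
    """Render a mask in the Read/Write/Clear vocabulary of the tables above."""
    if (mask & 0x7) == 0x7 and (mask & STANDARD_ALL) == STANDARD_ALL:
        return "Full Control"
    names = [name for bit, name in ELF_BITS if mask & bit]
    if mask & STANDARD_ALL:
        names.append("standard rights 0x%X" % (mask & STANDARD_ALL))
    return ", ".join(names) or "none"

def decode_channel_sddl(sddl):
    """Return (ACE type, principal, accesses) rows for every ACE in the DACL."""
    dacl = sddl.split("D:", 1)[1]  # skip the O:/G: owner and group fields
    rows = []
    for ace_type, _flags, rights, sid in ACE_RE.findall(dacl):
        kind = {"A": "Allow", "D": "Deny"}.get(ace_type, ace_type)
        rows.append((kind, SID_ALIASES.get(sid, sid), describe_mask(parse_mask(rights))))
    return rows
```

Running it over the Vista security log string shows LocalSystem with Read and Clear plus the standard rights but no Write bit, which matches the note that writes to the security log go through the audit APIs rather than the log ACL.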

UPDATE 2006-03-07 - Added hyperlink to SDDL description

UPDATE 2011-05-24 - Added information for post-WS03 releases

Comments
  • Note to self: Eric has a good post about the default ACLs on the Windows event log, as taken directly from the source code. Included are the Windows Server 2003 defaults, including the equivalent SDDL. Useful information to compare to my hardening code
  • Eric Fitz took the trouble to search the Windows sources for default access control lists of the various event logs. He posted his findings for Windows 2000, XP with Service Pack 2 and Windows Server 2003 in the Windows Auditing...
  • What about Windows 2008?

  • Hi Fred,

    Updated.
