Giving Non Administrators permission to read Event Logs Windows 2003 and Windows 2008

Apologies for not blogging for sometime. I have been away on vacation, out of the country on training plus work commitments so add that up and it equals and enforced hiatus. Plus of course do not forget the Volcano :).

Well I am back now and have an interesting information around Event Log access and the way thing have changed in Windows 2008 . This comes out of some work I have been doing with my customer.

So if you want to give Non-Administrator users access remotely to Event logs if the Servers or Domain Controllers they are accessing are Windows 2003 follow the steps below.

I have extrapolated the information contained in the following two KBarticles. It is not easy as it is using service discretionary access control lists.

https://support.microsoft.com/kb/323076 plus https://support.microsoft.com/kb/914392  .

This works for both Domain Controllers and Member servers. Therefore when it talks in the body of the steps around Default Domain Group Policies , this can be supplanted with the relevant Group Policy object.

You will also need to download a Name to Sid type utility. Details of this here.

https://support.microsoft.com/kb/276208

There are others around externally and internally to Microsoft. The internal one would only be available to you if you raise a Premier Support Call as part of your premier contract if you have one.

Plus of course you have the Windows Sysinternals

https://technet.microsoft.com/en-us/sysinternals/bb897417.aspx 

As per the article follow the below steps;

Use Group Policy to Set Your Application and System Log Security for a Domain, Site, or Organizational Unit in Active Directory

Important: To view the group policy settings that are described in this article in  the Group Policy editor, first complete the following steps, and then continue to the "Use Group Policy to Set Your Application and System Log Security" section:

1. Use a text editor such as Notepad to open the Sceregvl.inf in the %Windir%\Inf

folder.

2. Add the following lines to the [Register Registry Values] section:

MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD,1,%AppCustomSD%,2 MACHINE\System\CurrentControlSet\Services\Eventlog\Security\CustomSD,1,%SecCustomSD%,2

MACHINE\System\CurrentControlSet\Services\Eventlog\System\CustomSD,1,%SysCustomSD%,2

MACHINE\System\CurrentControlSet\Services\Eventlog\Directory Service\CustomSD,1,%DSCustomSD%,2

MACHINE\System\CurrentControlSet\Services\Eventlog\DNS Server\CustomSD,1,%DNSCustomSD%,2

MACHINE\System\CurrentControlSet\Services\Eventlog\File Replication Service\CustomSD,1,%FRSCustomSD%,2

3. Add the following lines to the [Strings] section:

AppCustomSD="Eventlog:Security descriptor for Application event log"

SecCustomSD="Eventlog:Security descriptor for Security event log"

SysCustomSD="Eventlog:Security descriptor for System event log"

DSCustomSD="Eventlog:Security descriptor for Directory Service event log"

DNSCustomSD="Eventlog:Security descriptor for DNS Server event log"

FRSCustomSD="Eventlog: Security descriptor for File Replication Service event log"

4. Save the changes you made to the Sceregvl.inf file, and then run the regsvr32  scecli.dll command.

5. Start Gpedit.msc, and then double-click the following branches to expand them:

Computer Configuration Windows Settings Security Settings Local Policies Security Options

6. View the right panel to find the new "Eventlog" settings.

7. Open the relevant Policy for the member server. Open Computer Configuration -> Windows Settings  Security Settings  Local Policies  Security Options Look for Event Log settings

3) Use a  name2sid utilitily to find the SID of the group for which you want to give access to

the event viewer.

4) Open “Eventlog: Security descriptor for Application event log”. Click on Define

this policy setting.

Copy the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Directory

Service\CustomSD etc…

Copy the above value for each of the event logs (like application, system, security

etc…) & append respective event logs with (A;; 0x3;;;SID of the Group) in the above

policy

Here 0x3 indicates read & write privileges. The write privileges are required only

if the group needs to write events into the event logs (like an application service

using this user account)

Replace 0x3 with 0x1 - if this group needs only READ access to the event viewer

5) Run GPupdate

As an FYI see below for the explanation of the codes;

Replace 0x3 with 0x1 - If this group needs only READ access to the event viewer
5) Run GPupdate on the DC
Entry Meaning
O:BA Object owner is Built-in Admin (BA).
G:SY Primary group is System (SY).
D: This is a DACL, rather than an audit entry or SACL.
(D;;0xf0007;;;AN) Deny Anonymous (AN) all access.
(D;;0xf0007;;;BG) Deny Built-in Guests (BG) all access.
(A;;0xf0005;;;SY) Allow System Read and Clear, including DELETE, READ_CONTROL,
WRITE_DAC, and WRITE_OWNER (indicated by the 0xf0000).
(A;;0x7;;;BA) Allow Built-in Admin READ, WRITE and CLEAR.
(A;;0x7;;;SO) Allow Server Operators READ, WRITE and CLEAR.
(A;;0x3;;;IU) Allow Interactive Users READ and WRITE.
(A;;0x3;;;SU) Allow Service accounts READ and WRITE.
(A;;0x3;;;S-1-5-3) Allow Batch accounts (S-1-5-3) READ and WRITE.
The specific event log access mask bits are:
0x0001 ELF_LOGFILE_READ Permission to read log files.
0x0002 ELF_LOGFILE_WRITE Permission to write log files.

However for Windows 2008 Life gets much easier

Windows 2008 is much easier as long as you are giving the users and groups in question read access to all event logs. If that is the case just add them to the Built in Event Log Readers group.

However if you do not want to give access to ALL event logs you still have to resort to using SDDL

The location on the SDDL has changed in Windows 2008 and is no longer set it via the CustomSD in the registry. You now have to use the wevtutil utility .

For Example

If you need to define access to just the System event log on our Windows 2008 Server.

1. open the command prompt, and run the following command to dump out the SDDL for the System log out to a txt file.

wevtutil gl system > C:\temp\out.txt

2. Open the text file and copy out the channelAccess: entry

channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;AU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573) )

3.  Copy the Interactive User (IU) rights and add your user or group  to them.

O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;AU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573) (A;;0x1;;; S-1-5-3-3127463467463))

Last we need to apply the new SDDL. Just replace the O:BAG:XXXX with your SDDL String you created in the previous step.

wevtutil sl System /ca:O:BAG:XXXX

In addition you can remove access for the Event Log Readers group from event log in question by removing the (A;;0x1;;;S-1-5-32-573) entry from the respective log SDDL String.