Secure Your Event Logs
Keep your system’s logs from being tampered with.
Windows has some very powerful logging features. Unfortunately, by default the event logs are not protected against unauthorized access or modification. You may not realize that even though you have to view the logs through the Event Viewer, the event logs are simply regular files just like any other. To secure them, all we have to do is locate them and apply the proper ACLs.
Unless their location has been changed through the registry, you should be able to find the logs in the %SystemRoot%\system32\config directory.
The three files that correspond to the Application Log, Security Log, and System Log are AppEvent.Evt, SecEvent.Evt, and SysEvent.Evt, respectively. Now, apply ACLs to limit access to only Administrator accounts. You can do this by bringing up the Properties dialog for the files and clicking the Security tab. After you’ve done this, remove any users or groups other than Administrators and SYSTEM from the top pane.
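As an added example (not from the book), the same lockdown scripted in PowerShell: it strips inheritance and every other principal from the three .Evt files, grants Full Control only to Administrators and SYSTEM, and then re-reads each ACL to report any principal that still has access. It assumes the default log location shown above and an elevated prompt; `$LogDir` is the only value to adjust if the registry relocates the logs.

```powershell
# Added example, not from the original hack. Run from an elevated PowerShell.
$LogDir   = Join-Path $env:SystemRoot 'system32\config'   # assumed default location
$LogFiles = 'AppEvent.Evt', 'SecEvent.Evt', 'SysEvent.Evt' |
            ForEach-Object { Join-Path $LogDir $_ }

# Well-known SIDs avoid locale-specific group names (e.g. "Administratoren").
$Allowed = @(
    [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'   # BUILTIN\Administrators
    [System.Security.Principal.SecurityIdentifier]'S-1-5-18'       # NT AUTHORITY\SYSTEM
)

function Set-EventLogFileAcl {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    # Stop inheriting from %SystemRoot%\system32\config and discard inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop every remaining explicit entry, then grant Full Control to the allowed SIDs only.
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    foreach ($sid in $Allowed) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $sid, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-EventLogFileAcl {
    # Returns the access entries whose identity is not Administrators or SYSTEM.
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object {
        $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        $Allowed -notcontains $sid
    } | Select-Object IdentityReference, FileSystemRights, AccessControlType
}

foreach ($f in $LogFiles) {
    if (-not (Test-Path $f)) { Write-Warning "Not found: $f"; continue }
    Set-EventLogFileAcl -Path $f
    $extra = Test-EventLogFileAcl -Path $f
    if ($extra) {
        Write-Warning "${f} still grants access to other principals:"
        $extra | Format-Table -AutoSize
    } else {
        Write-Host "${f}: only Administrators and SYSTEM have access"
    }
}
```

The `Test-EventLogFileAcl` function is also useful on its own as a periodic check that the ACLs have not drifted back.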