James-
I think that the riskiest thing that someone can get out of the security
logs is information on all of the user accounts and groups within your
domain. Since there isn't a way to block this information if they have
access to the live logs, it may not be something the other companies
would look too kindly on. Once you know user accounts, a persistent
ill-intentioned person could try to guess passwords or, at the least,
lock out accounts.

There is a user right in Win2K called Manage auditing and security logs
that appears to give access to the security log without allowing the
ability to clear the log, but again, giving live access to the whole log
may not be a great idea. 

What might be a better idea is do some kind of automated, filtered dump
of the event log data that is specific to just their user accounts and
for a specific event id. You should be able to create a script using
dumpel.exe and maybe some regex scripting to do what you need. 

Darren

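One way to build the filtered dump described above, as an added example that is not from this thread: a small Python script that reads dumpel.exe's tab-separated output and keeps only lockout events (IDs 644 and 539 in the Windows 2000 Security log) for an agreed list of the requesting company's accounts, dropping everything else before it leaves the domain controller. The column layout, the account names and the sample lines are assumptions constructed for the example; check the layout against a real dump first.

```python
import re

# Windows 2000 Security log event IDs that describe a lockout:
# 644 = User Account Locked Out (account management, success audit)
# 539 = Logon Failure: Account locked out (logon events, failure audit)
LOCKOUT_EVENT_IDS = {"644", "539"}

# Assumed dumpel -t column order: date, time, type, category, event id,
# source, user, computer, then the event's insertion strings (tab separated).
# Verify this layout against a real dump before relying on it.
LINE_RE = re.compile(
    r"^(?P<date>[^\t]+)\t(?P<time>[^\t]+)\t(?P<type>\d+)\t(?P<category>\d+)\t"
    r"(?P<event_id>\d+)\t(?P<source>[^\t]+)\t(?P<user>[^\t]+)\t"
    r"(?P<computer>[^\t]+)(?:\t(?P<strings>.*))?$"
)

# Constructed sample lines in that layout (not real log data).
SAMPLE_DUMP = "\n".join([
    "9/24/2003\t8:01:12 AM\t8\t7\t644\tSecurity\tNT AUTHORITY\\SYSTEM\tDC1\tjsmith\tCORP\tWS-042",
    "9/24/2003\t8:02:30 AM\t16\t2\t529\tSecurity\tNT AUTHORITY\\SYSTEM\tDC1\tbjones\tCORP\t2\tKerberos",
    "9/24/2003\t8:03:05 AM\t16\t2\t539\tSecurity\tNT AUTHORITY\\SYSTEM\tDC1\tJSMITH\tCORP\t2\tNTLM",
    "9/24/2003\t8:04:44 AM\t8\t7\t644\tSecurity\tNT AUTHORITY\\SYSTEM\tDC1\tadmin.hq\tCORP\tWS-007",
    "9/24/2003\t8:05:00 AM\t8\t7\t642\tSecurity\tNT AUTHORITY\\SYSTEM\tDC1\tjsmith\tCORP",
])


def filter_lockouts(dump_text, allowed_accounts):
    """Return lockout events (as dicts) whose target account is in allowed_accounts."""
    # Other event IDs, other companies' accounts and unparsable lines are
    # dropped, so the recipient never sees the rest of the log.
    allowed = {a.lower() for a in allowed_accounts}
    kept = []
    for line in dump_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("event_id") not in LOCKOUT_EVENT_IDS:
            continue
        # For 644 and 539 the first insertion string is the target account name.
        account = (m.group("strings") or "").split("\t")[0]
        if account.lower() not in allowed:
            continue
        kept.append({"date": m.group("date"), "time": m.group("time"),
                     "event_id": m.group("event_id"), "account": account,
                     "computer": m.group("computer")})
    return kept


if __name__ == "__main__":
    for rec in filter_lockouts(SAMPLE_DUMP, {"jsmith", "bjones"}):
        print(rec)
```

Run it against `dumpel -l security -t` output on a schedule and hand the company only the resulting records, never the raw dump.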

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, September 24, 2003 8:15 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Security Logs


This is my first posting so please be gentle.


We have an empty root then a single domain under the empty root.  We
have separate companies that have their own OU within this domain.  One
of the companies is requesting access to the Security log on the domain
controllers so that they can see why users have been locked out of their
account.  We do have auditing enabled with the following settings:
Audit account logon events - Success, Failure
Audit account management - Success, Failure
Audit directory service access - Failure
Audit logon events - Success, Failure
Audit object access - Failure
Audit policy change - Success, Failure
Audit privilege use - Failure
Audit process tracking - No auditing
Audit system events - Success, Failure


1.  To me this would seem to be a security risk to allow read access to
the security logs but I have to justify this.  Is there information
within the log file that could be extracted and used to do harm?  Does
anybody have any ammo related to this?

2.  Is there even a way to allow real time read access to the security
logs in a Windows 2000 environment without giving them domain admin
access? q323076 pertains to this on Windows 2003 but doesn't mention
Windows 2000.

3.  If we can give them real time read access to the security log file,
is there a way that we could filter out all entries except the messages
that would pertain to user lockouts?




List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/