Title: Windows 2000 Security Log Rights
Ah sorry, I meant without MACS, i.e. giving manage security log rights. While it will let you read the security logs, it also allows writing and clearing. The clearing will still show that there was tampering, but if you write enough bogus events you can be as effective as clearing.
 
  joe
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Thursday, January 08, 2004 3:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 2000 Security Log Rights

Possible, but not without leaving tracks, as MACS will:
1.  Detect gaps in the data transmitted from the agent to the collector (which is usually a different machine) and alert the auditor
2.  Sign and encrypt communication between the agent and the collector to ensure that information that is received has not been tampered with
3.  Disallow local editing of agent configuration, as by default the configuration of the agent can only be modified by the collector
 
/Guido
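
A collector-side sketch of the first two checks listed above (gap detection and tamper detection), added here as an illustration; it is not MACS code and not from anyone in this thread. The per-record sequence number, the shared-key HMAC standing in for signing, and all names are assumptions, the sample records are constructed, and encryption is left out.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: secret shared by agent and collector


def sign(record, key=KEY):
    """Agent side: HMAC-SHA256 over a canonical JSON encoding of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def audit_stream(messages, last_seen=0, key=KEY):
    """Collector side: return (accepted_records, alerts) for one agent."""
    accepted, alerts = [], []
    for msg in messages:
        rec = msg["record"]
        if not hmac.compare_digest(sign(rec, key), msg["mac"]):
            alerts.append(("bad_mac", rec.get("seq")))  # altered in transit or forged
            continue
        seq = rec["seq"]
        if seq <= last_seen:
            alerts.append(("replay_or_reorder", seq))
            continue
        if seq > last_seen + 1:
            alerts.append(("gap", (last_seen + 1, seq - 1)))  # records never arrived
        accepted.append(rec)
        last_seen = seq
    return accepted, alerts


def build_sample():
    """Constructed stream: seq 3-4 dropped, seq 6 edited after signing."""
    msgs = []
    for seq in (1, 2, 5, 6, 7):
        rec = {"seq": seq, "event_id": 528, "user": "jdoe"}
        msgs.append({"record": rec, "mac": sign(rec)})
    msgs[3]["record"]["user"] = "someone-else"  # tamper after the MAC was computed
    return msgs


if __name__ == "__main__":
    accepted, alerts = audit_stream(build_sample())
    print([r["seq"] for r in accepted])
    print(alerts)
```

A rejected record is not counted as received, so the record after it raises a gap alert for the same sequence number.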


From: Joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, 8 January 2004 03:01
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 2000 Security Log Rights

But in the meanwhile, if you grant access to the security logs, the person with the access can also clear the security log or write security log entries.
 
  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Wednesday, January 07, 2004 5:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 2000 Security Log Rights

That's where something like MACS comes in (MS Audit Collector Service) - should be available shortly after SP1 for 2003 (but will also collect security logs from 2000 machines). Your auditor will then be able to access all collected security event logs from a central database (makes analysis much easier as well). And you don't need to grant them any special rights either.
 
/Guido


From: Burkes, Jeremy [contractor] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 7 January 2004 18:14
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Windows 2000 Security Log Rights

Okay everyone, probably a stupid question, but here it goes. We have a user who has some rights to domain controllers but not full administrative rights. We want this user to be able to view only the security log. Is there a way to provide just view-only rights to the security log? I am assuming this is not possible since it would be in the same section where you find managing auditing and security log in group policy under computer configuration\windows settings\security settings\local policies\user right assignments. But I just wanted to check to see if you guys knew anything different. TIA.

Jeremy
