Information
This setting restricts permissions to the Event Viewer, which is used to view and manipulate log data.
The STIG recommended state for this setting is: TrustedInstaller - Full Control Administrators - Read & Execute SYSTEM - Read & Execute Users - Read & Execute ALL APPLICATION PACKAGES - Read & Execute and ALL RESTRICTED APPLICATION PACKAGES - Read & Execute
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation of audit information.
Solution
To establish the recommended configuration, set the NTFS permissions on the file below to TrustedInstaller - Full Control Administrators - Read & Execute SYSTEM - Read & Execute Users - Read & Execute ALL APPLICATION PACKAGES - Read & Execute and ALL RESTRICTED APPLICATION PACKAGES - Read & Execute :
%SystemRoot%\ System32\Eventvwr.exe
Impact:
Users will be able to open Event Viewer and view logs, but not able to delete logs.