20.49 Ensure 'Permissions for the Security Event Log must prevent access by non-privileged accounts'

Information

This setting restricts permissions to the Security Event Log for all non-privileged users.

The STIG recommended state for this setting is: Eventlog - Full Control SYSTEM - Full Control and Administrators - Full Control

Restricting permissions on the Security Event Log will prevent non-privileged users from viewing and deleting the log. Preserving an audit trail of system activity can help identify possible compromises, detect attacks, and troubleshoot system performance and configuration errors.

Solution

To establish the recommended configuration, set the NTFS permissions on the file below to Eventlog - Full Control SYSTEM - Full Control and Administrators - Full Control :

%SystemRoot%\ System32\winevt\Logs\Security.evtx

Note: If the location of the event logs has been changed, when adding permissions, the event log user, Eventlog must be entered as NT Service\Eventlog

Impact:

Non-privileged accounts will not be able to view or delete the Security Event Log.

See Also

https://workbench.cisecurity.org/benchmarks/15105

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-9(4)

Plugin: Windows

Control ID: b9b5446653eb87713f2354fc2ac0357ddbfec6fa9b6ce57a40613b89719fc283