Information
This policy setting restricts permissions to the Application Event Log for all non-privileged users.
The STIG recommended state for this setting is: Eventlog - Full Control SYSTEM - Full Control and Administrators -Full Control
Restricting permissions on the Application Event Log will prevent non-privileged users from viewing and deleting the log. Preserving an audit trail of system activity can help identify possible compromises, detect attacks, and troubleshoot system performance and configuration errors.
Solution
To establish the recommended configuration, set the NTFS permissions on the file below to Eventlog - Full Control SYSTEM - Full Control and Administrators - Full Contro l:
%SystemRoot%\ System32\winevt\Logs\Application.evtx
Note: If the location of the event logs has been changed, when adding permissions, the event log user, Eventlog must be entered as NT Service\Eventlog
Impact:
Non-privileged accounts will not be able to view or delete the Application Event Log.