
Security Ramifications of Event Logs

Access to the event logs is determined by the account under which the application is running. The LocalSystem account is a special account that service applications can use. The Administrator account consists of the administrators for the system. The Server Operator account (ServerOp) consists of the administrators of the domain server. The World account includes all users on all systems.

The following table shows the accounts that are granted Read, Write, and Clear access to each log.

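Log          Account        Access
-----------  -------------  ------------------
Application  LocalSystem    Read, Write, Clear
Application  Administrator  Read, Write, Clear
Application  ServerOp       Read, Write, Clear
Application  World          Read, Write
Security     LocalSystem    Read, Write, Clear
Security     Administrator  Read, Write
Security     World          None
System       LocalSystem    Read, Write, Clear
System       Administrator  Read, Write, Clear
System       World          Read, Clear
System       ServerOp       Read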

In addition, users can read and clear the Security log if they have been granted one of the following:

  • The "manage auditing and Security log" user right.
  • The SE_AUDIT_NAME privilege. For more information, see Authorization Data Types and Constants.

For more information, see your Windows documentation.

If you are using event logs in an ASP.NET application, access to the event logs is through another account, the ASPNET account. The default settings of the ASPNET user account restrict access to the event logs. The ASPNET user account does not have permission to create new categories, though it can add entries to an existing log. You can use impersonation with the ASPNET account to allow creation of new categories. The impersonation identity must have sufficient privileges to create categories. If your application needs event logs that can be specified before deployment, they can be created by the deployment project. For more information, see ASP.NET Web Application Security.

When you create an event log, be aware that the resource may already exist. Another process, perhaps a malicious one, may have already created the resource and have access to it. When you put data in the event log, the data is available to the other process. For information on existing event logs, see Determining If Specific Event Logs Exist.
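The following added example (not part of the original page) shows one way to check for an existing source and log before writing, and to keep detail out of a log that this run did not create. The source name, log name, and messages are hypothetical.

```csharp
using System;
using System.Diagnostics;
using System.Security;

static class EventLogPreflight
{
    // Hypothetical names for this example.
    const string Source = "ContosoOrders";
    const string Log = "ContosoOrdersLog";

    enum State { CreatedHere, PreExisting, Mismatch, Unknown }

    static State EnsureSource()
    {
        try
        {
            if (EventLog.SourceExists(Source))
            {
                // Someone registered the source earlier; find the log it is bound to.
                string bound = EventLog.LogNameFromSourceName(Source, ".");
                return string.Equals(bound, Log, StringComparison.OrdinalIgnoreCase)
                    ? State.PreExisting : State.Mismatch;
            }
            bool logWasThere = EventLog.Exists(Log);
            // Creating a source requires administrative rights.
            EventLog.CreateEventSource(Source, Log);
            return logWasThere ? State.PreExisting : State.CreatedHere;
        }
        catch (SecurityException)
        {
            // SourceExists searches every log, including Security, which
            // restricted accounts cannot read.
            return State.Unknown;
        }
    }

    static void Main()
    {
        State state = EnsureSource();
        if (state == State.Mismatch || state == State.Unknown)
        {
            Console.Error.WriteLine("Event source not verified ({0}); nothing written.", state);
            return;
        }
        // A log that existed before this run may have been set up by another
        // process that can read it, so it gets the message without order details.
        string message = state == State.CreatedHere
            ? "Order 1042 rejected: address failed validation."
            : "Order rejected; see application trace for details.";
        EventLog.WriteEntry(Source, message, EventLogEntryType.Warning);
    }
}
```

On every run after the first, the source is reported as pre-existing, so the check is conservative by design.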

See Also

Introduction to the EventLog Component

© 2014 Microsoft. All rights reserved.