FoH Member with a rod in his pants
Join Date: Jan 2002 | Location: Forest, MS | Posts: 238
HowTo: Specify a security log management group w/o admin rights

Since this was -quite- the problem to implement I thought I would share it here on the forums.

Problem: I needed to allow a specified group permission to review, archive and clear the security event log weekly on classified WinXP machines. I could not give this group administrative control over the system.

Resolution: The user (or group) has to have the following permissions:

1) member of the Backup Operators group
2) be assigned the privilege "Manage Auditing and Security Log" via domain or local policy
3) (and the one I never would have guessed) User must have Full permissions to the key that governs the Security Log: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security

With that in place this script will accept arguments of a path and filename (no extension) and save the current security log, then clear it. I use this in conjunction with xcacls.vbs to then set permissions on the resulting file so that it is read only by everyone and only the security auditor group has full control. I do utilize these scripts in a VB application behind the scenes so the users never know what's going on; they just push the "Archive System Security Log" button and all is well with the world.

Interesting Side Note: Just giving a user the "Manage Auditing and Security Log" right via policy allows a user to 1) view the security event log 2) clear the security event log but, and this is a huge but, they cannot save the security event log! What is up with that? They can clear it but not save it... which do you think is a more important security concern... clearing seems the obvious choice to me.
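The three-step setup above, as an added example that is not code from the original post: a Windows PowerShell script run from an elevated prompt on the machine whose Security log the auditors will manage. The group name `DOMAIN\SecurityAuditors` and the temp-file paths are assumed placeholders; `net localgroup`, `secedit` and `Set-Acl` are standard Windows tools. It finishes by printing the registry ACL entry it created and noting how a group member can confirm the right from their own session.

```powershell
# Added example (not the original post's code). Run elevated on the target machine.
# Mirrors the post's three requirements: Backup Operators membership, the
# "Manage auditing and security log" right (SeSecurityPrivilege) in local policy,
# and Full Control on the Eventlog\Security key.

$AuditorGroup = 'DOMAIN\SecurityAuditors'   # placeholder: replace with the real group
$KeyPath      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security'
$Inf          = Join-Path $env:TEMP 'userrights.inf'   # assumed scratch files
$Db           = Join-Path $env:TEMP 'userrights.sdb'

# --- Step 1: make the group a member of the local Backup Operators group ---
net localgroup 'Backup Operators' $AuditorGroup /add
if ($LASTEXITCODE -ne 0) { Write-Warning "net localgroup returned $LASTEXITCODE (already a member?)" }

# --- Step 2: grant SeSecurityPrivilege in local security policy via secedit ---
# User rights are stored as lists of SIDs, so resolve the group to its SID first.
$sid = (New-Object System.Security.Principal.NTAccount($AuditorGroup)).Translate([System.Security.Principal.SecurityIdentifier]).Value

secedit /export /cfg $Inf /areas USER_RIGHTS | Out-Null
$lines = @(Get-Content $Inf)
$entry = $lines | Where-Object { $_ -match '^SeSecurityPrivilege\s*=' }
if (-not $entry) {
    # No holders listed yet: add the line under [Privilege Rights]
    $lines = $lines -replace '^\[Privilege Rights\]$', "[Privilege Rights]`r`nSeSecurityPrivilege = *$sid"
} elseif ($entry -notmatch [regex]::Escape($sid)) {
    # Append our SID to the existing holders so Administrators etc. keep the right
    $lines = $lines -replace '^(SeSecurityPrivilege\s*=.*)$', "`$1,*$sid"
}
Set-Content -Path $Inf -Value $lines -Encoding Unicode   # secedit templates are UTF-16
secedit /configure /db $Db /cfg $Inf /areas USER_RIGHTS | Out-Null

# --- Step 3: Full Control on the key that governs the Security log ---
$acl  = Get-Acl -Path $KeyPath
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $AuditorGroup,
    [System.Security.AccessControl.RegistryRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# --- Verify what was just set ---
(Get-Acl -Path $KeyPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $AuditorGroup } |
    Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
# From a session running as a member of the group (after a fresh logon), `whoami /priv`
# should list SeSecurityPrivilege ("Manage auditing and security log").
```

Group membership and user rights are read at logon, so the auditors must log off and on before the new access works. Note that Full Control on `Eventlog\Security` also lets the group edit that key's own values (for example `MaxSize` and `Retention`), so it is worth auditing changes to the key alongside the log itself.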
The Script:
---------------------------------------------------------------
'Arguments: 0 = path + filename without extension, 1 = log name (e.g. Security)
fileName = WScript.Arguments.Item(0)
logType = WScript.Arguments.Item(1)
fullPathName = fileName & ".evt"

'Display args passed when debugging
'Wscript.echo "Argument 0 - fileName :" & fileName
'Wscript.echo "Argument 1 - logType :" & logType
'Wscript.echo "fullPathName :" & fullPathName

'Connect to WMI on the local machine, requesting the Backup and Security
'privileges the BackupEventLog/ClearEventLog methods need
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate,(Backup,Security)}!\\" & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery("SELECT * FROM Win32_NTEventLogFile WHERE LogFileName='" & logType & "'")

For Each objLogFile In colLogFiles
    'Save the log to the archive file; only clear it if the backup succeeded
    errBackupLog = objLogFile.BackupEventLog(fullPathName)
    If errBackupLog = 0 Then
        Wscript.Echo "The Security event log was backed up."
        objLogFile.ClearEventLog()
    End If
    If errBackupLog = 8 Then
        Wscript.Echo "Privilege missing!"
    End If
    If errBackupLog = 21 Then
        Wscript.Echo "Invalid Parameter in call"
    End If
    If errBackupLog = 183 Then
        Wscript.Echo "The archive file already exists."
    End If
Next
----------------------------------------------------------------
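The archive-then-clear step together with the file lock-down the post does with xcacls.vbs, as an added example in Windows PowerShell (not the original post's code). It takes the same two arguments as the VBScript (path plus filename without extension, and the log name), maps the return codes the post lists, and only clears the live log after the archive exists and has been locked to read-only for Everyone with Full Control for the auditor group. The `DOMAIN\SecurityAuditors` name and the sample archive path are assumed placeholders.

```powershell
# Added example (not the original post's code): backup, lock down, then clear.
param(
    [Parameter(Mandatory = $true)] [string] $ArchiveBase,  # e.g. D:\SecLogs\ws01-weekly (constructed)
    [string] $LogType      = 'Security',
    [string] $AuditorGroup = 'DOMAIN\SecurityAuditors'     # placeholder
)

# Return codes of Win32_NTEventLogFile.BackupEventLog as listed in the post
$ReturnCodes = @{
    0   = 'OK'
    8   = 'Privilege missing!'
    21  = 'Invalid parameter in call'
    183 = 'The archive file already exists.'
}
$fullPath = "$ArchiveBase.evt"

# -EnableAllPrivileges asks for the caller's Backup/Security privileges on this WMI
# connection, the same job as (Backup,Security) in the VBScript moniker.
$log = Get-WmiObject -Class Win32_NTEventLogFile -Filter "LogFileName='$LogType'" -EnableAllPrivileges
if (-not $log) { throw "Log '$LogType' not found" }

$rc  = [int]$log.BackupEventLog($fullPath).ReturnValue
$msg = if ($ReturnCodes.ContainsKey($rc)) { $ReturnCodes[$rc] } else { "Unknown error $rc" }
if ($rc -ne 0) { throw "Backup of $LogType to $fullPath failed: $msg" }

# Lock the archive down before touching the live log: drop inherited rules,
# Everyone read-only, auditors Full Control (what the post does with xcacls.vbs).
$acl = Get-Acl -Path $fullPath
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone', 'Read', 'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($AuditorGroup, 'FullControl', 'Allow')))
Set-Acl -Path $fullPath -AclObject $acl

# Record a hash of the archive so later tampering can be detected (Get-FileHash needs PS 4.0+)
$hash = (Get-FileHash -Path $fullPath -Algorithm SHA256).Hash
Write-Output "Archived $LogType to $fullPath (SHA256 $hash)"

# Only now clear the live log, mirroring the VBScript's "backup succeeded, then clear"
$clearRc = [int]$log.ClearEventLog().ReturnValue
if ($clearRc -ne 0) { throw "ClearEventLog on $LogType returned $clearRc" }
Write-Output "The $LogType event log was cleared."
```

Run it as a member of the auditor group, for example `.\Archive-SecurityLog.ps1 -ArchiveBase D:\SecLogs\ws01-weekly` (script name and path are constructed). Failing before the clear, rather than after, is the point: a return of 8 or 183 from the backup leaves the live log untouched, and the hash gives the auditors something to compare the archive against later.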