Tuesday, April 29, 2008

Ensure event log access rights on Windows 2003


1. Check if event source you wish to log into exists or create event source in the registry

Windows Registry Editor Version 5.00


Copy and paste the above into the notepad and save with ANSI encoding with .reg extension.

2. Identify which windows user your application runs under.

//TODO:(SD) Provide guidance and tools

3. Knowing the name of user or group, find out the SID of the user/group from point #2.

User may have a well-known SID : http://support.microsoft.com/kb/243330


use powershell: http://www.microsoft.com/technet/scriptcenter/resources/pstips/feb08/pstip0201.mspx
(Doesn't require knowledge of user's password)

use vbscript: http://www.activexperts.com/activmonitor/windowsmanagement/adminscripts/usersgroups/localusers/

use whoami:

        use runas to run cmd console as the app pool user
        use whoami /all when running the console as a designated user to find the SID

use .net code:

NTAccount account = new NTAccount("domain\\username")

System.Console.WriteLine("SID: " + account.Translate(typeof(System.Security.Principal.SecurityIdentifier)).Value);

Use SID of either the user or the required group it belongs to.

4. Append the required SDDL string to the current SDDL value of the eventlog registry CustomSD entry (e.g. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ if you set up your event source in the Application node):

(A;; 0xY;;;SID)

Where 0xY is access flags field is calculated as a bitmask of:

• 1= Read
• 2 = Write
• 4 = Clear

So for example 0x3 gives read and write access. More info on SDDL: http://support.microsoft.com/kb/323076

SID is the SID value found in step 3.


Post a Comment