
Access permissions for event logs must conform to minimum requirements.


Overview

Finding ID: V-1077
Version: 2.001
Rule ID: SV-29200r2_rule
IA Controls: ECTP-1
Severity: Medium

Description
Event logs are susceptible to unauthorized, and possibly anonymous, tampering if proper access permissions are not applied.

STIG: Windows 2003 Domain Controller Security Technical Implementation Guide
Date: 2014-06-27

Details

Check Text (C-51979r1_chk)
Verify the permissions for the Windows event logs.
If the permissions for these files are not as restrictive as the permissions listed below, this is a finding.

The event log files "AppEvent.Evt", "SecEvent.Evt", and "SysEvent.Evt" are found in the "%SystemRoot%\SYSTEM32\CONFIG" directory by default. They may have been moved to another folder.

Administrators - Read & Execute
"Auditors" group - Full Control
SYSTEM - Full Control

Note: See V-1137 for the Auditors group requirement.

Fix Text (F-53859r1_fix)
Configure the access permissions on the event logs to the following:

The event log files "AppEvent.Evt", "SecEvent.Evt", and "SysEvent.Evt" are found in the "%SystemRoot%\SYSTEM32\CONFIG" directory by default. They may have been moved to another folder.

Administrators - Read & Execute
"Auditors" group - Full Control
SYSTEM - Full Control
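
One way to automate the check above, as an added PowerShell example that is not part of the STIG. It assumes PowerShell is installed on the server and that the auditors group is named "Auditors"; the group name and the log folder are parameters, and the finding labels in the output are this example's own.

```powershell
# Added example: audit event log ACLs against the baseline listed in this finding.
param(
    # Assumption: name of the site's auditors group (see V-1137); adjust to match.
    [string]$AuditorsGroup = 'Auditors',
    # Default location; change if the logs have been moved to another folder.
    [string]$LogDir = (Join-Path $env:SystemRoot 'system32\config')
)
$ErrorActionPreference = 'Stop'   # fail loudly if the group or a file cannot be resolved

$sidType = [System.Security.Principal.SecurityIdentifier]
# Resolve the auditors group to a SID so matching does not depend on name format.
$auditorsSid = (New-Object System.Security.Principal.NTAccount($AuditorsGroup)).Translate($sidType).Value

# Maximum rights allowed per SID. Synchronize normally accompanies Read & Execute.
# -1 sets every bit, so nothing can exceed Full Control.
$readExec = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute -bor
            [int][System.Security.AccessControl.FileSystemRights]::Synchronize
$baseline = @{
    'S-1-5-32-544' = $readExec   # Administrators - Read & Execute
    'S-1-5-18'     = -1          # SYSTEM - Full Control
    $auditorsSid   = -1          # Auditors group - Full Control
}

$findings = @()
foreach ($name in 'AppEvent.Evt', 'SecEvent.Evt', 'SysEvent.Evt') {
    $path = Join-Path $LogDir $name
    $acl  = Get-Acl -Path $path
    # Explicit and inherited ACEs, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny ACEs only restrict
        $sid     = $ace.IdentityReference.Value
        $granted = [int]$ace.FileSystemRights
        if (-not $baseline.ContainsKey($sid)) {
            $reason = 'principal not in baseline'
        } elseif ($granted -band (-bnot $baseline[$sid])) {
            $reason = 'rights exceed baseline'
        } else { continue }
        $findings += New-Object PSObject -Property @{
            File = $path; Sid = $sid; Rights = $ace.FileSystemRights; Reason = $reason
        }
    }
}

if ($findings) { $findings | Format-Table File, Sid, Rights, Reason -AutoSize }
else { 'Event log permissions are within the baseline.' }
```

Any row in the output is an Allow entry that is less restrictive than the list above, either for a principal outside the three named or with rights beyond those granted.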