|
Posted by Randy B on November 15, 2007, 7:36 pm
Please log in for more thread options
I have a log aggregation application that uses WMI to monitor security event
logs on Windows servers. The documentation says it requires a domain admin
account or local administrator account for access to the security logs, but I
would like to use the concept of "least privelege" and use a service account
instead with only the minimum rights and priveleges needed. What would I need
to grant to this service account on Windows Server 2003 SP1 and SP2 to allow
the application to query the security event logs using WMI for all my servers
(domain controllers, member servers, and workgroup servers)?
Thanks!
|
|
Posted by Martin X. on November 16, 2007, 12:31 pm
Please log in for more thread options
show/hide quoted text
Try this: Go to Start > Run > secpol.msc > enter. The Local Security
Settings MMC will open. Go to Local Policies > User Rights Assignment > in
the right pane will be Manage auditing and security log. If you add the
account you created to that, it should be able to access the logs through
any means, interactively or via scripting with WMI. If that works ok with
your app, then set that in the GPO for the OU where the servers are. I would
suggest creating a domain-level group and then giving that group the rights.
Add the user account to that group afterwards.
--
Regards,
Martin X.
Microsoft Certified Systems Administrator: Messaging
Philadelphia, Pennsylvania, USA
I have a log aggregation application that uses WMI to monitor security event
logs on Windows servers. The documentation says it requires a domain admin
account or local administrator account for access to the security logs, but
I
would like to use the concept of "least privelege" and use a service account
instead with only the minimum rights and priveleges needed. What would I
need
to grant to this service account on Windows Server 2003 SP1 and SP2 to allow
the application to query the security event logs using WMI for all my
servers
(domain controllers, member servers, and workgroup servers)?
Thanks!
|
|
Posted by Randy B on November 16, 2007, 2:52 pm
Please log in for more thread options Thanks, Martin. I have tried the following based upon several other posts
from different forums and none of them have worked. My user is a service
account in the Domain Users group.
- Grant Manage auditing and security log
- Grant Impersonate a client after authentication
- Allow log on locally
- Back up files and directories
- Add user to Event Log registry hive with full permission
Any other suggestions?
"Martin X." wrote:
show/hide quoted text
> Try this: Go to Start > Run > secpol.msc > enter. The Local Security
> Settings MMC will open. Go to Local Policies > User Rights Assignment > in
> the right pane will be Manage auditing and security log. If you add the
> account you created to that, it should be able to access the logs through
> any means, interactively or via scripting with WMI. If that works ok with
> your app, then set that in the GPO for the OU where the servers are. I would
> suggest creating a domain-level group and then giving that group the rights.
> Add the user account to that group afterwards.
>
> --
> Regards,
>
> Martin X.
> Microsoft Certified Systems Administrator: Messaging
> Philadelphia, Pennsylvania, USA
>
> I have a log aggregation application that uses WMI to monitor security event
> logs on Windows servers. The documentation says it requires a domain admin
> account or local administrator account for access to the security logs, but
> I
> would like to use the concept of "least privelege" and use a service account
> instead with only the minimum rights and priveleges needed. What would I
> need
> to grant to this service account on Windows Server 2003 SP1 and SP2 to allow
> the application to query the security event logs using WMI for all my
> servers
> (domain controllers, member servers, and workgroup servers)?
>
> Thanks!
>
>
>
|
|
Posted by Martin X. on November 16, 2007, 4:00 pm
Please log in for more thread options I never tried that myself, but it looked like it "should" work. Anyway,
after you did all that, were you able to log on with the service account and
view the security log? If you can't using that method, then it will probably
prevent you from doing it via WMI also.
Have you tried adding the service account to one of the built-in groups,
Backup Operators or Server Operators? That will give the account more
rights/permissions than it really needs, but it's still not an admin. Other
than that I'm not sure what else you could try.
--
Regards,
Martin X.
Microsoft Certified Systems Administrator: Messaging
Philadelphia, Pennsylvania, USA
Thanks, Martin. I have tried the following based upon several other posts
from different forums and none of them have worked. My user is a service
account in the Domain Users group.
- Grant Manage auditing and security log
- Grant Impersonate a client after authentication
- Allow log on locally
- Back up files and directories
- Add user to Event Log registry hive with full permission
Any other suggestions?
"Martin X." wrote:
show/hide quoted text
> Try this: Go to Start > Run > secpol.msc > enter. The Local Security
> Settings MMC will open. Go to Local Policies > User Rights Assignment > in
> the right pane will be Manage auditing and security log. If you add the
> account you created to that, it should be able to access the logs through
> any means, interactively or via scripting with WMI. If that works ok with
> your app, then set that in the GPO for the OU where the servers are. I
> would
> suggest creating a domain-level group and then giving that group the
> rights.
> Add the user account to that group afterwards.
> --
> Regards,
> Martin X.
> Microsoft Certified Systems Administrator: Messaging
> Philadelphia, Pennsylvania, USA
> I have a log aggregation application that uses WMI to monitor security
> event
> logs on Windows servers. The documentation says it requires a domain admin
> account or local administrator account for access to the security logs,
> but
> I
> would like to use the concept of "least privelege" and use a service
> account
> instead with only the minimum rights and priveleges needed. What would I
> need
> to grant to this service account on Windows Server 2003 SP1 and SP2 to
> allow
> the application to query the security event logs using WMI for all my
> servers
> (domain controllers, member servers, and workgroup servers)?
> Thanks!
>
|
|
Posted by Anthony on November 17, 2007, 2:00 am
Please log in for more thread options Randy,
There are a few interesting articles on this:
http://blogs.msdn.com/ericfitz/archive/2006/03/01/541462.aspx
http://support.microsoft.com/default.aspx?kbid=323076
Hope that helps,
Anthony, http://www.airdesk.co.uk
show/hide quoted text
> Thanks, Martin. I have tried the following based upon several other posts
> from different forums and none of them have worked. My user is a service
> account in the Domain Users group.
> - Grant Manage auditing and security log
> - Grant Impersonate a client after authentication
> - Allow log on locally
> - Back up files and directories
> - Add user to Event Log registry hive with full permission
> Any other suggestions?
> "Martin X." wrote:
>> Try this: Go to Start > Run > secpol.msc > enter. The Local Security
>> Settings MMC will open. Go to Local Policies > User Rights Assignment >
>> in
>> the right pane will be Manage auditing and security log. If you add the
>> account you created to that, it should be able to access the logs through
>> any means, interactively or via scripting with WMI. If that works ok with
>> your app, then set that in the GPO for the OU where the servers are. I
>> would
>> suggest creating a domain-level group and then giving that group the
>> rights.
>> Add the user account to that group afterwards.
>> --
>> Regards,
>> Martin X.
>> Microsoft Certified Systems Administrator: Messaging
>> Philadelphia, Pennsylvania, USA
>> I have a log aggregation application that uses WMI to monitor security
>> event
>> logs on Windows servers. The documentation says it requires a domain
>> admin
>> account or local administrator account for access to the security logs,
>> but
>> I
>> would like to use the concept of "least privelege" and use a service
>> account
>> instead with only the minimum rights and priveleges needed. What would I
>> need
>> to grant to this service account on Windows Server 2003 SP1 and SP2 to
>> allow
>> the application to query the security event logs using WMI for all my
>> servers
>> (domain controllers, member servers, and workgroup servers)?
>> Thanks!
>>
|
| Similar Threads | Posted | | Security Event Logs | June 10, 2005, 8:36 am |
| security event logs in DC as well ? SOS | May 3, 2006, 6:06 pm |
| Event ID 577 Filing Security Logs | July 19, 2006, 10:45 am |
| SNMP Security Event Logs | April 24, 2009, 1:18 pm |
| Security Event Logs being cleared by User=SYSTEM, Cannot dermine p | November 6, 2009, 8:59 pm |
| Rights to event logs | June 15, 2005, 2:03 pm |
| Re: Access Deined event logs | October 26, 2005, 9:12 pm |
| Access Deined event logs | October 25, 2005, 8:51 am |
| RE: Who/What is sft@loader.com in our IIS Logs? MSFTPSVC Event 10 | November 19, 2007, 7:38 am |
| RE: Who/What is sft@loader.com in our IIS Logs? MSFTPSVC Event 10 | February 21, 2008, 4:20 pm |
|
XML Sitemap
Settings MMC will open. Go to Local Policies > User Rights Assignment > in