
System Logs: Remote Access for Low-Privilege Account

microsoft.public.windows.server.security
Posted by GreggMB on October 22, 2006, 12:02 pm
This is about remote access to Application and System logs (and not access to
Security log that's managed through Policy).

Operating System: Windows 2003 SP1

PROBLEM:
I need to have a USER (and not Administrator) to have access to Application
& System logs. That user is "reviewing official" and must not be able to
gain administrative access to the server.
Important: no users are allowed to logon to the server at the console (not
an option), users are allowed to access the server from the Network ONLY.

Regardless of many efforts (policies, custom GPO for access to these logs =
"CustomSD" if you know what I mean, Remote Registry access = "winreg"
permissions, verification of DCOM which doesn't seem to have anything to do
with this) I cannot get to the point where user could view the logs (Sys &
App) from remote system.

Another important note: server is "stand alone" and "matching credential" is
used.

CONSISTENT EFFECT:
This user account has absolutely no problem connecting to the server from
remote system (verified and validated). User has no problem viewing Security
Log remotely (through Local Policy - "User Rights" set on the server).
Therefore "matching credential" is not an issue at all.

ADDITIONAL OBSERVATION:
1. I analyzed IP packets containing request to access System and Application
log. To my surprise these packets (15 frames total) contain a reference to
"C$" ...

2. I've enabled FULL AUDITION (all options) and "perfected" this connection
from remote system to the point that there is simply NO MORE FAILURES logged
on the server. This is regardless of the fact that every time the user
attempts to view App or Sys [remote] log he gets "Access denied"
message/error.

I'm looking for any input.

Serious and very technical advice only please, this is not about "basics".
It is possible that what I'm trying to achieve is simply blocked "by design"
and that I won't be able to get this to work (which would be sort of very
disappointing as this introduces unnecessary risk).

Thanks for your attention!

Gregg M. B.
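
An added example, not part of the original post: a small evaluator showing how a "CustomSD" SDDL string is checked against the SIDs of a network-only logon, using the event log access bits 0x1 (read), 0x2 (write) and 0x4 (clear). The SDDL strings, the reviewer SID and the token contents are constructed for illustration, and only hex access masks are parsed.

```python
import re

# Event log access-mask bits as they appear in CustomSD ACEs.
READ, WRITE, CLEAR = 0x1, 0x2, 0x4

# Only the SDDL aliases used in the constructed samples below.
ALIASES = {"SY": "LocalSystem", "BA": "Administrators", "BG": "Guests",
           "AN": "Anonymous", "IU": "Interactive", "NU": "Network"}
ACE_RE = re.compile(r"\(([AD]);[^;]*;(0x[0-9a-fA-F]+);[^;]*;[^;]*;([^)]+)\)")

def parse_dacl(sddl):
    """Return the DACL as ordered (type, mask, trustee) tuples; hex masks only."""
    dacl = sddl.partition("D:")[2]
    return [(t, int(m, 16), ALIASES.get(s, s)) for t, m, s in ACE_RE.findall(dacl)]

def access_check(dacl, token, desired):
    """Evaluate ACEs in order: a matching deny on a still-needed bit fails,
    matching allows accumulate, and no match at all means access denied."""
    remaining = desired
    for ace_type, mask, trustee in dacl:
        if trustee not in token:
            continue
        if ace_type == "D" and mask & remaining:
            return False
        if ace_type == "A":
            remaining &= ~mask
        if remaining == 0:
            return True
    return False

# Constructed values: placeholder SID for the reviewing account and the groups
# a network (non-console) logon carries; note there is no "Interactive" entry.
REVIEWER = "S-1-5-21-1111111111-2222222222-3333333333-1005"
NETWORK_TOKEN = {REVIEWER, "Network"}

# Constructed CustomSD strings: one that grants log access to interactive
# logons only, and the same string with a read-only ACE for the reviewer.
BEFORE = "O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;IU)"
AFTER = BEFORE + "(A;;0x1;;;" + REVIEWER + ")"

if __name__ == "__main__":
    for name, sddl in (("before", BEFORE), ("after", AFTER)):
        dacl = parse_dacl(sddl)
        print(name, "read:", access_check(dacl, NETWORK_TOKEN, READ),
              "clear:", access_check(dacl, NETWORK_TOKEN, CLEAR))
```

The read-only ACE keeps the reviewing account from writing to or clearing the log, and a deny ACE placed earlier in the string still wins if the account also belongs to a denied group.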


Posted by GreggMB on October 22, 2006, 12:09 pm
P.S.:
I meant to say that I enabled FULL AUDIT (and not "AUDITION") on the server
- sorry, I'm kind of rushing with this...


"GreggMB" wrote:

> This is about remote access to Application and System logs (and not access to
> Security log that's managed through Policy).
>
> Operating System: Windows 2003 SP1
>
> PROBLEM:
> I need to have a USER (and not Administrator) to have access to Application
> & System logs. That user is "reviewing official" and must not be able to
> gain administrative access to the server.
> Important: no users are allowed to logon to the server at the console (not
> an option), users are allowed to access the server from the Network ONLY.
>
> Regardless of many efforts (policies, custom GPO for access to these logs =
> "CustomSD" if you know what I mean, Remote Registry access = "winreg"
> permissions, verification of DCOM which doesn't seem to have anything to do
> with this) I cannot get to the point where user could view the logs (Sys &
> App) from remote system.
>
> Another important note: server is "stand alone" and "matching credential" is
> used.
>
> CONSISTENT EFFECT:
> This user account has absolutely no problem connecting to the server from
> remote system (verified and validated). User has no problem viewing Security
> Log remotely (through Local Policy - "User Rights" set on the server).
> Therefore "matching credential" is not an issue at all.
>
> ADDITIONAL OBSERVATION:
> 1. I analyzed IP packets containing request to access System and Application
> log. To my surprise these packets (15 frames total) contain a reference to
> "C$" ...
>
> 2. I've enabled FULL AUDITION (all options) and "perfected" this connection
> from remote system to the point that there is simply NO MORE FAILURES logged
> on the server. This is regardless of the fact that every time the user
> attempts to view App or Sys [remote] log he gets "Access denied"
> message/error.
>
> I'm looking for any input.
>
> Serious and very technical advice only please, this is not about "basics".
> It is possible that what I'm trying to achieve is simply blocked "by design"
> and that I won't be able to get this to work (which would be sort of very
> disappointing as this introduces unnecessary risk).
>
> Thanks for your attention!
>
> Gregg M. B.
>
