Admin Tips
- Windows Server 2008/2003/2000/XP/NT Administrator Knowledge Base
  - Windows 2003
    - Admin Tips
      - Security
        Securing your Event logs

Section(s): Security
Published on Jun 07, 2007.
Last Modified on Jun 07, 2007.
Last Modified by Mitch Tulloch.
Rated 5 out of 5 based on 1 votes.

Preventing rogue administrators from tampering with Event logs.

Event logs can easily be tampered with if a user belongs to the local Administrators group on a system. For example, you can disable the Event Log service, reboot your machine, and mess around with the event log files. Or even easier, you can download a tool like WinZapper (see http://www.securityfocus.com/tools/1726) which will let you delete individual events from your event logs even while your system is still running!

How can you prevent rogue Administrators then from modifying event logs on your system? By consolidating the logs on your systems to a safe and secure central location. One great way for doing this is to use Audit Collection Services (ACS), a part of Microsoft System Center Operations Manager 2007, see http://technet.microsoft.com/en-us/library/bb381258.aspx for details. Archiving your centralized logs offline at a secure site will add even more security to this scenario.

Mitch Tulloch was lead author for the Windows Vista Resource Kit from Microsoft Press, which is THE book for IT pros who want to deploy, maintain and support Windows Vista in mid- and large-sized network environments. For more information see www.mtit.com.

About Mitch Tulloch

Mitch Tulloch was lead author for the Windows Vista Resource Kit from Microsoft Press, which is the book for IT pros who want to deploy, maintain and support Windows Vista in mid- and large-sized network environments. Mitch was also the author of Introducing Windows Server 2008 and technical project lead for the Microsoft Office Communications Server 2007 Resource Kit, both books also from Microsoft Press. For more information on these and other books by Mitch, see www.mtit.com .