Security Ramifications of Event Logs

[This documentation is for preview only, and is subject to change in later releases. Blank topics are included as placeholders.]

Access to the event logs is determined by the account under which the application is running. The LocalSystem account is a special account that service applications can use. The Administrator account consists of the administrators for the system. The Server Operator account (ServerOp) consists of the administrators of the domain server. The World account includes all users on all systems.

The following table shows the accounts that are granted Read, Write, and Clear access to each log.

Log           Account         Access
-----------   -------------   ------------------
Application   LocalSystem     Read, Write, Clear
Application   Administrator   Read, Write, Clear
Application   ServerOp        Read, Write, Clear
Application   World           Read, Write
Security      LocalSystem     Read, Write, Clear
Security      Administrator   Read, Write
Security      World           None
System        LocalSystem     Read, Write, Clear
System        Administrator   Read, Write, Clear
System        ServerOp        Read, Clear
System        World           Read

In addition, users can read and clear the Security log if they have been granted one of the following:

  • The "manage auditing and Security log" user right.

  • The SE_AUDIT_NAME privilege. For more information, see your Windows documentation.

If you are using event logs in an ASP.NET application, the event logs are accessed under a different account, the ASPNET account. The default settings of the ASPNET user account restrict access to the event logs: the account does not have permission to create new categories, though it can add entries to an existing log. You can use impersonation with the ASPNET account to allow creation of new categories; the impersonated identity must have sufficient privileges to create them. If your application needs event logs that can be specified before deployment, the deployment project can create them. For more information, see ASP.NET Web Application Security.

When you create an event log, be aware that the resource may already exist. Another process, perhaps a malicious one, may have already created the resource and have access to it. When you put data in the event log, the data is available to the other process. For information on existing event logs, see How to: Determine If Specific Event Logs Exist.
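The following C# example is added here to illustrate the two preceding points; it is not code from the original documentation. It assumes a hypothetical application log named "ContosoAppLog" and event source "ContosoService". It creates the source only when neither the source nor the log already exists (so the application does not unknowingly share a log that another process created and can read), and it treats the SecurityException raised under a restricted identity such as the ASPNET account as the signal that source creation must instead be done by the deployment project or under an impersonated identity with sufficient privilege.

```csharp
using System;
using System.Diagnostics;
using System.Security;

// Added example, not part of the original page. The log and source
// names below are hypothetical values chosen for illustration.
static class EventLogSetup
{
    const string SourceName = "ContosoService";   // hypothetical
    const string LogName    = "ContosoAppLog";    // hypothetical

    // Returns true only when this process registered the source itself.
    // If the source or the log is already present, another process may
    // have created it and may be able to read whatever we write there,
    // so the caller should not treat it as a private resource.
    public static bool TryCreateFreshSource(string source, string logName)
    {
        try
        {
            // SourceExists walks the registry keys of every log, including
            // the Security log, so it throws SecurityException when the
            // caller lacks administrative rights (e.g. the ASPNET account).
            if (EventLog.SourceExists(source))
            {
                string owner = EventLog.LogNameFromSourceName(source, ".");
                Console.WriteLine($"Source '{source}' is already registered in log '{owner}'.");
                return false;
            }

            if (EventLog.Exists(logName))
            {
                Console.WriteLine($"Log '{logName}' already exists; not creating it.");
                return false;
            }

            // Registers the source and creates the custom log on first use.
            EventLog.CreateEventSource(source, logName);
            return true;
        }
        catch (SecurityException ex)
        {
            // Restricted identity: creation must be done at deployment time
            // or under an impersonated identity that holds the privilege.
            Console.WriteLine("Cannot create event source: " + ex.Message);
            return false;
        }
    }

    // Writes through a source that must already exist. A restricted
    // account can add entries to an existing log, but if the source is
    // unregistered WriteEntry tries to register it in the Application
    // log, which that account is not permitted to do.
    public static bool TryWriteEntry(string source, string message)
    {
        try
        {
            EventLog.WriteEntry(source, message, EventLogEntryType.Information);
            return true;
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("Cannot write to event log: " + ex.Message);
            return false;
        }
    }

    static void Main()
    {
        bool fresh = TryCreateFreshSource(SourceName, LogName);
        Console.WriteLine(fresh
            ? "Created a new source; log was not pre-existing."
            : "Source or log pre-existed or could not be created; review before logging sensitive data.");

        TryWriteEntry(SourceName, "Service started.");
    }
}
```

In an ASP.NET application the creation step would run under impersonation, configured in web.config with an `<identity impersonate="true" ... />` element naming an account that holds the required privilege (the account name and credentials are deployment-specific and are not shown here); the write step can then run under the default ASPNET identity.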

See Also

Concepts

Introduction to the EventLog Component