I think the confusion with that auditor may be revolving around taking 
protected as implying encrypted.

There is a generic audit concept that system logs should be protected. I have 
had to explain on occasion to big 3 auditors how the Windows security logs on 
DCs are protected from prying eyes by the OS architecture and controlled 
through the "Manage auditing and security log" permission (SeSecurityPrivilege).

I dealt with portions of the annual audit many moons ago when I was on a temp 
assignment to our CU, and the auditors that came in clearly were far more 
financially schooled than technically. We had at least 5 server OSs running, so 
it was a challenge to explain some of the subtleties to them.

If they are used to other OSs that log in plain text and/or seeing syslogs cast 
about all over the place in plain text it can be a valid concern. It's fairly 
easy to glean a few valid username/password pairs from failed logins on a DC if 
you can see them.
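As an added example (not code from anyone in this thread), the following PowerShell collects the two pieces of evidence the message above describes for an auditor: who can read or clear the Security log on the DC, and who holds SeSecurityPrivilege. It assumes it is run elevated on the server being audited and that the server is Windows Server 2008 or later so wevtutil is present; the registry fallback for the 2003-era CustomSD value and the list of "broad" principals flagged at the end are assumptions of the example.

```powershell
# Added example for this thread, not code from any poster.
# Assumes: run elevated on the DC; wevtutil available (2008+), with a registry
# fallback for an explicit CustomSD value on older systems.

function Get-SecurityLogChannelAcl {
    # Access bits in an event-log channel SDDL: 0x1 = Read, 0x2 = Write, 0x4 = Clear
    $rightNames = @{ 1 = 'Read'; 2 = 'Write'; 4 = 'Clear' }

    $sddl = $null
    if (Get-Command wevtutil.exe -ErrorAction SilentlyContinue) {
        $sddl = (wevtutil gl Security | Where-Object { $_ -match '^\s*channelAccess:' }) `
                -replace '^\s*channelAccess:\s*', ''
    }
    if (-not $sddl) {
        # Pre-Vista fallback: the CustomSD value, if an administrator ever set one
        $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security'
        $sddl = (Get-ItemProperty -Path $key -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
    }
    if (-not $sddl) { return @() }

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        try   { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $ace.SecurityIdentifier.Value }
        $granted = @(1, 2, 4) | Where-Object { $ace.AccessMask -band $_ } | ForEach-Object { $rightNames[$_] }
        [pscustomobject]@{
            Principal = $name
            Type      = $ace.AceType
            Rights    = ($granted -join ',')
        }
    }
}

function Get-SeSecurityPrivilegeHolders {
    # Exports the effective user-rights assignment on this machine and resolves
    # the entries listed for SeSecurityPrivilege ("Manage auditing and security log").
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content $cfg | Where-Object { $_ -match '^SeSecurityPrivilege\s*=' }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
    if (-not $line) { return @() }   # right not assigned to anyone here

    (($line -split '=', 2)[1].Trim() -split ',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # secedit writes SIDs with a leading asterisk; names appear as-is
            $sid = New-Object System.Security.Principal.SecurityIdentifier $entry.Substring(1)
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }
        } else {
            $entry
        }
    }
}

# Evidence for the auditor
Write-Host 'Security log channel ACL (who can read/write/clear):'
$acl = Get-SecurityLogChannelAcl
$acl | Format-Table -AutoSize

Write-Host 'Holders of SeSecurityPrivilege ("Manage auditing and security log"):'
Get-SeSecurityPrivilegeHolders

# The "prying eyes" check: any allow ACE granted to a broad principal is a finding.
# The principal list here is an assumption of the example.
$broad = '^(Everyone|NT AUTHORITY\\Authenticated Users|BUILTIN\\Users)$'
$acl | Where-Object { $_.Type -eq 'AccessAllowed' -and $_.Principal -match $broad } |
    ForEach-Object { Write-Warning "Broad access to Security log: $($_.Principal) ($($_.Rights))" }
```

On a default installation the channel ACL grants SYSTEM full access, Administrators read and clear, and Event Log Readers read only; anything beyond that, or an unexpected name in the SeSecurityPrivilege list, is what to explain or remediate before the next audit.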


From: Sean Martin [mailto:seanmarti...@gmail.com]
Sent: Wednesday, May 11, 2011 8:18 AM
To: NT System Admin Issues
Subject: Re: Encrypting Event Logs

This would fall under NCUA standards. I believe they mirror most of the CIS 
standards.

I would understand if they came in and said we should have full drive 
encryption on certain servers. It was the statement indicating that our event 
logs should be encrypted that threw me.

- Sean
On Tue, May 10, 2011 at 12:04 PM, Christopher Bodnar 
<christopher_bod...@glic.com> wrote:
Interesting, that's the first time I've heard a requirement to have just the 
event logs encrypted. When your auditors come in do they reference any 
standards such as CIS, DISA, NIST ?

If this is a real requirement, I think it might make sense to coordinate the 
upgrade to 2008 and enabling BitLocker instead of going through the hassle of 
bringing in a 3rd party application. Although I don't know the scope or size of 
your organization, so that might not be possible.


Chris Bodnar, MCSE, MCITP
Technical Support III
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003



From:        Sean Martin <seanmarti...@gmail.com>
To:        "NT System Admin Issues" 
<ntsysadmin@lyris.sunbelt-software.com>
Date:        05/10/2011 03:43 PM
Subject:        Encrypting Event Logs
________________________________



Good morning/afternoon,

My manager has requested I look for ways to "encrypt the event logs on our 
DCs". Apparently during one of our many audits (governing body to remain 
nameless) one of the auditors insisted that we should be encrypting the event 
logs on our DCs. I have since requested a formal finding be provided by the 
auditor indicating the perceived risks so that I can first identify if we have 
any mitigating controls already in place.

With that, I thought I would start looking around for specific solutions. We're 
currently running Windows 2003 DCs in a Windows 2003 Native AD environment. I'm 
not finding a whole lot of solutions specific to encrypting "event logs". We 
are planning on introducing Windows 2008 R2 DCs this year, so I will research 
BitLocker, but I'm concerned about the interoperability with Symantec SIM.

I'm still working with very little information, so I'm probably missing a lot of 
context. I guess I would just like to find out if anyone else has received 
similar directives from an audit and what solutions or mitigating controls 
helped satisfy the auditor's concerns.

- Sean

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
