Definitely, if you are offloading your logs to another device (which is
a good practice), then they should be secured (encryption) (probably AES
128-bit, FIPS 140-2 standard).

 

But I agree the auditor should give you more guidance accordingly so
that you can make a proper risk determination. 

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Security Engineer

Lifespan Organization

Email:ezi...@lifespan.org

Cell:401-639-3505

 

From: Sean Martin [mailto:seanmarti...@gmail.com] 
Sent: Wednesday, May 11, 2011 11:15 AM
To: NT System Admin Issues
Subject: Re: Encrypting Event Logs

 

I have no idea where the auditor was coming from. I'm hoping to get
additional, more formal information.

 

- Sean

On Tue, May 10, 2011 at 11:46 AM, Andrew S. Baker <asbz...@gmail.com>
wrote:

Encrypt them from who? 

 

They're not accessible unless the machine is off and one has physical
access...

 

Ask them if they have a reference for any tools to encrypt them...   I
could see if you were forwarding them via syslog and they wanted those
encrypted...


 

 
ASB (Professional Bio <http://about.me/Andrew.S.Baker/bio> ) 
Harnessing the Advantages of Technology for the SMB market...

 





On Tue, May 10, 2011 at 3:43 PM, Sean Martin <seanmarti...@gmail.com>
wrote:

Good morning/afternoon, 

 

My manager has requested I look for ways to "encrypt the event logs on
our DCs". Apparently during one of our many audits (governing body to
remain nameless) one of the auditors insisted that we should be
encrypting the event logs on our DCs. I have since requested a formal
finding be provided by the auditor indicating the perceived risks so
that I can first identify if we have any mitigating controls already in
place.

 

With that, I thought I would start looking around for specific
solutions. We're currently running Windows 2003 DCs in a Windows 2003
Native AD environment. I'm not finding a whole lot of solutions specific
to encrypting "event logs". We are planning on introducing Windows 2008
R2 DCs this year so I will research BitLocker, but I'm concerned about
the inter-operability with Symantec SIM. 

 

I'm still working with very little information so I'm probably missing a
lot of content. I guess I would just like to find out if anyone else has
received similar directives from an audit and what solutions or
mitigating controls helped satisfy the auditor's concerns. 

 

- Sean

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

 
