RE: Question on Granting service account read access to Domain Controller Eventlogs

2010-11-01 Thread Brian Desmond
But just look at the upsell opportunities. Now they're going to have to sell 
you something to manage that storage.

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132

From: Sean Martin [mailto:seanmarti...@gmail.com]
Sent: Monday, November 01, 2010 6:27 PM
To: NT System Admin Issues
Subject: Re: Question on Granting service account read access to Domain 
Controller Eventlogs

Ugh, our Information Security team is implementing SSIM right now. I'm not 
directly involved, other than having to provide upwards of 10TB for expected 
storage requirements. I just shudder at anything branded Symantec anymore

- Sean
On Mon, Nov 1, 2010 at 3:02 PM, Free, Bob <r...@pge.com> wrote:
LOL. Leave it to Symantec to be different. I heard a rumor I may be getting 
first-hand experience with it so I may want to pick your brain :)

Rgds

--bob

From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Sunday, October 31, 2010 12:36 AM

To: NT System Admin Issues
Subject: RE: Question on Granting service account read access to Domain 
Controller Eventlogs

Hi,

We're implementing SSIM (the Symantec product) and it pulls logs. Apparently it 
scales...

Cheers
Ken

From: Free, Bob [mailto:r...@pge.com]
Sent: Friday, 29 October 2010 11:09 PM
To: NT System Admin Issues
Subject: RE: Question on Granting service account read access to Domain 
Controller Eventlogs

I have learned here over the years not to be overly presumptive hence the 
caveat about not understanding the requirements which were a little vague to 
me, particularly the fact that I didn't see an agent mentioned :)

That's also the opposite of the SIEM solutions and MSSPs I've ever worked with 
as well, IME the endpoints push to the collector/aggregator and as I said, I 
don't envision how an aggregator pulling logs scales worth a darn so I asked 
the question.



~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


Re: Question on Granting service account read access to Domain Controller Eventlogs

2010-11-01 Thread Sean Martin
Ugh, our Information Security team is implementing SSIM right now. I'm not
directly involved, other than having to provide upwards of 10TB for expected
storage requirements. I just shudder at anything branded Symantec
anymore

- Sean

On Mon, Nov 1, 2010 at 3:02 PM, Free, Bob  wrote:

>  LOL. Leave it to Symantec to be different. I heard a rumor I may be
> getting first-hand experience with it so I may want to pick your brain :)
>
>
>
> Rgds
>
>
>
> --bob
>
>
>
> *From:* Ken Schaefer [mailto:k...@adopenstatic.com]
> *Sent:* Sunday, October 31, 2010 12:36 AM
>
> *To:* NT System Admin Issues
> *Subject:* RE: Question on Granting service account read access to Domain
> Controller Eventlogs
>
>
>
> Hi,
>
>
>
> We’re implementing SSIM (the Symantec product) and it pulls logs.
> Apparently it scales…
>
>
>
> Cheers
>
> Ken
>
>
>
> *From:* Free, Bob [mailto:r...@pge.com]
> *Sent:* Friday, 29 October 2010 11:09 PM
> *To:* NT System Admin Issues
> *Subject:* RE: Question on Granting service account read access to Domain
> Controller Eventlogs
>
>
>
> I have learned here over the years not to be overly presumptive hence the
> caveat about not understanding the requirements which were a little vague to
> me, particularly the fact that I didn’t see an agent mentioned :)
>
>
>
> That’s also the opposite of the SIEM solutions and MSSPs I’ve ever worked
> with as well, IME the endpoints push to the collector/aggregator and as I
> said, I don’t envision how an aggregator pulling logs scales worth a darn so
> I asked the question.

RE: Question on Granting service account read access to Domain Controller Eventlogs

2010-11-01 Thread Free, Bob
LOL. Leave it to Symantec to be different. I heard a rumor I may be
getting first-hand experience with it so I may want to pick your brain :)

 

Rgds

 

--bob

 

From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Sunday, October 31, 2010 12:36 AM
To: NT System Admin Issues
Subject: RE: Question on Granting service account read access to Domain
Controller Eventlogs

 

Hi,

 

We're implementing SSIM (the Symantec product) and it pulls logs.
Apparently it scales...

 

Cheers

Ken

 

From: Free, Bob [mailto:r...@pge.com] 
Sent: Friday, 29 October 2010 11:09 PM
To: NT System Admin Issues
Subject: RE: Question on Granting service account read access to Domain
Controller Eventlogs

 

I have learned here over the years not to be overly presumptive hence
the caveat about not understanding the requirements which were a little
vague to me, particularly the fact that I didn't see an agent mentioned :)

 

That's also the opposite of the SIEM solutions and MSSPs I've ever
worked with as well, IME the endpoints push to the collector/aggregator
and as I said, I don't envision how an aggregator pulling logs scales
worth a darn so I asked the question. 

 


RE: Question on Granting service account read access to Domain Controller Eventlogs

2010-10-31 Thread Ken Schaefer
Hi,

We're implementing SSIM (the Symantec product) and it pulls logs. Apparently it 
scales...

Cheers
Ken

From: Free, Bob [mailto:r...@pge.com]
Sent: Friday, 29 October 2010 11:09 PM
To: NT System Admin Issues
Subject: RE: Question on Granting service account read access to Domain 
Controller Eventlogs

I have learned here over the years not to be overly presumptive hence the 
caveat about not understanding the requirements which were a little vague to 
me, particularly the fact that I didn't see an agent mentioned :)

That's also the opposite of the SIEM solutions and MSSPs I've ever worked with 
as well, IME the endpoints push to the collector/aggregator and as I said, I 
don't envision how an aggregator pulling logs scales worth a darn so I asked 
the question.




RE: Question on Granting service account read access to Domain Controller Eventlogs

2010-10-29 Thread Free, Bob
You may want a peek at using wevtutil as outlined in
http://blogs.technet.com/b/janelewis/archive/2010/04/30/giving-non-administrators-permission-to-read-event-logs-windows-2003-and-windows-2008.aspx

 

I know you got pointed to the old KB about SDDL elsewhere but this also
outlines a different approach for WS2008 and above.

 

From: Ziots, Edward [mailto:ezi...@lifespan.org] 
Sent: Friday, October 29, 2010 4:59 AM
To: NT System Admin Issues
Subject: RE: Question on Granting service account read access to Domain
Controller Eventlogs

 

It has a service that runs as an account that contacts the DC's to read
the logs, this service account doesn't run on the DC's but on the
Vericept Console itself. 

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org

Cell:401-639-3505

 

From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Friday, October 29, 2010 12:57 AM
To: NT System Admin Issues
Subject: RE: Question on Granting service account read access to Domain
Controller Eventlogs

 

Presumably this product has an agent or uses WinRM or something to
read/pull in the logs in real time, back to a central location for
correlation. The service account that's being used requires permission
to read the logs.

 

Cheers

Ken

 

From: Free, Bob [mailto:r...@pge.com] 
Sent: Friday, 29 October 2010 3:06 AM
To: NT System Admin Issues
Subject: RE: Question on Granting service account read access to Domain
Controller Eventlogs

 

If your environment is that big how can they look at multiple DCs in
real time and correlate them? 

 

Maybe I don't understand your requirements but it seems like you want to
ship the logs real-time to a SIEM or log management tool managed by the
security team or MSSP, that is a far better way to do it than to grant
access to the logs directly. 

 

From: Ziots, Edward [mailto:ezi...@lifespan.org] 
Sent: Thursday, October 28, 2010 6:51 AM
To: NT System Admin Issues
Subject: RE: Question on Granting service account read access to Domain
Controller Eventlogs

 

It's for Vericept, and they need to read the logs in realtime to
correlate what is seen on the network with a user. 

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org

Cell:401-639-3505

 

From: Cameron [mailto:cameron.orl...@gmail.com] 
Sent: Thursday, October 28, 2010 9:32 AM
To: NT System Admin Issues
Subject: Re: Question on Granting service account read access to Domain
Controller Eventlogs

 

Could you not just setup a job to copy the security.evtx file to
somewhere else and let them access that?



 

On Thu, Oct 28, 2010 at 2:48 AM, James Rankin 
wrote:

Can you control this by NTFS access to the .evt file itself?

On 27 October 2010 16:31, Ziots, Edward  wrote:

Running a Windows 2008 R2 DFL/FFL domain, security team needs a service
account to have read only access to the Security Eventlog accordingly.
Is there a way via the Default Domain Controllers Policy to Grant this,
or maybe a users right in Windows 2008 R2 accordingly?

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org

Cell:401-639-3505





-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put
into the machine wrong figures, will the right answers come out?' I am
not able rightly to apprehend the kind of confusion of ideas that could
provoke such a question."

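One way to prepare the channel-access SDDL that `wevtutil sl <log> /ca:` accepts, as an added example that is not part of the thread or the linked blog post: it parses an event log descriptor, appends a read-only allow ACE for one SID, and re-parses the result to confirm nothing else changed before building the command. The sample descriptor, the service-account SID and all function names are constructed for this example.

```python
import re

# Event log channel access bits carried in the ACE rights field.
EVENTLOG_READ, EVENTLOG_WRITE, EVENTLOG_CLEAR = 0x1, 0x2, 0x4

# Constructed sample values (not taken from the thread). On a real DC the
# current descriptor is the channelAccess line of `wevtutil gl Security`.
# S-1-5-32-573 is the built-in Event Log Readers group.
SAMPLE_SDDL = "O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)"
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1234"  # hypothetical account

# head = owner/group part, then the DACL (flags + ACEs), then an optional SACL.
_SDDL_RE = re.compile(
    r"(?P<head>[^()]*?)D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^()]*\))+)(?P<tail>S:.*)?"
)
_SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


def parse_channel_sddl(sddl):
    """Split a descriptor into (head, dacl_flags, [(type, mask, trustee)], sacl)."""
    m = _SDDL_RE.fullmatch(sddl.strip())
    if m is None:
        raise ValueError("no DACL with at least one ACE found; refusing to edit")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group("aces")):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("unsupported ACE layout: (%s)" % body)
        ace_type, _flags, rights, _obj, _inherit, trustee = fields
        if not rights.lower().startswith("0x"):
            raise ValueError("expected a hex rights mask in: (%s)" % body)
        aces.append((ace_type, int(rights, 16), trustee))
    return m.group("head"), m.group("flags"), aces, m.group("tail") or ""


def grant_read(sddl, sid):
    """Return sddl with a read-only allow ACE for sid appended to the DACL."""
    if not _SID_RE.fullmatch(sid):
        raise ValueError("expected a full SID such as S-1-5-21-...-1234")
    sddl = sddl.strip()
    head, flags, aces, tail = parse_channel_sddl(sddl)
    for ace_type, mask, trustee in aces:
        if ace_type == "A" and trustee == sid and mask & EVENTLOG_READ:
            return sddl  # already granted: leave the descriptor untouched
    new_ace = "(A;;0x%x;;;%s)" % (EVENTLOG_READ, sid)
    cut = len(sddl) - len(tail)  # insert after the last DACL ACE, before any SACL
    candidate = sddl[:cut] + new_ace + tail
    # Round-trip check: every existing ACE, the owner/group and the SACL must
    # survive unchanged, and exactly one ACE must have been added.
    head2, flags2, aces2, tail2 = parse_channel_sddl(candidate)
    expected = aces + [("A", EVENTLOG_READ, sid)]
    if (head2, flags2, tail2) != (head, flags, tail) or aces2 != expected:
        raise ValueError("round-trip check failed; descriptor not changed")
    return candidate


def trustees_with(sddl, mask):
    """Trustees whose allow ACEs include any bit of mask (for review)."""
    _, _, aces, _ = parse_channel_sddl(sddl)
    return [t for kind, rights, t in aces if kind == "A" and rights & mask]


def wevtutil_command(channel, sddl):
    """Command line as typed at cmd.exe; quote the /ca: value in PowerShell."""
    return "wevtutil sl %s /ca:%s" % (channel, sddl)


if __name__ == "__main__":
    updated = grant_read(SAMPLE_SDDL, SAMPLE_SID)
    print("before:", SAMPLE_SDDL)
    print("after: ", updated)
    print("can write or clear:", trustees_with(updated, EVENTLOG_WRITE | EVENTLOG_CLEAR))
    print(wevtutil_command("Security", updated))
```
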

RE: Question on Granting service account read access to Domain Controller Eventlogs

2010-10-29 Thread Free, Bob
I have learned here over the years not to be overly presumptive hence
the caveat about not understanding the requirements which were a little
vague to me, particularly the fact that I didn't see an agent mentioned :)

 

That's also the opposite of the SIEM solutions and MSSPs I've ever
worked with as well, IME the endpoints push to the collector/aggregator
and as I said, I don't envision how an aggregator pulling logs scales
worth a darn so I asked the question. 

 

From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Thursday, October 28, 2010 9:57 PM
To: NT System Admin Issues
Subject: RE: Question on Granting service account read access to Domain
Controller Eventlogs

 

Presumably this product has an agent or uses WinRM or something to
read/pull in the logs in real time, back to a central location for
correlation. The service account that's being used requires permission
to read the logs.

 

Cheers

Ken

 

From: Free, Bob [mailto:r...@pge.com] 
Sent: Friday, 29 October 2010 3:06 AM
To: NT System Admin Issues
Subject: RE: Question on Granting service account read access to Domain
Controller Eventlogs

 

If your environment is that big how can they look at multiple DCs in
real time and correlate them? 

 

Maybe I don't understand your requirements but it seems like you want to
ship the logs real-time to a SIEM or log management tool managed by the
security team or MSSP, that is a far better way to do it than to grant
access to the logs directly. 

 

From: Ziots, Edward [mailto:ezi...@lifespan.org] 
Sent: Thursday, October 28, 2010 6:51 AM
To: NT System Admin Issues
Subject: RE: Question on Granting service account read access to Domain
Controller Eventlogs

 

It's for Vericept, and they need to read the logs in realtime to
correlate what is seen on the network with a user. 

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org

Cell:401-639-3505

 

From: Cameron [mailto:cameron.orl...@gmail.com] 
Sent: Thursday, October 28, 2010 9:32 AM
To: NT System Admin Issues
Subject: Re: Question on Granting service account read access to Domain
Controller Eventlogs

 

Could you not just setup a job to copy the security.evtx file to
somewhere else and let them access that?



 

On Thu, Oct 28, 2010 at 2:48 AM, James Rankin 
wrote:

Can you control this by NTFS access to the .evt file itself?

On 27 October 2010 16:31, Ziots, Edward  wrote:

Running a Windows 2008 R2 DFL/FFL domain, security team needs a service
account to have read only access to the Security Eventlog accordingly.
Is there a way via the Default Domain Controllers Policy to Grant this,
or maybe a users right in Windows 2008 R2 accordingly?

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org

Cell:401-639-3505





-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put
into the machine wrong figures, will the right answers come out?' I am
not able rightly to apprehend the kind of confusion of ideas that could
provoke such a question."


RE: Question on Granting service account read access to Domain Controller Eventlogs

2010-10-29 Thread Ziots, Edward
It has a service that runs as an account that contacts the DC's to read
the logs, this service account doesn't run on the DC's but on the
Vericept Console itself. 

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org

Cell:401-639-3505

 

From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Friday, October 29, 2010 12:57 AM
To: NT System Admin Issues
Subject: RE: Question on Granting service account read access to Domain
Controller Eventlogs

 

Presumably this product has an agent or uses WinRM or something to
read/pull in the logs in real time, back to a central location for
correlation. The service account that's being used requires permission
to read the logs.

 

Cheers

Ken

 

From: Free, Bob [mailto:r...@pge.com] 
Sent: Friday, 29 October 2010 3:06 AM
To: NT System Admin Issues
Subject: RE: Question on Granting service account read access to Domain
Controller Eventlogs

 

If your environment is that big how can they look at multiple DCs in
real time and correlate them? 

 

Maybe I don't understand your requirements but it seems like you want to
ship the logs real-time to a SIEM or log management tool managed by the
security team or MSSP, that is a far better way to do it than to grant
access to the logs directly. 

 

From: Ziots, Edward [mailto:ezi...@lifespan.org] 
Sent: Thursday, October 28, 2010 6:51 AM
To: NT System Admin Issues
Subject: RE: Question on Granting service account read access to Domain
Controller Eventlogs

 

It's for Vericept, and they need to read the logs in realtime to
correlate what is seen on the network with a user. 

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org

Cell:401-639-3505

 

From: Cameron [mailto:cameron.orl...@gmail.com] 
Sent: Thursday, October 28, 2010 9:32 AM
To: NT System Admin Issues
Subject: Re: Question on Granting service account read access to Domain
Controller Eventlogs

 

Could you not just setup a job to copy the security.evtx file to
somewhere else and let them access that?



 

On Thu, Oct 28, 2010 at 2:48 AM, James Rankin 
wrote:

Can you control this by NTFS access to the .evt file itself?

On 27 October 2010 16:31, Ziots, Edward  wrote:

Running a Windows 2008 R2 DFL/FFL domain, security team needs a service
account to have read only access to the Security Eventlog accordingly.
Is there a way via the Default Domain Controllers Policy to Grant this,
or maybe a users right in Windows 2008 R2 accordingly?

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org

Cell:401-639-3505





-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put
into the machine wrong figures, will the right answers come out?' I am
not able rightly to apprehend the kind of confusion of ideas that could
provoke such a question."


RE: Question on Granting service account read access to Domain Controller Eventlogs

2010-10-28 Thread Ken Schaefer
Presumably this product has an agent or uses WinRM or something to read/pull in 
the logs in real time, back to a central location for correlation. The service 
account that's being used requires permission to read the logs.

Cheers
Ken

From: Free, Bob [mailto:r...@pge.com]
Sent: Friday, 29 October 2010 3:06 AM
To: NT System Admin Issues
Subject: RE: Question on Granting service account read access to Domain 
Controller Eventlogs

If your environment is that big how can they look at multiple DCs in real time 
and correlate them?

Maybe I don't understand your requirements but it seems like you want to ship 
the logs real-time to a SIEM or log management tool managed by the security 
team or MSSP, that is a far better way to do it than to grant access to the 
logs directly.

From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Thursday, October 28, 2010 6:51 AM
To: NT System Admin Issues
Subject: RE: Question on Granting service account read access to Domain 
Controller Eventlogs

It's for Vericept, and they need to read the logs in realtime to correlate what 
is seen on the network with a user.

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:ezi...@lifespan.org
Cell:401-639-3505

From: Cameron [mailto:cameron.orl...@gmail.com]
Sent: Thursday, October 28, 2010 9:32 AM
To: NT System Admin Issues
Subject: Re: Question on Granting service account read access to Domain 
Controller Eventlogs

Could you not just setup a job to copy the security.evtx file to somewhere else 
and let them access that?



On Thu, Oct 28, 2010 at 2:48 AM, James Rankin <kz2...@googlemail.com> wrote:
Can you control this by NTFS access to the .evt file itself?
On 27 October 2010 16:31, Ziots, Edward <ezi...@lifespan.org> wrote:
Running a Windows 2008 R2 DFL/FFL domain, security team needs a service account 
to have read only access to the Security Eventlog accordingly. Is there a way 
via the Default Domain Controllers Policy to Grant this, or maybe a users right 
in Windows 2008 R2 accordingly?

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:ezi...@lifespan.org
Cell:401-639-3505




--
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the 
machine wrong figures, will the right answers come out?' I am not able rightly 
to apprehend the kind of confusion of ideas that could provoke such a question."


RE: Question on Granting service account read access to Domain Controller Eventlogs

2010-10-28 Thread Free, Bob
If your environment is that big how can they look at multiple DCs in
real time and correlate them? 

 

Maybe I don't understand your requirements but it seems like you want to
ship the logs real-time to a SIEM or log management tool managed by the
security team or MSSP, that is a far better way to do it than to grant
access to the logs directly. 

 

From: Ziots, Edward [mailto:ezi...@lifespan.org] 
Sent: Thursday, October 28, 2010 6:51 AM
To: NT System Admin Issues
Subject: RE: Question on Granting service account read access to Domain
Controller Eventlogs

 

It's for Vericept, and they need to read the logs in realtime to
correlate what is seen on the network with a user. 

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org

Cell:401-639-3505

 

From: Cameron [mailto:cameron.orl...@gmail.com] 
Sent: Thursday, October 28, 2010 9:32 AM
To: NT System Admin Issues
Subject: Re: Question on Granting service account read access to Domain
Controller Eventlogs

 

Could you not just setup a job to copy the security.evtx file to
somewhere else and let them access that?



 

On Thu, Oct 28, 2010 at 2:48 AM, James Rankin 
wrote:

Can you control this by NTFS access to the .evt file itself?



On 27 October 2010 16:31, Ziots, Edward  wrote:

Running a Windows 2008 R2 DFL/FFL domain, security team needs a service
account to have read only access to the Security Eventlog accordingly.
Is there a way via the Default Domain Controllers Policy to Grant this,
or maybe a users right in Windows 2008 R2 accordingly?

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org

Cell:401-639-3505





-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put
into the machine wrong figures, will the right answers come out?' I am
not able rightly to apprehend the kind of confusion of ideas that could
provoke such a question."


RE: Question on Granting service account read access to Domain Controller Eventlogs

2010-10-28 Thread Ziots, Edward
Cool appreciate it. 

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org

Cell:401-639-3505

 

From: Andrew S. Baker [mailto:asbz...@gmail.com] 
Sent: Thursday, October 28, 2010 10:19 AM
To: NT System Admin Issues
Subject: Re: Question on Granting service account read access to Domain
Controller Eventlogs

 

I had to do this a year or so ago.  It's not really too hard.  There is
a tool that I used to determine what the appropriate SDDL strings were.
If I can dig it up today, I'll pass it on.


 

ASB (My XeeSM Profile) <http://XeeSM.com/AndrewBaker>  
Exploiting Technology for Business Advantage...
 





On Thu, Oct 28, 2010 at 8:47 AM, Ziots, Edward 
wrote:

Yeah I saw that article, problem is one screw up and you could waste the
eventlogs on all the DC's and the DC's are in production, I rather not
have to play around trying to calculate the codes for SDDL and stuff.
With as many DC's as I have Id have to update the .INF file, register
it, on all the DC's and Id have to do this in a test environment first
to verify it works before doing change management in production. 

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org <mailto:email%3aezi...@lifespan.org> 

Cell:401-639-3505

 

From: James Rankin [mailto:kz2...@googlemail.com] 
Sent: Thursday, October 28, 2010 8:27 AM


To: NT System Admin Issues
Subject: Re: Question on Granting service account read access to Domain
Controller Eventlogs

 

Maybe this? http://support.microsoft.com/kb/323076 

On 27 October 2010 16:31, Ziots, Edward  wrote:

Running a Windows 2008 R2 DFL/FFL domain, security team needs a service
account to have read only access to the Security Eventlog accordingly.
Is there a way via the Default Domain Controllers Policy to Grant this,
or maybe a users right in Windows 2008 R2 accordingly?

 

Z

 

Edward E. Ziots

 


Re: Question on Granting service account read access to Domain Controller Eventlogs

2010-10-28 Thread Andrew S. Baker
You're not going to have access to copy the eventlogs from a scripting
standpoint -- not while the system is running, anyway.


*ASB* (My XeeSM Profile)
*Exploiting Technology for Business Advantage...*



On Thu, Oct 28, 2010 at 9:32 AM, Cameron  wrote:

> Could you not just set up a job to copy the security.evtx file to somewhere
> else and let them access that?
>
>
>
> On Thu, Oct 28, 2010 at 2:48 AM, James Rankin wrote:
>
>> Can you control this by NTFS access to the .evt file itself?
>>
>>
>>
>> On 27 October 2010 16:31, Ziots, Edward  wrote:
>>
>>>  Running a Windows 2008 R2 DFL/FFL domain, security team needs a service
>>> account to have read only access to the Security Eventlog accordingly. Is
>>> there a way via the Default Domain Controllers Policy to Grant this, or
>>> maybe a users right in Windows 2008 R2 accordingly?
>>>
>>>
>>>
>>> Z
>>>
>>>
>>>
>>> Edward E. Ziots
>>>
>>>
>>>


Re: Question on Granting service account read access to Domain Controller Eventlogs

2010-10-28 Thread Andrew S. Baker
I had to do this a year or so ago.  It's not really too hard.  There is a
tool that I used to determine what the appropriate SDDL strings were.  If I
can dig it up today, I'll pass it on.


*ASB* (My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
*Exploiting Technology for Business Advantage...*



On Thu, Oct 28, 2010 at 8:47 AM, Ziots, Edward  wrote:

>  Yeah I saw that article, problem is one screw up and you could waste the
> eventlogs on all the DC’s and the DC’s are in production, I rather not have
> to play around trying to calculate the codes for SDDL and stuff.  With as
> many DC’s as I have Id have to update the .INF file, register it, on all the
> DC’s and Id have to do this in a test environment first to verify it works
> before doing change management in production.
>
>
>
> Z
>
>
>
> Edward E. Ziots
>
> CISSP, Network +, Security +
>
> Network Engineer
>
> Lifespan Organization
>
> Email:ezi...@lifespan.org 
>
> Cell:401-639-3505
>
>
>
> *From:* James Rankin [mailto:kz2...@googlemail.com]
> *Sent:* Thursday, October 28, 2010 8:27 AM
>
> *To:* NT System Admin Issues
> *Subject:* Re: Question on Granting service account read access to Domain
> Controller Eventlogs
>
>
>
> Maybe this? http://support.microsoft.com/kb/323076
>
> On 27 October 2010 16:31, Ziots, Edward  wrote:
>
> Running a Windows 2008 R2 DFL/FFL domain, security team needs a service
> account to have read only access to the Security Eventlog accordingly. Is
> there a way via the Default Domain Controllers Policy to Grant this, or
> maybe a users right in Windows 2008 R2 accordingly?
>
>
>
> Z
>
>
>
> Edward E. Ziots
>
>
>


RE: Question on Granting service account read access to Domain Controller Eventlogs

2010-10-28 Thread Ziots, Edward
It's for Vericept, and they need to read the logs in realtime to
correlate what is seen on the network with a user. 

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org

Cell:401-639-3505

 

From: Cameron [mailto:cameron.orl...@gmail.com] 
Sent: Thursday, October 28, 2010 9:32 AM
To: NT System Admin Issues
Subject: Re: Question on Granting service account read access to Domain
Controller Eventlogs

 

Could you not just set up a job to copy the security.evtx file to
somewhere else and let them access that?



 

On Thu, Oct 28, 2010 at 2:48 AM, James Rankin 
wrote:

Can you control this by NTFS access to the .evt file itself?




On 27 October 2010 16:31, Ziots, Edward  wrote:

Running a Windows 2008 R2 DFL/FFL domain, security team needs a service
account to have read only access to the Security Eventlog accordingly.
Is there a way via the Default Domain Controllers Policy to Grant this,
or maybe a users right in Windows 2008 R2 accordingly?

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org <mailto:email%3aezi...@lifespan.org> 

Cell:401-639-3505





-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put
into the machine wrong figures, will the right answers come out?' I am
not able rightly to apprehend the kind of confusion of ideas that could
provoke such a question."


Re: Question on Granting service account read access to Domain Controller Eventlogs

2010-10-28 Thread Cameron
Could you not just set up a job to copy the security.evtx file to somewhere
else and let them access that?



On Thu, Oct 28, 2010 at 2:48 AM, James Rankin  wrote:

> Can you control this by NTFS access to the .evt file itself?
>
>
>
> On 27 October 2010 16:31, Ziots, Edward  wrote:
>
>>  Running a Windows 2008 R2 DFL/FFL domain, security team needs a service
>> account to have read only access to the Security Eventlog accordingly. Is
>> there a way via the Default Domain Controllers Policy to Grant this, or
>> maybe a users right in Windows 2008 R2 accordingly?
>>
>>
>>
>> Z
>>
>>
>>
>> Edward E. Ziots
>>
>> CISSP, Network +, Security +
>>
>> Network Engineer
>>
>> Lifespan Organization
>>
>> Email:ezi...@lifespan.org 
>>
>> Cell:401-639-3505
>>
>>
>
>
>
> --
> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
> the machine wrong figures, will the right answers come out?' I am not able
> rightly to apprehend the kind of confusion of ideas that could provoke such
> a question."
>
>


RE: Question on Granting service account read access to Domain Controller Eventlogs

2010-10-28 Thread Ziots, Edward
Yep, duly noted, but again with workload, and not that much familiarity
with the SDDL and the GPO set, I will go with user rights/Eventlog
Reader group and call it a day.  

 

Sometimes hate not knowing GPO's and stuff better, would help out on the
workload. 

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org

Cell:401-639-3505

 

From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Thursday, October 28, 2010 9:16 AM
To: NT System Admin Issues
Subject: RE: Question on Granting service account read access to Domain
Controller Eventlogs

 

That option enables the user to manage the logs - including clearing
events. If read access only is required, then using the "log access" GPO
setting is preferable.

 

Cheers

Ken

 

From: James Rankin [mailto:kz2...@googlemail.com] 
Sent: Thursday, 28 October 2010 9:09 PM
To: NT System Admin Issues
Subject: Re: Question on Granting service account read access to Domain
Controller Eventlogs

 

I would have thought that user right should do it, to be fair

On 28 October 2010 13:55, Ziots, Edward  wrote:

Yep, DC access is strictly limited, especially with the new Win2k8R2
Domain. 

 

If Manage Audit and Security Logs user right along with EventLog Readers
group access doesn't cut it for them, then ohh well. 

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org <mailto:email%3aezi...@lifespan.org> 

Cell:401-639-3505

 

From: James Rankin [mailto:kz2...@googlemail.com] 
Sent: Thursday, October 28, 2010 8:51 AM


To: NT System Admin Issues
Subject: Re: Question on Granting service account read access to Domain
Controller Eventlogs

 

I take it giving the service account admin access to the DCs is a big
no-no as well :-) or, I suppose, rather defeats the object

On 28 October 2010 13:47, Ziots, Edward  wrote:

Yeah I saw that article, problem is one screw up and you could waste the
eventlogs on all the DC's and the DC's are in production, I rather not
have to play around trying to calculate the codes for SDDL and stuff.
With as many DC's as I have Id have to update the .INF file, register
it, on all the DC's and Id have to do this in a test environment first
to verify it works before doing change management in production. 

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org <mailto:email%3aezi...@lifespan.org> 

Cell:401-639-3505

 

From: James Rankin [mailto:kz2...@googlemail.com] 
Sent: Thursday, October 28, 2010 8:27 AM


To: NT System Admin Issues
Subject: Re: Question on Granting service account read access to Domain
Controller Eventlogs

 

Maybe this? http://support.microsoft.com/kb/323076 

On 27 October 2010 16:31, Ziots, Edward  wrote:

Running a Windows 2008 R2 DFL/FFL domain, security team needs a service
account to have read only access to the Security Eventlog accordingly.
Is there a way via the Default Domain Controllers Policy to Grant this,
or maybe a users right in Windows 2008 R2 accordingly?

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org <mailto:email%3aezi...@lifespan.org> 

Cell:401-639-3505





-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put
into the machine wrong figures, will the right answers come out?' I am
not able rightly to apprehend the kind of confusion of ideas that could
provoke such a question."





-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put
into the machine wrong figures, will the right answers come out?' I am
not able rightly to apprehend the kind of confusion of ideas that could
provoke such a question."


RE: Question on Granting service account read access to Domain Controller Eventlogs

2010-10-28 Thread Ken Schaefer
That option enables the user to manage the logs - including clearing events. If 
read access only is required, then using the "log access" GPO setting is 
preferable.

Cheers
Ken

From: James Rankin [mailto:kz2...@googlemail.com]
Sent: Thursday, 28 October 2010 9:09 PM
To: NT System Admin Issues
Subject: Re: Question on Granting service account read access to Domain 
Controller Eventlogs

I would have thought that user right should do it, to be fair
On 28 October 2010 13:55, Ziots, Edward <ezi...@lifespan.org> wrote:
Yep, DC access is strictly limited, especially with the new Win2k8R2 Domain.

If Manage Audit and Security Logs user right along with EventLog Readers group 
access doesn't cut it for them, then ohh well.

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:ezi...@lifespan.org<mailto:email%3aezi...@lifespan.org>
Cell:401-639-3505

From: James Rankin [mailto:kz2...@googlemail.com]
Sent: Thursday, October 28, 2010 8:51 AM

To: NT System Admin Issues
Subject: Re: Question on Granting service account read access to Domain 
Controller Eventlogs

I take it giving the service account admin access to the DCs is a big no-no as 
well :-) or, I suppose, rather defeats the object
On 28 October 2010 13:47, Ziots, Edward <ezi...@lifespan.org> wrote:
Yeah I saw that article, problem is one screw up and you could waste the 
eventlogs on all the DC's and the DC's are in production, I rather not have to 
play around trying to calculate the codes for SDDL and stuff.  With as many 
DC's as I have Id have to update the .INF file, register it, on all the DC's 
and Id have to do this in a test environment first to verify it works before 
doing change management in production.

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:ezi...@lifespan.org<mailto:email%3aezi...@lifespan.org>
Cell:401-639-3505

From: James Rankin [mailto:kz2...@googlemail.com]
Sent: Thursday, October 28, 2010 8:27 AM

To: NT System Admin Issues
Subject: Re: Question on Granting service account read access to Domain 
Controller Eventlogs

Maybe this? http://support.microsoft.com/kb/323076
On 27 October 2010 16:31, Ziots, Edward <ezi...@lifespan.org> wrote:
Running a Windows 2008 R2 DFL/FFL domain, security team needs a service account 
to have read only access to the Security Eventlog accordingly. Is there a way 
via the Default Domain Controllers Policy to Grant this, or maybe a users right 
in Windows 2008 R2 accordingly?

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:ezi...@lifespan.org<mailto:email%3aezi...@lifespan.org>
Cell:401-639-3505




--
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the 
machine wrong figures, will the right answers come out?' I am not able rightly 
to apprehend the kind of confusion of ideas that could provoke such a question."




--
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the 
machine wrong figures, will the right answers come out?' I am not able rightly 
to apprehend the kind of confusion of ideas that could provoke such a question."


RE: Question on Granting service account read access to Domain Controller Eventlogs

2010-10-28 Thread Ziots, Edward
It should, but it gives a bit more access than is needed ( it also
allows you to clear the logs)

 

Checking in Minasi Windows 2008 R2 book and Moskowitz GPO book to see if
I can find any more nuggets of knowledge on this. 

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org

Cell:401-639-3505

 

From: James Rankin [mailto:kz2...@googlemail.com] 
Sent: Thursday, October 28, 2010 9:09 AM
To: NT System Admin Issues
Subject: Re: Question on Granting service account read access to Domain
Controller Eventlogs

 

I would have thought that user right should do it, to be fair

On 28 October 2010 13:55, Ziots, Edward  wrote:

Yep, DC access is strictly limited, especially with the new Win2k8R2
Domain. 

 

If Manage Audit and Security Logs user right along with EventLog Readers
group access doesn't cut it for them, then ohh well. 

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org <mailto:email%3aezi...@lifespan.org> 

Cell:401-639-3505

 

From: James Rankin [mailto:kz2...@googlemail.com] 
Sent: Thursday, October 28, 2010 8:51 AM


To: NT System Admin Issues
Subject: Re: Question on Granting service account read access to Domain
Controller Eventlogs

 

I take it giving the service account admin access to the DCs is a big
no-no as well :-) or, I suppose, rather defeats the object

On 28 October 2010 13:47, Ziots, Edward  wrote:

Yeah I saw that article, problem is one screw up and you could waste the
eventlogs on all the DC's and the DC's are in production, I rather not
have to play around trying to calculate the codes for SDDL and stuff.
With as many DC's as I have Id have to update the .INF file, register
it, on all the DC's and Id have to do this in a test environment first
to verify it works before doing change management in production. 

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org <mailto:email%3aezi...@lifespan.org> 

Cell:401-639-3505

 

From: James Rankin [mailto:kz2...@googlemail.com] 
Sent: Thursday, October 28, 2010 8:27 AM


To: NT System Admin Issues
Subject: Re: Question on Granting service account read access to Domain
Controller Eventlogs

 

Maybe this? http://support.microsoft.com/kb/323076 

On 27 October 2010 16:31, Ziots, Edward  wrote:

Running a Windows 2008 R2 DFL/FFL domain, security team needs a service
account to have read only access to the Security Eventlog accordingly.
Is there a way via the Default Domain Controllers Policy to Grant this,
or maybe a users right in Windows 2008 R2 accordingly?

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org <mailto:email%3aezi...@lifespan.org> 

Cell:401-639-3505





-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put
into the machine wrong figures, will the right answers come out?' I am
not able rightly to apprehend the kind of confusion of ideas that could
provoke such a question."





-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put
into the machine wrong figures, will the right answers come out?' I am
not able rightly to apprehend the kind of confusion of ideas that could
provoke such a question."


Re: Question on Granting service account read access to Domain Controller Eventlogs

2010-10-28 Thread James Rankin
I would have thought that user right should do it, to be fair

On 28 October 2010 13:55, Ziots, Edward  wrote:

>  Yep, DC access is strictly limited, especially with the new Win2k8R2
> Domain.
>
>
>
> If Manage Audit and Security Logs user right along with EventLog Readers
> group access doesn’t cut it for them, then ohh well.
>
>
>
> Z
>
>
>
> Edward E. Ziots
>
> CISSP, Network +, Security +
>
> Network Engineer
>
> Lifespan Organization
>
> Email:ezi...@lifespan.org 
>
> Cell:401-639-3505
>
>
>
> *From:* James Rankin [mailto:kz2...@googlemail.com]
> *Sent:* Thursday, October 28, 2010 8:51 AM
>
> *To:* NT System Admin Issues
> *Subject:* Re: Question on Granting service account read access to Domain
> Controller Eventlogs
>
>
>
> I take it giving the service account admin access to the DCs is a big no-no
> as well :-) or, I suppose, rather defeats the object
>
> On 28 October 2010 13:47, Ziots, Edward  wrote:
>
> Yeah I saw that article, problem is one screw up and you could waste the
> eventlogs on all the DC’s and the DC’s are in production, I rather not have
> to play around trying to calculate the codes for SDDL and stuff.  With as
> many DC’s as I have Id have to update the .INF file, register it, on all the
> DC’s and Id have to do this in a test environment first to verify it works
> before doing change management in production.
>
>
>
> Z
>
>
>
> Edward E. Ziots
>
> CISSP, Network +, Security +
>
> Network Engineer
>
> Lifespan Organization
>
> Email:ezi...@lifespan.org 
>
> Cell:401-639-3505
>
>
>
> *From:* James Rankin [mailto:kz2...@googlemail.com]
> *Sent:* Thursday, October 28, 2010 8:27 AM
>
>
> *To:* NT System Admin Issues
> *Subject:* Re: Question on Granting service account read access to Domain
> Controller Eventlogs
>
>
>
> Maybe this? http://support.microsoft.com/kb/323076
>
> On 27 October 2010 16:31, Ziots, Edward  wrote:
>
> Running a Windows 2008 R2 DFL/FFL domain, security team needs a service
> account to have read only access to the Security Eventlog accordingly. Is
> there a way via the Default Domain Controllers Policy to Grant this, or
> maybe a users right in Windows 2008 R2 accordingly?
>
>
>
> Z
>
>
>
> Edward E. Ziots
>
> CISSP, Network +, Security +
>
> Network Engineer
>
> Lifespan Organization
>
> Email:ezi...@lifespan.org 
>
> Cell:401-639-3505
>
>
>
>
>
> --
> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
> the machine wrong figures, will the right answers come out?' I am not able
> rightly to apprehend the kind of confusion of ideas that could provoke such
> a question."
>
>
>
>
>
> --
> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
> the machine wrong figures, will the right answers come out?' I am not able
> rightly to apprehend the kind of confusion of ideas that could provoke such
> a question."
>

RE: Question on Granting service account read access to Domain Controller Eventlogs

2010-10-28 Thread Ken Schaefer
You can set the SDDL using a GPO: 
http://blogs.technet.com/b/askds/archive/2008/08/12/event-logging-policy-settings-in-windows-server-2008-and-vista.aspx

And testing something before implementing it is what IT admins do. You'd have 
to test and implement this first in your Dev/Test/UAT environments anyway.

Link above also has info on SDDL.

Cheers
Ken

From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Thursday, 28 October 2010 8:48 PM
To: NT System Admin Issues
Subject: RE: Question on Granting service account read access to Domain 
Controller Eventlogs

Yeah I saw that article, problem is one screw up and you could waste the
eventlogs on all the DC's and the DC's are in production, I'd rather not have to
play around trying to calculate the codes for SDDL and stuff.  With as many
DC's as I have I'd have to update the .INF file, register it, on all the DC's
and I'd have to do this in a test environment first to verify it works before
doing change management in production.

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:ezi...@lifespan.org
Cell:401-639-3505

From: James Rankin [mailto:kz2...@googlemail.com]
Sent: Thursday, October 28, 2010 8:27 AM
To: NT System Admin Issues
Subject: Re: Question on Granting service account read access to Domain 
Controller Eventlogs

Maybe this? http://support.microsoft.com/kb/323076

On 27 October 2010 16:31, Ziots, Edward <ezi...@lifespan.org> wrote:
Running a Windows 2008 R2 DFL/FFL domain, security team needs a service account 
to have read only access to the Security Eventlog accordingly. Is there a way 
via the Default Domain Controllers Policy to Grant this, or maybe a users right 
in Windows 2008 R2 accordingly?

Z
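
An added example, not part of any message in this thread: one way to avoid hand-calculating the SDDL that the messages above discuss is to let .NET parse the Security log's current descriptor and append a single read-only ACE, printing the result for review instead of applying it. The account name `CONTOSO\svc-logreader` is a placeholder assumption; `wevtutil gl` and `wevtutil sl ... /ca:` are the stock Windows commands for reading and setting a channel's access string.

```powershell
# Added example (not from the thread): compute, but do not apply, a Security
# log SDDL that adds one read-only ACE for a service account.
# Assumption: 'CONTOSO\svc-logreader' is a placeholder account name.
$Account = 'CONTOSO\svc-logreader'
$Channel = 'Security'

# Event log access mask bits: 0x1 = read, 0x2 = write, 0x4 = clear.
$ReadOnly = 0x1

# 1. Read the channel's current security descriptor from wevtutil.
$line = wevtutil gl $Channel | Select-String -Pattern '^channelAccess:'
if (-not $line) { throw "wevtutil returned no channelAccess line for $Channel" }
$current = ($line.Line -split ':', 2)[1].Trim()

# 2. Let .NET parse the SDDL instead of editing the string by hand.
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($current)

# 3. Resolve the account to its SID; this throws if the name does not exist.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])

# 4. Stop if the account already has an ACE, so an existing grant is
#    reviewed by a person rather than silently stacked on.
$dacl = $sd.DiscretionaryAcl
$existing = @($dacl | Where-Object { $_.SecurityIdentifier -eq $sid })
if ($existing.Count -gt 0) {
    throw ("{0} already has an ACE (mask 0x{1:x}); review it by hand." -f
           $Account, $existing[0].AccessMask)
}

# 5. Append an access-allowed ACE that carries only the read bit.
$ace = New-Object System.Security.AccessControl.CommonAce(
    [System.Security.AccessControl.AceFlags]::None,
    [System.Security.AccessControl.AceQualifier]::AccessAllowed,
    $ReadOnly, $sid, $false, $null)
$dacl.InsertAce($dacl.Count, $ace)
$new = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)

# 6. Print both strings so the change can go through review unchanged.
"Current : $current"
"Proposed: $new"

# On a test DC only, the proposed value can be applied locally with:
#   wevtutil sl Security /ca:"<proposed SDDL>"
```

The proposed string differs from the current one only by the appended ACE, which makes it straightforward to compare the two in a change record before the value is placed in a GPO.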




RE: Question on Granting service account read access to Domain Controller Eventlogs

2010-10-28 Thread Ziots, Edward
Yep, DC access is strictly limited, especially with the new Win2k8R2
Domain.

If Manage Audit and Security Logs user right along with EventLog Readers
group access doesn't cut it for them, then oh well.

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:ezi...@lifespan.org
Cell:401-639-3505

 

From: James Rankin [mailto:kz2...@googlemail.com] 
Sent: Thursday, October 28, 2010 8:51 AM
To: NT System Admin Issues
Subject: Re: Question on Granting service account read access to Domain
Controller Eventlogs

 

I take it giving the service account admin access to the DCs is a big
no-no as well :-) or, I suppose, rather defeats the object

On 28 October 2010 13:47, Ziots, Edward  wrote:

Yeah I saw that article, problem is one screw up and you could waste the
eventlogs on all the DC's and the DC's are in production, I'd rather not
have to play around trying to calculate the codes for SDDL and stuff.
With as many DC's as I have I'd have to update the .INF file, register
it, on all the DC's and I'd have to do this in a test environment first
to verify it works before doing change management in production.

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:ezi...@lifespan.org
Cell:401-639-3505

 

From: James Rankin [mailto:kz2...@googlemail.com]
Sent: Thursday, October 28, 2010 8:27 AM
To: NT System Admin Issues
Subject: Re: Question on Granting service account read access to Domain
Controller Eventlogs

 

Maybe this? http://support.microsoft.com/kb/323076 

On 27 October 2010 16:31, Ziots, Edward  wrote:

Running a Windows 2008 R2 DFL/FFL domain, security team needs a service
account to have read only access to the Security Eventlog accordingly.
Is there a way via the Default Domain Controllers Policy to Grant this,
or maybe a users right in Windows 2008 R2 accordingly?

 

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:ezi...@lifespan.org
Cell:401-639-3505


Re: Question on Granting service account read access to Domain Controller Eventlogs

2010-10-28 Thread James Rankin
I take it giving the service account admin access to the DCs is a big no-no
as well :-) or, I suppose, rather defeats the object

On 28 October 2010 13:47, Ziots, Edward  wrote:

>  Yeah I saw that article, problem is one screw up and you could waste the
> eventlogs on all the DC’s and the DC’s are in production, I’d rather not have
> to play around trying to calculate the codes for SDDL and stuff.  With as
> many DC’s as I have I’d have to update the .INF file, register it, on all the
> DC’s and I’d have to do this in a test environment first to verify it works
> before doing change management in production.
>
>
>
> Z
>
>
>
> Edward E. Ziots
>
> CISSP, Network +, Security +
>
> Network Engineer
>
> Lifespan Organization
>
> Email:ezi...@lifespan.org 
>
> Cell:401-639-3505
>
>
>
> *From:* James Rankin [mailto:kz2...@googlemail.com]
> *Sent:* Thursday, October 28, 2010 8:27 AM
>
> *To:* NT System Admin Issues
> *Subject:* Re: Question on Granting service account read access to Domain
> Controller Eventlogs
>
>
>
> Maybe this? http://support.microsoft.com/kb/323076
>
> On 27 October 2010 16:31, Ziots, Edward  wrote:
>
> Running a Windows 2008 R2 DFL/FFL domain, security team needs a service
> account to have read only access to the Security Eventlog accordingly. Is
> there a way via the Default Domain Controllers Policy to Grant this, or
> maybe a users right in Windows 2008 R2 accordingly?
>
>
>
> Z
>
>
>
> Edward E. Ziots
>
> CISSP, Network +, Security +
>
> Network Engineer
>
> Lifespan Organization
>
> Email:ezi...@lifespan.org 
>
> Cell:401-639-3505
>



-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."


RE: Question on Granting service account read access to Domain Controller Eventlogs

2010-10-28 Thread Ziots, Edward
Yeah I saw that article, problem is one screw up and you could waste the
eventlogs on all the DC's and the DC's are in production, I'd rather not
have to play around trying to calculate the codes for SDDL and stuff.
With as many DC's as I have I'd have to update the .INF file, register
it, on all the DC's and I'd have to do this in a test environment first
to verify it works before doing change management in production.

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:ezi...@lifespan.org
Cell:401-639-3505

 

From: James Rankin [mailto:kz2...@googlemail.com] 
Sent: Thursday, October 28, 2010 8:27 AM
To: NT System Admin Issues
Subject: Re: Question on Granting service account read access to Domain
Controller Eventlogs

 

Maybe this? http://support.microsoft.com/kb/323076 

On 27 October 2010 16:31, Ziots, Edward  wrote:

Running a Windows 2008 R2 DFL/FFL domain, security team needs a service
account to have read only access to the Security Eventlog accordingly.
Is there a way via the Default Domain Controllers Policy to Grant this,
or maybe a users right in Windows 2008 R2 accordingly?

 

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:ezi...@lifespan.org
Cell:401-639-3505


Re: Question on Granting service account read access to Domain Controller Eventlogs

2010-10-28 Thread James Rankin
Maybe this? http://support.microsoft.com/kb/323076

On 27 October 2010 16:31, Ziots, Edward  wrote:

>  Running a Windows 2008 R2 DFL/FFL domain, security team needs a service
> account to have read only access to the Security Eventlog accordingly. Is
> there a way via the Default Domain Controllers Policy to Grant this, or
> maybe a users right in Windows 2008 R2 accordingly?
>
>
>
> Z
>
>
>
> Edward E. Ziots
>
> CISSP, Network +, Security +
>
> Network Engineer
>
> Lifespan Organization
>
> Email:ezi...@lifespan.org 
>
> Cell:401-639-3505
>



-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."


RE: Question on Granting service account read access to Domain Controller Eventlogs

2010-10-28 Thread Ziots, Edward
I don't believe so, since a service basically has the .EVTX files open
by default.

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:ezi...@lifespan.org
Cell:401-639-3505

 

From: James Rankin [mailto:kz2...@googlemail.com] 
Sent: Thursday, October 28, 2010 2:49 AM
To: NT System Admin Issues
Subject: Re: Question on Granting service account read access to Domain
Controller Eventlogs

 

Can you control this by NTFS access to the .evt file itself?




On 27 October 2010 16:31, Ziots, Edward  wrote:

Running a Windows 2008 R2 DFL/FFL domain, security team needs a service
account to have read only access to the Security Eventlog accordingly.
Is there a way via the Default Domain Controllers Policy to Grant this,
or maybe a users right in Windows 2008 R2 accordingly?

 

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:ezi...@lifespan.org
Cell:401-639-3505


Re: Question on Granting service account read access to Domain Controller Eventlogs

2010-10-27 Thread James Rankin
Can you control this by NTFS access to the .evt file itself?



On 27 October 2010 16:31, Ziots, Edward  wrote:

>  Running a Windows 2008 R2 DFL/FFL domain, security team needs a service
> account to have read only access to the Security Eventlog accordingly. Is
> there a way via the Default Domain Controllers Policy to Grant this, or
> maybe a users right in Windows 2008 R2 accordingly?
>
>
>
> Z
>
>
>
> Edward E. Ziots
>
> CISSP, Network +, Security +
>
> Network Engineer
>
> Lifespan Organization
>
> Email:ezi...@lifespan.org 
>
> Cell:401-639-3505
>



-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."
