Information
This setting ensures that Windows Event Logs are protected. Windows Event Logs record system and user activity.
The recommended state for this setting is: Eventlog - Full Control, SYSTEM - Full Control, and Administrators - Full Control.
Rationale:
Maintaining an audit trail of system activity can help identify system issues such as configuration errors and can help troubleshoot service disruptions. Event Logs are also a valuable tool in the detection of system and user compromises, as well as cyberattacks.
If the Event Log folder is writable by accounts other than the Event Log service, SYSTEM and Administrators, an attacker or a malicious user can modify or delete the .evtx files to cover their tracks. The folder permissions must therefore be restricted to those principals.
Impact:
Only system administrators will be able to view Event Logs. Standard users will be denied access.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Navigate to the following directory and ensure permissions are set as follows: Eventlog - Full Control, SYSTEM - Full Control, and Administrators - Full Control.
%drive%\Windows\System32\winevt
Note: If Windows Event Logs have been moved to another location, navigate to that folder and ensure the permissions are set as prescribed.
To change permissions on the winevt folder perform the following:
1. Navigate to the winevt folder, right-click it and select Properties.
2. Click the Security tab.
3. Click Edit and remove all users and groups that are not described above, leaving only Eventlog, SYSTEM and Administrators, each with Full Control.
4. If the Remove button is greyed out for an entry, that entry is inherited from the parent folder (for example the Users entry from %SystemRoot%\System32). Click Advanced, click Disable inheritance, choose to remove (not convert) the inherited permissions, click OK, and then repeat step 3.
5. Click OK.
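The same audit and remediation as a PowerShell script, added here as an example and not part of the benchmark or of this plugin. It assumes an elevated session, assumes the principal names as Get-Acl reports them on an English system (NT SERVICE\EventLog, NT AUTHORITY\SYSTEM, BUILTIN\Administrators), and takes a hypothetical -Path parameter for the case where the logs have been moved. Without -Remediate it only reports; with it, inheritance is broken and every entry not in the recommended list is removed, so run it read-only first and review the warnings before remediating.

```powershell
<#
  Added example (not from the CIS benchmark or this Nessus plugin): audit the NTFS ACL on
  the Windows Event Log folder against the recommended state and, with -Remediate, apply it.
  Assumptions: elevated PowerShell session; English principal names; -Path is only needed
  if the logs were moved. Usage: .\Check-WinevtAcl.ps1 [-Path D:\Logs\winevt] [-Remediate]
#>
param(
    [string]$Path = (Join-Path $env:SystemRoot 'System32\winevt'),
    [switch]$Remediate
)

$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
# Get-Acl shows inherit-only entries as the raw GENERIC_ALL bit (0x10000000) rather than FullControl.
$GenericAll = 268435456

# Recommended state: exactly these three principals, each with Full Control, nothing else.
$Expected = @('NT SERVICE\EventLog', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Test-EventLogFolderAcl {
    param([string]$FolderPath)
    $acl = Get-Acl -Path $FolderPath
    $findings = @()
    $seen = @{}

    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        $isFull = ($ace.FileSystemRights -eq $FullControl) -or ([int]$ace.FileSystemRights -eq $GenericAll)
        if ($Expected -notcontains $id) {
            $findings += "Unexpected principal: $id ($($ace.FileSystemRights), inherited=$($ace.IsInherited))"
        }
        elseif ($ace.AccessControlType -ne 'Allow') {
            $findings += "Deny entry present for $id"
        }
        elseif ($isFull) {
            $seen[$id] = $true
        }
    }
    foreach ($id in $Expected) {
        if (-not $seen.ContainsKey($id)) { $findings += "Missing Full Control entry for $id" }
    }
    return $findings
}

function Set-EventLogFolderAcl {
    param([string]$FolderPath)
    $acl = Get-Acl -Path $FolderPath
    # Inherited entries (for example Users - Read & Execute from System32) cannot be removed
    # individually, so break inheritance and drop them instead of converting them to explicit ACEs.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove every remaining explicit entry, then add only the three recommended ones.
    foreach ($ace in @($acl.Access)) { $null = $acl.RemoveAccessRuleAll($ace) }
    # ContainerInherit + ObjectInherit so the rule propagates to winevt\Logs and the .evtx files.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    foreach ($id in $Expected) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, $FullControl, $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $FolderPath -AclObject $acl
}

$findings = @(Test-EventLogFolderAcl -FolderPath $Path)
if ($findings.Count -eq 0) {
    Write-Output "$Path is compliant with the recommended permissions"
}
else {
    $findings | ForEach-Object { Write-Warning $_ }
    if ($Remediate) {
        Set-EventLogFolderAcl -FolderPath $Path
        $after = @(Test-EventLogFolderAcl -FolderPath $Path)
        if ($after.Count -eq 0) { Write-Output "$Path remediated" }
        else { $after | ForEach-Object { Write-Warning "Still non-compliant: $_" } }
    }
}
```

For a quick manual look at the current state, `(Get-Acl (Join-Path $env:SystemRoot 'System32\winevt')).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited` shows which entries are inherited and therefore need inheritance disabled before they can be removed.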
OR
To establish the recommended configuration via GP, set the following UI path to Enabled and supply the encryption certificate the policy asks for:
Computer Configuration\Policies\Administrative Templates\Windows Components\Event Logging\Enable Protected Event Logging
Note that Protected Event Logging is a different control from the folder permissions above: it encrypts the content of supported event log messages (PowerShell script block logging being the main producer) with the public key of the supplied certificate, so the entries can only be read by a holder of the matching private key. It does not change the NTFS permissions on the winevt folder, so it protects the confidentiality of log contents rather than the integrity of the log files themselves.
For more information about Protected Event Logging, visit: About Logging Windows - PowerShell | Microsoft Docs.
Default Value:
Eventlog - Full Control; SYSTEM - Full Control; Administrators - Full Control; Users - Read & Execute, List Folder Contents, and Read