Event Viewer Log Review
March 5, 2010

It is important to check the Windows XP, Vista and Server Event Viewer frequently and review the log files for possible security concerns. Keep a minimum of seven days of activity in the Application, System and Security logs; to retain seven days of records, increase the maximum size of each log file. You can open the Event Viewer by:
Going to Start -> Control Panel -> Administrative Tools -> Event Viewer
(for Classic View: Start -> Settings -> Control Panel -> Administrative Tools -> Event Viewer)
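As an added example (not from the original article), the script below reviews a Security log that was saved from Event Viewer as a CSV file: it checks whether the oldest surviving record is at least seven days old, estimates the maximum log size needed to hold seven days of records at the observed event rate, and counts failed logons per account. The column layout, the en-US timestamp format, the `Account Name:` phrase in the message text, Event ID 4625 for failed logons and the 1024-byte average record size are assumptions; the records are constructed for the demo.

```python
"""Review a Security log export for retention depth and failed-logon bursts.

Added example, not part of the original article. Assumes an en-US
Event Viewer "Save As CSV" export with the columns used in SAMPLE_CSV.
"""
import csv
import io
import math
import re
from collections import Counter
from datetime import datetime

RETENTION_DAYS = 7            # the article's minimum
FAILED_LOGON_ID = "4625"      # Vista / Server 2008 and later; XP / 2003 use 529
BURST_THRESHOLD = 5           # failed attempts on one account worth a closer look
DATE_FORMAT = "%m/%d/%Y %I:%M:%S %p"          # assumed en-US timestamp format
ACCOUNT_RE = re.compile(r"Account Name:\s*(\S+)")   # assumed message text

# Constructed sample records in the assumed export layout.
SAMPLE_CSV = """\
Level,Date and Time,Source,Event ID,Task Category,Message
Information,3/1/2010 8:02:11 AM,Microsoft-Windows-Security-Auditing,4624,Logon,An account was successfully logged on. Account Name: alice
Information,3/1/2010 6:45:00 PM,Microsoft-Windows-Security-Auditing,4634,Logoff,An account was logged off. Account Name: alice
Information,3/2/2010 9:15:43 AM,Microsoft-Windows-Security-Auditing,4624,Logon,An account was successfully logged on. Account Name: bob
Information,3/3/2010 11:40:02 PM,Microsoft-Windows-Security-Auditing,4625,Logon,An account failed to log on. Account Name: Administrator
Information,3/3/2010 11:40:09 PM,Microsoft-Windows-Security-Auditing,4625,Logon,An account failed to log on. Account Name: Administrator
Information,3/3/2010 11:40:15 PM,Microsoft-Windows-Security-Auditing,4625,Logon,An account failed to log on. Account Name: Administrator
Information,3/3/2010 11:40:22 PM,Microsoft-Windows-Security-Auditing,4625,Logon,An account failed to log on. Account Name: Administrator
Information,3/3/2010 11:40:30 PM,Microsoft-Windows-Security-Auditing,4625,Logon,An account failed to log on. Account Name: Administrator
Information,3/3/2010 11:40:37 PM,Microsoft-Windows-Security-Auditing,4625,Logon,An account failed to log on. Account Name: Administrator
Information,3/4/2010 7:58:10 AM,Microsoft-Windows-Security-Auditing,4625,Logon,An account failed to log on. Account Name: bob
Information,3/4/2010 7:58:30 AM,Microsoft-Windows-Security-Auditing,4624,Logon,An account was successfully logged on. Account Name: bob
Information,3/5/2010 10:03:11 AM,Microsoft-Windows-Security-Auditing,4624,Logon,An account was successfully logged on. Account Name: alice
"""


def parse_export(text):
    """Turn the CSV export into dicts holding a datetime, event id and account name."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        match = ACCOUNT_RE.search(row["Message"])
        events.append({
            "time": datetime.strptime(row["Date and Time"], DATE_FORMAT),
            "event_id": row["Event ID"],
            "account": match.group(1) if match else None,
        })
    return events


def span_days(events):
    """Days between the oldest and newest record the log still holds."""
    times = [e["time"] for e in events]
    return (max(times) - min(times)).total_seconds() / 86400


def covers_retention(events, days=RETENTION_DAYS):
    """True when the export still reaches back at least `days` days."""
    return span_days(events) >= days


def estimate_log_size_kb(events, days=RETENTION_DAYS, bytes_per_record=1024):
    """Maximum log size (KB) needed to hold `days` of records at the observed rate.

    `bytes_per_record` is an assumed average; measure it on the real log.
    """
    per_day = len(events) / max(span_days(events), 1.0)
    return math.ceil(per_day * days * bytes_per_record / 1024)


def failed_logon_bursts(events, threshold=BURST_THRESHOLD):
    """Accounts with at least `threshold` failed logons, mapped to their counts."""
    counts = Counter(e["account"] for e in events
                     if e["event_id"] == FAILED_LOGON_ID and e["account"])
    return {acct: n for acct, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    events = parse_export(SAMPLE_CSV)
    print(f"{len(events)} records spanning {span_days(events):.1f} days; "
          f"{RETENTION_DAYS}-day retention met: {covers_retention(events)}")
    print(f"suggested maximum log size at this rate: about {estimate_log_size_kb(events)} KB")
    for acct, n in failed_logon_bursts(events).items():
        print(f"{n} failed logons against {acct}")
```

On the sample data the export reaches back only about four days, so the log is either too small or was cleared recently; the size estimate is a floor for the "Maximum log size" field, and the six failed logons against Administrator within forty seconds are the kind of entry the review is meant to surface.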
| User Right | Domain Controller | Standalone/Member Server | Professional |
|---|---|---|---|
| Access this computer from the network | Domain Users | Domain Users | Remove Everyone |
| Act as part of the operating system | None | None | None |
| Add workstations to domain | Administrators | None | None |
| Adjust memory quotas for a process | Administrators | Administrators | Administrators |
| Allow login through Terminal Services | None | None | None |
| Back up files and directories | Backup Operators, Administrators | Backup Operators, Administrators | Backup Operators, Administrators |
| Bypass traverse checking | Administrators, Server Operators, and Backup Operators | Administrators, Server Operators, and Backup Operators | Administrators |
| Change the system time | Administrators | Administrators | Administrators and Power Users |
| Create a pagefile | Domain Admins | Administrators | Administrators |
| Create a token object | None | None | None |
| Create permanent share objects | None | None | None |
| Debug programs | None (except in off-internet development) | None (except in off-internet development) | None (except in off-internet development) |
| Deny access to this computer from the network | None | None | None |
| Deny logon as a batch job | None | None | None |
| Deny logon as a service | None | None | None |
| Deny logon locally | None | None | None |
| Deny logon through Terminal Services | None | None | None |
| Enable computer and user accounts to be trusted for delegation | Use this right only if testing reveals it is necessary. | Use this right only if testing reveals it is necessary. | Use this right only if testing reveals it is necessary. |
| Force shutdown from a remote system | Administrators | Administrators | None |
| Generate security audit | None | None | None |
| Increase scheduling priority | Administrators | Administrators | Administrators |
| Load and unload device drivers | Administrators | Administrators | Administrators |
| Lock pages in memory | None | None | None |
| Log on as a batch job | None | None | None |
| Log on as a service | Replicators | None | None |
| Log on locally | Administrators, Server Operators, and Backup Operators | Administrators, Server Operators, and Backup Operators | Administrators and Authenticated Users |
| Manage auditing and security log | Administrators | Administrators | Administrators |
| Modify firmware environment values | Administrators, Server Operators, and Backup Operators | Administrators | Administrators |
| Perform volume maintenance tasks | Administrators | Administrators | Administrators |
| Profile single process | None | None | None |
| Profile system performance *** | None | None | None |
| Remove computer from docking station | None | None | None |
| Replace a process level token | None | None | None |
| Restore files and directories | Backup Operators, Administrators | Backup Operators, Administrators | Backup Operators, Administrators |
| Shut down the system | Administrators and Server Operators | Administrators and Server Operators | Administrators and Authenticated Users |
| Synchronize directory service data | None | None | None |
| Take ownership of files or other objects | Administrators | Administrators | Administrators |
Service-specific accounts can be granted the User Rights that are necessary to perform their specific functions.
| Local Security Policy | Recommended Settings |
|---|---|
| Accounts: Administrator account status | Enabled |
| Accounts: Guest account status | Enabled |
| Accounts: Limit local account use of blank passwords to console logon only | Enabled |
| Accounts: Rename administrator account | <configure locally> |
| Accounts: Rename guest account | <configure locally> |
| Audit: Audit the access of global system objects | Disabled |
| Audit: Audit the use of Backup and Restore privileges | |
| Audit: Shut down system immediately if unable to log security audits | Disabled |
| Devices: Allow undock without having to log on | Enabled |
| Devices: Allowed to format and eject removable media | Administrators |
| Devices: Prevent users from installing printer drivers | Disabled |
| Devices: Restrict CD-ROM access to locally logged-on user only | Disabled |
| Devices: Restrict floppy access to locally logged-on user only | Disabled |
| Devices: Unsigned driver installation behavior | Warn but allow installation |
| Domain controller: Allow server operators to schedule tasks | Not defined |
| Domain controller: LDAP server signing requirements | Not defined |
| Domain controller: Refuse machine account password changes | Not defined |
| Domain member: Digitally encrypt or sign secure channel data (always) | Enabled |
| Domain member: Digitally encrypt secure channel data (when possible) | Enabled |
| Domain member: Digitally sign secure channel data (when possible) | Enabled |
| Domain member: Disable machine account password changes | Disabled |
| Domain member: Maximum machine account password age | 30 days |
| Domain member: Require strong (Windows 200x or later) session | Disabled |
| Interactive logon: Do not display last user name | Disabled |
| Interactive logon: Do not require CTRL+ALT+DEL | Not defined |
| Interactive logon: Message text for users attempting to log on | * * * * * * * W A R N I N G Some message…. |
| Interactive logon: Message title for users attempting to log on | Warning: This is a monitored computer system! |
| Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 0 logons |
| Interactive logon: Prompt user to change password before expiration | 14 days |
| Interactive logon: Require Domain Controller authentication to unlock workstation | Disabled |
| Interactive logon: Smart card removal behavior | No Action |
| Microsoft network client: Digitally sign communications (always) | Disabled |
| Microsoft network client: Digitally sign communications (if server agrees) | Enabled |
| Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled |
| Microsoft network server: Amount of idle time required before suspending session | 15 minutes |
| Microsoft network server: Digitally sign communications (always) | Disabled |
| Microsoft network server: Digitally sign communications (if client agrees) | Disabled |
| Microsoft network server: Disconnect clients when logon hours expire | Enabled |
| Network access: Allow anonymous SID/Name translation | Disabled |
| Network access: Do not allow anonymous enumeration of SAM accounts | Enabled |
| Network access: Do not allow anonymous enumeration of SAM accounts and shares | Disabled |
| Network access: Do not allow storage of credentials or .NET Passports for network authentication | Disabled |
| Network access: Let Everyone permissions apply to anonymous users | Disabled |
| Network access: Named pipes that can be accessed anonymously | COMNAP, COMNODE, SQLQUERY, SPOOLSS, LLSRPC, EPMAPPER, LOCATOR, TrkWks, TrkSvr |
| Network access: Remotely accessible registry paths | System\CurrentControlSet\Control\ProductOptions; System\CurrentControlSet\Control\Print\Printers; System\CurrentControlSet\Control\Server Applicati; System\CurrentControlSet\Services\Eventlog; Software\Microsoft\OLAP Server; Software\Microsoft\Windows NT\CurrentVersion; System\CurrentControlSet\Control\ContentIndex; System\CurrentControlSet\Control\Terminal Server; System\CurrentControlSet\Control\Terminal Server\UserConfig; System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration |
| Network access: Shares that can be accessed anonymously | COMCFG, DFS$ |
| Network access: Sharing and security model for local accounts | Guest only – local users authenticate as Guest |
| Network security: Do not store LAN Manager hash value on next password change | Disabled |
| Network security: Force logoff when logon hours expire | Disabled |
| Network security: LAN Manager authentication level | Send LM & NTLM responses |
| Network security: LDAP client signing requirements | Negotiate signing |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | No minimum |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | No minimum |
| Recovery console: Allow automatic administrative logon | Disabled |
| Recovery console: Allow floppy copy and access to all drives and all folders | Disabled |
| Shutdown: Allow system to be shut down without having to log on | Enabled |
| Shutdown: Clear virtual memory pagefile | Disabled |
| System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Disabled |
| System objects: Default owner for objects created by members of the Administrators group | Object Creator |
| System objects: Require case insensitivity for non-Windows | Enabled |
| System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled |
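Both tables above, the User Rights assignments and the Local Security Policy settings, are written out by `secedit /export /cfg <file>` as `[Privilege Rights]` and `[Registry Values]` entries, so a machine can be checked against them mechanically instead of by clicking through the console. The script below is an added example and not part of the original article: it parses such an export and reports where the machine deviates from a subset of the Professional column and of the Recommended Settings. The mapping from policy names to privilege constants and registry values, the well-known SIDs, and the sample export are my own assumptions and constructed data, not values from the article.

```python
"""Audit a secedit-style policy export against a subset of the tables above.

Added example, not part of the original article. Assumes the INF layout that
`secedit /export /cfg <file>` produces; the baselines and sample export below
are the author's own mapping and constructed data.
"""

# Well-known SIDs that secedit writes in place of group names (assumed mapping).
SID_NAMES = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-551": "Backup Operators",
}

# Professional column of the User Rights table: privilege constant -> (policy name,
# SIDs allowed to hold it). An empty set means the table says "None".
RIGHTS_BASELINE = {
    "SeTcbPrivilege": ("Act as part of the operating system", set()),
    "SeDebugPrivilege": ("Debug programs", set()),
    "SeCreateTokenPrivilege": ("Create a token object", set()),
    "SeBatchLogonRight": ("Log on as a batch job", set()),
    "SeSecurityPrivilege": ("Manage auditing and security log", {"S-1-5-32-544"}),
    "SeTakeOwnershipPrivilege": ("Take ownership of files or other objects", {"S-1-5-32-544"}),
    "SeRestorePrivilege": ("Restore files and directories", {"S-1-5-32-544", "S-1-5-32-551"}),
}

# A few Local Security Policy rows keyed by the registry value secedit exports.
# Expected values use the INF encoding "<type>,<data>" (4 = REG_DWORD, 1 = REG_SZ).
REGISTRY_BASELINE = {
    r"MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse":
        ("Accounts: Limit local account use of blank passwords to console logon only", "4,1"),
    r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM":
        ("Network access: Do not allow anonymous enumeration of SAM accounts", "4,1"),
    r"MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword":
        ("Microsoft network client: Send unencrypted password to third-party SMB servers", "4,0"),
    r"MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge":
        ("Domain member: Maximum machine account password age", "4,30"),
    r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount":
        ("Interactive logon: Number of previous logons to cache", '1,"0"'),
}

# Constructed sample export: a workstation that drifted from the tables in four places.
SAMPLE_EXPORT = r"""
[Unicode]
Unicode=yes
[Privilege Rights]
SeTcbPrivilege =
SeDebugPrivilege = *S-1-5-32-544
SeCreateTokenPrivilege =
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeSecurityPrivilege = *S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
"""


def parse_inf(text):
    """Return {section: {key: value}} from an INF-style export; ';' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def parse_sids(value):
    """'*S-1-5-32-544,*S-1-5-32-545' -> {'S-1-5-32-544', 'S-1-5-32-545'}; '' -> empty set."""
    return {tok.strip().lstrip("*") for tok in value.split(",") if tok.strip()}


def names(sids):
    """Render a set of SIDs as sorted group names, or 'None' for an empty set."""
    return ", ".join(sorted(SID_NAMES.get(s, s) for s in sids)) or "None"


def audit(inf_text):
    """Return (policy name, expected, actual) for each deviation from the baselines."""
    sections = parse_inf(inf_text)
    rights = sections.get("Privilege Rights", {})
    registry = sections.get("Registry Values", {})
    findings = []
    for priv, (name, allowed) in RIGHTS_BASELINE.items():
        # A right absent from the export is held by nobody, which is the "None" case.
        extra = parse_sids(rights.get(priv, "")) - allowed
        if extra:
            findings.append((name, names(allowed), names(extra)))
    for path, (name, expected) in REGISTRY_BASELINE.items():
        actual = registry.get(path)
        if actual != expected:
            findings.append((name, expected, "<not set>" if actual is None else actual))
    return findings


if __name__ == "__main__":
    for name, expected, actual in audit(SAMPLE_EXPORT):
        print(f"{name}: expected {expected}, found {actual}")
```

The rights check reports only holders the table does not allow, since an extra holder is the over-privilege condition the table guards against; the registry check compares the raw INF value so a REG_SZ setting such as the cached-logon count is compared with its quotes intact.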