Opinions Please - Use of Least Privilege Concept

  • Opinions Please - Use of Least Privilege Concept

    I have been working on evaluating Event Log Management solutions and have run across a number of products that require a Domain Admins account to run for collecting logs from Windows Servers.

    Am I a bit out in left field to think that a service account shouldn't be running with these kinds of credentials? One product allowed the possibility of using alternate credentials, so that I could use a Domain account that had been made part of the admin group on only the servers I was monitoring and use a Domain Admins account to collect from the DC. Another product allowed the same Domain account to collect from regular servers, then used an agent on the DC to push event logs from the DC to the Event Log server.

    I am a little surprised at the seemingly cavalier use of the Domain Admins account for merely event log collection.

    Which leads me to another thought - I haven't browsed much of Server 2008, but is there a way to provide role-based access to only read the event logs, particularly the Security Log? I know I can construct a GPO with registry settings and SDDLs in 2003, but it certainly would be nicer if the ability was pre-configured.

  • #2
    Re: Opinions Please - Use of Least Privilege Concept

    For a DC to read the security log you have to be a Domain Admin. We use AdventNet EventLog Analyzer and it runs as our Domain Admin.

    I don't like that requirement either.


    • #3
      Re: Opinions Please - Use of Least Privilege Concept

      That was one of the programs I evaluated as well. There seem to be two ways to accommodate this situation: 1) create registry entries and apply them through a GPO, writing a custom SDDL entry - yech - or 2) add a service group to the Manage Audit and Security Log right, which allows that user to read the Security Log - the primary stumbling block to event log collection...

      So I will probably go with adding that User Right to a Service Group and see how that works... at least that way, if the service does get compromised, then I know the credentials can't do much more than delete the logs - which records an event about it anyway....

      Thanks for your reply.
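The two least-privilege routes discussed in this thread (the original question about a pre-configured read-only path on Server 2008, and #3's plan to grant the "Manage auditing and security log" user right to a service group) can both be checked from an elevated PowerShell prompt on the monitored server. The script below is an added example, not code from the thread or from any of the products mentioned; it assumes a placeholder service account `CONTOSO\svc-eventlog` and a Windows Server 2008 or later host. Step 1 audits who currently holds SeSecurityPrivilege (the internal name of the right #3 refers to), step 2 shows the Security channel's access SDDL, step 3 grants read access through the built-in Event Log Readers group instead of Domain Admins, and step 4 is the verification to run under the service account's own token.

```powershell
# Added example, not from the original thread. Run elevated on the monitored host.
# CONTOSO\svc-eventlog is a placeholder for the log collector's service account.
$svcAccount = 'CONTOSO\svc-eventlog'

# 1. Audit who holds "Manage auditing and security log" (SeSecurityPrivilege).
#    secedit exports the local policy as an INF; the privilege line lists SIDs.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /quiet | Out-Null
$privLine = (Select-String -Path $inf -Pattern '^SeSecurityPrivilege' | Select-Object -First 1).Line
Remove-Item $inf -ErrorAction SilentlyContinue
Write-Host "SeSecurityPrivilege holders:"
if ($privLine) {
    # Entries look like *S-1-5-32-544; translate each SID to an account name
    ($privLine -split '=')[1].Trim() -split ',' | ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier ($_.Trim().TrimStart('*'))
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
    }
}

# 2. On Server 2008+, read access to the Security log is governed by the channel
#    SDDL. The default grants read (0x1) to Event Log Readers (S-1-5-32-573),
#    so membership in that group is the pre-configured least-privilege path.
$channelAccess = (wevtutil gl Security | Select-String 'channelAccess').Line
Write-Host "Security channel ACL: $channelAccess"

# 3. Grant read access via group membership rather than Domain Admins.
#    (net localgroup works on 2008; Add-LocalGroupMember needs PowerShell 5.1.)
net localgroup "Event Log Readers" $svcAccount /add

# 4. Verification: run this part in a shell started as the service account,
#    e.g. runas /user:CONTOSO\svc-eventlog powershell.exe
#    The token must not carry Domain Admins, and the Security log must be readable.
$groups = whoami /groups
if ($groups -match 'Domain Admins') {
    Write-Warning "Current token is a Domain Admin; least privilege is violated"
}
Get-WinEvent -LogName Security -MaxEvents 3 |
    Select-Object TimeCreated, Id, ProviderName
```

Step 3 is narrower than #3's user-right approach: SeSecurityPrivilege also permits clearing the Security log and changing the audit policy, whereas Event Log Readers only grants read on the channel. If the user right is chosen anyway, it is assigned through Local Security Policy or a GPO, and the export in step 1 is how to confirm after the fact that only the intended service group holds it.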