Windows Host Security: Network Security Hacks
By: O'Reilly Media
    2004-09-20

    Table of Contents:
  • Windows Host Security: Network Security Hacks
  • Run the Verbose Switch
  • Hack 22: Get a List of Open Files and Their Owning Processes
  • Hack 23: List Running Services and Open Ports
  • Hack 24: Enable Auditing
  • Hacks 25 and 26: Secure Your Event Logs, and Change Your Maximum Log Files Sizes
  • Hacks 27 and 28: Disable Default Shares, and Encrypt Your Temp Folder
  • Hacks 29 and 30: Clear the Paging File at Shutdown, and Restrict Applications Available to Users


    Windows Host Security: Network Security Hacks - Hacks 25 and 26: Secure Your Event Logs, and Change Your Maximum Log Files Sizes


    (Page 6 of 8 )

    Hack 25: Secure Your Event Logs

    Keep your system’s logs from being tampered with.

    Windows has some very powerful logging features. Unfortunately, by default the event logs are not protected against unauthorized access or modification. You may not realize that even though you have to view the logs through the Event Viewer, the event logs are simply regular files just like any other. To secure them, all we have to do is locate them and apply the proper ACLs.

    Unless their location has been changed through the registry, you should be able to find the logs in the %SystemRoot%\system32\config directory.

    The three files that correspond to the Application Log, Security Log, and System Log are AppEvent.Evt, SecEvent.Evt, and SysEvent.Evt, respectively.

    Now, apply ACLs to limit access to only Administrator accounts. You can do this by bringing up the Properties dialog for the files and clicking the Security tab. After you’ve done this, remove any users or groups other than Administrators and SYSTEM from the top pane.
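
    To confirm the result of the step above without opening each Properties dialog, the following read-only check lists any access entry on the three log files that belongs to someone other than Administrators or SYSTEM. It is an added example, not part of the original hack; it assumes Windows PowerShell run from an administrative session, and the function and variable names are hypothetical.

```powershell
# Added example (read-only): report access entries on the event log files
# that belong to anyone other than Administrators or SYSTEM.
$allowedSids = @(
    'S-1-5-32-544',   # BUILTIN\Administrators (well-known SID)
    'S-1-5-18'        # NT AUTHORITY\SYSTEM    (well-known SID)
)
# Default file names from the article, used when the registry has no override.
$defaultFiles = @{
    Application = 'AppEvent.Evt'
    Security    = 'SecEvent.Evt'
    System      = 'SysEvent.Evt'
}
$logKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'

function Get-EventLogFilePath {
    param([string]$LogName)
    # Start from the default location, then honour a relocated path if set.
    $path = Join-Path $env:SystemRoot "system32\config\$($defaultFiles[$LogName])"
    $prop = Get-ItemProperty -Path "$logKey\$LogName" -Name File -ErrorAction SilentlyContinue
    if ($prop -and $prop.File) {
        $path = [Environment]::ExpandEnvironmentVariables($prop.File)
    }
    return $path
}

function Get-UnexpectedAce {
    param([string]$Path)
    # Ask for identities as SIDs so the comparison is locale-independent.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $allowedSids -notcontains $_.IdentityReference.Value
    }
}

foreach ($name in $defaultFiles.Keys) {
    $file = Get-EventLogFilePath -LogName $name
    if (-not (Test-Path -LiteralPath $file)) {
        Write-Output "$name : $file not found"
        continue
    }
    $extra = @(Get-UnexpectedAce -Path $file)
    if ($extra.Count -eq 0) {
        Write-Output "$name : no entries beyond Administrators and SYSTEM ($file)"
    }
    foreach ($ace in $extra) {
        Write-Output ("{0} : unexpected entry for {1} ({2})" -f $name, $ace.IdentityReference.Value, $ace.FileSystemRights)
    }
}
```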

    Hack 26: Change Your Maximum Log File Sizes

    Change your log properties so that they see the whole picture.

    From a security point of view, logs are one of the most important assets contained on a server. After all, without logs how will you know if or when someone has gained access to your machine? Therefore, it is imperative that your logs not miss a beat. If you’re trying to track down the source of an incident, having missing log entries is not much better than having no logs at all.

    One common problem is that the maximum log size is set too low—the default is a measly 512KB. To change this, open the Administrative Tools control panel, and then open the Event Viewer. You should now see something similar to Figure 2-3.

    [Figure 2-3]

    After you have done this, select one of the log files from the left pane of the Event Viewer window and right-click it. Now select the Properties menu item. You should now see something similar to Figure 2-4.

    [Figure 2-4]

    Now locate the text input box with the label “Maximum log size”. You can type in the new maximum size directly, or you can use the arrows next to the text box to change the value. Anything above 1MB is good to use here. It all depends on how often you want to review and archive your logs. However, keep in mind that having very large log files won’t inherently slow down the machine, but can slow down the Event Viewer when you’re trying to view the logs. While you’re here, you may also want to change the behavior for when the log file reaches its maximum size. By default, it will start overwriting log entries that are older than seven days with newer log entries. It is recommended that you change this value to something higher—say 31 days. Alternatively, you could elect not to have logs overwritten automatically at all, in which case you’ll need to clear the log manually.
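
    The same settings can be checked, and optionally applied, on all three logs from a script instead of through each Properties dialog. This is an added example, not part of the original hack; it assumes Windows PowerShell with the Get-EventLog and Limit-EventLog cmdlets and an administrative session, and the 16MB target and the function and variable names are assumptions.

```powershell
# Added example. Target values are assumptions; adjust to your review cycle.
$apply               = $false # set to $true to change settings, not just report
$targetSizeBytes     = 16MB   # assumed; Limit-EventLog needs a multiple of 64KB
$targetRetentionDays = 31     # the retention period suggested in the text
$logNames = 'Application', 'Security', 'System'

function Test-LogSetting {
    param($Log)   # a System.Diagnostics.EventLog object from Get-EventLog -List
    $problems = @()
    if ($Log.MaximumKilobytes * 1KB -lt $targetSizeBytes) {
        $problems += "maximum size is $($Log.MaximumKilobytes) KB"
    }
    switch ([string]$Log.OverflowAction) {
        'OverwriteAsNeeded' { $problems += 'oldest events are overwritten as needed' }
        'OverwriteOlder' {
            if ($Log.MinimumRetentionDays -lt $targetRetentionDays) {
                $problems += "events are kept only $($Log.MinimumRetentionDays) days"
            }
        }
        # 'DoNotOverwrite' is accepted: the log must then be cleared manually.
    }
    return $problems
}

$logs = Get-EventLog -List | Where-Object { $logNames -contains $_.Log }
foreach ($log in $logs) {
    $problems = @(Test-LogSetting -Log $log)
    if ($problems.Count -eq 0) {
        Write-Output "$($log.Log): meets target"
        continue
    }
    Write-Output "$($log.Log): $($problems -join '; ')"
    if ($apply) {
        # Never shrink a log or shorten retention that already exceeds the target.
        $size   = [Math]::Max($log.MaximumKilobytes * 1KB, $targetSizeBytes)
        $limits = @{ LogName = $log.Log; MaximumSize = $size }
        if ([string]$log.OverflowAction -ne 'DoNotOverwrite') {
            $limits.OverflowAction = 'OverwriteOlder'
            $limits.RetentionDays  = [Math]::Max($log.MinimumRetentionDays, $targetRetentionDays)
        }
        Limit-EventLog @limits
    }
}
```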

    © 2003-2008 by Developer Shed. All rights reserved. DS Cluster 2 hosted by Hostway