2

I want to read security audit logs from a network service. By default, Network Service does not have permission to read but it can if the account is added to "Event Log Readers". One of the examples is mentioned here.

However, I want to understand what would be security implications of this. Does it pose a considerable security threat?

Akshat
  • 21
  • 1

1 Answers1

1

The security implication of this would be that if an application which is running under Network Service is compromised, an attacker would be able to read those event logs.

The preferred way to handle this situation is to create a new login with similar permissions to network service, and to give that access to the event logs.

Dan Landberg
  • 3,312
  • 12
  • 17
  • Thanks, I wanted to know if there is any sensitive information in those logs which can be used for further exploitation? Also, the new login you are talking about, can it be created at the installation time programmatically? – Akshat May 08 '18 at 15:34
  • Whether there is sensitive information or not depends on the applications writing to the log and the security requirements of your environment. I cannot answer that question. But yes, you can create the new user programmatically during installation. See this powershell commandlet: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/new-localuser?view=powershell-5.1 – Dan Landberg May 08 '18 at 21:14