DOCUMENT:Q188855 09-AUG-2001 [winnt] TITLE :Security Privilege Must be Enabled to View Security Event Log PRODUCT :Microsoft Windows NT PROD/VER:WinNT:4.0 OPER/SYS: KEYWORDS: ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Workstation version 4.0 SP4 - Microsoft Windows NT Server version 4.0 SP4 - Microsoft Windows NT Server, Enterprise Edition version 4.0 SP4 ------------------------------------------------------------------------------- SUMMARY ======= Security Privilege Must be Enabled to View Security Event Log MORE INFORMATION ================ Windows NT 4.0 Service Pack 4 includes a bug fix in the Event Log service that requires SE_SECURITY_NAME privilege, also know as the Security privilege, to be enabled in order to view and manage the security event log. By default, Windows NT grants the privilege to Administrators and local System. However, the privilege must also be enabled in the program accessing the security event log in order to take effect. This article updates information found in the following Microsoft Knowledge Base article: ARTICLE-ID: Q129126 TITLE : New Access Privileges for Event Log, Audit Log and Registry Prior to this change, members of the Administrators group and services running as local System could open the security log for read or change access without enabling the Security privilege. If the privilege was removed from the Administrators group, members of the Administrators group could still manage the security log. This change enforces the security model that if Administrators do not have the privilege granted to manage the security log, they will not be able to manage log simply because they are members of the Administrators group. However, Administrators can always grant themselves the Security privilege to manage the security log, although this event can be audited. ISVs that provide programs to manage the security event log must enable the privilege constant, SE_SECURITY_NAME, in their program. This privilege is required to view and manage security event log information. A sample program on how to enable privileges in Windows NT is available in the Platform SDK under the following topic: Windows Base Services; Security; Access Control; Using Access Control; Enabling and Disabling Privileges. Refer to the SDK for documentation on interfaces: LookupPrivilegeValue and AdjustTokenPrivileges for more information. Background: Windows NT privileges are granted to users or groups to allow them to manage system resources. Privileges are granted to users or groups in the User Manager under the Security Menu, User Rights option. The privilege to manage the security log is identified as "Manage auditing and security log". Having the privilege granted is not sufficient for use. Before you can perform the operation defined by the privilege, the privilege must be enabled in the security access token in order to take effect. The model allows privileges to be enabled only for specific system operations and then disabled when they are no longer needed. Additional query words: sp4 ====================================================================== Keywords : Technology : kbWinNTsearch kbWinNTWsearch kbWinNTW400search kbWinNT400search kbWinNTW400sp4 kbWinNTSsearch kbWinNTSEntSearch kbWinNTSEnt400sp4 kbWinNTS400sp4 kbWinNTS400search Version : WinNT:4.0 Issue type : kbinfo ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2001.