So, was (semi)recently tasked with getting rid of service accounts out of our Domain Administrators group because, as you know, service accounts in Domain Admins group is BAAAAD! One of the accounts that was there was for our SIEM, to get at Domain Controller security event logs – somewhat important to keep and log and monitor. However, for expediency sake, the service account for this was added to the Domain Admins group…and now we’re trying to get it out of there.
Well…let me tell you, it’s easier said than done!
I should say that this information isn’t new information – it’s pretty standard, but I found it scattered around a few different places, so thought I’d collate what I’d found in one place for others and for future reference for myself!
Please bear in mind that these are the permissions required for the SIEM we use – you might find that what you’re trying to do needs more, or perhaps needs less. Ours is pulling logs across the network – if yours pushes logs or is only accessing them locally, it might be different. Remember, least privilege and all that jazz.
Service Account – so, first things first, create a service account that’s going to have access – name it properly, add a description, all that good stuff. I’ll refer to the service account as (unsurprisingly) <your service account> in this run through.
This only needs to be done once for the domain.
Addition to Domain Groups – add <your service account> account to the following Domain groups:
- Event Log Readers – this one should be pretty obvious, it needs to read the Event Log!
- Distributed COM Users – had to do some research for this one (not ashamed to admit!) to find out why, this is because a number of SIEM’s are pulling information across the network (server not pushing) so the service account will need to be able to grab the Event Log information from the server (someone correct me if I’m wrong on this!)
- Remote Management Users – similar to DCOM Users, service account is going to need to remotely manage the event log, so will need to be in this group in order to do just that
This only needs to be done once for the domain.
Change to Group Policy – there is a slight GPO change that will need to be done:
- You’ll need to modify the GPO you have set up for your Domain Controllers – this *should* be a different policy to the “Default Domain Controller Policy”
- Modify:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment – “Manage auditing and security log” (add <your service account> to this) - This may not be required for all, but it was required for our SIEM
This only needs to be done once for the domain.
WMI Permissions – you will need to modify the following within WMI (this set of instructions is for Windows Server 2012 R2):
- Open ‘Computer Management’
- Expand out ‘Services and Applications’
- Click on ‘WMI Control’
- Right-click and select ‘Properties’
- Select the ‘Security’ tab
- Click on ‘Root’
- Click on ‘Security’ (bottom right corner)
- Click ‘Add…’ and add <your service account>
- Give this account the following rights:
- Execute Methods – may be required, suggest testing without this permission first
- Provider Write – may be required, suggest testing without this permission first
- Enable Account – the bare minimum of what’s required for most products that want your Event Logs (it appears)
- Remote Enable – may be required, suggest testing without this permission first
This needs to be done on every Domain Controller*.
Registry changes – you’ll need to modify the registry in the following ways:
- Modify the permissions on
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security – give <your service account> ‘Read’ permissions - Modify the following registry key:
- HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\CustomSD
- Add the following to the end:
(A;;0x7;;;S-1-5-32-562) - This is adding the Distributed COM Users (S-1-5-32-562) to be able to do magic things to the Security event log
Now, I found that I also had to run the following (maybe I hadn’t done the registry stuff right the first time) but may:
wevtutil sl security /ca: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)(A;;0x7;;;S-1-5-32-562)
Now, this *should* do the same thing as the modification of the registry…I believe…but it didn’t for me. Both actions were required, as a check of ‘wevtutil gl security’ didn’t show the listing as in the registry key until the ‘wevtuil sl security’ command was run.
This needs to be done on every Domain Controller*.
Service restarts – the following restarts are required, unless you’re planning on restarting the server:
- “Windows Remote Management (WS-Management)” service
- “Windows Event Log” service
This needs to be done on every Domain Controller*.
*Note – For the things that are marked as “every Domain Controller” – this can be scripted and done via GPO’s, but due to the small number of machines involved and our aversion to scripts in GPO’s, we preferred to do this manually.
So that’s it – from what I’ve found, this is what was required for a service account tied to a SIEM to be able to view and pull Security event log data. I would also assume that this would be very similar for other logs (e.g. Application or System), just with some minor modifications.
If you feel I’ve missed something, or feel I’ve done something wrong, let me know. Always open to comments and criticisms!
Make sure when you modify the permissions on HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security that you set the permission for ‘this key and all subkeys’. By default, if you add permissions it will only do it for the root key level. You have to go into ‘advanced’ on the permissions window.
After spending days on this issue, I finally found your post and it solved the issue for my particular need. ChadH’s suggestion also help solve the problem. Thank you for solution.
I can’t find HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\CustomSD … am i missing something – Win2012 R2
Thanks Jess, after a good 8 hours of nosing around the web and trying different approaches you totally solved this puzzle for me!
Such a great post – cheers 🙂
Dave
Have you ever verified these steps for getting access to the System event log on a Domain Controller? Followed your steps for the Security log, but still get Access Denied for the System log.
Be sure remote management is enabled on the server. This is enabled by default on 2012R2 & Up
Add the network Service Account to the Event Log readers group (A;;0x1;;;S-1-5-20)
wevtutil gl security – This is gonna display the SIDs that have access. In some cases you need to add (A;;0x1;;;S-1-5-20) use the command below. This adds access to the network service account.
wevtutil sl security /ca: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)
Run wevtutil gl security again to be sure the network service account was added (cmd prompt rus as admin)
Now add the member-server\workstation where you want the events to forward to
Add-ADGroupMember –identity ‘Event Log Readers’ –member contososrv1$
On the member server open event viewer and go to subscriptions, create a subscription and add your source server.
This could take up to 15 mins for logs to begin pouring in.
If you have any scheduled tasks tied to your logs, such as event 4740 (account lockout) move that task to the member server. Create a standard user in AD. Open local GPO on the member server add the user right assignment to logon as batch. Now use that account to run your task. This way you don’t need domain admin rights to read the logs from the server or trigger a powershell script when the alert is logged.
Thanks for the info! I needed the group name, so you’re awesome!