When configuring a Windows system for a specific role, it is good practice to apply the correct security template so that the system is hardened in a supported manner. The Security Configuration Wizard (SCW) lets you accomplish this. However, it is very common for system administrators to customize their security policies according to business needs. Be aware that system service hardening is not only about disabling services that a specific role does not need; it is also about configuring the server so that it performs its role securely. If a system administrator over-tightens the security of a server, the side effects can be as bad as leaving the system without hardening. A classic example is when a change disables one service and, as a result, the services that depend on it fail to start.
One particular group of settings that is often overlooked or changed is the event log settings. This article describes the core Event Viewer settings for Application, System and Security events and how to configure these options with security in mind.
The event settings are located at Computer Configuration\Administrative Templates\Windows Components\Event Log Service. There you have Application, Security, Setup and System as you can see below:
Within each option (except Setup, which has one additional option) you will also have:
Two of these options should be carefully evaluated before making any changes: Maximum Log Size (KB) and Retain old events. To help you understand why, the security considerations for changing those settings are described below.
By knowing the potential vulnerability that each option can expose, you will better understand the impact that changing that setting can have on your environment. Review the vulnerabilities below per option and per event type.
Event Type: Application and System
Event Type: Security
In order to mitigate those vulnerabilities the following countermeasures are recommended:
Event Type: Application, System and Security
When planning your system hardening strategy, make sure to cover all settings that will be affected by those customizations. Always make these changes in a custom template and use the Security Compliance Manager to compare your own template with the recommended one for the OS version and server role. Make the changes in a lab environment and test them before putting them into production. By reviewing those options and evaluating the security impact that each one will have, you reduce the risk that your hardening will have a negative impact on the server.
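One way to verify the effective values of the two settings discussed above on a server, for example in the lab before and after applying a template, is the following PowerShell check. It is an added example and not part of the original article; the minimum log sizes are assumed thresholds, to be replaced with the values from the template you compare against.

```powershell
# Added example (not from the original article): audit Maximum Log Size and
# Retain old events for the Application, System and Security logs on the
# local machine. The minimum sizes are assumed thresholds for illustration;
# use the values from your own security template.
$minimumSizeKB = [ordered]@{
    'Application' = 32768
    'System'      = 32768
    'Security'    = 196608
}

$findings = foreach ($logName in $minimumSizeKB.Keys) {
    # Get-WinEvent -ListLog reports the effective configuration, whether it
    # was set locally or through the Event Log Service policy settings.
    $log = Get-WinEvent -ListLog $logName -ErrorAction Stop

    $sizeKB = [int]($log.MaximumSizeInBytes / 1KB)
    $issues = @()

    if ($sizeKB -lt $minimumSizeKB[$logName]) {
        $issues += "Maximum Log Size is $sizeKB KB, below the expected $($minimumSizeKB[$logName]) KB"
    }

    # LogMode reflects the 'Retain old events' choice:
    #   Circular   = overwrite events as needed when the log is full
    #   AutoBackup = archive the full log and start a new one
    #   Retain     = keep old events; new events are discarded once the log is full
    if ($log.LogMode -eq 'Retain') {
        $issues += "Retain old events is enabled without archiving; new events are lost when the log is full"
    }

    if (-not $log.IsEnabled) {
        $issues += "Log is disabled, so nothing is recorded"
    }

    [pscustomobject]@{
        Log         = $logName
        MaxSizeKB   = $sizeKB
        LogMode     = $log.LogMode
        RecordCount = $log.RecordCount
        Issues      = if ($issues) { $issues -join '; ' } else { 'OK' }
    }
}

$findings | Format-Table -AutoSize
```

Run it in an elevated session, since reading the Security log configuration requires administrative rights.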
Related topics: Audit Policy, Security Configuration Wizard, Microsoft Security Compliance Manager