How can I securely log all actions from Windows administrators, so that the log cannot be accessible to them?
If you have the resources, recommended practice is for your systems to log both locally and to a remote log server, preferably a dedicated system whose only responsibility is to collect logs from other systems. If you wish to review your administrators' activities and ensure they have not tampered with the log files, you can deny them physical and network access to the remote log server. This approach provides not only redundancy but also an extra layer of security, because you can compare the two sets of logs against one another; any differences potentially indicate suspicious activity. In addition, a dedicated log server that collects logs from other systems allows cross-checking of log files across the organization. For example, one line in a log file on a single server may not be suspicious, but the same entry on five servers across an organization within a minute of each other may be a sign of a major problem. To copy the log files to another location, you can use a tool like EventReporter, which processes the Event Logs, parses them and forwards the results via the Syslog protocol to a central server. You can learn more about the Syslog protocol at http://www.eventreporter.com. If you really must prevent your administrators from accessing your log files, log only to a secured remote log server.
If you do not have the resources for a dedicated log server, consider using NTFS file encryption as a way of preventing certain Windows administrators from viewing the log files. First, create a new user account, give it the "log on as a service" right, and set the Eventlog service to log on using this account. Next, log on using this account and set the log file directory to point to an NTFS-formatted drive. Set the permissions so that only the new account can read or write to the drive. Then use the Advanced Properties to encrypt the contents of the drive. You should back up the account's private key, because it will be needed to recover the encrypted log data if a problem occurs. When you want to view the log files, you will need to log on to the computer using this account.
Your administrators will still have the rights to change the access permissions on the log files, but at least the files will be encrypted. To prevent them from decrypting the files, you will also need to ensure that they are not designated as a Disaster Recovery Agent, which is the Windows 2000 Administrator account.
This approach is rather awkward and I would prefer to tackle this problem by reviewing why you need to prevent your administrators from accessing the log files. Are you suspicious that some of your administrators are untrustworthy? If this is the case, you need to involve HR and look at restricting their system permissions to the bare minimum that allows them to perform their assigned tasks. Remember that no one person should have permission to do everything on a networked system.
This was first published in August 2005