The Security permission must be granted to view the Security event log

Security permission must be granted to view the Security event log.

Microsoft Windows NT 4.0 Service Pack 4 (SP4) includes a bug fix in the Event Log service that requires the SE_SECURITY_NAME permission, also know as the Security permission, to be enabled in order to view and manage the Security event log. By default, Windows NT grants the permission to Administrators and local System.

This article updates information found in the following Microsoft Knowledge Base article: In versions of Windows NT earlier than Windows NT 4.0 SP4, Administrator and services running as Local System could read or change the Security event log without the Security permission. If the Security permission was removed from the Administrators group, Administrators could still view and manage the Security event log.

In Windows NT 4.0 SP4 and later versions, Administrators cannot manage the Security event log without the Security permission. However, Administrators can grant themselves the Security permission. (This event can be audited.)

In Windows NT 4.0 SP4 and later versions, independent software vendors (ISVs) that provide programs to manage the Security event log must enable the Security permission constant, SE_SECURITY_NAME, in their program. This Security permission is required to view and manage the Security event log.

A sample program on how to enable permissions in Windows NT is available in the Platform SDK under the following topic: Windows Base Services; Security; Access Control; Using Access Control; Enabling and Disabling Privileges. Refer to the SDK for documentation on interfaces: LookupPrivilegeValue and AdjustTokenPrivileges for more information.

Background

Windows NT permissions are granted to users or groups to allow them to manage system resources. Permissions are granted to users or groups in the User Manager under the Security Menu, User Rights option. The permission to manage the security log is identified as "Manage auditing and security log." Having the permission granted is not sufficient for use. Before you can perform the operation defined by the permission, the permission must be enabled in the security access token in order to take effect. The model allows permissions to be enabled only for specific system operations and then disabled when they are no longer needed.