Security permission must be granted to view the Security event log.
Microsoft Windows NT 4.0 Service Pack 4 (SP4) includes a bug fix in the Event Log service that requires the SE_SECURITY_NAME permission, also known as the Security permission, to be enabled in order to view and manage the Security event log. By default, Windows NT grants the permission to Administrators and local System.
This article updates information found in the following Microsoft Knowledge Base article:
New access privileges for event log, audit log, and registry
In versions of Windows NT earlier than Windows NT 4.0 SP4, Administrator and services running as Local System could read or change the Security event log without the Security permission. If the Security permission was removed from the Administrators group, Administrators could still view and manage the Security event log.
In Windows NT 4.0 SP4 and later versions, Administrators cannot manage the Security event log without the Security permission. However, Administrators can grant themselves the Security permission. (This event can be audited.)
In Windows NT 4.0 SP4 and later versions, independent software vendors (ISVs) that provide programs to manage the Security event log must enable the Security permission constant, SE_SECURITY_NAME, in their program. This Security permission is required to view and manage the Security event log.
A sample program showing how to enable permissions in Windows NT is available in the Platform SDK under the following topic: Windows Base Services; Security; Access Control; Using Access Control; Enabling and Disabling Privileges. Refer to the SDK documentation on the LookupPrivilegeValue and AdjustTokenPrivileges interfaces for more information.
Windows NT permissions are granted to users or groups to allow them to manage system resources. Permissions are granted to users or groups in the User Manager under the Security Menu, User Rights option. The permission to manage the security log is identified as "Manage auditing and security log." Having the permission granted is not sufficient for use. Before you can perform the operation defined by the permission, the permission must be enabled in the security access token in order to take effect. The model allows permissions to be enabled only for specific system operations and then disabled when they are no longer needed.
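The enable, use, disable sequence described above, as an added example (not the Platform SDK sample and not Microsoft's code). The function names privilege_adjusted and set_privilege are hypothetical, and the non-Windows typedefs are stand-ins so that the result check compiles on other platforms.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>   /* link with advapi32 */
#else                  /* stand-ins so the result check compiles elsewhere */
typedef int BOOL;
typedef unsigned long DWORD;
#define ERROR_NOT_ALL_ASSIGNED 1300L
#endif
/* AdjustTokenPrivileges returns TRUE even when the account was never granted
   the privilege; only GetLastError() == ERROR_NOT_ALL_ASSIGNED reveals it. */
int privilege_adjusted(BOOL ok, DWORD last_error)
{
    return ok && last_error != ERROR_NOT_ALL_ASSIGNED;
}

#ifdef _WIN32
static int set_privilege(LPCTSTR name, BOOL enable)
{
    HANDLE token;
    TOKEN_PRIVILEGES tp;
    BOOL ok = FALSE;
    DWORD err = 0;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &token))
        return 0;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = enable ? SE_PRIVILEGE_ENABLED : 0;
    if (LookupPrivilegeValue(NULL, name, &tp.Privileges[0].Luid)) {
        ok = AdjustTokenPrivileges(token, FALSE, &tp, 0, NULL, NULL);
        err = GetLastError();
    }
    CloseHandle(token);
    return privilege_adjusted(ok, err);
}
#endif

int main(void)
{
    int rc = 0;
#ifdef _WIN32
    HANDLE log;
    if (!set_privilege(SE_SECURITY_NAME, TRUE))
        return 1;                               /* granted? if not, stop here */
    log = OpenEventLog(NULL, TEXT("Security")); /* NULL if access is denied */
    rc = (log == NULL);
    if (log != NULL)
        CloseEventLog(log);
    set_privilege(SE_SECURITY_NAME, FALSE);     /* disable when no longer needed */
#endif
    return rc;
}
```

An exit code of 1 means either the account does not hold "Manage auditing and security log" or the Security log could not be opened.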