Q: Is there anything built into Windows that can verify that the Security event log hasn’t been tampered with (i.e., modified, added to, or deleted from)?
A: First, it’s important to understand that tampering with Windows event logs isn’t easy. One can’t open the Windows Security log and directly edit it because the event logging service always has the file opened exclusively. Furthermore, there’s no API in Windows for changing or deleting events in the Security log—only for reporting new events. Basically, one must have either administrator authority or physical access to tamper with the Security log.
That said, you can’t be absolutely sure that the log hasn’t been tampered with. The best you can do is keep a sharp eye out for evidence that the log might have been altered. Look for the following events or occurrences:
-- Event ID 517, which indicates that the audit log was cleared and reports who cleared it.
-- Event ID 512, which logs a system restart. The system (including the Security log) is vulnerable to tampering during a system restart.
-- The Event Log Service inexplicably crashes or you find a file called dummy.dat in C:\windows\system32\config.
These occurrences can indicate that someone with administrative authority executed Win-Zapper, an intrusion tool that can be used to delete event log records. An administrator account is compromised, meaning someone could try to use the compromised account to alter the Security log.
The best way to ensure the integrity of the Security log is to send security events as they occur to another system that’s secured with separate administrator credentials. Many Security log consolidation products include the functionality to ensure the confidentiality and integrity of the Security log as it traverses the network. Windows versions before Windows Vista lack this functionality, but there are many event log management solutions that ensure confidentiality and integrity with or without agents.
