Windows NT 4.0 with Service Pack 3, no hotfixes
A bug has been identified with the control of user rights when clearing the security event log.
If a user has been given the right "Manage auditing and security log", they can clear the Security Event Log without the action logging the Event 517: Audit log has been cleared.
This problem does not occur with administrators (whether they have the right or not). I have tested the fix outlined in kb article q142615 to see if this resolves the problem, however the event is still not logged.
The user logs onto the master domain on a workstation which is a member of the master domain. The user account is a member of Domain Users and Server Operators with the user right "Manage auditing and security log". The user opens the Event Viewer to the Security Log and selects to Clear. The server is Windows NT 4.0 (SP3, no hotfixes) and the workstation is Windows NT 4.0
(SP3, no hotfixes).
To learn more about new NT security concerns, subscribe to NTSD.Credit:
Reported by: Elvio Serrao ([email protected])
Posted here at NTSecurity.Net