Q: What is the role of the User Access Logging service that Microsoft includes in Windows Server 2012? Is this a security-related service and/or does it create any security-related implications I must be aware of?
A: The User Access Logging (UAL) service is a new service that is enabled by default starting with Windows Server 2012. The service can collect client usage data by server roles (for example: Certificate Services, RMS, Hyper-V, IIS…) and by the software products installed on a Windows server. These log data can then be used by IT administrators to find the exact usage of a service or application by a user, by a specific user device, or by date. To retrieve the UAL log data an administrator can use Windows Management Instrumentation (WMI) or PowerShell (PS) cmdlets. UAL stores its log data in a set of local database files in the %systemdrive%\Windows\System32\Logfiles\SUM\ folder.
Administrators that are worried about the amount of data that UAL logs on heavily used servers, admins that have privacy concerns about the data UAL collects, or admins that simply don’t plan to use the UAL log data at all, can disable this service.
You can stop and disable the service from the Services console. To do so, you must open Server Manager, point to Tools, and click on Services. Then search for the “User Access Logging” service entry, and click “Stop this service”. Disabling the service can be done from the General tab in the service properties that you can access by right-clicking the service.
You can do the same from the command line using a set of PS cmdlets. To stop the UAL service using PS you must use the stop-service cmdlet as follows:
Stop-service ualsvc
To disable the UAL service just type the following at the PS prompt:
Disable-ual
Check the following Microsoft article for more information on how to retrieve UAL data: https://technet.microsoft.com/en-us/library/jj574126.aspx.