A full event log does not send administrative alerts
From: Eitan Caspi <eitancaspi () yahoo com>
Date: 11 Oct 2002 19:34:42 -0000
I would like to report a vulnerability that I reported to MS and that
now has a remedy.
Unfortunately, MS decided that this problem does not deserve its own
urgent security hotfix and preferred to wait for the latest service packs.
Affected OS: Windows 2000 (server and professional) up to and including
SP2 and Windows XP Professional (no SP, the initial version only)
Remedy: Applying Windows 2000 SP3 or Windows XP SP1 for each OS
If you configure an event log (of any kind, not only security;
application and system as well) not to overwrite itself but to stop
logging when it is full (and thus let you save it aside as a file
and only then clear it), and you also set this PC to send
administrative alerts (pop-up messages generated using the "Alerter"
and "Messenger" services on the originating PC when certain system events
are triggered locally, like a full event log or lack of disk space, and
received on the target PC by an active "Messenger" service), these alerts
are never sent when ANY event log type (not only security) fills up
and thus stops logging.
Attached are links to articles explaining how to set up administrative
alerts in Windows 2000 and XP:
Q243625 - How to Configure Administrative Alerts in Windows 2000
Q310490 - HOW TO: Set Up Administrative Alerts in Windows XP
The problem here, mostly with the security event log, is that the log can
be filled (by normal security logging by the OS, or by a
malicious attacker filling the log with bogus events just to fill
the log to the point where it stops logging), and when the log is full,
no malicious or regular security events are logged (and no
administrator is aware of the fact that the log should be cleared aside).
This can also be risky for the system event log (I think it is the system
type): if it can't log the fact that a drive is almost full, this
can lead to an OS / application corruption up to (or should I say "down to"
No exploit programs are required, but I guess any program that can fill up
the security event log with bogus events can help attackers.
Not any I am aware of.
For Windows 2000 Server and Professional: Apply SP3 for Windows 2000
For Windows XP Professional: Apply SP1 for Windows XP
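As an added example (not part of the original post), the following PowerShell script is a compensating check for the behaviour described above on a current Windows host: it inspects the classic logs, picks out those configured to stop logging when full (the "do not overwrite events" setting, reported as LogMode 'Retain' by Get-WinEvent -ListLog), and raises its own warning when such a log is nearly full or has already stopped logging, so an operator is told even if no administrative alert is ever sent. It assumes Windows PowerShell 5.1 or later, an elevated session (reading the Security log's file size needs it), and a constructed 80% warning threshold.

```powershell
# Added example, not from the original post: warn about "do not overwrite"
# event logs that are close to full or already full, since the platform
# alert described in the advisory cannot be relied on.
param(
    [int]$WarnPercent = 80,                                   # constructed threshold
    [string[]]$LogName = @('Application', 'Security', 'System')  # classic logs
)

# Get-WinEvent -ListLog exposes LogMode, MaximumSizeInBytes, FileSize,
# RecordCount and IsLogFull for each log (run elevated for Security).
$results = foreach ($log in Get-WinEvent -ListLog $LogName -ErrorAction Stop) {
    # Only logs that stop logging when full ('Retain') have this problem;
    # 'Circular' logs overwrite old events and never fill up.
    if ($log.LogMode -ne 'Retain') { continue }

    $pct = if ($log.MaximumSizeInBytes -gt 0) {
        [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes, 1)
    } else { 0 }

    [pscustomobject]@{
        LogName     = $log.LogName
        Mode        = $log.LogMode
        Records     = $log.RecordCount
        PercentFull = $pct
        IsLogFull   = $log.IsLogFull
    }
}

# Emit a warning per log instead of relying on Alerter/Messenger pop-ups;
# feed these warnings into whatever alerting the site already uses.
foreach ($r in $results) {
    if ($r.IsLogFull) {
        Write-Warning ("{0} log is FULL and has stopped logging; back it up to a file, then clear it" -f $r.LogName)
    } elseif ($r.PercentFull -ge $WarnPercent) {
        Write-Warning ("{0} log is {1}% full; schedule a backup and clear" -f $r.LogName, $r.PercentFull)
    }
}

$results | Format-Table -AutoSize
```

Schedule it (Task Scheduler) to run periodically; a Retain-mode log that reaches its maximum size will show IsLogFull as True and a record count that no longer grows.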
The TechNet article regarding this issue can be found in
Email: eitancaspi () yahoo com