Event Viewer and Internet Communication

Applies To: Windows Server 2003 with SP1

This section provides information about:

  • The benefits of Event Viewer

  • How Event Viewer communicates with sites on the Internet

  • How to control Event Viewer to prevent the flow of information to and from the Internet

Benefits and Purposes of Event Viewer

Administrators can use Event Viewer to view and manage event logs. Event logs contain information about hardware and software problems and about security events on your computer. A computer running Microsoft Windows Server 2003 records events in at least three kinds of logs: application, system, and security. A computer running Windows Server 2003 which is configured as a domain controller records events in two additional logs, the Directory service log and the File Replication service log. A computer running Windows Server 2003 which is configured as a Domain Name System (DNS) server records events related to DNS in an additional log.

Other types of events and event logs might be available on a computer, depending on what services are installed.

Overview: Using Event Viewer in a Managed Environment

The Event Log service starts automatically when you start the operating system. Administrators access event logs for a server through Administrative Tools\Event Viewer. They can obtain detailed information about a particular event by either double-clicking the event or selecting the event and clicking Properties on the Action menu. The dialog box gives a description of the event, which can contain one or more links to Help.

Links can either be to Microsoft servers or to servers managed by the software vendor for the component that generated the event. On Windows Server 2003, most events that originate from Microsoft products will have standard text containing a URL at the end of the description ("For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp").

When you click the link, you are asked to confirm that the information presented can be sent over the Internet. If you click Yes, the information listed will be sent to the Web site named in the link. The parameters in the original URL will be replaced by a standard list of parameters whose contents are detailed in the confirmation dialog box. This list is provided in the next subsection under "Specific Information Sent or Received."

You may want to prevent users from sending this information over the Internet through this link and accessing a Web site. Alternatively, you may want to redirect the requests that result from users clicking links in Event Viewer so that the requests go to a Web server in your organization. In Windows Server 2003 with SP1, you can do either of these things through Group Policy.

How Event Viewer Communicates with Sites on the Internet

In order to access the relevant Help information provided by the link in the Event Properties dialog box, you must send the information listed about the event. The collected data is confined to what is needed to retrieve more information about the event from the Microsoft Knowledge Base. User names and e-mail addresses, names of files unrelated to the logged event, computer addresses, and other forms of personal information are not collected.

The exchange of information that takes place over the Internet is as follows:

  • Specific information sent or received: Information about the event sent over the Internet includes the following:

    • Company name (software vendor)

    • Date and time

    • Event ID (for example, 1704)

    • File name and version (for example, userenv.dll, 5.2.3790.1830)

    • Product name and version (for example, Microsoft Windows Operating System, 5.2.3790.1830)

    • Registry source (for example, Userenv)

    • Type of event message (for example, Error)

    The information the user receives is from the Web site named in the link.

  • Default settings: Access to Event Viewer is enabled by default.

  • Triggers: The user chooses to send information about the event over the Internet in order to obtain more information about the event.

  • User notification: When a user clicks the link, a dialog box listing the information that will be sent is provided.

  • Logging: This is a feature of Event Viewer.

  • Encryption: The information may or may not be encrypted, depending on whether the link uses HTTP or HTTPS.

  • Access: No information is stored.

  • Privacy: For information about privacy, in Help and Support, type Linking to Microsoft for Help and Support.

  • Transmission protocol and port: Communication occurs over the standard port for the protocol in the URL, using either HTTP or HTTPS.

  • Ability to disable: The ability to send information over the Internet or to be linked to a Web site can be prevented through a Group Policy setting.

Controlling Event Viewer to Prevent the Flow of Information to and from the Internet

You can prevent administrators from sending information across the Internet and accessing Internet sites through Event Viewer by configuring Group Policy. Alternatively, you can use Group Policy to redirect the requests that result from a person clicking a link in Event Viewer so that the requests go to a Web server in your organization.

These Group Policy settings affect only the flow of information to and from an intranet or the Internet through Event Viewer, not the other functions of Event Viewer.

Procedures for Preventing the Flow of Information to and from the Internet Through Event Viewer

The following procedures tell how to use Group Policy to prevent the flow of information to and from the Internet through Event Viewer.

To Use Group Policy to Prevent the Flow of Information to and from the Internet Through Event Viewer

  1. See Appendix B: Resources for Learning About Group Policy, for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO.

  2. Click Computer Configuration, click Administrative Templates, click System, click Internet Communication Management, and then click Internet Communication settings.

  3. In the details pane, double-click Turn off Event Viewer "Events.asp" links, and then click Enabled.

Important

You can also restrict Internet access for this and a number of other components by applying the Restrict Internet communication policy setting, which is located in Computer Configuration/Administrative Templates/System/Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C: Group Policy Settings Listed Under the Internet Communication Management Key.

The following procedure tells how to use Group Policy to redirect the requests that result from users clicking links in Event Viewer so that the requests go to a Web server in your organization.

  1. See Appendix B: Resources for Learning About Group Policy, for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO.

  2. Click Computer Configuration, click Administrative Templates, click Windows Components, and then click Event Viewer.

  3. In the details pane, double-click Events.asp URL, click Enabled, and then type in the URL for the Web page that you want Event Viewer links to go to. Click OK.

  4. In the details pane, double-click Events.asp program, click Enabled, and then type the path for the program that should be used for displaying the URL that you typed in the previous step. If you want the page to be displayed in the Web browser and the Web browser is in the system path, you can type the name of the Web browser executable alone, for example, iexplore.exe.

  5. In the details pane, double-click Events.asp program command line parameters, click Enabled, and then type any command line parameters required for the program you typed in the previous step. If the program you typed in the previous step does not use parameters, clear the text box.

Note

Even after the preceding settings go into effect, when a person clicks a link in Event Viewer, the notification still appears, stating that Event Viewer will send information across the Internet and asking for confirmation. Regardless of the notification, if you carry out the preceding procedure and redirect events to a Web server in your organization, the information goes to that server, not across the Internet.
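Because the confirmation dialog box looks the same whether or not the settings are in effect, outbound proxy logs are a more reliable place to verify the result. The following script is an added example and is not part of the original documentation. It flags computers whose Event Viewer link requests still reach go.microsoft.com and notes whether they went over HTTP or HTTPS. The log layout, the computer names, and the intranet host eventhelp.corp.example are assumptions.

```python
from urllib.parse import urlsplit

# Link target quoted in the standard event description text on this page.
MS_HOST, MS_PATH = "go.microsoft.com", "/fwlink/events.asp"
# Assumption: hypothetical intranet server set in the "Events.asp URL" policy.
INTERNAL_HOST = "eventhelp.corp.example"

# Constructed sample proxy log lines: "<time> <client> <method> <url>".
SAMPLE_LOG = """\
2005-06-01T09:14:02 SRV-DC01 GET http://go.microsoft.com/fwlink/events.asp
2005-06-01T09:20:45 SRV-FS02 GET https://go.microsoft.com/fwlink/events.asp
2005-06-01T09:31:10 SRV-DNS1 GET http://eventhelp.corp.example/events.asp
2005-06-01T09:40:00 SRV-FS02 GET http://www.example.org/index.html
malformed line
"""

def classify(url):
    """Return 'internet-cleartext', 'internet-encrypted', 'redirected' or None."""
    parts = urlsplit(url)  # any query string is ignored; only host and path matter
    host = (parts.hostname or "").lower()
    if host == INTERNAL_HOST:
        return "redirected"
    if host == MS_HOST and parts.path.lower() == MS_PATH:
        return "internet-cleartext" if parts.scheme == "http" else "internet-encrypted"
    return None

def audit(log_text):
    """Map each client to the set of Event Viewer link outcomes seen for it."""
    findings = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not match the expected layout
        _, client, _, url = fields
        outcome = classify(url)
        if outcome:
            findings.setdefault(client, set()).add(outcome)
    return findings

def noncompliant(findings):
    """Clients whose Event Viewer requests still reached the Internet."""
    return sorted(c for c, seen in findings.items()
                  if any(o.startswith("internet-") for o in seen))

if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for client in noncompliant(result):
        print(client, sorted(result[client]))
```

A computer listed as noncompliant has not yet received the GPO; one that shows only "redirected" is sending event details to the intranet server as intended.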