Re: Auditing

From: Talisker (talisker@networkintrusion.co.uk)
Date: 08/10/01


Message-ID: <00e101c121db$107dd140$362a7bd5@jigglypuff>
From: "Talisker" <talisker@networkintrusion.co.uk>
To: "Clisby, Tom" <Tom.Clisby@thegarden.com>, <focus-ms@securityfocus.com>
Subject: Re: Auditing
Date: Fri, 10 Aug 2001 20:56:00 +0100

Tom
Try a Host IDS; this may give you more information.
Also increase your log size and set the overwrite only after a period of
time has been exceeded (making sure your logs are big enough). Set your
logged events to all, again making sure your logs are big enough and your DC
is capable of dealing with the number crunching.

Back to the Host IDS, some such as KSE will allow you to tag a user, so
that every time he/she logs on an alert will appear on the console. Also
useful for the primary admin account.

hope this helps, there are many other ways, but I like to promote the use of
Host IDS so I'm biased

cheers
-andy
http://www.networkintrusion.co.uk

----- Original Message -----
From: "Clisby, Tom" <Tom.Clisby@thegarden.com>
To: <focus-ms@securityfocus.com>
Sent: Wednesday, August 08, 2001 8:40 PM
Subject: Auditing

> Hello All,
> Looking for ideas on how to see if someone has been using the
> network, resources on the network
> and when. This person is an employee who has valid login ID etc., they have
> been claiming to be logging
> serious overtime, but there seems to be some doubt.....the only thing I have
> auditing turned on for is logon
> success/failure on the PDC/BDC's and we limit the log size to 8mb and then
> over-write...any thoughts
> would be appreciated.
>
> Tom Clisby
> Senior LAN Analyst
> Corporate I/S
> ETS/MSG
>
>
>
>
>
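The question and the reply both turn on whether the retained Security log still covers the period in dispute. The following is an added example, not part of the original messages: it pairs logon and logoff records for one account and reports whether the oldest surviving record predates the period being checked. The CSV layout, the account names and the sample rows are constructed assumptions; 528 and 538 are the Windows NT/2000 logon and logoff event IDs, which the thread itself does not name.

```python
import csv, io
from datetime import datetime, timedelta

# Constructed sample export, not data from the thread. Assumed columns:
# timestamp, event_id, user, logon_id (528 = logon success, 538 = logoff).
SAMPLE = """\
2001-08-06 08:58:10,528,jdoe,0x1A2B
2001-08-06 09:02:00,528,asmith,0x1A90
2001-08-06 17:31:44,538,jdoe,0x1A2B
2001-08-07 09:05:02,528,jdoe,0x2C10
2001-08-07 21:47:30,538,jdoe,0x2C10
2001-08-08 08:51:19,528,jdoe,0x3D77
"""
FMT = "%Y-%m-%d %H:%M:%S"

def parse(text):
    """Return (time, event_id, user, logon_id) tuples in time order."""
    rows = [(datetime.strptime(ts, FMT), int(eid), user.lower(), lid)
            for ts, eid, user, lid in csv.reader(io.StringIO(text))]
    return sorted(rows)

def sessions(rows, user):
    """Pair each 528 with the 538 that carries the same logon ID."""
    pending, paired = {}, []
    for ts, eid, who, lid in rows:
        if who != user.lower():
            continue
        if eid == 528:
            pending[lid] = ts
        elif eid == 538 and lid in pending:
            paired.append((pending.pop(lid), ts))
    # A logon with no logoff record has an unknown end, so keep it as None.
    paired += [(start, None) for start in pending.values()]
    return sorted(paired, key=lambda s: s[0])

def report(text, user, period_start):
    rows = parse(text)
    oldest = rows[0][0]
    found = sessions(rows, user)
    closed = sum((end - start for start, end in found if end), timedelta())
    return {
        # False means older records were already overwritten or never kept.
        "log_covers_period": oldest <= period_start,
        "oldest_record": oldest,
        "sessions": found,
        "closed_session_time": closed,
        "open_ended": sum(1 for _, end in found if end is None),
    }
```

Calling `report(SAMPLE, "jdoe", datetime(2001, 8, 1))` returns the paired sessions and a `log_covers_period` flag. A logon session bounds when the account was logged on, not what work was done during it.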


