Re: Secure logging of actions of Win2000 administrator?

From: Eric Torbenson (ert1@nospamoptonline.net)
Date: 09/29/02


Niels C Krieger Lassen <nckl@videometer.com> wrote:
> Is there a way to log the actions of the administrator of a local
> Win2000 system?
> If so, can I prevent him/her from deleting his trail?

> (I'm completely new to Win2000 security, so please bear with my ignorance)
> Cheers from Krieger

Windows NT/2000 auditing works a little differently than you think, or so I
gather. You can turn on auditing for a system in the group policy, but it does
not start logging anything until you select items to audit. For example, if you
want to monitor a folder, right-click on the folder, and in the Properties,
select Security and Advanced. The dialog you see allows you to add groups
and the events you'd like to keep track of. The events end up in the Security
event log. The administrator can clear the log, but an entry will appear
every time they do it, complete with username and time stamp. This is the
only way to determine whether or not the admin covered his tracks. Too bad
that Windows doesn't have the Unix syslog capability, which can dump events
to another machine in real time...

IMPORTANT: Don't just turn on global success auditing, especially for a large
amount of users/admins. Auditing slows the system to a crawl when too many
events are being tracked. Experiment and see for yourself.

-Eric
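The three steps Eric describes (an audit entry on the folder, the audit policy that makes it produce events, and the entry left behind when the Security log is cleared), done from PowerShell on a current Windows version instead of the Windows 2000 dialogs. This is an added example, not part of the original thread; the folder path and audited group are placeholders, and it assumes an elevated session.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session. $Folder and $Principal are placeholders; substitute your own.
param(
    [string]$Folder    = 'C:\SensitiveData',
    [string]$Principal = 'BUILTIN\Administrators'
)

# 1. Folder SACL, the equivalent of Properties -> Security -> Advanced ->
#    Auditing. Reading or writing a SACL needs SeSecurityPrivilege, which is
#    why -Audit and an elevated session are required.
$rights  = [System.Security.AccessControl.FileSystemRights]::Write -bor
           [System.Security.AccessControl.FileSystemRights]::Delete
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                   -ArgumentList $Principal, $rights, $inherit, $prop, $flags

$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 2. A SACL produces nothing unless object-access auditing is enabled in
#    policy (the group-policy step in the post). Check it rather than assume:
auditpol /get /subcategory:"File System"

# 3. Clearing the Security log is not silent: the first event in the fresh
#    log records who cleared it and when. On Vista and later this is event
#    ID 1102; on Windows 2000/XP/2003 the same event was ID 517.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Domain = $_.Properties[2].Value   # SubjectDomainName
            User   = $_.Properties[1].Value   # SubjectUserName
            Event  = 'Security log cleared'
        }
    }
```

Step 3 only shows the clear itself; to keep the events that preceded it, forward the Security log to another host (Windows Event Forwarding or a syslog agent), which is the capability the post says the platform lacked at the time.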


