Re: Tips on auditing
From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 11/21/03
- Next message: Scott: "Accounts lockouted when Password Policy applied"
- Previous message: José Manuel Agüero: "Re: i want to use integrated windows authentication(NTLM,win2000) in my application."
- In reply to: Steven L Umbach: "Re: Tips on auditing"
- Next in thread: Steven Umbach: "Re: Tips on auditing"
- Reply: Steven Umbach: "Re: Tips on auditing"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 20 Nov 2003 21:57:29 -0500
Here's how you can do it: enable Windows auditing
[ http://securityadmin.info/faq.asp#auditing ] if you haven't already [e.g. if
the Windows security event logs on your computers are empty], then use something
like www.ipsentry.com ($100 US) to monitor the event logs. You would need to
put it on a dedicated machine, as using it to monitor event logs remotely is
resource intensive. IPSentry can send you all sorts of alerts when certain
log entries are found... NET SEND popups, SMTP email, using a modem to call
your pager, etc. This might be the most reliable way to do this.

If you prefer, you can use a batch file that runs a Windows log dumping
utility such as the free one from www.sysinternals.com to go remotely to
each computer, dump the security event log and inspect it for new
entries. The batch file can also send you NET SEND messages, emails using
the free BLAT utility, etc. I've used both of these methods myself to
get alerts based on Windows security log events. I used the DUMPEL utility
from the Microsoft Windows resource kit [which is not free], but I found it
to give unreliable results when trying to dump the security log remotely.

Or, you can use something like the free NTSyslog / NT Syslog utility (found
via www.google.com) on all workstations to send the Windows security event
logs to a central syslog computer running something like the free
www.kiwisyslog.com client.
"Steven L Umbach" <n9rouz@nscomcast.net> wrote in message
news:_sbvb.256652$HS4.2310394@attbi_s01...
> That is pretty much what I know also. Here is something you could try. It
> is not the easiest to implement on a large number of machines, but if you
> have it narrowed down you could use Task Scheduler and create a task that
> would execute a batch file of some sort [maybe net send with a message
> identifying computer] when the local administrator logs on. --- Steve
>
>
> "Giovanni R." <gio.reg@tin.it> wrote in message
> news:e57pop4rDHA.2444@TK2MSFTNGP12.phx.gbl...
> > Ok.
> > But, my purpose was only to "see" when someone use this account.... in
other
> > words, we want to find them.
> >
> > I've heard something on some software that do that. In fact some network
> > scanner retrieve the user currently logged. but no one, in my memory,
alert
> > someone if a particular logon is made.
> >
> > many thanks Setve.
> >
> > John R.
> >
> > "Steven L Umbach" <sumbach55@ameritech.net> ha scritto nel messaggio
> > news:MH4vb.2202$aw2.774908@newssrv26.news.prodigy.com...
> > > I don't know of a tool that will do that. You can enable auditing of
> > account
> > > logon events or logon events on computers to track when a user logs
onto a
> > > computer. For domain machines, you will need to audit logon events to
see
> > > when someone is logging onto a particular machine with a domain
account.
> > It
> > > would also record events when some user tries to access a share
remotely
> > on
> > > that machine. Security events are recorded in the security log in
Event
> > > Viewer and you can use the filter view to narrow a search and use
> > something
> > > like Event Comb to scan the logs of multiple machines remotely
assuming
> > you
> > > have administrator rights on those machines.
> > >
> > > You may also need to review membership of the local administrators
group
> > on
> > > your machines and change passwords if you feel there is unathorized
access
> > > and make sure you are using complex passwords for those accounts. Keep
in
> > > mind it is very easy for someone with physical access to a machine to
> > reset
> > > the administrator account password if they can boot from a floppy,
cdrom,
> > or
> > > device other that the system drive. --- Steve
> > >
> > > http://support.microsoft.com/default.aspx?scid=KB;en-us;q248260
> > >
> >
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
> > > prodtech/win2000/secwin2k/09detect.asp
> > > http://tinyurl.com/vtyv -- Same link as above, shorter in case of
wrap.
> > >
> > >
> > > "Giovanni R." <gio.reg@tin.it> wrote in message
> > > news:uXmt3#0rDHA.1996@TK2MSFTNGP09.phx.gbl...
> > > > Hi all.
> > > >
> > > > I have a "little" trouble on my production network.
> > > > I and my collegue suppose that someone on our network use the local
> > > machine
> > > > account "administrator" for not legal activities.
> > > > We tried to found them unfortunately. Our network is medium with
about
> > 200
> > > > clients and 40% NT machines and 60% W2000 machines.
> > > > Someone knows an automated tools that can send an alert message to
the
> > > > administrators when someone use the local administrator account?
> > > >
> > > > Thanks very much
> > > >
> > > > John R.
> > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
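As an added example (not code from this thread or from any of the tools it names), here is the "inspect it for new entries" step of the batch-file approach written in Python: it walks a dumped security log, remembers the last record number inspected per computer so repeated runs only report new entries, and produces an alert line for each logon by the *local* Administrator account. The dump's column layout and the record-number bookkeeping are assumptions for this example; event IDs 528 and 540 are the NT 4 / Windows 2000 successful-logon events, and a local account logon carries the workstation's own name in the domain field.

```python
import csv
import io
from typing import Dict, List, Tuple

# Security log event IDs on Windows NT 4 / 2000 that record a successful logon:
# 528 = successful logon, 540 = successful network logon (Windows 2000).
LOGON_EVENT_IDS = {528, 540}
WATCHED_ACCOUNT = "administrator"  # the local built-in account the thread asks about

# Constructed sample of a dumped security log. The column layout
# (computer, record number, time, event id, user, domain, logon type) is an
# assumption for this example, not the output format of any particular tool.
SAMPLE_DUMP = """\
computer,record,time,event_id,user,domain,logon_type
WS17,1041,2003-11-20 08:02:11,528,jsmith,CORP,2
WS17,1042,2003-11-20 08:15:40,528,Administrator,WS17,2
WS17,1043,2003-11-20 08:16:02,529,Administrator,WS17,2
WS42,2207,2003-11-20 09:30:55,540,Administrator,WS42,3
WS42,2208,2003-11-20 09:31:10,540,jsmith,CORP,3
WS42,2209,2003-11-20 09:40:00,528,Administrator,CORP,2
"""


def find_new_admin_logons(dump_text: str,
                          last_seen: Dict[str, int]) -> Tuple[List[str], Dict[str, int]]:
    """Return alert lines for local Administrator logons not seen on a previous run.

    last_seen maps computer name -> highest record number already inspected, so
    a scheduled job that re-dumps the whole log only reports appended entries.
    """
    alerts: List[str] = []
    new_state = dict(last_seen)
    for row in csv.DictReader(io.StringIO(dump_text)):
        computer = row["computer"]
        record = int(row["record"])
        if record <= new_state.get(computer, 0):
            continue  # already inspected on an earlier run
        new_state[computer] = max(new_state.get(computer, 0), record)
        if int(row["event_id"]) not in LOGON_EVENT_IDS:
            continue  # failed logons (529 etc.) would be a separate alert
        # A local Administrator logon has the workstation itself as the domain;
        # CORP\Administrator is the domain account, which is a different question.
        if row["user"].lower() != WATCHED_ACCOUNT or row["domain"].upper() != computer.upper():
            continue
        alerts.append(f"{computer}: local Administrator logon (event {row['event_id']}, "
                      f"type {row['logon_type']}) at {row['time']} [record {record}]")
    return alerts, new_state
```

The returned alert lines are what the batch job would hand to NET SEND or BLAT; the returned state is what it would write to disk for the next run.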