Re: Monitoring/Audit of privileged accounts

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 05/09/04


Date: Sun, 09 May 2004 19:46:31 GMT

You can enable auditing of various events in the appropriate security policy.
Auditing of account logons, for instance, on domain controllers via Domain Controller
Security Policy will tell when an administrator has logged onto the domain. It sounds
like you may also want to enable auditing of account management. Everything you want
may not be able to be directly audited, though enabling auditing of object access and
then auditing specific folders, files, or AD objects may help if you don't mind
poring through a lot of events in the security log, correlating events. Avoid using
the Everyone group in auditing and audit for only the bare number of permissions
needed to provide the results you need; for instance, possibly audit only write data
or delete and not read to an object, as read will generate a ton of events. The link
below is very good at explaining what auditing can do and how to configure it.

--- Steve

http://www.microsoft.com/technet/security/guidance/secmod144.mspx
http://support.microsoft.com/default.aspx?scid=kb;en-us;301640

"Aafaq" <anonymous@discussions.microsoft.com> wrote in message
news:433E669E-C317-4C27-8FCE-B0B9DB28A639@microsoft.com...
> How can I audit/monitor the use of privileged accounts in Windows 2000 domain
> controllers and servers?
> Activities like creation/deletion/modification of user ids/Distribution lists in
> Exchange, DHCP scopes, password resets, etc.
>
> Thanks,
> Aafaq
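
As an added example (not part of the original thread): once account management auditing is enabled, a short script can do the correlation the reply describes, grouping account changes by the account that made them and listing any actor outside a known privileged set. The CSV column names, the `EXAMPLE` accounts, the host names and the sample rows are constructed assumptions; the event IDs are Windows 2000 account-management event IDs.

```python
import csv
import io
from collections import defaultdict

# Windows 2000 Security log event IDs in the "Account Management" category.
ACCOUNT_MGMT = {
    "624": "user account created",
    "628": "user account password set (reset)",
    "630": "user account deleted",
    "642": "user account changed",
    "632": "member added to global group",
    "636": "member added to local group",
}

# Constructed sample export; column names are an assumption, adjust to your export.
SAMPLE = """Date,Time,Category,Event,User,Computer
5/9/2004,09:12:01,Account Management,624,EXAMPLE\\admin1,DC01
5/9/2004,09:12:02,Account Management,642,EXAMPLE\\admin1,DC01
5/9/2004,09:15:40,Object Access,560,EXAMPLE\\jdoe,FS01
5/9/2004,23:47:10,Account Management,628,EXAMPLE\\admin2,DC02
5/9/2004,23:48:55,Account Management,632,EXAMPLE\\admin2,DC02
5/9/2004,23:50:03,Account Management,630,EXAMPLE\\svc_backup,DC02
"""

def account_changes(csv_text, privileged):
    """Group account-management events by the account that performed them.

    Returns (by_actor, unexpected): by_actor maps actor -> list of
    (date, time, computer, action); unexpected lists actors that made
    changes but are not in the known privileged set.
    """
    known = {p.lower() for p in privileged}
    by_actor = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = ACCOUNT_MGMT.get(row["Event"].strip())
        if action is None:
            continue  # not an account-management event we track
        actor = row["User"].strip()
        by_actor[actor].append((row["Date"], row["Time"], row["Computer"], action))
    unexpected = sorted(a for a in by_actor if a.lower() not in known)
    return dict(by_actor), unexpected

if __name__ == "__main__":
    events, unexpected = account_changes(SAMPLE, {"EXAMPLE\\admin1", "EXAMPLE\\admin2"})
    for actor, items in events.items():
        for date, time, computer, action in items:
            print(f"{date} {time} {computer} {actor}: {action}")
    print("Changes by accounts outside the privileged list:", unexpected)
```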


