Re: What should be audited on a DC

From: Steven L Umbach (sumbach_at_N0spam.ameritech.net)
Date: 05/13/04

• Next message: airedale1: "error message"
• Previous message: clinton.mills_at_hitcents.com: "Service Pack"
• In reply to: Samantha: "What should be audited on a DC"
• Next in thread: Samantha: "Re: What should be audited on a DC"
• Reply: Samantha: "Re: What should be audited on a DC"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 12 May 2004 21:07:46 -0500

That depends on what you want to monitor and how much time you have to do
such. Generally for domain controllers you want to audit at least account
logon events for sucess and failure and probably system events, policy
change, and account management. If you audit everything then your logs fill
up very quickly with events that make it hard to see what you really need to
see and can impair performance on your computers. There may be other
categories you may want to audit on certain occassions [such as object
access/folder auditing] or for situations that require higher level of
security. Be sure to increase the size of your security logs quite a bit
from default and learn how to use the filter view and free tools like Event
Comb. The links below may be helpful. --- Steve

http://www.microsoft.com/technet/security/guidance/secmod144.mspx
http://www.microsoft.com/technet/Security/topics/hardsys/tcg/tcgch03.mspx
http://www.microsoft.com/technet/Security/prodtech/win2000/win2khg/05sconfg.mspx

"Samantha" <anonymous@discussions.microsoft.com> wrote in message
news:7DD9660A-92E6-4202-A994-83CCCC030F0D@microsoft.com...
> Hi All,
>
> What audit policies should I configured to be view in event viewer on a
Domain Controller?
>
> Many thanks

• Next message: airedale1: "error message"
• Previous message: clinton.mills_at_hitcents.com: "Service Pack"
• In reply to: Samantha: "What should be audited on a DC"
• Next in thread: Samantha: "Re: What should be audited on a DC"
• Reply: Samantha: "Re: What should be audited on a DC"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: What should be audited on a DC ... Generally for domain controllers you want to audit at least account ... change, and account management. ... Be sure to increase the size of your security logs quite a bit ... (microsoft.public.win2000.security) 2003 DC auditing issue ... I have Windows 2003 test machine, and I test auditing policies. ... 2003 Domain Controller, with default installation settings. ... If I configure all audit policies in “Default Domain Controllers Policy” to ... Audit Account Management) to Audit Success and Audit Failure, ... (microsoft.public.security) Re: ADAM object auditing ... Enabling the audit will not help for ADAM, ... type of output I get from enabling Account Management in AD (all creates, ... check the SACL box, click OK. ... (microsoft.public.windows.server.active_directory) Re: ADAM object auditing ... Enabling the audit will not help for ADAM, ... type of output I get from enabling Account Management in AD (all creates, ... check the SACL box, click OK. ... (microsoft.public.windows.server.active_directory) Re: user accounts are reappearing ... is a policy setting called "audit account management" that you can enable. ... (microsoft.public.win2000.active_directory)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint