Re: Monitor the Administrator
From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 07/13/04
- In reply to: Mail Man: "Monitor the Administrator"
Date: Tue, 13 Jul 2004 16:48:13 GMT
You can't realistically restrict an administrator. You can monitor events by
auditing, though an administrator can clear the security log, which in itself will
leave an event, and a malicious administrator could modify the security log. While it
is a good idea to audit, you really need to trust people that are administrators, and
in W2K for AD, delegation can be used to do most things without making a user an
administrator.

See the link below on auditing. For starters, it is a good idea to at least audit
account logon events and account management on domain controllers, logon events on
servers and domain workstations.

--- Steve
http://www.microsoft.com/technet/security/guidance/secmod144.mspx
"Mail Man" <this4meonly@yahoo.com> wrote in message
news:2753502d.0407130101.6fbc8114@posting.google.com...
> Hi 2 Security concerns
> First:-
> How to make sure Even your Administrator
> can not alter and Log files and Audit Policy
> Second:-
> any good tool which can easily track changes in your Active Directory
> like user has been added to or removed from group
> permissions has been modified in Folders or Files
>
>
> Thanks 4 your Time & effort
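
The auditing advice in the reply above, and the question about tracking group changes, can be checked against an exported security log; this is an added example, not part of either post. The event IDs are the standard Windows ones (not given in the thread), while the CSV layout, the account names and the sample rows are constructed, and the record-gap check is a heuristic that assumes record numbers are sequential.

```python
import csv
import io

# Security event IDs worth alerting on. First ID of each pair is the
# Windows 2000/2003 number, second is Vista/2008 and later.
WATCHED = {
    517: "audit log cleared", 1102: "audit log cleared",
    612: "audit policy changed", 4719: "audit policy changed",
    632: "member added to global group", 4728: "member added to global group",
    633: "member removed from global group", 4729: "member removed from global group",
    636: "member added to local group", 4732: "member added to local group",
    637: "member removed from local group", 4733: "member removed from local group",
    660: "member added to universal group", 4756: "member added to universal group",
    661: "member removed from universal group", 4757: "member removed from universal group",
}

# Constructed sample export (hypothetical column layout, made-up accounts).
SAMPLE = """record,time,event_id,actor,detail
1,2004-07-13T09:00:00,517,admin1,security log cleared
2,2004-07-13T09:01:12,528,jsmith,interactive logon
3,2004-07-13T09:04:10,632,admin1,tmp01 added to Domain Admins
4,2004-07-13T09:05:00,612,admin1,account management auditing disabled
7,2004-07-13T09:20:00,633,admin1,tmp01 removed from Domain Admins
"""

def review(export_text):
    """Return (record, kind, detail) findings for an exported security log."""
    findings = []
    prev = None
    for row in csv.DictReader(io.StringIO(export_text)):
        rec, eid = int(row["record"]), int(row["event_id"])
        # Heuristic (assumption): record numbers are sequential, so a jump
        # means records are missing from this export and needs a look.
        if prev is not None and rec != prev + 1:
            findings.append((rec, "record gap", f"records {prev + 1}-{rec - 1} missing"))
        prev = rec
        if eid in WATCHED:
            findings.append((rec, WATCHED[eid], f"{row['actor']}: {row['detail']}"))
    return findings

if __name__ == "__main__":
    for rec, kind, detail in review(SAMPLE):
        print(f"record {rec}: {kind} ({detail})")
```

A record gap is only a prompt to investigate; it does not by itself show that the log was modified.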