Posted by Erasmo on April 11, 2006, 4:02 pm
I'm trying to determine the best way to have my Domain Admins administrators
audit each other. What I mean is I want to keep track when either one of them
makes a change in anything in AD such as DNS, DHCP, AD, etc. What is the best
method to centralize and keep track of administrators' activities?

Posted by Steven L Umbach on April 11, 2006, 9:11 pm
You can enable auditing for various categories on domain controllers via
Domain Controller Security Policy, such as for account management, object
access, and directory services [for AD objects]. However, you need to be
selective in auditing what you think is important or you will need a couple
more people to review all the tens of thousands of entries in the security
logs of domain controllers. The free Event Comb from Microsoft can help in
parsing the logs for events you want to track and text strings such as user
names. To track changes to DNS and DHCP you would probably need to audit the
registry keys used by those services. The link below is to a white paper
from Microsoft that may be helpful. --- Steve
http://www.microsoft.com/technet/security/topics/auditingandmonitoring/securitymonitoring/default.mspx
-- The Security Monitoring and Attack Detection Planning Guide
> I'm trying to determine the best way to have my Domain Admins administrators
> audit each other. What I mean is I want to keep track when either one of them
> makes a change in anything in AD such as DNS, DHCP, AD, etc. What is the best
> method to centralize and keep track of administrators' activities?

Posted by Roger Abell [MVP] on April 11, 2006, 10:21 pm
If you really, really do need that degree of accountability and
control, then I would suggest to you that there are only a small
number of things that might require Domain Admin membership
in a day-to-day scenario.
Hence, one could define "empowered" accounts to which the
known tasks have been delegated. Any account that is in the
Domain Admins group would not be a personal use account
and would be available for use only in defined cases (ex. some
task not yet covered in the delegations mentioned before).
Any log in with and use of a Domain Admins member would
trigger flags when seen in the logs, and should match in time
with the external audit trail that established a defined case for
use existed. Similarly, as the accounts to which tasks have
been delegated are not personal use accounts (that is, they
are explicitly crippled from being inviting for use other than for
times when needed to accomplish their tasks - I do not mean
a shared account that cannot be tied to a person) the audit of
their use should "make sense" and not include excess "stuff" to
sort through.
> I'm trying to determine the best way to have my Domain Admins administrators
> audit each other. What I mean is I want to keep track when either one of them
> makes a change in anything in AD such as DNS, DHCP, AD, etc. What is the best
> method to centralize and keep track of administrators' activities?
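
The time-matching check described in Roger Abell's reply above, as an added example that is not part of the original thread: every logon by a Domain Admins member is compared against an external record of approved use, and anything without a covering window is flagged. The account names, ticket ids, record layout and the five-minute clock-skew allowance are all assumptions made for illustration; the logon records are constructed and stand in for entries already extracted from domain controller security logs.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# All data below is constructed for illustration (hypothetical names and tickets).
DOMAIN_ADMINS = {"da-breakglass1", "da-breakglass2"}  # non-personal DA accounts

# External audit trail: (ticket, account, requesting person, start, end)
APPROVED_USE = [
    ("CHG-001", "da-breakglass1", "alice", "2006-04-11 09:00", "2006-04-11 10:00"),
]

# Logon records already extracted from DC security logs: (time, account, host)
LOGONS = [
    ("2006-04-11 09:12", "da-breakglass1", "ADMINWS01"),
    ("2006-04-11 10:04", "DA-BreakGlass1", "ADMINWS01"),     # inside clock-skew slack
    ("2006-04-11 14:40", "da-breakglass1", "ADMINWS01"),     # no approved window
    ("2006-04-11 09:30", "da-breakglass2", "ADMINWS02"),     # window is for another account
    ("2006-04-11 09:31", "svc-dns-delegated", "ADMINWS01"),  # not a Domain Admin
]

def review_privileged_logons(logons, approved, privileged, skew=timedelta(minutes=5)):
    """Split Domain Admins logons into (justified, flagged).

    A logon is justified only if the same account has an approved window that
    covers the logon time, allowing `skew` for clock drift between systems.
    """
    windows = [(t, a.lower(), who, datetime.strptime(s, FMT), datetime.strptime(e, FMT))
               for t, a, who, s, e in approved]
    justified, flagged = [], []
    for when, account, host in logons:
        acct = account.lower()          # AD account names are case-insensitive
        if acct not in privileged:
            continue                    # delegated accounts get their own review
        ts = datetime.strptime(when, FMT)
        match = next(((t, who) for t, a, who, s, e in windows
                      if a == acct and s - skew <= ts <= e + skew), None)
        if match:
            justified.append((when, acct, host) + match)
        else:
            flagged.append((when, acct, host))
    return justified, flagged

if __name__ == "__main__":
    ok, bad = review_privileged_logons(LOGONS, APPROVED_USE, DOMAIN_ADMINS)
    for row in bad:
        print("UNJUSTIFIED Domain Admins logon:", row)
```

Justified rows carry the ticket and the requesting person, so each use of a non-personal account is still tied to an individual.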