Posted by TwistedPair on November 4, 2007, 1:31 am
Good info, thank you!
> What I'd do:
>
> 1. Make sure your auditing works: add/delete users from the group and
> identify the audit trail;
> 2. Set up alerting on the audit events (using eventtriggers.exe, for
> example);
> 3. Action on the alerts - identify who's making changes, and why;
> 4. Use smart cards only for administrative logon so that there will be no
> issue with passwords
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>
>> All,
>> I have a curious problem where stuff is changing in our AD domain, but
>> there's no record of those changes in the event log. For instance, just
>> recently, a couple of users needed to be added back into a group that they
>> were previously members of.
>>
>> 1. None of the administrators are admitting to the change.
>>
>> 2. Nothing shows up in the security event logs with regard to the removal
>> of those accounts, although I see the events for the user being added back in.
>>
>> 3. The reason for it not appearing in the event log could not possibly be
>> due to recency problems, meaning, the event had to have occurred before the
>> log events for it were overwritten (it happened just a couple of days ago).
>>
>> 4. DCdiag, netdiag, and the AD-related event logs are showing no problems.
>>
>> 5. Additionally, other suspicious events have happened, like password
>> expiration settings changing and no record of that occurring in the event
>> log... Things like that.
>>
>> I'm not liking the conclusions this is leaving me with, as you can imagine.
>> If we've been compromised, I need concrete evidence. If any of you happen
>> to have any ideas on possible other things to check, I'd be greatly
>> interested.
>>
>> Thanks!
>
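The first three steps of the quoted advice (prove auditing works, collect the events, find out who made the change) can be scripted. The following is an added example and not code from either poster; it assumes Windows Server 2008 or later domain controllers, the RSAT ActiveDirectory module for Get-ADDomainController, and an account that can read each DC's Security log. It also addresses the likeliest reason for the "missing" removal event in the original question: an AD write is only logged on the DC that performed it, so checking a single DC's log is not enough. The event IDs used (4728/4729, 4732/4733, 4756/4757) are the 2008-era member added/removed events; on Server 2003, the platform of this 2007 thread, the corresponding IDs are 632/633, 636/637 and 660/661.

```powershell
# Added example, not from the thread: check that group-membership auditing is
# actually producing records, then list who changed which group on every DC.
# Assumes Windows Server 2008+ DCs, the RSAT ActiveDirectory module, and rights
# to read each DC's Security log. On Server 2003 the corresponding event IDs
# are 632/633 (global), 636/637 (local) and 660/661 (universal).

Import-Module ActiveDirectory

# Step 1: confirm the audit policy is on. "No Auditing" here explains an empty log.
auditpol /get /category:"Account Management"

# Member added (even ID) / removed (odd ID) for global, domain-local and universal groups.
$memberChangeIds = 4728, 4729, 4732, 4733, 4756, 4757

# AD writes are logged only on the DC that performed them, so query all DCs.
$dcs   = (Get-ADDomainController -Filter *).HostName
$since = (Get-Date).AddDays(-30)

$changes = foreach ($dc in $dcs) {
    $filter = @{ LogName = 'Security'; Id = $memberChangeIds; StartTime = $since }
    # SilentlyContinue: Get-WinEvent raises an error when a DC simply has no matching events.
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read the named fields from the event XML instead of parsing the message text.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            DC        = $dc
            EventId   = $e.Id
            Action    = if ($e.Id % 2 -eq 0) { 'Added' } else { 'Removed' }
            Group     = $data['TargetUserName']
            Member    = $data['MemberName']
            ChangedBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        }
    }
}

# Step 3: removals are what the original poster could not account for; show them first.
$changes | Where-Object { $_.Action -eq 'Removed' } | Sort-Object Time | Format-Table -AutoSize

# Keep the full set as part of the incident record.
$changes | Export-Csv -Path .\group-membership-changes.csv -NoTypeInformation
```

Run it once immediately after a deliberate test change (step 1 of the advice): if the test removal does not appear in the output of any DC, the gap is in audit policy or log retention, not in the directory. For step 2, on Server 2008 and later the same event IDs can be bound to a scheduled task from Event Viewer ("Attach Task To This Event"), which is the modern counterpart of the eventtriggers.exe approach the reply suggests for 2003.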