Solved

Auditing

Posted on 2005-03-10
Last Modified: 2013-12-04
When enabling auditing of logon events and account logons, should this only be enabled on the domain controller policy, or should the member servers also have this enabled on their local policy? Would this be necessary?
Question by:vivo123
5 Comments
 
LVL 16

Accepted Solution

by:
mdiglio earned 200 total points
ID: 13512019
Hello,

I think you'll find that once/if you enable auditing on other servers, it is not nearly as intensive to search through and find the appropriate information as it is on your Domain Controllers.

With that being said, I would recommend enabling auditing on those as well.
It won't hurt, it won't take up nearly as much space to track information, and it might come in handy one day.

My vote would be a YES
0
 
LVL 6

Assisted Solution

by:kapes
kapes earned 100 total points
ID: 13516060
When a user logs in using a domain user ID anywhere in the domain, that event is logged in the Domain Controller's event log.

If a user logs in using a particular server's local account, that event is logged in that server's event log.

So I would recommend enabling both.
0
 
LVL 5

Assisted Solution

by:tmehmet
tmehmet earned 100 total points
ID: 13517194
The domain policy will work for domain activity, but this may not work for any local activity, especially if they are not domain controllers.

You should, as per industry best practice, log all local activity, e.g. someone failing to access a share on the member box won't necessarily appear in the domain logs.
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 100 total points
ID: 13517609
First and foremost... are you going to have time to review them? Be they just on the controllers and/or on the workstations? Having them enabled is one thing, having the time to sort through them is another. If they are just enabled, and you don't review them, you'll be missing out on what's going on day-to-day... Having them enabled and just looking through them when a real problem occurs is OK, but it's better to have them looked through every day. There is software out there that can watch your logs and alert you when certain events you've configured happen; GFI SELM http://www.gfi.com/lanselm/ is one such product. You could also get Kiwi (for Unix) or Snare for Windows http://www.intersectalliance.com/projects/SnareWindows/ also found here: http://sourceforge.net/projects/snare/

If you have tools like these, then why not enable the events on all servers and workstations:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/monitor/logevnts.mspx
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/monitor/logonoff.mspx
-rich
0
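Added example, not part of any poster's answer: a small alert rule run once over domain controller logs only and once over logs from every host, showing which repeated-failure alerts depend on member-server auditing. The host names, the `CORP` domain, the threshold and the sample records are constructed, and the event IDs (4625, 4776) are those of current Windows versions, which the thread predates.

```python
from collections import Counter

DCS = {"DC01"}   # constructed domain controller name
THRESHOLD = 3    # failures per account before alerting (assumed value)

# Constructed sample records, failures only:
#   (logging host, event id, account domain, account)
# 4625 = failed logon, written on the machine where the logon was attempted
# 4776 = failed credential validation, written on the machine holding the account
EVENTS = (
    [("FS01", 4625, "CORP", "alice")] * 3            # domain account tried at FS01
    + [("DC01", 4776, "CORP", "alice")] * 3          # ... and validated by the DC
    + [("FS01", 4625, "FS01", "Administrator")] * 4  # local account on FS01:
    + [("FS01", 4776, "FS01", "Administrator")] * 4  # nothing reaches the DC
    + [("WS07", 4625, "WS07", "backup")] * 2         # below the threshold
)


def alerts(events, hosts=None, threshold=THRESHOLD):
    """Accounts with >= threshold failures of one event type, using only
    logs collected from `hosts` (None means every host)."""
    counts = Counter(
        (domain, account, event_id)
        for host, event_id, domain, account in events
        if hosts is None or host in hosts
    )
    return {f"{d}\\{a}" for (d, a, _), n in counts.items() if n >= threshold}


def missed_with_dc_only(events, dcs=DCS):
    """Alerts that fire only when member-server logs are collected too."""
    return alerts(events) - alerts(events, hosts=dcs)


if __name__ == "__main__":
    print("DC logs only:", sorted(alerts(EVENTS, hosts=DCS)))
    print("All hosts:   ", sorted(alerts(EVENTS)))
    print("Missed:      ", sorted(missed_with_dc_only(EVENTS)))
```

Counting per event type keeps a domain-account failure, which is recorded on both the member server and the domain controller, from being counted twice.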
 

Author Comment

by:vivo123
ID: 13520744
Thank you all for your comments.  They are greatly appreciated.  

0
