

Configure auditing of Administrator account logon attempts (to track hacking attempts)

Posted on 2007-08-09
Medium Priority
Last Modified: 2010-05-18

How can I configure auditing of Administrator account logon attempts (to track hacking attempts)?

Question by:bsharath
LVL 26

Accepted Solution

Farhan Kazi earned 1000 total points
ID: 19668057
Open Active Directory Users and Computers. Select Advanced Features from the View menu.

Right-click the Administrator account -> select Properties -> select Security, then Advanced; there is an Auditing tab there where you can set the auditing.

Have a look at following post:
Securing the Domain Administrator Account:
LVL 11

Author Comment

ID: 19668118
Already in the Administrator auditing there is Everyone mentioned. Is that correct?

Where can I see the logs? Is there a way to get these audits only to a file?
LVL 70

Assisted Solution

KCTS earned 1000 total points
ID: 19668512
see http://technet2.microsoft.com/windowsserver/en/library/e104c96f-e243-41c5-aaea-d046555a079d1033.mspx?mfr=true

It is good practice NOT to use the administrator account and to rename it so that someone trying to hack your system does not know the name of the administrator account.

All administrators should have a unique user account with admin privileges so you can track who is doing what - and you need to monitor these as well.

Also consider making the "Administrators", "Enterprise Admins" and "Domain Admins" restricted groups so user accounts cannot be added to these groups without specific consent.

Also be aware of the differences between Audit Logon/Logoff and Audit Account Logon.
"Account Logon" isn't really about logon, it's about credential validation.

Audit Logon/Logoff generates events for the creation and destruction of logon sessions. These events occur on the machine which was accessed. In the case of an interactive logon, these would be generated on the machine which was logged on to. In the case of network logon, for example, accessing a share, these events would be generated on the machine hosting the resource that was accessed.

Audit Account Logon generates events for credential validation. These events occur on the machine which is authoritative for the credentials.  For domain accounts, the domain controller is authoritative. For local accounts, the local machine is authoritative.  Since domain accounts are used much more frequently in enterprise environments than local accounts, most of the Account Logon events in a domain environment occur on the domain controllers which are authoritative for the domain accounts.  However, these events can occur on any machine, and may occur in conjunction with or on separate machines from logon/logoff events.

LVL 13

Expert Comment

ID: 19670040
The audited events appear in the Security Event log.  You can save this log out to a file, but you cannot redirect the auditing to a specific file that I know of.  (Please understand that I'm not the brightest star in the sky, so maybe someone else can weigh in.)

If you want to capture specific events such as logins with the administrator account you will probably need a specific application to do so.  I know that Microsoft Operations Manager (now Service Console Operations Manager) will do this.  I'm sure there are other products that will work just as well.
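As an added example (not posted by any participant in this thread), the following PowerShell script pulls both categories KCTS describes above out of the Security Event log, keeps only the entries for the Administrator account, and writes them to a CSV file, which is one way to answer the asker's "get these audits only to a file" without a separate product. It assumes the Windows Vista / Server 2008 and later event IDs (4624/4625 for Logon/Logoff, 4768/4771/4776 for Account Logon), PowerShell 2.0 or later, and that it is run elevated, since the Security log requires administrative rights to read. The account name, look-back window, output path and target computer are parameters; the defaults are assumptions, not values from the thread.

```powershell
# Added example: export Administrator logon and credential-validation events to CSV.
# Assumes Vista/2008+ event IDs, PowerShell 2.0+, and an elevated session.
param(
    [string]$Account  = 'Administrator',                         # change if the account was renamed
    [int]   $Days     = 7,                                       # how far back to search
    [string]$OutFile  = "$env:USERPROFILE\admin-logon-audit.csv",
    [string]$Computer = $env:COMPUTERNAME                        # point at a DC for Account Logon events
)

# Logon/Logoff category: recorded on the machine that was accessed.
$logonIds        = 4624, 4625            # 4624 = successful logon, 4625 = failed logon
# Account Logon category: recorded on the machine authoritative for the credential (DC for domain accounts).
$accountLogonIds = 4768, 4771, 4776      # Kerberos TGT request, Kerberos pre-auth failure, NTLM credential validation

$filter = @{
    LogName   = 'Security'
    Id        = $logonIds + $accountLogonIds
    StartTime = (Get-Date).AddDays(-$Days)
}

# -ErrorAction SilentlyContinue keeps "No events were found" from being reported as an error.
$events = Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Parse the EventData block so fields can be looked up by name rather than by position.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # All five event IDs carry the account in TargetUserName; comparison is case-insensitive.
    if ($data['TargetUserName'] -ne $Account) { continue }

    $category = if ($logonIds -contains $e.Id) { 'Logon/Logoff' } else { 'Account Logon' }
    $outcome  = if ($e.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' }

    # Where the attempt came from: 4624/4625/4768/4771 carry IpAddress, 4776 carries Workstation.
    $source = $data['IpAddress']
    if (-not $source) { $source = $data['Workstation'] }
    if (-not $source) { $source = $data['WorkstationName'] }

    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        Computer  = $e.MachineName
        EventId   = $e.Id
        Category  = $category
        Outcome   = $outcome
        Account   = $data['TargetUserName']
        Domain    = $data['TargetDomainName']
        Source    = $source
        LogonType = $data['LogonType']        # only populated for 4624/4625
        Status    = $data['Status']           # failure/status code for 4625/4771/4776
    }
}

$rows |
    Sort-Object Time |
    Select-Object Time, Computer, EventId, Category, Outcome, Account, Domain, Source, LogonType, Status |
    Export-Csv -Path $OutFile -NoTypeInformation

# Quick on-screen summary: how many successes and failures per category.
$rows | Group-Object Category, Outcome | Select-Object Count, Name | Format-Table -AutoSize
Write-Host "Wrote $(@($rows).Count) event(s) for '$Account' to $OutFile"
```

Nothing appears unless the corresponding audit subcategories are enabled; on Vista/2008 and later, `auditpol /get /category:"Logon/Logoff","Account Logon"` shows the current settings, and the "Logon", "Credential Validation" and "Kerberos Authentication Service" subcategories need success and failure auditing turned on. Run it with `-Computer` set to a domain controller to see the Account Logon side for domain accounts, and against the server that was accessed to see the Logon/Logoff side; a burst of 4625 or 4771/4776 failures from one source is the pattern to alert on.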
