Solved

Tracking logins securely with Windows Server 2003

Posted on 2007-11-19
901 Views
Last Modified: 2013-12-04
I need to find out a way to track all user logins to the console of a Server 2003 system. I need to track any administrator logins from either remote (via Terminal Services) or just a standard login directly to the console.
Question by:seandolan
8 Comments
 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 50 total points
you will need to enable auditing on your domain controllers group policy...
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 50 total points
 
LVL 3

Author Comment

by:seandolan
The only problem is that with both processes, the logging can be cleared. If someone was to logon as an administrator they could clear this off without any security getting in their way.
 
LVL 18

Assisted Solution

by:PowerIT
PowerIT earned 50 total points
The solution for clearing the logs is having them shipped to a central log reporting system.
And closely guarding who has access to that reporting (and log-backup) system.

Consul has (or had) such a system, but they have been recently acquired by IBM. They used to market it as a system to watch the gatekeepers, or something along that line. Don't know the exact status of that software. It's now part of Tivoli, and I'm not sure if it's available separately. See http://www-306.ibm.com/software/tivoli/welcome/consul/index.html and check with your IBM reseller.

An alternative is Snare. It uses open source agents to ship the logs, to an open source Snare backlog server. See: http://www.intersectalliance.com/projects/SnareBackLog/index.html
There is also a more extensive appliance-server available for this: the InterSect Alliance 'Snare Server' appliance.

BTW, clearing the event logs always adds a first entry to the logs saying that it has been cleared. So you always know that someone has been tampering. If each administrator has their own private login and passwords are kept secure, then you also know who did it.

J.
 
LVL 18

Expert Comment

by:PowerIT
And I forgot about one of my favorites, GFI: http://www.gfi.com/eventsmanager/
I have always found the GFI tools easy to use (in a Microsoft only environment).

J.
 
LVL 3

Author Comment

by:seandolan
I found a way to do this using an app called EventLogXP. I just take an automatic backup every minute and send it to an FTP location. This is working fine now.

http://www.eventlogxp.com/
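Added example, not code from this thread or from EventLogXP: a small Python scan over a Security-log export (such as the periodic backups the author ships off-box) that picks out the events the discussion cares about, namely administrator logons at the console or over Terminal Services and the "audit log was cleared" record PowerIT mentions. The event IDs and logon types are the Windows Server 2003 (pre-Vista) ones; the export column layout, the admin account list and the log lines are constructed.

```python
# Added example (not from the thread): sweep a Security-log export from a
# Windows Server 2003 host for interactive admin logons and log-clear events.
# Pre-Vista identifiers: 528 = successful logon, 517 = audit log cleared,
# logon type 2 = console (interactive), logon type 10 = Terminal Services.
import csv
import io
import re

SUCCESSFUL_LOGON = "528"
AUDIT_LOG_CLEARED = "517"
LOGON_TYPE_NAMES = {"2": "console", "10": "terminal services"}
ADMIN_ACCOUNTS = {"Administrator", "sean"}  # constructed: who counts as admin

# Constructed sample. Column layout is an assumption (Date, Time, EventID,
# User, Computer, Description); map a real export onto it as needed.
SAMPLE_EXPORT = """\
2007-11-19\t08:01:12\t528\tDOMAIN\\sean\tSRV01\tSuccessful Logon: User Name: sean Domain: DOMAIN Logon Type: 10 Workstation Name: WS-07
2007-11-19\t08:03:40\t528\tDOMAIN\\bob\tSRV01\tSuccessful Logon: User Name: bob Domain: DOMAIN Logon Type: 3 Workstation Name: WS-02
2007-11-19\t08:10:05\t528\tSRV01\\Administrator\tSRV01\tSuccessful Logon: User Name: Administrator Domain: SRV01 Logon Type: 2 Workstation Name: SRV01
2007-11-19\t08:12:30\t517\tSRV01\\Administrator\tSRV01\tThe audit log was cleared Primary User Name: SYSTEM Client User Name: Administrator
"""

LOGON_TYPE_RE = re.compile(r"Logon Type:\s*(\d+)")


def scan_export(text):
    """Return (interactive admin logons, audit-clear events) from the export.

    Each hit is a dict so a caller can forward it to the central log store or
    raise an alert. Network logons (type 3) and non-admin accounts are ignored.
    """
    logons, clears = [], []
    reader = csv.reader(io.StringIO(text), delimiter="\t")
    for date, time, event_id, user, computer, description in reader:
        account = user.split("\\")[-1]  # strip the DOMAIN\ or HOST\ prefix
        if event_id == AUDIT_LOG_CLEARED:
            clears.append({"when": f"{date} {time}", "by": account, "host": computer})
            continue
        if event_id != SUCCESSFUL_LOGON or account not in ADMIN_ACCOUNTS:
            continue
        match = LOGON_TYPE_RE.search(description)
        via = LOGON_TYPE_NAMES.get(match.group(1)) if match else None
        if via:  # only console (2) and Terminal Services (10) sessions
            logons.append({"when": f"{date} {time}", "who": account,
                           "host": computer, "via": via})
    return logons, clears


if __name__ == "__main__":
    for kind, hits in zip(("admin logon", "AUDIT LOG CLEARED"), scan_export(SAMPLE_EXPORT)):
        for hit in hits:
            print(kind, hit)
```

Because the clear event is written after the wipe, it only proves tampering happened; the logons that preceded it survive only in the copy already shipped off the box, which is why the thread's central-logging advice matters.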
 
LVL 48

Expert Comment

by:Jay_Jay70
nice work