Solved

Tracking logins securely with Windows Server 2003

Posted on 2007-11-19
Last Modified: 2013-12-04
I need to find out a way to track all user logins to the console of a Server 2003 system. I need to track any administrator logins from either remote (via Terminal Services) or just a standard login directly to the console.
Question by:seandolan
 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 50 total points
ID: 20316897
You will need to enable auditing on your domain controllers' group policy...
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 50 total points
ID: 20317014
0
 
LVL 3

Author Comment

by:seandolan
ID: 20317647
The only problem is that with both processes, the logging can be cleared. If someone were to log on as an administrator, they could clear this off without any security getting in their way.
0
 
LVL 18

Assisted Solution

by:PowerIT
PowerIT earned 50 total points
ID: 20318139
The solution for clearing the logs is having them shipped to a central log reporting system.
And closely guarding who has access to that reporting (and log-backup) system.

Consul has (or had) such a system, but they have been recently acquired by IBM. They used to market it as a system to watch the gatekeepers, or something along that line. Don't know the exact status of that software. It's now part of Tivoli, and I'm not sure if it's available separately. See http://www-306.ibm.com/software/tivoli/welcome/consul/index.html and check with your IBM reseller.

An alternative is Snare. It uses open source agents to ship the logs to an open source Snare backlog server. See: http://www.intersectalliance.com/projects/SnareBackLog/index.html
There is also a more extensive appliance-server available for this: the InterSect Alliance 'Snare Server' appliance.

BTW, clearing the event logs always adds a first entry to the logs saying that it has been cleared. So you always know that someone has been tampering. If each administrator has its own private login and passwords are kept secure, then you also know who did it.

J.
0
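The approach in this answer (ship the Security log to a central collector and use the log-cleared entry to spot tampering), sketched as an added example that is not part of the original thread. It assumes a constructed CSV layout (time, event ID, user, logon type, source) and hypothetical account names, and uses the Server 2003 event IDs 528 (successful logon; types 2 and 10 are console and Terminal Services) and 517 (audit log cleared).

```python
import csv
import io

# Windows Server 2003 Security log event IDs (pre-Vista numbering).
LOGON_SUCCESS = "528"      # successful logon
AUDIT_LOG_CLEARED = "517"  # written as the first record after a clear
LOGON_TYPES = {"2": "console", "10": "Terminal Services"}
FIELDS = ["time", "event_id", "user", "logon_type", "source"]

# Constructed sample: the central collector's copy of the shipped events.
CENTRAL = """\
2007-11-19 08:01:12,528,CORP\\alice.adm,2,SRV01
2007-11-19 08:15:40,528,CORP\\svc_backup,5,SRV01
2007-11-19 09:30:05,528,CORP\\bob.adm,10,10.0.0.57
2007-11-19 09:42:51,517,CORP\\bob.adm,,SRV01
2007-11-19 10:05:33,528,CORP\\alice.adm,10,10.0.0.23
"""
# Constructed sample: what the server's own log still holds after the clear.
LOCAL = """\
2007-11-19 09:42:51,517,CORP\\bob.adm,,SRV01
2007-11-19 10:05:33,528,CORP\\alice.adm,10,10.0.0.23
"""
ADMINS = {"CORP\\alice.adm", "CORP\\bob.adm"}  # hypothetical admin accounts

def parse(text):
    return list(csv.DictReader(io.StringIO(text), fieldnames=FIELDS))

def admin_logons(events, admins):
    """Console and Terminal Services logons by the listed admin accounts."""
    return [(e["time"], e["user"], LOGON_TYPES[e["logon_type"]], e["source"])
            for e in events
            if e["event_id"] == LOGON_SUCCESS and e["user"] in admins
            and e["logon_type"] in LOGON_TYPES]

def log_clears(events):
    """Who cleared the Security log, and when."""
    return [(e["time"], e["user"]) for e in events
            if e["event_id"] == AUDIT_LOG_CLEARED]

def erased_locally(central, local):
    """Records the collector holds that the server's own log no longer has."""
    kept = {tuple(e.values()) for e in local}
    return [e for e in central if tuple(e.values()) not in kept]

if __name__ == "__main__":
    central, local = parse(CENTRAL), parse(LOCAL)
    for row in admin_logons(central, ADMINS):
        print("logon", row)
    print("cleared by", log_clears(central))
    print(len(erased_locally(central, local)), "records survive only centrally")
```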
 
LVL 18

Expert Comment

by:PowerIT
ID: 20318157
And I forgot about one of my favorites, GFI: http://www.gfi.com/eventsmanager/
I have always found the GFI tools easy to use (in a Microsoft only environment).

J.
0
 
LVL 3

Author Comment

by:seandolan
ID: 20323788
I found a way to do this using an app called EventLogXP. I just take an automatic backup every minute and send it to an FTP location. This is working fine now.

http://www.eventlogxp.com/
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20324486
nice work
0

Question has a verified solution.
