Solved

Tracking logins securely with Windows Server 2003

Posted on 2007-11-19
8
Medium Priority
909 Views
Last Modified: 2013-12-04
I need to find out a way to track all user logins to the console of a Server 2003 system. I need to track any administrator logins from either remote (via Terminal Services) or just a standard login directly to the console.
0
Question by:seandolan
8 Comments
 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 200 total points
ID: 20316897
You will need to enable auditing on your domain controllers' group policy...
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 200 total points
ID: 20317014
0
 
LVL 3

Author Comment

by:seandolan
ID: 20317647
The only problem is that with both processes, the logging can be cleared. If someone were to log on as an administrator, they could clear this off without any security getting in their way.
0
 
LVL 18

Assisted Solution

by:PowerIT
PowerIT earned 200 total points
ID: 20318139
The solution for clearing the logs is having them shipped to a central log reporting system.
And closely guarding who has access to that reporting (and log-backup) system.

Consul has (or had) such a system, but they have been recently acquired by IBM. They used to market it as a system to watch the gatekeepers, or something along that line. Don't know the exact status of that software. It's now part of Tivoli, and I'm not sure if it's available separately. See http://www-306.ibm.com/software/tivoli/welcome/consul/index.html and check with your IBM reseller.

An alternative is Snare. It uses open source agents to ship the logs to an open source Snare backlog server. See: http://www.intersectalliance.com/projects/SnareBackLog/index.html
There is also a more extensive appliance-server available for this: the InterSect Alliance 'Snare Server' appliance.

BTW, clearing the event logs always adds a first entry to the logs saying that it has been cleared. So you always know that someone has been tampering. If each administrator has its own private login and passwords are kept secure, then you also know who did it.

J.
0
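The two checks discussed in the answers above (administrator logons at the console or over Terminal Services, and the entry written when the log is cleared), run on the collector side over shipped events, as an added example that is not part of the original thread. The event IDs and logon types are the Windows Server 2003 Security log values from Microsoft's documentation, not from the thread; the CSV layout, host name and account names are constructed assumptions.

```python
import csv
import io

# Windows Server 2003 Security log values (from Microsoft's documentation,
# not from the thread): 528 = successful logon, 517 = audit log cleared.
LOGON_OK, LOG_CLEARED = 528, 517
# Logon type 2 = interactive (console), 10 = RemoteInteractive (Terminal Services).
LOGON_TYPES = {2: "console", 10: "Terminal Services"}

# Constructed sample: events as already received by the central collector.
# The column layout is an assumption for this example, not a product format.
SAMPLE = """time,host,event_id,user,logon_type
2007-11-19T08:01:12,SRV01,528,alice.adm,2
2007-11-19T08:05:40,SRV01,528,svc_backup,5
2007-11-19T09:14:03,SRV01,528,bob.adm,10
2007-11-19T09:20:55,SRV01,540,alice.adm,3
2007-11-19T09:31:47,SRV01,517,bob.adm,
2007-11-19T09:40:02,SRV01,528,carol,2
"""

def review(csv_text, admins):
    """Return (time, host, user, finding) for admin console/TS logons and log clears."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        event_id = int(row["event_id"])
        user = row["user"]
        if event_id == LOG_CLEARED:
            # Reported for any account: the clear event names who did it.
            findings.append((row["time"], row["host"], user, "security log cleared"))
        elif event_id == LOGON_OK and user.lower() in admins:
            kind = LOGON_TYPES.get(int(row["logon_type"] or 0))
            if kind:  # skip service, batch and network logon types
                findings.append((row["time"], row["host"], user, f"{kind} logon"))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE, admins={"alice.adm", "bob.adm"}):
        print(*finding, sep="  ")
```

Because the review runs on the collector's copy, a clear on the server itself still leaves the earlier logons and the clear event available here.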
 
LVL 18

Expert Comment

by:PowerIT
ID: 20318157
And I forgot about one of my favorites, GFI: http://www.gfi.com/eventsmanager/
I have always found the GFI tools easy to use (in a Microsoft only environment).

J.
0
 
LVL 3

Author Comment

by:seandolan
ID: 20323788
I found a way to do this through using an app called EventLogXP. I just take an automatic backup every minute and send it to an FTP location. This is working fine now.

http://www.eventlogxp.com/
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20324486
nice work
0

Question has a verified solution.