?
Solved

Tracking logins securely with Windows Server 2003

Posted on 2007-11-19
8
Medium Priority
?
908 Views
Last Modified: 2013-12-04
I need to find out a way to track all user logins to the console of a Server 2003 system. I need to track any administrator logins from either remote (via Terminal Services) or just a standard login directly to the console.
0
Comment
Question by:seandolan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +1
8 Comments
 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 200 total points
ID: 20316897
you will need to enable auditing on your domain controllers group policy...
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 200 total points
ID: 20317014
0
 
LVL 3

Author Comment

by:seandolan
ID: 20317647
The only problem is that with both processes, the logging can be cleared. If someone was to logon as an administrator they could clear this off without any security getting in their way.
0
Bringing Advanced Authentication to the SMB Market

WatchGuard announces the acquisition of advanced authentication provider, Datablink, with one mission – to bring secure authentication to SMB, mid-market, and distributed enterprises with a cloud-based solution, ideal for resale via their established channel & MSSP community.

 
LVL 18

Assisted Solution

by:PowerIT
PowerIT earned 200 total points
ID: 20318139
The solution for clearing the logs is having them shipped to a central log reporting system.
And closely guarding who has access to that reporting (and log-backup) system.

Consul has (or had) such a system, but they have been recently acquired by IBM. They used to market it as a system to watch the gatekeepers, or something along that line. Don't know the exact status of that software. It's now part of Tivoli, and I'm not sure if it's available seperatly. See http://www-306.ibm.com/software/tivoli/welcome/consul/index.html and check with your IBM reseller.

An alternative is Snare. It uses open source agents to ship the logs, to an open source Snare backlog server. See: http://www.intersectalliance.com/projects/SnareBackLog/index.html
There is also a more extensive appliance-server available for this: the InterSect Alliance 'Snare Server' appliance.

BTW, clearing the event logs always adds a first entry to the logs saying that it has been cleared. So you always know that someone has been tampering. If each administrator has it's own private login and passwords are kept secure, then you also know who did it.

J.
0
 
LVL 18

Expert Comment

by:PowerIT
ID: 20318157
And I forgot about one of my favorites, GFI: http://www.gfi.com/eventsmanager/
I have always found the GFI tools easy to use (in a Microsoft only environment).

J.
0
 
LVL 3

Author Comment

by:seandolan
ID: 20323788
I found a way to do this through using an app call EventLogXP, I just take an automatic backup every minute and send it to an ftp location. This is working fine now.

http://www.eventlogxp.com/
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20324486
nice work
0

Featured Post

Four New Appliances. Same Industry-leading Speeds.

But don't take it from us.  The Firebox M370 is Miercom tested and Miercom approved, outperforming its competitors for stateless and stateful traffic throughput scenarios.  Learn more about the M370, M470, M570 and M670 and find the right solution for your organization today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Suggested Courses
Course of the Month11 days, 15 hours left to enroll

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question