Solved

Setting up Audit Policies in AD on Server 2003.

Posted on 2009-07-15
Last Modified: 2013-12-04
Are there auditing policies to monitor the following:
1. Change of privileges
2. The installation/uninstallation of software
3. When and by whom a certain service is stopped/started
4. Modifying the actual auditing settings

If there are, which policy should I set up for each or how do I go about setting these up?

Also is there a way to secure audit policies so that they cannot be altered?

Thanks!
Question by:sliknick1028
5 Comments
 
LVL 10

Accepted Solution

by:
abraham808 earned 250 total points
ID: 24862345
I think you need a 3rd-party app, like Netpro Change Auditor.

But this could start you in the right direction.
http://www.computerperformance.co.uk/w2k3/gp/group_policy_security_audit.htm

Open Group Policy
4. Under Computer Configuration>Windows Settings>Security Settings>Local Policies>Audit Policy
0
 

Author Comment

by:sliknick1028
ID: 24862469
Yes, I knew about the Auditing Policies in Group Policy but I wanted to know which of the audit policies covered the 4 things that I listed above. I read the "Explain this setting" section for each policy but none of them exactly mentioned anything about the 4. I wanted a more specific answer... for example "Audit account management" will work for "change of privileges" (I know it doesn't; just giving an example)
-Thanks!
0
 
LVL 10

Expert Comment

by:abraham808
ID: 24862599
I think you need a 3rd Party app that does those things.  It's not that cut and dry in Group Policy.
0
 
LVL 6

Assisted Solution

by:naldiian
naldiian earned 250 total points
ID: 24864048
Your list requires enabling all of the options for auditing that are available in 2003, and more importantly you would need to enable enforcement of the audit policies on the member computers of the domain, rather than just the domain controllers - also meaning you would need to capture and review the logs from the actual member servers and workstations where you want to audit these things, as not all of this will involve the domain and may therefore not be logged there.
As far as restricting security for setting these policies, they are restricted to administrators of the involved systems by default, though they can be delegated and may not be limited to admins in a given environment if previously changed. Again, this means domain admins for the domain level, but just local administrators of the workstations and member servers.
The volume of information that is generated in the security logs with this level of auditing, plus the requirement of getting the logs from multiple systems to know the whole picture, does lead to a strong case for using an application solution that can consolidate all of the information and provide ways to present it in usable formats to fit the objectives you have.
0
 

Author Closing Comment

by:sliknick1028
ID: 31603881
abraham808 was first to say that it would require a 3rd party solution, but naldiian spelled it all out for me.   Thanks guys!
0
