Solved

Setting up Audit Policies in AD on Server 2003.

Posted on 2009-07-15
Last Modified: 2013-12-04
Are there auditing policies to monitor the following:
1. Change of privileges
2. The installation/uninstallation of software
3. When and by whom a certain service is stopped/started
4. Modifying the actual auditing settings

If there are, which policy should I set up for each or how do I go about setting these up?

Also is there a way to secure audit policies so that they cannot be altered?

Thanks!
Question by:sliknick1028
5 Comments
 
LVL 10

Accepted Solution

by:
abraham808 earned 1000 total points
ID: 24862345
I think you need a 3rd-party app, like Netpro Change Auditor.

But this could start you in the right direction.
http://www.computerperformance.co.uk/w2k3/gp/group_policy_security_audit.htm

Open Group Policy
4. Under Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
0
 

Author Comment

by:sliknick1028
ID: 24862469
Yes, I knew about the Auditing Policies in Group Policy, but I wanted to know which of the audit policies covered the 4 things that I listed above. I read the "Explain this setting" section for each policy, but none of them exactly mentioned anything about the 4. I wanted a more specific answer... for example "Audit account management" will work for "change of privileges" (I know it doesn't, just giving an example).
-Thanks!
0
 
LVL 10

Expert Comment

by:abraham808
ID: 24862599
I think you need a 3rd Party app that does those things.  It's not that cut and dry in Group Policy.
0
 
LVL 6

Assisted Solution

by:naldiian
naldiian earned 1000 total points
ID: 24864048
Your list requires enabling all of the options for auditing that are available in 2003, and more importantly you would need to enable enforcement of the audit policies on the member computers of the domain, rather than just the domain controllers - also meaning you would need to capture and review the logs from the actual member servers and workstations where you want to audit these things, as not all of this will involve the domain and may therefore not be logged there.
As far as restricting security for setting these policies, they are restricted to administrators of the involved systems by default, though they can be delegated and may not be limited to admins in a given environment if previously changed. Again, this means domain admins for the domain level, but just local administrators of the workstations and member servers.
The volume of information that is generated in the security logs with this level of auditing, plus the requirement of getting the logs from multiple systems to know the whole picture, does lead to a strong case for using an application solution that can consolidate all of the information and provide ways to present it in usable formats to fit the objectives you have.
0
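The consolidation step described in the answer above, as an added example that is not part of any poster's reply: it merges exported event records from a domain controller, a member server and a workstation, keeps the events that bear on the four items in the question, and reports machines that sent nothing. The event IDs are the Windows Server 2003/XP numbering; the pipe-separated record layout, host names and accounts are constructed for illustration.

```python
# (log, source, event ID) -> (topic from the question, what produces the event).
# Windows Server 2003/XP numbering; the Security log's source name is "Security".
RULES = {
    ("Security", "Security", 608): ("privilege change", "Audit policy change"),
    ("Security", "Security", 609): ("privilege change", "Audit policy change"),
    ("Security", "Security", 632): ("privilege change", "Audit account management"),
    ("Security", "Security", 636): ("privilege change", "Audit account management"),
    ("Security", "Security", 612): ("audit settings changed", "Audit policy change"),
    # 7035 records the account that sent the start/stop control to the service.
    ("System", "Service Control Manager", 7035): ("service start/stop", "System log"),
    ("Application", "MsiInstaller", 11707): ("software installed", "Application log, MSI only"),
    ("Application", "MsiInstaller", 11724): ("software removed", "Application log, MSI only"),
}

# Constructed sample; the host|log|source|id|user|time|message layout is an assumption.
SAMPLE = r"""DC01|Security|Security|632|CORP\alice|2009-07-15 09:12:03|Member added to Domain Admins
WKS07|Security|Security|612|WKS07\localadmin|2009-07-15 09:40:11|Audit Policy Change
FS02|System|Service Control Manager|7035|CORP\bob|2009-07-15 10:02:45|Print Spooler was sent a stop control
FS02|Application|MsiInstaller|11724|CORP\bob|2009-07-15 10:05:00|Product: ExampleApp -- Removal completed successfully.
WKS07|Security|Security|538|CORP\carol|2009-07-15 10:06:00|User Logoff
DC01|Security|Security|608|CORP\alice|2009-07-15 08:59:00|User Right Assigned: SeDebugPrivilege
truncated line from a failed export"""

def parse(text):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split("|", 6)
        if len(parts) != 7 or not parts[3].isdigit():
            continue
        yield dict(host=parts[0], log=parts[1], source=parts[2], id=int(parts[3]),
                   user=parts[4], time=parts[5], message=parts[6])

def consolidate(text):
    """Merge relevant events from every host into one time-ordered list."""
    hits = []
    for rec in parse(text):
        rule = RULES.get((rec["log"], rec["source"], rec["id"]))
        if rule:
            hits.append({**rec, "topic": rule[0], "enabled_by": rule[1]})
    # Timestamps are zero-padded YYYY-MM-DD HH:MM:SS, so string order is time order.
    return sorted(hits, key=lambda r: r["time"])

def silent_hosts(text, expected):
    """Hosts that should be reporting but contributed no records at all."""
    return sorted(set(expected) - {rec["host"] for rec in parse(text)})

if __name__ == "__main__":
    for h in consolidate(SAMPLE):
        print(h["time"], h["host"], h["user"], h["topic"], "<-", h["enabled_by"])
    print("no logs from:", silent_hosts(SAMPLE, ["DC01", "FS02", "WKS07", "WKS09"]))
```

The audit policy change on WKS07 and the service stop on FS02 appear only in those machines' own logs, which is why the member systems have to be collected as well as the domain controllers.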
 

Author Closing Comment

by:sliknick1028
ID: 31603881
abraham808 was first to say that it would require a 3rd party solution, but naldiian spelled it all out for me.   Thanks guys!
0

Question has a verified solution.
