How to manage Secure Auditing for Windows 2008R2 Domain Controller

Our CEO wants to enable auditing for the domain controllers (to know, e.g., who has changed some settings of a user account ...).
So we want to secure our Windows security event logs. The goal is that all security events will be logged and NO administrator can delete the log without "backing up" the events on another system.

Some possible Solutions can be:

--- All Windows security event logs will be stored on or forwarded to a secured system, which only a special admin has access to.

--- Only a special admin can delete the security logs on the DC (and before that, he has to back them up ...)

--- All security events are grabbed by an audit system (or forwarded to it)

--- Or another solution, which you perhaps know.

The system or the configuration should be as easy (and cheap) as possible :-).

Thanks for your help
2 Solutions
Mike Kline commented:
I'd look at something like Splunk or other similar solutions.

Windows IT Pro had a buyers guide


Test any solution and make sure it meets your requirements and budget.

One thing you can't prevent is a domain admin/administrator from deleting logs. Persons that have those powerful rights can do whatever they want. (Limit domain admins.)


To continue Mike's advice:
"One thing you can't prevent is a domain admin/administrator from deleting logs"
Right, but this again will be logged!

I would use built-in auditing together with event-triggered actions. Whenever an (account modified) event enters the security log, you can attach an event trigger to it and have it send mails with a certain subject line.
Of course you might say: but those triggers can be shut down, and this mailing service, too...
Right, so those have to be audited, too!

In the end, if you don't fully trust admins, you have a hard time. You can set up auditing for anything, but the logs can be deleted as well. So in the very end, it all depends on someone manually and regularly checking that the logs have not been deleted, and if they have, who did it and why.
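As an added, concrete illustration of the approach above (this is example code written for this page, not the answerer's own script), the PowerShell below does two things on the domain controller: it writes a small handler script that mails recent security events of interest to a mailbox the DC admins do not control, and it registers a scheduled task that fires on those events. It also turns on auditing of scheduled-task changes, so disabling the trigger itself produces an event. Assumptions: the handler path C:\Audit\Send-AuditAlert.ps1, the relay smtp.example.com and the mail addresses are placeholders; the event IDs are the standard Windows security event IDs (1102 = audit log cleared, 4719 = audit policy changed, 4720/4726/4738 = user account created/deleted/changed, 4698-4702 = scheduled task created/deleted/enabled/disabled/updated).

```powershell
# Added example, not from the original answer. Run once, elevated, on the DC.
# Event IDs of interest: the account-change events the question asks about,
# plus the events that show someone tampering with the log or with this trigger.
$ids = 1102, 4719, 4720, 4726, 4738, 4698, 4699, 4700, 4701, 4702

# --- 1. Handler script: mails every matching event from the last 5 minutes ---
$handler = @'
# Send-AuditAlert.ps1 (assumed path C:\Audit\Send-AuditAlert.ps1)
$ids   = 1102, 4719, 4720, 4726, 4738, 4698, 4699, 4700, 4701, 4702
$since = (Get-Date).AddMinutes(-5)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since } `
              -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) { exit 0 }

$body    = $events | Sort-Object TimeCreated |
           Format-List TimeCreated, Id, MachineName, Message | Out-String -Width 200
$subject = '[DC AUDIT] {0} security event(s) on {1}' -f $events.Count, $env:COMPUTERNAME

# Placeholder relay and addresses; the mailbox should belong to the auditor, not to the DC admins.
Send-MailMessage -SmtpServer 'smtp.example.com' -From 'dc-audit@example.com' `
                 -To 'security-auditor@example.com' -Subject $subject -Body $body

# Local copy as well, so a mail outage does not silently lose the alert.
Add-Content -Path 'C:\Audit\alerts.log' -Value ("{0}`t{1}" -f (Get-Date -Format s), $subject)
'@
New-Item -ItemType Directory -Path 'C:\Audit' -Force | Out-Null
Set-Content -Path 'C:\Audit\Send-AuditAlert.ps1' -Value $handler

# --- 2. Event-triggered task: fires whenever one of the IDs lands in the Security log ---
$query = '*[System[(' + (($ids | ForEach-Object { "EventID=$_" }) -join ' or ') + ')]]'
schtasks.exe /Create /F /TN 'Audit\Mail security changes' /SC ONEVENT /EC Security /MO $query /RU SYSTEM `
    /TR 'powershell.exe -NonInteractive -ExecutionPolicy Bypass -File C:\Audit\Send-AuditAlert.ps1'

# --- 3. Audit the trigger itself: task create/delete/enable/disable/update are logged as 4698-4702 ---
auditpol.exe /set /subcategory:"Other Object Access Events" /success:enable /failure:enable
```

Because 1102 (log cleared) and 4701 (task disabled) are in the same filter, an admin who clears the log or switches the task off triggers a mail from that very action, which is the point the answer makes: the deletion cannot be prevented, but it can be made visible to someone else. The handler mails everything from the last five minutes rather than only the single triggering record, so a burst of changes arrives as one message.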