Solved

How to manage Secure Auditing for Windows 2008R2 Domain Controller

Posted on 2013-02-06
Last Modified: 2013-07-01
Hello,
Our CEO wants to enable auditing for the domain controllers (to know who i.e. has changed some settings of a user account ...).
So we want to secure our Windows security event logs. The goal is that all security events will be logged and NO administrator can delete the log without "backing them up" on another system.

Some possible solutions can be:

--- All Windows security event logs will be stored on or forwarded to a secured system, which only a special admin has access to.

--- Only a special admin can delete the security logs on the DC (and before that, he has to back them up ...)

--- All security events are grabbed by an audit system (or forwarded to it)

--- Or another solution, which you perhaps know.

The system or the configuration should be as easy (and cheap) as possible :-).


thanks for your help
John
Question by:JoHaMey
2 Comments

Assisted Solution

by:Mike Kline
Mike Kline earned 300 total points
ID: 38860098
I'd look at something like Splunk or other similar solutions.  

Windows IT Pro had a buyer's guide:

http://www.windowsitpro.com/article/buyers-guide/Buyer-s-Guide-Event-Log-Managers-125280

Test any solution and make sure it meets your requirements and budget.

One thing you can't prevent is a domain admin/administrator from deleting logs.  Persons that have those powerful rights can do whatever they want. (limit domain admins)

Thanks

Mike

Accepted Solution

by:McKnife
McKnife earned 1200 total points
ID: 38862071
To continue Mike's advice:
"One thing you can't prevent is a domain admin/administrator from deleting logs"
Right, but this again will be logged!

I would use built-in auditing together with event-triggered actions. Whenever an (account-modified) event enters the security log, you can attach an event trigger to it and have it send mails with a certain subject line.
Of course you might say: but those triggers can be shut down, this mailing service, too...
Right, so those have to be audited, too!

In the end, if you don't fully trust admins, you have a hard time. You can set up auditing for anything, but the logs can be deleted as well. So in the very end, it all depends on someone manually and regularly controlling that the logs have not been deleted but if so, who did it and why.
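The regular review described in the accepted answer can be scripted; the following is an added example, not code from anyone in this thread. It assumes the standard Security log event IDs 1102 (audit log cleared) and 4738 (user account changed), which the thread does not name, and uses `DC01` as a placeholder host name.

```powershell
# Added example: periodic review of a domain controller's Security log.
# Assumptions (not from the thread): event ID 1102 = "The audit log was cleared",
# 4738 = "A user account was changed"; DC01 is a placeholder host name.
# The account running this needs read access to the remote Security log.
param(
    [string]$ComputerName = 'DC01',
    [int]$Days = 7
)

function Get-EventField {
    # Returns one named field from an event's XML.
    # 4738 stores its fields in EventData/Data[@Name];
    # 1102 stores them under UserData/LogFileCleared.
    param($Event, [string]$Name)
    $xml  = [xml]$Event.ToXml()
    $node = $xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { return $node.'#text' }
    return $xml.Event.UserData.LogFileCleared.$Name
}

$filter = @{
    LogName   = 'Security'
    Id        = 1102, 4738
    StartTime = (Get-Date).AddDays(-$Days)
}
# @() keeps the result an array even when nothing matches.
$events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue)

$report = foreach ($e in $events) {
    if ($e.Id -eq 1102) { $what = 'SECURITY LOG CLEARED'; $target = '' }
    else { $what = 'User account changed'; $target = Get-EventField $e 'TargetUserName' }
    New-Object PSObject -Property @{
        Time   = $e.TimeCreated
        What   = $what
        By     = (Get-EventField $e 'SubjectDomainName') + '\' + (Get-EventField $e 'SubjectUserName')
        Target = $target
    }
}
$report | Sort-Object Time | Select-Object Time, What, By, Target | Format-Table -AutoSize

# After a clear, the first record left in the log is the 1102 event itself,
# so the oldest remaining record shows how far back the log really goes.
$oldest = Get-WinEvent -ComputerName $ComputerName -LogName Security -Oldest -MaxEvents 1
'Oldest record still in the log: {0} (event ID {1})' -f $oldest.TimeCreated, $oldest.Id
```

Running it from a separate system whose account is not under the control of the domain admins, or against forwarded copies of the log, keeps the review itself out of reach of the people being audited.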
