Solved

How to manage Secure Auditing for Windows 2008R2 Domain Controller

Posted on 2013-02-06
2
265 Views
Last Modified: 2013-07-01
Hello,
our CEO wants to enable auditing for the Domain Controllers (to know, who i.e. has changed some Settings of an user account ...)
So we want to secure our Windows security Event logs. The Goal is that all secuity Events will be logged and NO Administrator can delete the log withot "backup" them on another System.

Some possible Solutions can be:

--- All Windows security Event logs will be stored or forwarded to a secured System, wich only a Special Admin has Access to.

--- Only a Special Admin can delete the security logs on the DC (and before, he has to backup them ...)

--- All security Events are grabbed by an Audit System (or forwardet to this)

--- Or another solution, wich you perhaps know.

The System or the configuration should be as easy (and cheap) as possible :-).


thanks for your help
John
0
Comment
Question by:JoHaMey
2 Comments
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 100 total points
Comment Utility
I'd look at something like Splunk or other similar solutions.  

Windows IT Pro had a buyers guide

http://www.windowsitpro.com/article/buyers-guide/Buyer-s-Guide-Event-Log-Managers-125280

Test any solution and make sure it meets your requirements and budget

One thing you can't prevent is a domain admin/administrator from deleting logs.  Persons that have those powerful rights can do whatever they want. (limit domain admins)

Thanks

Mike
0
 
LVL 53

Accepted Solution

by:
McKnife earned 400 total points
Comment Utility
To continue Mike's advice:
"One thing you can't prevent is a domain admin/administrator from deleting logs"
Right, but this again will be logged!

I would use built-in auditing together with eventtriggered actions. Whenever an (account modified-) event enters the security log, you can attach an event trigger to it and have it send mails with a certain subject line.
Of course you might say: but those triggers can be shut down, this mailing service, too...
Right, so those have to be audited, too!

In the end, if you don't fully trust admins, you have a hard time. You can setup auditing for anything, but the logs can be deleted as well. So in the very end, it all depends on someone manually and regularly controlling that the logs have not been deleted but if so, who did it and why.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
It’s a strangely common occurrence that when you send someone their login details for a system, they can’t get in. This article will help you understand why it happens, and what you can do about it.
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now