Solved

How to manage Secure Auditing for Windows 2008R2 Domain Controller

Posted on 2013-02-06
2
272 Views
Last Modified: 2013-07-01
Hello,
our CEO wants to enable auditing for the Domain Controllers (to know, who i.e. has changed some Settings of an user account ...)
So we want to secure our Windows security Event logs. The Goal is that all secuity Events will be logged and NO Administrator can delete the log withot "backup" them on another System.

Some possible Solutions can be:

--- All Windows security Event logs will be stored or forwarded to a secured System, wich only a Special Admin has Access to.

--- Only a Special Admin can delete the security logs on the DC (and before, he has to backup them ...)

--- All security Events are grabbed by an Audit System (or forwardet to this)

--- Or another solution, wich you perhaps know.

The System or the configuration should be as easy (and cheap) as possible :-).


thanks for your help
John
0
Comment
Question by:JoHaMey
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 100 total points
ID: 38860098
I'd look at something like Splunk or other similar solutions.  

Windows IT Pro had a buyers guide

http://www.windowsitpro.com/article/buyers-guide/Buyer-s-Guide-Event-Log-Managers-125280

Test any solution and make sure it meets your requirements and budget

One thing you can't prevent is a domain admin/administrator from deleting logs.  Persons that have those powerful rights can do whatever they want. (limit domain admins)

Thanks

Mike
0
 
LVL 55

Accepted Solution

by:
McKnife earned 400 total points
ID: 38862071
To continue Mike's advice:
"One thing you can't prevent is a domain admin/administrator from deleting logs"
Right, but this again will be logged!

I would use built-in auditing together with eventtriggered actions. Whenever an (account modified-) event enters the security log, you can attach an event trigger to it and have it send mails with a certain subject line.
Of course you might say: but those triggers can be shut down, this mailing service, too...
Right, so those have to be audited, too!

In the end, if you don't fully trust admins, you have a hard time. You can setup auditing for anything, but the logs can be deleted as well. So in the very end, it all depends on someone manually and regularly controlling that the logs have not been deleted but if so, who did it and why.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question