Solved

How to manage Secure Auditing for Windows 2008R2 Domain Controller

Posted on 2013-02-06
2
268 Views
Last Modified: 2013-07-01
Hello,
our CEO wants to enable auditing for the Domain Controllers (to know, who i.e. has changed some Settings of an user account ...)
So we want to secure our Windows security Event logs. The Goal is that all secuity Events will be logged and NO Administrator can delete the log withot "backup" them on another System.

Some possible Solutions can be:

--- All Windows security Event logs will be stored or forwarded to a secured System, wich only a Special Admin has Access to.

--- Only a Special Admin can delete the security logs on the DC (and before, he has to backup them ...)

--- All security Events are grabbed by an Audit System (or forwardet to this)

--- Or another solution, wich you perhaps know.

The System or the configuration should be as easy (and cheap) as possible :-).


thanks for your help
John
0
Comment
Question by:JoHaMey
2 Comments
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 100 total points
ID: 38860098
I'd look at something like Splunk or other similar solutions.  

Windows IT Pro had a buyers guide

http://www.windowsitpro.com/article/buyers-guide/Buyer-s-Guide-Event-Log-Managers-125280

Test any solution and make sure it meets your requirements and budget

One thing you can't prevent is a domain admin/administrator from deleting logs.  Persons that have those powerful rights can do whatever they want. (limit domain admins)

Thanks

Mike
0
 
LVL 54

Accepted Solution

by:
McKnife earned 400 total points
ID: 38862071
To continue Mike's advice:
"One thing you can't prevent is a domain admin/administrator from deleting logs"
Right, but this again will be logged!

I would use built-in auditing together with eventtriggered actions. Whenever an (account modified-) event enters the security log, you can attach an event trigger to it and have it send mails with a certain subject line.
Of course you might say: but those triggers can be shut down, this mailing service, too...
Right, so those have to be audited, too!

In the end, if you don't fully trust admins, you have a hard time. You can setup auditing for anything, but the logs can be deleted as well. So in the very end, it all depends on someone manually and regularly controlling that the logs have not been deleted but if so, who did it and why.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article outlines the process to identify and resolve account lockout in an Active Directory environment.
As a business owner, there are many things that keep you up at night. Profit margins, employee retention, human resource protocols, whether your product or service will remain competitive. When you own or manage a technology company that operates la…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question