Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie

Win Server 2003 - Auditing (Active Directory)

  • 03-05-2011 12:23pm
    #1
    snollup
    Registered Users, Registered Users 2 Posts: 1,464 ✭✭✭


    Hi there,

    We have had a breech of network security in my work and when investigating discovered that the Audit Active Directory Objects was not switched on.

    I am aware the the default setting for this is off. Do most network administrators switch this on?

    Thanks in advance.

    Joe.


Comments

  • #2
    Static M.e.
    Registered Users, Registered Users 2 Posts: 3,088 ✭✭✭Static M.e.


    No easy answer.

    For a Small or even medium sized company I would say No. Anything larger then Yes.

    If someones Job Title is Security Analyst/Engineer/Administrator then it probably should have been on otherwise No.

    My own view is that if you switch it (plus others like it) On and you have no one watching them and/or software to monitor it, collect the logs etc. Then its just a waste of time. Sounds great in theory but fails in practice.


  • #3
    tim9002
    Registered Users Posts: 92 ✭✭tim9002


    May be worth looking at a third party tool that will alert you to specific actions. ManageEngine have a tool called ADAudit Plus that can create alerts for AD change events. Quest/ScriptLogic have some tools in this area also.


  • #4
    jimbob_jones
    Registered Users, Registered Users 2 Posts: 731 ✭✭✭jimbob_jones


    I have used the Quest InTrust for Active Directory, but the licensing is expensive you need to license the server and a client access license too, as well as a license for the SQL server and SQL cals.

    Do you have any monitoring software like System Center Operations Manager or Microsoft Operations Manager 2005 ?

    I have setup alerts that if someone tampers with certain groups etc.. it alerts the Network Admins and Server Admins does the trick.

    Best of luck I now how these things can snowball


  • #5
    Mac daddy
    Registered Users, Registered Users 2 Posts: 2,942 ✭✭✭Mac daddy


    jimbob_jones wrote: »
    I have used the Quest InTrust for Active Directory, but the licensing is expensive you need to license the server and a client access license too, as well as a license for the SQL server and SQL cals.

    +1 for InTrust.
    As Jimbob said the license for it is pretty damm expensive...

    As for enabling the audit objects enabling yes or no really depends.. small business with a handful of users I would say no, larger environments it should be enabled and increase the overall size of your event logs as they will fill up pretty quick with entries.


  • #6
    snollup
    Registered Users, Registered Users 2 Posts: 1,464 ✭✭✭snollup


    Thanks all. As a small enough charity I don't think we could justify a big spend on this. Will have a read up on what's available on a limited budget though.

    Thanks again.


  • Advertisement
  • #7
    Static M.e.
    Registered Users, Registered Users 2 Posts: 3,088 ✭✭✭Static M.e.


    Remember if you are a Charity, you should be getting Charity prices on Microsoft software. Quest might do something for you too


Advertisement