Windows Auditing

Sie Member Posts: 1,195
............
Foolproof systems don't take into account the ingenuity of fools

Comments

  • dynamik Banned Posts: 12,312
    Actually, I think your company's security policy would be the best source to use for determining what you should audit.
  • Sie Member Posts: 1,195
    ............
    Foolproof systems don't take into account the ingenuity of fools
  • Sie Member Posts: 1,195
    ............
    Foolproof systems don't take into account the ingenuity of fools
  • blargoe Member Posts: 4,174
    "What" are you intending to audit? In most cases, you will also have to enable the actual object (an OU, a file directory, or whatever) to be audited and which events to audit as well.

    First, look at your company's security policy. Next, look at the actual requests you might get (for example, a file got deleted or modified in a certain secure area and you need to gather some info). Finally, audit where administratively useful to you. Don't just audit everything or you'll be wasting resources and though space might not be a concern, you could risk having a corrupt or unmanageable log file, which would be totally useless to you.

    b
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • hypnotoad Banned Posts: 915
    So if I wanted to know whenever someone logs on or off a machine on the domain, and I don't care about the rest of it, what should I turn on? These things have always created too much noise for me.
  • dynamik Banned Posts: 12,312
    Account logon and/or logon depending on what you want to monitor.

    Recent thread about the differences: http://techexams.net/forums/viewtopic.php?t=41009
  • Sie Member Posts: 1,195
    ............
    Foolproof systems don't take into account the ingenuity of fools
  • blargoe Member Posts: 4,174
    I would first bump up the size of the security logs a bunch on the DC and enable auditing on all of them to audit logons, and audit logons on any sensitive servers (the local security log would get any hits for local accounts as well as domain accounts), and any server that might have critical data like a file server, but there only selectively audit access to files/folders where necessary. Tweak from there.

    You may want to check the logging on your IIS servers too, depending on what you have on them.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
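    The configuration blargoe describes above (a bigger Security log on the DC plus logon auditing), as an added PowerShell example that is not part of the thread. It uses the granular audit subcategories of Vista/2008 and later: "Logon" corresponds to the "logon" category dynamik mentions, and "Credential Validation" / "Kerberos Authentication Service" to "account logon". The 256 MB size is an assumed value; run it elevated.

```powershell
# Added example (not from the thread): enlarge the Security log on a domain controller and
# enable logon auditing, then show the effective settings. Must run from an elevated prompt.
# Assumed value: 256 MB maximum log size; adjust to your own policy.
$logBytes = 256MB

# Raise the Security log maximum size (retention stays at the default: overwrite oldest events)
wevtutil set-log Security "/maxsize:$logBytes"

# "Logon/Logoff" subcategories: who logged on to this host and how (logon type lives here)
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable

# "Account Logon" subcategories: the DC validating domain credentials (NTLM and Kerberos)
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable

# Verify what is actually in effect
auditpol /get /category:*
wevtutil get-log Security | Select-String -Pattern 'maxSize|retention'
```

    In a domain these settings belong in Group Policy (Advanced Audit Policy Configuration) so they survive policy refresh; running auditpol locally is fine for checking what events you get before you commit to a policy.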
  • hypnotoad Banned Posts: 915
    What would be really cool is to get an email any time somebody logs on a DC locally or by RDP. Sounds like a job for some unknown third-party application.
  • Sie Member Posts: 1,195
    ............
    Foolproof systems don't take into account the ingenuity of fools
  • blargoe Member Posts: 4,174
    hypnotoad wrote:
    What would be really cool is to get an email any time somebody logs on a DC locally or by RDP. Sounds like a job for some unknown third-party application.

    This is actually very easy to set up in something like SCOM, if you know what the audited logon types mean. Alert on all successful logon events of logon type 10 on your domain controllers. Probably want to grab logon type 2 (interactive logon) as well.

    Logon types
    http://www.ultimatewindowssecurity.com/logontypes.html
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
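    The alert blargoe outlines (mail on every logon type 10 or type 2 to a DC) done without SCOM, as an added PowerShell example that is not part of the thread. It reads Security event 4624 ("An account was successfully logged on", Vista/2008 and later; on Server 2003 the equivalent is event 528), pulls LogonType out of the event XML and mails a summary. The SMTP server, addresses and 15-minute window are assumed values; schedule it with Task Scheduler on each DC.

```powershell
# Added example (not from the thread): mail a summary of interactive (type 2) and
# RDP (type 10) logons recorded on this domain controller in the last N minutes.
# Assumed values: SMTP relay and addresses below are placeholders; 4624 requires Vista/2008+.
param(
    [int]$LookbackMinutes = 15,
    [string]$SmtpServer = 'smtp.example.local',
    [string]$To = 'secops@example.local',
    [string]$From = 'dc-audit@example.local'
)

$since = (Get-Date).AddMinutes(-$LookbackMinutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
    -ErrorAction SilentlyContinue   # no matching events raises an error; treat as "nothing to report"

$hits = foreach ($e in $events) {
    # EventData is a list of named <Data> elements; turn it into a hashtable for easy lookup
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Type 2 = interactive (console), type 10 = RemoteInteractive (RDP); see the logon types page above
    if ($d['LogonType'] -in @('2', '10')) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            LogonType   = $d['LogonType']
            User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            SourceIP    = $d['IpAddress']
            Workstation = $d['WorkstationName']
        }
    }
}

if ($hits) {
    $body = $hits | Sort-Object Time | Format-Table -AutoSize | Out-String
    Send-MailMessage -SmtpServer $SmtpServer -To $To -From $From `
        -Subject "DC logon alert: $(@($hits).Count) interactive/RDP logon(s) on $env:COMPUTERNAME" `
        -Body $body
}
```

    Network logons (type 3) are deliberately left out because every client talking to the DC generates them; that is the noise hypnotoad complains about. Filtering on logon type rather than on the bare event ID is what keeps the alert readable.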
  • blargoe Member Posts: 4,174
    Sie wrote:
    That would be useful in some circumstances and I'm sure that wouldn't be too hard to do.

    Another question for you all.

    You can only pick one:

    Success or Failure.

    Would you rather know when someone has changed something or when they are trying to?

    Take account management or system event for example.

    Do you want to know when Joe Bloggs has added himself to the admin group or deleted the sec log, or just when he tries to?

    Success would show you when the threat was real and is happening / happened.

    Yet failure would show you and warn you before it happened.....

    Just a random thought while I have been going through all this!

    Only being able to pick one doesn't make any sense to me, if it's that critical to keep track of that resource then you gotta log both success and failure. If forced to pick only one, I'd log successes and rely on my security and recovery processes I guess, that way you'd at least be able to track down exactly when the offending event happened.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • Sie Member Posts: 1,195
    ............
    Foolproof systems don't take into account the ingenuity of fools