Not sure about any audit policy allowing for logging of specific
attribute changes, but the rest of the things you specified should be
available, depending on both your audit policy as well as configuring
auditing on your servers.  You also need to be aware that the
permissions changes auditing is not 100% accurate - we have this enabled
and configured right now, but it is impossible to decipher when an event
is logged regarding permissions actually being changed, and when it is
because someone with rights to change permissions just viewed the
permissions of a file/folder.  They are both logged under the same event
ID :(

As far as AD changes, as long as you are using a product to collect all
the logs to a central location, it is going to be a function of what
reporting the product provides, as well as knowing your event IDs
for what you are looking for.  What you have listed is just a start.
Are you also looking at collecting logs from network devices?  Do you
have a price point you are looking for?  How many servers (DCs and
other servers) are you looking to log against?  What kind of reporting
are you hoping for (automatically emailed reports, web interface, etc.)?
Do you want a product that can send you alerts?  Are you just looking at
reporting on servers?

GFI may be one of the lower-priced options for your requirements,
depending on the number of devices you want to collect against, as well
as the number of events per second you think are going to be logged.  I
think enVision and LogLogic would be at the upper tier, but may also
offer more functionality regarding event capture capabilities.  GFI says
their scanning engine can collect up to 6 million events/hr, but that
only translates to 1667 events/second.  We have had times where our
events per second has spiked at over 9000 before (including firewall
logs), but have spiked over 5000 with server logs.

Sorry for the long-winded reply - feel free to contact me off-list if
you want more details on what we currently capture and our experiences
with log management.

James Winzenz
Infrastructure Engineer - Security
Pulte Homes Information Services


-----Original Message-----
From: Ziots, Edward [mailto:[EMAIL PROTECTED] 
Posted At: Friday, January 04, 2008 9:04 AM
Posted To: NTSysadmin
Conversation: Documentation, Restore and snapshoting of Server
permissions software question
Subject: Documentation, Restore and snapshoting of Server permissions
software question


To the list, 

After much angst and nagging, I have been given the go-ahead to take a
look into software that will do the following. For those with experience
in using software to cover these areas and others, please feel free to
chime in on what has worked well for you and your staffs.

I need the software to do the following. 

1) Snapshot the NTFS/Share permissions on a server-by-server basis over
time, to assist in recovery if my helpdesk, etc. steps on the
permissions and causes issues with the servers. (I believe ScriptLogic
and Security Explorer and a few others in this realm I have seen but not
played with personally.)

2) Eventlog management tools to track, alert, manage and archive logs to
a SQL Database or other remote medium for auditing and compliance. I can
see this with both agent-based and non-agent-based deployments. (GFI,
SMS, MOM, Configuresoft, Netpro, Quest, etc.?) I am looking to track
the following: AD changes, modifications, down to an attribute level,
server permission changes, additions, deletes at the file and folder
level, with a nice reporting mechanism accordingly, to get proactive
with this. (Also, it's an internal audit recommendation.)

Feel free to chime in on the good/bad/ugly of the situation. 

Z
