Have you looked into using the Audit Collection Services piece of SCOM? I
think ACS could be valuable for security event reporting and forensics use.

-Malcolm

From: James Rankin [mailto:kz2...@googlemail.com] 
Sent: Tuesday, July 27, 2010 15:41
To: NT System Admin Issues
Subject: Re: Auditing in Windows 2008 and R2 what are folks doing?

I'm mainly interested in account lockouts, logons attempted under things
like built-in administrator accounts, high numbers of logon failures, and
any attempts to modify security policies and/or protected groups (such as
local admins, domain admins, server ops, and the like). We've also got
certain areas where file access is audited.

I use SCOM to try and aggregate the events for me. This is quite handy, as
it also monitors things like failed su to root on our ESX servers and other
stuff outside of the Windows event logging arena.

On 27 July 2010 20:15, Ziots, Edward <ezi...@lifespan.org> wrote:

Hey gang, well I wanted to ask the group, what is everyone doing about their
audit policies on Windows 2008 R2 for domain controllers or member servers?

I have mapped out all the audit categories and sub-categories, and events,
but I don't want the logs to turn into soup, so kinda wanted to see what
others were doing for which categories and subcategories they turned on
auditing for. Would be nice to bounce some ideas off about certain events.
(Already plowed through M$ site descriptions, the Microsoft Security Resource
Kit and Randy Franklin Smith's Eventlog site.)

Feel free to post here, or if you like catch me offline, love to hear the
feedback. After this it's on to Firewall rules accordingly for the servers
and either scripting or GPOing that out for a baseline.

Z

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email: ezi...@lifespan.org

Cell: 401-639-3505

-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."
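
As an added illustration (not code from anyone in this thread): the event classes James lists above, and the subcategory choice Edward is asking about, expressed as an auditpol baseline plus a Security-log query. Subcategory names are the English auditpol names, event IDs are the standard Security log IDs, and the failed-logon threshold of 10 is an assumed value.

```powershell
# Added example, not from the thread. Enables only the audit subcategories that
# cover lockouts, logons, audit-policy changes and protected-group changes, then
# pulls those events from the Security log. Threshold of 10 failures is assumed.

# 1. Enable only the subcategories of interest (run from an elevated prompt).
#    Caveat: legacy category settings pushed by GPO override these unless
#    "Audit: Force audit policy subcategory settings" is enabled in the policy.
$subcategories = @(
    'Logon',                     # 4624 success / 4625 failure
    'Account Lockout',           # 4740 account locked out
    'Audit Policy Change',       # 4719 system audit policy changed
    'Security Group Management'  # 4728/4732/4756 member added to a group
)
foreach ($sub in $subcategories) {
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable
}

# 2. Pull the last 24 hours of those events from the Security log.
$since  = (Get-Date).AddHours(-24)
$ids    = 4624, 4625, 4740, 4719, 4728, 4732, 4756
$filter = @{ LogName = 'Security'; Id = $ids; StartTime = $since }
# SilentlyContinue: Get-WinEvent raises an error when no events match.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# Properties[5] is TargetUserName for both 4624 and 4625.
$logons = $events | Where-Object { $_.Id -eq 4624 -or $_.Id -eq 4625 }

# Accounts with more than 10 failed logons in the window (a lockout precursor).
$logons | Where-Object { $_.Id -eq 4625 } |
    ForEach-Object { $_.Properties[5].Value } |
    Group-Object | Where-Object { $_.Count -gt 10 } |
    Sort-Object Count -Descending | Format-Table Name, Count -AutoSize

# Any logon attempt, successful or not, under the built-in Administrator name.
$logons | Where-Object { $_.Properties[5].Value -eq 'Administrator' } |
    Select-Object TimeCreated, Id, MachineName | Format-Table -AutoSize

# Lockouts, audit-policy changes and protected-group membership changes.
$events | Where-Object { (4740, 4719, 4728, 4732, 4756) -contains $_.Id } |
    Select-Object TimeCreated, Id, Message | Format-List
```

The Where-Object script-block form is used throughout so the script also runs on the PowerShell 2.0 that ships with 2008 R2.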
