You would be surprised.

 

But for auditing I am providing the verification of the security controls on
the systems; unfortunately, searching each server I need to look into one
by one is proving almost fruitless these days. From what I remember from the
last time I read HIPAA, there is little guidance in this regard. I will
probably re-read SP800-66 (NIST guidance for the implementation of the HIPAA
Security Rule) and see if I can pick out some sections that will bolster the
case.

 

Like I said, I've been asking for event log management for 5+ yrs; it never
makes it to budget, just like vulnerability management and a few other choice
items. They are running around Meaningful Use now, and that will consume all
the given time for the next few years.

 

Wonder why I want to move over to the security side of stuff... the old
hat is getting pretty annoying atm...

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org

Cell:401-639-3505
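The server-by-server search described above can at least be scripted until a
real log management tool makes it into budget. The script below is an added
example, not code from the thread or anything Lifespan ran; the hostnames are
placeholders and the event IDs are the standard Windows Server 2008 R2 security
IDs for the events James Rankin lists further down (logon failures, lockouts,
audit policy changes, additions to security groups). It assumes you are a local
admin on the targets and that the "Remote Event Log Management" firewall rule
group is allowed inbound on each server.

```powershell
# Added example, not code from the thread. Pulls a handful of security events
# from several servers over RPC with Get-WinEvent and summarises them.
# Assumptions: local admin on each target, "Remote Event Log Management"
# firewall rules allowed inbound there, and placeholder server names below.
# Syntax is kept PowerShell 2.0 compatible for a 2008 R2 era box.

$servers = 'DC01', 'DC02', 'FS01'        # placeholder hostnames
$since   = (Get-Date).AddHours(-24)

# Security event IDs (Windows Server 2008 R2) for what the thread asks about.
# 4624 (successful logon) is left out on purpose: on a DC it is the "soup".
$eventIds = @{
    4625 = 'Logon failure'
    4740 = 'Account locked out'
    4719 = 'System audit policy changed'
    4728 = 'Member added to global security group'
    4732 = 'Member added to local security group'
    4756 = 'Member added to universal security group'
}

$results = foreach ($server in $servers) {
    try {
        $filter = @{ LogName = 'Security'; Id = [int[]]($eventIds.Keys); StartTime = $since }
        Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            # The interesting fields live in the EventData part of the event XML
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            New-Object PSObject -Property @{
                Server      = $server
                Time        = $_.TimeCreated
                Id          = $_.Id
                Description = $eventIds[$_.Id]
                TargetUser  = $data['TargetUserName']   # account acted upon
                Subject     = $data['SubjectUserName']  # account doing it
                SourceIp    = $data['IpAddress']        # 4625 only
                Member      = $data['MemberName']       # 47xx group events only
            }
        }
    } catch {
        # Get-WinEvent raises "No events were found" as an error; treat it as empty
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$server : $($_.Exception.Message)"
        }
    }
}

# Failed logons and lockouts per target account, worst first
$results | Where-Object { 4625, 4740 -contains $_.Id } |
    Group-Object TargetUser | Sort-Object Count -Descending |
    Select-Object Count, Name -First 20

# Anything touching the built-in Administrator account
$results | Where-Object { $_.TargetUser -eq 'Administrator' } |
    Format-Table Server, Time, Description, Subject, SourceIp -AutoSize

# Changes to protected groups: who added whom to what
$results | Where-Object { 4728, 4732, 4756 -contains $_.Id } |
    Format-Table Server, Time, Description, Subject, Member -AutoSize

# Keep the raw rows so the next "find me X" request is a Select, not a findstr
$results | Export-Csv -Path .\security-events.csv -NoTypeInformation
```

Run it from a box that can reach the servers over RPC (TCP 135 plus the dynamic
range); if a server refuses the connection, the warning names it and the loop
carries on with the rest. The CSV at the end is the poor man's archive: keep a
dated copy per run, because the Security log on a busy DC will have rolled over
long before an auditor asks for last quarter.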

 

From: Free, Bob [mailto:r...@pge.com] 
Sent: Wednesday, July 28, 2010 3:49 PM
To: NT System Admin Issues
Subject: RE: Auditing in Windows 2008 and R2 what are folks doing?

 

I find it hard to fathom that you can pass an external audit w/o some
kind of formal log mgmt especially given your sector.

 

From: Ziots, Edward [mailto:ezi...@lifespan.org] 
Sent: Wednesday, July 28, 2010 12:39 PM
To: NT System Admin Issues
Subject: RE: Auditing in Windows 2008 and R2 what are folks doing?

 

Naa, it's far harder than that. I think someone said we can dump the event
logs via PowerShell, but I hope EventCombMT still works when I need to get
something. Either that or I am going to have to bug MGMT again about a
dedicated event log management tool.

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org

Cell:401-639-3505

 

From: James Rankin [mailto:kz2...@googlemail.com] 
Sent: Wednesday, July 28, 2010 3:36 PM
To: NT System Admin Issues
Subject: Re: Auditing in Windows 2008 and R2 what are folks doing?

 

Tough gig then. Looks like you're going to be doing a lot of creative
stuff with dumpel.exe and the findstr command :-)

On 28 July 2010 13:06, Ziots, Edward <ezi...@lifespan.org> wrote:

I don't have SCOM. I wish I had some event log auditing solution; I've been
asking for 5+ yrs, and all it ever falls on is deaf ears....

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email: ezi...@lifespan.org

Cell:401-639-3505

 

From: Malcolm Reitz [mailto:malcolm.re...@live.com]
Sent: Tuesday, July 27, 2010 6:29 PM
To: NT System Admin Issues
Subject: RE: Auditing in Windows 2008 and R2 what are folks doing?

 

Have you looked into using the Audit Collection Services piece of SCOM?
I think ACS could be valuable for security event reporting and forensics
use.

 

-Malcolm

 

From: James Rankin [mailto:kz2...@googlemail.com] 
Sent: Tuesday, July 27, 2010 15:41
To: NT System Admin Issues
Subject: Re: Auditing in Windows 2008 and R2 what are folks doing?

 

I'm mainly interested in account lockouts, logons attempted under things
like built-in administrator accounts, high numbers of logon failures,
and any attempts to modify security policies and/or protected groups
(such as local admins, domain admins, server ops, and the like). We've
also got certain areas where file access is audited.

I use SCOM to try and aggregate the events for me. This is quite handy,
as it also monitors things like failed su to root on our ESX servers and
other stuff outside of the Windows event logging arena.

On 27 July 2010 20:15, Ziots, Edward <ezi...@lifespan.org> wrote:

Hey gang, I wanted to ask the group: what is everyone doing about their
audit policies on Windows 2008 R2 for domain controllers or member
servers?

 

I have mapped out all the audit categories, subcategories, and events, but
I don't want the logs to turn into soup, so I kinda wanted to see what
others were doing: which categories and subcategories they turned on
auditing for. It would be nice to bounce some ideas around about certain
events. (Already plowed through the M$ site descriptions, the Microsoft
Security Resource Kit and Randy Franklin Smith's event log site.)

 

Feel free to post here, or if you like catch me offline; I'd love to hear
the feedback. After this it's on to firewall rules for the servers and
either scripting or GPOing that out for a baseline.

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email: ezi...@lifespan.org

Cell:401-639-3505

 

 




-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put
into the machine wrong figures, will the right answers come out?' I am
not able rightly to apprehend the kind of confusion of ideas that could
provoke such a question."

 

 

 

 

 

 




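For the audit policy question that started the thread: on Windows Server 2008
R2 the subcategories can be set per server with auditpol.exe, or pushed by GPO
under Advanced Audit Policy Configuration. The script below is an added
example, not code from the thread; the enable/disable choices are one
illustrative member-server baseline, not a recommendation from anyone on the
list, and the subcategory names are the English names auditpol uses. It
assumes an elevated prompt on 2008 R2 or later.

```powershell
# Added example, not code from the thread. Sets a member-server audit baseline
# with auditpol.exe subcategories and reads back what is actually in force.
# Assumptions: run elevated on Windows Server 2008 R2 (or later); the
# enable/disable choices are illustrative, not a recommendation from the list.
# Prerequisite: turn on "Audit: Force audit policy subcategory settings
# (Windows Vista or later) to override audit policy category settings",
# otherwise a legacy nine-category GPO can silently undo all of this.

$baseline = @(
    #  subcategory                      success    failure
    @('Credential Validation',          'enable',  'enable'),
    @('Logon',                          'enable',  'enable'),
    @('Logoff',                         'enable',  'disable'),
    @('Account Lockout',                'enable',  'enable'),
    @('Special Logon',                  'enable',  'disable'),   # admin-equivalent logons
    @('User Account Management',        'enable',  'enable'),
    @('Security Group Management',      'enable',  'enable'),    # protected group changes
    @('Audit Policy Change',            'enable',  'enable'),
    @('Authentication Policy Change',   'enable',  'disable'),
    @('Security State Change',          'enable',  'enable'),
    @('System Integrity',               'enable',  'enable'),
    @('Sensitive Privilege Use',        'disable', 'disable'),   # floods the log
    @('Process Creation',               'disable', 'disable')    # useful, but soup on a busy box
)

foreach ($entry in $baseline) {
    $name, $success, $failure = $entry
    & auditpol.exe /set /subcategory:"$name" /success:$success /failure:$failure | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol could not set '$name'" }
}

# Read back the effective policy; /r emits CSV, so it parses directly.
# The blank-line filter guards against an empty first line in auditpol's output.
$inForce = auditpol.exe /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv
$inForce | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

# Flag any baseline entry that did not stick (typically overwritten by GPO)
foreach ($entry in $baseline) {
    $name, $success, $failure = $entry
    $expected = switch ("$success/$failure") {
        'enable/enable'  { 'Success and Failure' }
        'enable/disable' { 'Success' }
        'disable/enable' { 'Failure' }
        default          { 'No Auditing' }
    }
    $row = $inForce | Where-Object { $_.Subcategory -eq $name }
    if (-not $row) {
        Write-Warning "no auditpol row for '$name'"
    } elseif ($row.'Inclusion Setting' -ne $expected) {
        Write-Warning "'$name' is '$($row.'Inclusion Setting')', expected '$expected'"
    }
}
```

For domain controllers add at least failure auditing on Kerberos
Authentication Service and Kerberos Service Ticket Operations, and Directory
Service Changes if AD object changes need to be reconstructed later. The
read-back at the end is the check worth keeping: a local auditpol setting is
only what the box does until the next Group Policy refresh, so whatever the
baseline ends up being, put it in the GPO under Computer Configuration >
Policies > Windows Settings > Security Settings > Advanced Audit Policy
Configuration and use the script to verify, not to deploy.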

 

 

 

 

 

 
