They are also in cleartext which always bothers me with authentication logs, I can often correlate passwords to user IDs by looking at failed logins in DC logs where the user accidentally puts their password in the user name box. It appears way more often than some might think, especially when a lot of disparate systems with slightly different login interfaces use AD for authN.
From: Ken Schaefer [mailto:k...@adopenstatic.com] Sent: Thursday, July 29, 2010 1:50 AM To: NT System Admin Issues Subject: RE: Auditing in Windows 2008 and R2 what are folks doing? We are implementing this in an even bigger environment. However syslog runs over UDP (natively) and it's not reliable. You'd need to use software that gives you more reliability (e.g. by sending the traffic over TCP) if you need this to produce reliable log files centrally. Cheers Ken From: Ziots, Edward [mailto:ezi...@lifespan.org] Sent: Thursday, 29 July 2010 3:50 AM To: NT System Admin Issues Subject: RE: Auditing in Windows 2008 and R2 what are folks doing? 800+ servers to a syslog? Plus going to have to put agents on every single server in the domain? Really haven't used Syslog much for the windows event logging Z Edward E. Ziots CISSP, Network +, Security + Network Engineer Lifespan Organization Email:ezi...@lifespan.org Cell:401-639-3505 From: Andrew S. Baker [mailto:asbz...@gmail.com] Sent: Wednesday, July 28, 2010 3:48 PM To: NT System Admin Issues Subject: Re: Auditing in Windows 2008 and R2 what are folks doing? EventCombMT still works... :) Why not export all the logs to SysLog, and spend a few tiny dollars on searching those logs? * Syslog servers are cheap/free. * Syslog forwarders for Windows are cheap/free. * Tools to search consolidated logs range from free to exorbitant. See Splunk on both accounts. :) Once you have established the value of log parsing and management, you'll have a slightly better chance of procuring some funds. -ASB: http://XeeSM.com/AndrewBaker On Wed, Jul 28, 2010 at 3:38 PM, Ziots, Edward <ezi...@lifespan.org> wrote: Naa its far harder than that, I think someone said we can dump the event logs via powershell, but using EventCombMT when I need to get something I hope still works. Either that or I am going to have to bug MGMT again about a dedicated eventlog management tool. Z Edward E. Ziots CISSP, Network +, Security + Network Engineer Lifespan Organization Email:ezi...@lifespan.org <mailto:email%3aezi...@lifespan.org> Cell:401-639-3505 From: James Rankin [mailto:kz2...@googlemail.com] Sent: Wednesday, July 28, 2010 3:36 PM To: NT System Admin Issues Subject: Re: Auditing in Windows 2008 and R2 what are folks doing? Tough gig then. Looks like you're going to be doing a lot of creative stuff with dumpel.exe and the findstr command :-) On 28 July 2010 13:06, Ziots, Edward <ezi...@lifespan.org> wrote: I don't have SCOM, I wish I had some event log auditing solution, been asking for 5+ yrs, and all it ever falls on is deaf ears.... Z Edward E. Ziots CISSP, Network +, Security + Network Engineer Lifespan Organization Email:ezi...@lifespan.org <mailto:email%3aezi...@lifespan.org> Cell:401-639-3505 From: Malcolm Reitz [mailto:malcolm.re...@live.com] Sent: Tuesday, July 27, 2010 6:29 PM To: NT System Admin Issues Subject: RE: Auditing in Windows 2008 and R2 what are folks doing? Have you looked in to using the Audit Collection Services piece of SCOM? I think ACS could be valuable for security event reporting and forensics use. -Malcolm From: James Rankin [mailto:kz2...@googlemail.com] Sent: Tuesday, July 27, 2010 15:41 To: NT System Admin Issues Subject: Re: Auditing in Windows 2008 and R2 what are folks doing? I'm mainly interested in account lockouts, logons attempted under things like built-in administrator accounts, high numbers of logon failures, and any attempts to modify security policies and/or protected groups (such as local admins, domain admins, server ops, and the like). We've also got certain areas where file access is audited. I use SCOM to try and aggregate the events for me. This is quite handy, as it also monitors things like failed su to root on our ESX servers and other stuff outside of the Windows event logging arena. On 27 July 2010 20:15, Ziots, Edward <ezi...@lifespan.org> wrote: Hey gang, well I wanted to ask the group, what is everyone doing about their audit policies on Windows 2008 R2 for domain controllers or member servers. I have mapped out all the audit categories and sub-categories, and events, but I don't want the logs to turn into soup, so kinda wanted to see what others were doing for which categories and subcategories they turned on auditing for. Would be nice to bounce some ideas off about certain events. ( Already plowed through M$ site descriptions, the Microsoft Security Resource Kit and Randy Franklin Smith's Eventlog site) Feel free to post here, or if you like catch me offline, love to hear the feedback. After this its on to Firewall rules accordingly for the servers and either scripting or GPOing that out for a baseline. Z Edward E. Ziots CISSP, Network +, Security + Network Engineer Lifespan Organization Email:ezi...@lifespan.org <mailto:email%3aezi...@lifespan.org> Cell:401-639-3505 -- "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question." -- "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question." ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
