[ActiveDir] OT: DNS entry

2006-08-04 Thread James Carter
We had a static server DNS entry deleted over the weekend.

Is there any way to find out who deleted this entry? This is a Windows 2003 R2 server/domain.

Thanks,

James

RE: [ActiveDir] OT: DNS entry

2006-08-04 Thread neil.ruston



If the zone is stored in BIND (text) format then you'll struggle.

If it's stored in AD and auditing is enabled, then an event should exist in the Security event log on the DC which received the delete request.

Do you have an enterprise security monitoring system?

neil


PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.





Re: [ActiveDir] OT: DNS entry

2006-08-04 Thread Paul Williams



If you've got the necessary auditing enabled in your domain, and you had auditing ACEs configured on the DNS zone (location depends; generally you'd set it on the CN=MicrosoftDNS folder) then yes, you can. But you'll have to search each DC's security event log for this info.

Otherwise, you can't get this info. You can check the whenChanged attribute on the tombstoned record for a rough idea of when the deletion occurred and try to move from there by looking at logon events, again if you have auditing enabled.

If you're not using AD-Integrated DNS, then none of the above will really help.

--Paul

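An added example, not part of Paul's post or of any tool he names, of the whenChanged check he suggests. It is written in PowerShell with the ActiveDirectory module, which did not exist in 2006 and is assumed here together with the container DN. It also reads the replication metadata of the tombstone flag, which tells you which DC originated the change and therefore which DC's Security log to search first; on Windows 2003 the same metadata comes from repadmin /showobjmeta.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT,
# Windows Server 2012 or later for Get-ADReplicationAttributeMetadata) and
# zones stored in the domain NC as in Neil's ADSI Edit steps.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
# Legacy (Windows 2000-style) location. Zones replicated to the application
# partitions live under "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN" instead.
$dnsContainer = "CN=MicrosoftDNS,CN=System,$domainDN"

# A record deleted through the DNS console or dnscmd is not deleted from AD:
# the DNS server sets dNSTombstoned=TRUE on the dnsNode and rewrites dnsRecord.
# The object lingers until the DNS server garbage-collects it, so it is still
# queryable for a while.
$tombstoned = Get-ADObject -SearchBase $dnsContainer -SearchScope Subtree `
    -LDAPFilter '(&(objectClass=dnsNode)(dNSTombstoned=TRUE))' `
    -Properties whenChanged, dNSTombstoned

$dc = (Get-ADDomainController).HostName

foreach ($node in $tombstoned) {
    # whenChanged is not replicated: each DC stamps it locally when the write
    # is applied, so it is only a rough time. Replication metadata carries the
    # originating time and the DC that accepted the write, i.e. the DC whose
    # Security log holds the audit event (if a SACL was in place).
    $meta = Get-ADReplicationAttributeMetadata -Object $node.DistinguishedName `
        -Server $dc -Properties dNSTombstoned
    $flag = $meta | Where-Object AttributeName -eq 'dNSTombstoned'

    [pscustomobject]@{
        Record        = $node.DistinguishedName
        WhenChanged   = $node.whenChanged
        TombstonedAt  = $flag.LastOriginatingChangeTime
        OriginatingDC = $flag.LastOriginatingChangeDirectoryServerIdentity
    }
}
```

The originating DC is the one to check first, since the Security log entry for a directory write is only ever written on the DC that processed the LDAP operation. The tombstoned object disappears once the DNS server's tombstone interval expires, so run this soon after the deletion.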


Re: [ActiveDir] OT: DNS entry

2006-08-04 Thread HBooGz
hey guys,

could you point me to an article on how to set up auditing for DNS modifications and overall domain auditing?

i've done auditing on the desktop level, just wondering what's changed..
 
 
 


-- HBooGz:\> 


RE: [ActiveDir] OT: DNS entry

2006-08-07 Thread neil.ruston



That's a huge subject; a useful link is here:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/bpguide/part1/adsecp1.mspx

I'll give steps to audit DNS objects:

Using adsiedit:
1. Navigate to CN=MicrosoftDNS,CN=System (in the domain NC)
2. Right click, choose Properties, then select the Security tab and click Advanced
3. Select the Auditing tab
4. Click Add... and add group Everyone
5. Select "Apply onto" and choose "dnsZone objects"
6. Select 'Write all properties' Failed and 'Write all properties' Success
7. Click OK
8. Repeat steps 4 to 7 for object type dnsNode
9. Click OK, OK to close property sheets

The above will audit all writes to zone objects and DNS records which are stored in AD itself.

As stated previously, if the zones are stored as text files, then there is little that can be audited.

hth,
neil






RE: [ActiveDir] OT: DNS entry

2006-08-07 Thread James Carter
Neil,

Are there any risks in carrying out your change listed below, or is it a straightforward procedure?

I don't think I have this enabled; if I do, would that mean in the future if a DNS record is deleted this can be traced?

We use MOM here; is this something I could use?

thanks

Jim

RE: [ActiveDir] OT: DNS entry

2006-08-07 Thread neil.ruston



 

Neil,

Are there any risks in carrying out your change listed below, or is it a straightforward procedure?

[Neil Ruston] The steps merely add SACL entries to DNS objects. That will certainly result in more security events and a slight overhead on the DCs, but you need to weigh that against the risk of *not* auditing this type of change. As usual, it depends upon your environment and your requirements.

I don't think I have this enabled; if I do, would that mean in the future if a DNS record is deleted this can be traced?

[Neil Ruston] Yes, if the zone is stored in AD.

We use MOM here; is this something I could use?

[Neil Ruston] MOM is aimed at systems monitoring whilst this thread deals with security monitoring. MS don't have an app in that space (yet) although other vendors do. NetPro, NetIQ and Quest are the usual suspects here. These vendors offer tools that help with tracing changes (or 'forensic analysis', to use the correct parlance :)

thanks

Jim

  

RE: [ActiveDir] OT: DNS entry

2006-08-07 Thread James Carter
Neil,

thanks for your response; would you say the best way for me to view the audits would be from the Event Viewer console?

Jim

RE: [ActiveDir] OT: DNS entry

2006-08-07 Thread ai-chung_chong








With a large number of events registered in the security log, it will be more efficient if you use EventComb to extract the relevant log entries that you need.

Regards,

Ai Chung

 









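An added example, not from the thread and not EventComb: a PowerShell sweep of every DC's Security log for the events the SACL from Neil's steps produces, which is the "search each DC's security event log" step Paul and Ai Chung describe. It assumes Windows Server 2008 or later DCs, where a directory object modification is event 5136 and a deletion is 5141 under the Directory Service Changes subcategory (enable it with auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable); the Windows 2003 DCs in this thread log event 566 under "Audit directory service access" instead, so the ID filter would change. It also assumes the account can read the Security log on each DC remotely.

```powershell
# Added example, not from the thread. Assumes Windows Server 2008+ DCs
# (event 5136 = directory object modified, 5141 = directory object deleted)
# and remote read access to each DC's Security log.
Import-Module ActiveDirectory

$dcs   = (Get-ADDomainController -Filter *).HostName
$since = (Get-Date).AddDays(-7)

# A record deleted via the DNS console shows up as a 5136 that sets
# dNSTombstoned=TRUE on the dnsNode. A 5141 on a dnsNode is the later garbage
# collection by the DNS server or a raw delete in ADSI Edit.
$filter = @{ LogName = 'Security'; Id = 5136, 5141; StartTime = $since }

$hits = foreach ($dc in $dcs) {
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when a DC has zero matching events; move on.
        Write-Warning "$dc : $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($d.ObjectClass -notin @('dnsNode', 'dnsZone')) { continue }
        # For 5136 keep only the tombstone flip; other attribute writes on
        # dnsNode are routine dynamic-update churn.
        if ($e.Id -eq 5136 -and
            -not ($d.AttributeLDAPDisplayName -eq 'dNSTombstoned' -and $d.AttributeValue -eq 'TRUE')) {
            continue
        }

        [pscustomobject]@{
            Time    = $e.TimeCreated
            DC      = $dc
            EventId = $e.Id
            Who     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object  = $d.ObjectDN
        }
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize
```

The Who column is the security principal the DNS server impersonated for the LDAP write, so an administrator deleting through the DNS console appears under their own account, while scavenging and other housekeeping by the DNS service appear under the DC's computer account. Narrow $since once you know the rough time from the tombstoned object's whenChanged, since a busy DC's Security log can hold millions of 5136 events.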

RE: [ActiveDir] OT: DNS entry

2006-08-07 Thread Marcus.Oh








I've been looking to do this too... but specifically for records without a TTL. In other words, I want to capture static records only since dynamic will constantly change. Any ideas?

 






RE: [ActiveDir] OT: DNS entry

2006-08-08 Thread neil.ruston

At a high level, I'd look to create a filter within the sec mon tool, such that objects updated by their owners were trapped in a different way to those not changed by the owner.

I'd ensure the tool used / purchased was capable of meeting any requirements.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 08 August 2006 05:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: DNS entry

I've been looking to do this too... but specifically for records w/out a TTL. In other words, I want to capture static records only since dynamic will constantly change. Any ideas?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, August 07, 2006 9:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: DNS entry

Neil,

Are there any risks by carrying out your change listed below or is it a straight forward procedure?

[Neil Ruston] The steps merely add SACL entries to DNS objects - that will certainly result in more security events and a slight overhead on the DCs but you need to weigh that against the risk of *not* auditing this type of change. As usual, it depends upon your environment and your requirements.

I don't think I have this enabled, if I do would that mean in the future if a DNS record is deleted this can be traced?

[Neil Ruston] Yes, if the zone is stored in AD.

We use MOM here, is this something I could use?

[Neil Ruston] MOM is aimed at systems monitoring whilst this thread deals with security monitoring. MS don't have an app in that space (yet) altho other vendors do. NetPro, NetIQ and Quest are the usual suspects here. These vendors offer tools that help with tracing changes (or 'forensic analysis', to use the correct parlance :)

thanks

Jim

[EMAIL PROTECTED] wrote:

  That's a huge subject, a useful link is here:
  http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/bpguide/part1/adsecp1.mspx

  I'll give steps to audit DNS objects:

  using adsiedit
  1. Navigate to CN=MicrosoftDNS,CN=System (in the domain NC)
  2. Right click, choose Properties, then select the Security tab and click Advanced
  3. Select the Auditing tab
  4. Click Add... and add group Everyone
  5. Select "Apply onto" and choose "dnsZone objects"
  6. Select 'Write all properties' Failed and 'Write all properties' Success
  7. Click OK
  8. Repeat steps 4 to 7 for object type dnsNode
  9. Click OK, OK to close property sheets

  The above will audit all writes to zone objects and DNS records which are stored in AD itself.

  As stated previously, if the zones are stored as text files, then there is little that can be audited.

  hth,
  neil


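Neil's nine adsiedit steps above, written as an added PowerShell example (not code from the thread) that uses the ActiveDirectory module's AD: drive; the module, Get-ADRootDSE, Get-ADObject, Get-Acl -Audit and Set-Acl are assumed to be available, and the audit policy prerequisite is stated in the comments.

```powershell
# Added example, not from the thread: Neil's adsiedit steps done with the
# ActiveDirectory module and its AD: drive. Audits 'Write all properties'
# (Success and Failure) for Everyone, applied onto dnsZone and dnsNode
# objects below CN=MicrosoftDNS,CN=System.
# Assumptions: the module is installed, the caller may write SACLs, and the
# DC audit policy "Audit directory service access" is enabled for Success
# and Failure; without that policy the SACL produces no events at all.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$dnsRoot = "CN=MicrosoftDNS,CN=System,$($rootDse.defaultNamingContext)"

# The schemaIDGUID of each class is the "Apply onto" (inherited object type).
$classGuid = @{}
foreach ($cls in 'dnsZone', 'dnsNode') {
    $schemaObj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$cls)" -Properties schemaIDGUID
    $classGuid[$cls] = [guid]::new([byte[]]$schemaObj.schemaIDGUID)
}

$everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')

# -Audit is required: without it the SACL is neither read nor written back.
$acl = Get-Acl -Path "AD:\$dnsRoot" -Audit
foreach ($cls in $classGuid.Keys) {
    $rule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
        $everyone,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AuditFlags]'Success, Failure',
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $classGuid[$cls])
    $acl.AddAuditRule($rule)
}
Set-Acl -Path "AD:\$dnsRoot" -AclObject $acl

# Read the SACL back. A record deleted through the DNS console is written to
# AD as a tombstoned dnsNode (dNSTombstoned / dnsRecord change), so it falls
# under the WriteProperty entry rather than an LDAP delete.
(Get-Acl -Path "AD:\$dnsRoot" -Audit).GetAuditRules($true, $false,
        [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $classGuid.Values -contains $_.InheritedObjectType } |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritedObjectType
```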
RE: [ActiveDir] OT: DNS entry

2006-08-08 Thread neil.ruston

er, no :) if you have more than 1 DC, then the task becomes too convoluted.

Use a 3rd party sec mon and auditing tool. I mentioned several vendors below.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter
Sent: 07 August 2006 17:08
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: DNS entry

Neil,

thanks for your response, would you say the best way for me to view the audits would be from the Event Viewer console?

Jim

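Paul's point that each DC's security log has to be searched, and Neil's remark above that this gets convoluted with more than one DC, as an added PowerShell example (not from the thread) that gathers the resulting events from every DC in one pass; Get-DnsObjectAuditEvents, the use of event ID 4662 and the reading of its named fields are my assumptions and go beyond the Windows 2003 setup the thread discusses.

```powershell
# Added example, not from the thread: gather the directory service access
# events produced by the DNS SACL from every DC and keep only those that
# touch the MicrosoftDNS container, so a deletion can be tied to an account
# without opening Event Viewer on each DC in turn.
# Assumptions: Windows Server 2008 or later DCs (event ID 4662; Windows
# Server 2003 logs the same operation as ID 566 and has no Get-WinEvent),
# remote Security log read access, and the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-DnsObjectAuditEvents {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        [string]$Container = 'CN=MicrosoftDNS,CN=System'
    )
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $Since }
        foreach ($e in $events) {
            # Read fields by name from the event XML instead of by position.
            $data = @{}
            foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            # ObjectName carries the DN of the object that was accessed.
            if ($data['ObjectName'] -notlike "*$Container*") { continue }
            [pscustomobject]@{
                Time       = $e.TimeCreated
                DC         = $dc
                Account    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Object     = $data['ObjectName']
                AccessMask = $data['AccessMask']
                Properties = $data['Properties']   # GUIDs of the attributes written
                Outcome    = if ($e.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' }
            }
        }
    }
}

# Writes to DNS objects in the last week, oldest first. The Account and Time
# of the write to the tombstoned dnsNode answer the original question.
Get-DnsObjectAuditEvents | Sort-Object Time | Format-Table -AutoSize
```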