RE: [ActiveDir] Service Account Logging/Tracking

2006-04-23 Thread joe



If you just care about interactive auths, you can use a logon script to write the logon time/date/wherefrom to some file or DB. If you need every type of auth (file share connection, LDAP binds, runas, etc.), then you will need to enable auditing and pull the logs from all DCs.

joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Friday, April 21, 2006 10:34 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Service Account Logging/Tracking


What's the recommended method for tracking service account logins? We keep a pretty tight rein on service accounts and their passwords, but in some cases we have to provide the passwords to our customers (in this case, customers are other government organizations that we support) for use in their applications. Essentially we just want to know if someone logs into a PC or a server with a service account. We don't want a bunch of people using a service account to gain access to resources, especially if it's an account with elevated privileges.

Thanks,

Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573


  
  
ITS ENTERPRISE SERVICES EMAIL NOTICE

The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.


Re: [ActiveDir] Service Account Logging/Tracking

2006-04-22 Thread Matheesha Weerasinghe
eventcombmt is OK but logparser is better as it can parse saved logs. Eventcombmt is for active logs only.

M@

On 4/22/06, mike kline [EMAIL PROTECTED] wrote:

You have to turn on auditing in order to track logon events. Once you turn auditing on you can then search your security event logs for that logon event.


When you go to set auditing you will see two settings: Audit account logon events and Audit logon events. There is a good blog entry about the differences between the two settings and what they mean.
http://blogs.msdn.com/ericfitz/archive/2005/08/04/447934.aspx

We set both for success, failure (per NSA guidelines). We save our logs daily on the servers and on our workstations we overwrite older events so that disk space doesn't become a huge issue. 

Once you have the events in the log you can search through them using a tool like Eventcomb

http://www.microsoft.com/downloads/details.aspx?FamilyId=9989D151-5C55-4BD3-A9D2-B95A15C73E92&displaylang=en
Eventcomb can be found within this download. 

You can search for EventID 528 and specify the service account to narrow the search.

When you say an account with elevated privileges, what kind of privileges are you talking about? Hopefully not a domain admin account.

Thanks
Mike





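A defender-side check built on what joe and Mike describe above (an added example, not code from the thread or any of its posters): once auditing is on and the DC logs have been pulled and exported to CSV, filter the 528 events down to the service accounts and, if all you care about is someone sitting down at a PC or server with the account, down to the interactive logon types. It assumes a `svc_` naming prefix and a LogParser-style CSV layout; the sample rows are constructed.

```python
"""Service-account logon search over a CSV export of the Security log.

Added example, not from the thread. Assumes an export (e.g. LogParser -i:EVT
-o:CSV) with columns EventID, TimeGenerated, Strings; Strings is the event's
insertion strings joined by '|', which for 528 run User Name, Domain, Logon ID,
Logon Type, Logon Process, Authentication Package, Workstation Name.
"""
import csv
import io

SUCCESSFUL_LOGON = 528          # the event id the thread says to search for
SUCCESSFUL_NETWORK_LOGON = 540  # Windows 2003 records share/LDAP-style logons here

# Logon Type of event 528; 2 and 10 mean a console or RDP session, i.e. what
# "logs into a PC or a server" means in the thread. Others are non-interactive.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive"}
INTERACTIVE_TYPES = {2, 10}

# Constructed sample export (accounts, hosts and logon ids are made up).
SAMPLE_CSV = """EventID,TimeGenerated,Strings
528,2006-04-21 09:12:03,"jclay|METRO|(0x0,0x3E7A)|2|User32|Negotiate|WKS-0142"
528,2006-04-21 09:15:44,"svc_backup|METRO|(0x0,0x4A11)|5|Advapi|Negotiate|FS01"
528,2006-04-21 09:20:10,"svc_backup|METRO|(0x0,0x4B20)|2|User32|Negotiate|WKS-0077"
540,2006-04-21 09:21:00,"svc_sql|METRO|(0x0,0x4C01)|3|Kerberos|Kerberos|FS01"
528,2006-04-21 09:30:55,"svc_sql|METRO|(0x0,0x4D12)|10|User32|Negotiate|TS01"
"""

def parse_logons(csv_text, event_ids=frozenset({SUCCESSFUL_LOGON})):
    """Yield one dict per row whose EventID is in event_ids."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        if int(row["EventID"]) not in event_ids:
            continue
        f = row["Strings"].split("|")
        yield {"time": row["TimeGenerated"], "user": f[0].lower(), "domain": f[1],
               "logon_type": int(f[3]), "workstation": f[6]}

def service_account_logons(csv_text, prefix="svc_", interactive_only=False,
                           event_ids=frozenset({SUCCESSFUL_LOGON})):
    """Logons by prefix-named accounts; interactive_only keeps console/RDP only."""
    hits = []
    for ev in parse_logons(csv_text, event_ids):
        if not ev["user"].startswith(prefix):
            continue
        if interactive_only and ev["logon_type"] not in INTERACTIVE_TYPES:
            continue
        ev["logon_type_name"] = LOGON_TYPES.get(ev["logon_type"], "Unknown")
        hits.append(ev)
    return hits
```

Passing `event_ids={528, 540}` widens the search to the network logons that Windows 2003 records under 540, which is where a file share connection made with the account would show up rather than under 528.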

Re: [ActiveDir] Service Account Logging/Tracking

2006-04-22 Thread Matheesha Weerasinghe
My bad. Just saw the option to check saved logs too. Sorry

M@

On 4/22/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

eventcombmt is OK but logparser is better as it can parse saved logs. Eventcombmt is for active logs only.

Re: [ActiveDir] Service Account Logging/Tracking

2006-04-22 Thread Kamlesh Parmar
I will add something... logparser... amazing utility... (if you know a little bit of scripting) http://www.logparser.com

logparser can be scripted... moreover you can parse the description field and extract the exact detail... and if you know how to use the template option of it... it could create a nice html report too. and of course once the file is ready it can be picked up and sent to admins through mail.

-Kamlesh
~Be the change you want to see in the World~

On 4/22/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

eventcombmt is OK but logparser is better as it can parse saved logs. Eventcombmt is for active logs only.

M@
[ActiveDir] Service Account Logging/Tracking

2006-04-21 Thread Clay, Justin (ITS)








What's the recommended method for tracking service account logins? We keep a pretty tight rein on service accounts and their passwords, but in some cases we have to provide the passwords to our customers (in this case, customers are other government organizations that we support) for use in their applications. Essentially we just want to know if someone logs into a PC or a server with a service account. We don't want a bunch of people using a service account to gain access to resources, especially if it's an account with elevated privileges.



Thanks,



Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573










