|
Monitor the Administrator
Hi, 2 security concerns.

First: How to make sure even your Administrator cannot alter any log files and audit policy?

Second: Any good tool which can easily track changes in your Active Directory, like a user has been added to or removed from a group, or permissions have been modified in folders or files?

Thanks 4 your time & effort
|
Hi, I can not help you, but just wanted to ask a question, if you do not mind. I have never used a newsgroup before and was reading about them and read that you have to sign up for them and configure your email to accept newsgroup messages. While on this MS site, I do not see anywhere that says you have to sign up or do anything besides click on "post" or "reply" etc. I wrote to someone else earlier and got the mail back as undeliverable. Then I noticed that the person, like many others, did not put their email address on their post like you did. So, I am guessing that if there is no email address, the person replies to the post and it looks like a new post on the screen. If an address is given the replier can respond the same way or email the person privately. Am I correct in my assumptions? Is there anything else I should know about this? If you have posted many times before, do you usually get responses? Thanks for helping, I appreciate it!

Linda

>-----Original Message-----
> Hi, 2 security concerns.
> First: How to make sure even your Administrator cannot alter any log files and audit policy?
> Second: Any good tool which can easily track changes in your Active Directory, like a user has been added to or removed from a group, or permissions have been modified in folders or files?
>
> Thanks 4 your time & effort
|
You can't realistically restrict an administrator. You can monitor events by auditing, though an administrator can clear the security log, which in itself will leave an event, and a malicious administrator could modify the security log. While it is a good idea to audit, you really need to trust people that are administrators, and in W2K for AD, delegation can be used to do most things without making a user an administrator.

See the link below on auditing. For starts it is a good idea to at least audit account logon events and account management on domain controllers, logon events on servers and domain workstations. --- Steve

http://www.microsoft.com/technet/security/guidance/secmod144.mspx

"Mail Man" wrote in message news:2753502d.0407130101.6fbc8114@posting.google.com...
> Hi, 2 security concerns.
> First: How to make sure even your Administrator cannot alter any log files and audit policy?
> Second: Any good tool which can easily track changes in your Active Directory, like a user has been added to or removed from a group, or permissions have been modified in folders or files?
>
> Thanks 4 your time & effort
|
Hi Linda,
this is not an MS site, it is a Google newsgroup, and for me, when I need to post, it asks me to enter my email and password.

I tried to put in a fake email to avoid spam, but it did not work because they send you a verification link to your email. Hope that answers your question. Thanks for passing by.

"Linda" wrote in message news:<2b21401c468bd$1d1b90f0$a601280a@phx.gbl>...
> Hi, I can not help you, but just wanted to ask a question, if you do not mind. I have never used a newsgroup before and was reading about them and read that you have to sign up for them and configure your email to accept newsgroup messages. While on this MS site, I do not see anywhere that says you have to sign up or do anything besides click on "post" or "reply" etc. I wrote to someone else earlier and got the mail back as undeliverable. Then I noticed that the person, like many others, did not put their email address on their post like you did. So, I am guessing that if there is no email address, the person replies to the post and it looks like a new post on the screen. If an address is given the replier can respond the same way or email the person privately. Am I correct in my assumptions? Is there anything else I should know about this? If you have posted many times before, do you usually get responses? Thanks for helping, I appreciate it! Linda
> >-----Original Message-----
> > Hi, 2 security concerns.
> > First: How to make sure even your Administrator cannot alter any log files and audit policy?
> > Second: Any good tool which can easily track changes in your Active Directory, like a user has been added to or removed from a group, or permissions have been modified in folders or files?
> >
> > Thanks 4 your time & effort
|
Hi Steven,
Thanks for your help, and if I understood you correctly, the Admin password must be kept with a non-IT person after we delegated all activity to be done in AD to other accounts.

"Steven L Umbach" wrote in message news:...
> You can't realistically restrict an administrator. You can monitor events by auditing, though an administrator can clear the security log, which in itself will leave an event, and a malicious administrator could modify the security log. While it is a good idea to audit, you really need to trust people that are administrators, and in W2K for AD, delegation can be used to do most things without making a user an administrator.
>
> See the link below on auditing. For starts it is a good idea to at least audit account logon events and account management on domain controllers, logon events on servers and domain workstations. --- Steve
>
> http://www.microsoft.com/technet/security/guidance/secmod144.mspx
>
> "Mail Man" wrote in message news:2753502d.0407130101.6fbc8114@posting.google.com...
> > Hi, 2 security concerns.
> > First: How to make sure even your Administrator cannot alter any log files and audit policy?
> > Second: Any good tool which can easily track changes in your Active Directory, like a user has been added to or removed from a group, or permissions have been modified in folders or files?
> >
> > Thanks 4 your time & effort
|
Mail Man wrote:
> Hi Linda,
> this is not an MS site, it is a Google newsgroup, and for me, when I need to post, it asks me to enter my email and password.
>
> I tried to put in a fake email to avoid spam, but it did not work because they send you a verification link to your email. Hope that answers your question. Thanks for passing by.

Hi
Actually, it is a Microsoft newsgroup hosted on Microsoft servers (but replicated with other non-Microsoft news servers around the world).
It is only when posting through Google you need a valid e-mail address.
--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of the 1328 page Scripting Guide:
http://www.microsoft.com/technet/community/scriptcenter/default.mspx
|
Lanwench [MVP - Exchange]

Hire only admins you can trust. Enable security auditing. Set up both "regular user" and "admin equivalent" passwords for all network admins, and make sure they use their regular user accounts for most of their work. Don't give anyone the 'real' domain admin credentials.

Mail Man wrote:
> Hi, 2 security concerns.
> First: How to make sure even your Administrator cannot alter any log files and audit policy?
> Second: Any good tool which can easily track changes in your Active Directory, like a user has been added to or removed from a group, or permissions have been modified in folders or files?
>
> Thanks 4 your time & effort
|
What I mean is that it is best to keep the number of administrators to a minimum of trusted people and take advantage of AD delegation to do tasks that can be done by a non-administrator instead of giving that person admin powers. I don't necessarily agree with keeping the admin passwords with non-IT people, as there will be times where that will be a problem and you need to have a few people you can trust with the domain. --- Steve

"Mail Man" wrote in message news:2753502d.0407132129.156aaf90@posting.google.com...
> Hi Steven,
> Thanks for your help, and if I understood you correctly, the Admin password must be kept with a non-IT person after we delegated all activity to be done in AD to other accounts.
>
> "Steven L Umbach" wrote in message news:...
> > You can't realistically restrict an administrator. You can monitor events by auditing, though an administrator can clear the security log, which in itself will leave an event, and a malicious administrator could modify the security log. While it is a good idea to audit, you really need to trust people that are administrators, and in W2K for AD, delegation can be used to do most things without making a user an administrator.
> >
> > See the link below on auditing. For starts it is a good idea to at least audit account logon events and account management on domain controllers, logon events on servers and domain workstations. --- Steve
> >
> > http://www.microsoft.com/technet/security/guidance/secmod144.mspx
> >
> > "Mail Man" wrote in message news:2753502d.0407130101.6fbc8114@posting.google.com...
> > > Hi, 2 security concerns.
> > > First: How to make sure even your Administrator cannot alter any log files and audit policy?
> > > Second: Any good tool which can easily track changes in your Active Directory, like a user has been added to or removed from a group, or permissions have been modified in folders or files?
> > >
> > > Thanks 4 your time & effort
|
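An added example, not part of any post in this thread: the replies above note that clearing the security log itself leaves an event and recommend auditing account management, so this sketch reviews exported Security events for log clears, audit policy changes and group membership changes. The sample XML, account names and host are constructed, and the event IDs are those of current Windows versions, an assumption since the thread names none.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Event IDs used by current Windows versions (assumption; not named in the thread).
WATCHED = {1102: "security log cleared", 4719: "audit policy changed",
           4728: "member added to global group", 4729: "member removed from global group",
           4732: "member added to local group", 4733: "member removed from local group",
           4756: "member added to universal group", 4757: "member removed from universal group"}

# Constructed sample: three exported Security events wrapped in a root element.
X = 'xmlns="http://schemas.microsoft.com/win/2004/08/events/event"'
SAMPLE = f"""<Events>
<Event {X}><System><EventID>4728</EventID>
 <TimeCreated SystemTime="2024-05-01T09:14:02Z"/></System><EventData>
 <Data Name="MemberName">CN=Temp User,OU=Staff,DC=example,DC=test</Data>
 <Data Name="TargetUserName">Domain Admins</Data>
 <Data Name="SubjectUserName">adm-carol</Data></EventData></Event>
<Event {X}><System><EventID>4624</EventID><TimeCreated SystemTime="2024-05-01T09:15:40Z"/>
 </System><EventData><Data Name="TargetUserName">adm-carol</Data></EventData></Event>
<Event {X}><System><EventID>1102</EventID>
 <TimeCreated SystemTime="2024-05-01T09:20:31Z"/></System><UserData>
 <LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
 <SubjectUserName>adm-carol</SubjectUserName></LogFileCleared></UserData></Event>
</Events>"""

def fields(event):  # flatten one event: named <Data> items plus leaf elements with text
    out = {}
    for el in event.iter():
        name = el.get("Name") or el.tag.rsplit("}", 1)[-1]
        if len(el) == 0 and el.text and el.text.strip():
            out[name] = el.text.strip()
    return out

def review(xml_text):
    """Return (time, event id, actor, detail) for each watched event, oldest first."""
    findings = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        f = fields(ev)
        eid = int(f["EventID"])
        if eid in WATCHED:
            when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
            detail = WATCHED[eid]
            if "MemberName" in f:  # group change: who was added or removed, and where
                detail += f": {f['MemberName']} -> {f.get('TargetUserName', '?')}"
            findings.append((when, eid, f.get("SubjectUserName", "?"), detail))
    return sorted(findings)

if __name__ == "__main__":
    print(*review(SAMPLE), sep="\n")
```

In the constructed sample the same account adds a member to Domain Admins and then clears the log six minutes later; the ordinary logon event in between is ignored.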