[logs] Auditing on Win2k Domain Controller

From: Tina Bird (tbird@precision-guesswork.com)
Date: Tue Oct 09 2001 - 13:06:01 PDT


    I finally figured it out!  Having worked with Win2k Professional
    and Windows NT, I thought I just needed to configure the Local
    Security Policy audit settings for the Win2k domain controller.
    But that's not true.  Here's what it took:
    
    Control Panel --> Administrative Tools
    
    Open "Active Directory Users and Computers"
    
    Select "Domain Controllers" - Go to the Actions toolbar item,
    and select "Properties"
    
    Go to the Group Policy Tab, and select "Default Domain
    Controllers Policy" (or whichever Domain Controllers Policy
    is used within your environment)
    
    Click on the "Edit" button.
    
    Then select Computer Configuration --> Windows Settings -->
    Security Settings --> Local Policies --> Audit Policy
    
    Put a checkmark in whichever audit policies you want to
    enable, close the window.  At this point I rebooted, but
    mostly because it was a Windows box, not because it told
    me to.  One of the documents I was reading yesterday said
    that without the reboot, it would take five minutes for
    the domain controller to notice its new policy.
    
    For a stand-alone system, you can perform the same task
    by going to the Control Panel, opening "Administrative
    Tools," Local Security Policy, Local Policies, Audit Policy.
    
    If the machine is a member of a domain but not a domain
    controller, the domain's audit policy takes precedence.
    
    Other notes on audit categories and event descriptions are
    available at 
    
    http://kubarb.phsx.ukans.edu/~tbird/windows-logging.html
    
    which will shortly be linked from the main Log Analysis 
    site.
    
    *whew* tbird
    
    "I was being patient, but it took too long." - 
                                    Buffy the Vampire Slayer
    
    LogAnalysis: http://kubarb.phsx.ukans.edu/~tbird/log-analysis.html
    VPN:  http://kubarb.phsx.ukans.edu/~tbird/vpn.html
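
The audit settings chosen in the Group Policy editor steps above are stored in the policy's security template (GptTmpl.inf under SYSVOL), in an `[Event Audit]` section with one key per category (0 = no auditing, 1 = success, 2 = failure, 3 = both). The following Python is an added example, not part of the original message: it parses that section and separates "No auditing" from "Not defined", using a constructed sample template.

```python
# Added example: review the [Event Audit] section of a security template.
# SAMPLE_INF is constructed for illustration, not taken from a real domain.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPolicyChange = 1
AuditAccountManage = 3
AuditAccountLogon = 2
; AuditPrivilegeUse, AuditProcessTracking, AuditDSAccess are not defined here
[Version]
signature="$CHICAGO$"
Revision=1
"""

CATEGORIES = ["AuditSystemEvents", "AuditLogonEvents", "AuditObjectAccess",
              "AuditPrivilegeUse", "AuditPolicyChange", "AuditAccountManage",
              "AuditProcessTracking", "AuditDSAccess", "AuditAccountLogon"]
MEANING = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}

def parse_event_audit(text):
    """Return {key: int} for the [Event Audit] section of a template."""
    settings, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INF comment
            continue
        if line.startswith("["):                  # a new section begins
            in_section = line.lower() == "[event audit]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = int(value.strip())
    return settings

def report(text):
    """Map every category to its setting; absent keys are 'Not defined'."""
    found = parse_event_audit(text)
    return {c: MEANING.get(found[c], "Unknown value") if c in found
            else "Not defined" for c in CATEGORIES}

def gaps(text):
    """Categories this template does not turn on (0 or not defined)."""
    return [c for c, s in report(text).items()
            if s in ("No auditing", "Not defined")]

if __name__ == "__main__":
    for category, setting in report(SAMPLE_INF).items():
        print(f"{category:22} {setting}")
```

Real GptTmpl.inf files are usually UTF-16 encoded, so read them with `open(path, encoding="utf-16")` before passing the text in. A category reported as "Not defined" is not set by this policy at all, which is different from one explicitly set to 0.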
    
    
    


