How do you audit your systems?

Ross

Hi everyone,

I'm just looking for some advice from everyone here on what kind of events
you guys audit? We have a distributed IT team and more often than not if
someone fails to follow change control procedure then it's difficult to tell
what change has been made and the logs aren't always that useful. So my
question is what kind of things do your enterprises audit? For example,
changes to group policy. At what level? For example, 'default domain policy'
has been changed or 'this particular policy' has been changed. How do you
aggregate that information? For example, proactively through SCOM 07 or MOM
or retroactively via event manager's logs.

Thanks in advance for your suggestions.

Best wishes,

Ross.
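One way to get the 'this particular policy has been changed, by whom, and when' level that the question asks for, as an added example that is not code from anyone in this thread. It assumes Windows Server 2008 or later with the Directory Service Changes audit subcategory enabled and a SACL on the CN=Policies container that audits writes, so every edit to a GPO's groupPolicyContainer object is written to the domain controller's Security log as event 5136; the script then reduces those events to one record per GPO edit and flags edits by accounts that are not on an approved list or that fall outside a change window. The XML records, account names, GUID of the custom GPO and domain are constructed sample data in the layout that `wevtutil qe Security /f:xml` exports, not real logs. Windows Server 2003 domain controllers do not write 5136 (directory access there is event 566 with a different layout), so this parser does not apply to them.

```python
"""Extract Group Policy Object (GPO) edits from exported Security-log events.

Added example, not from the original thread. Assumes Windows Server 2008+
with Directory Service Changes auditing on, so GPO edits arrive as event
5136. All sample records below are constructed, not real logs.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

# GUIDs of the two GPOs every domain has; any other GUID is reported as-is
# (a real deployment would resolve it via the object's displayName).
KNOWN_GPOS = {
    "31B2F340-016D-11D2-945F-00C04FB984F9": "Default Domain Policy",
    "6AC1786C-016F-11D2-945F-00C04FB984F9": "Default Domain Controllers Policy",
}
# OperationType values event 5136 uses for attribute edits.
OPERATIONS = {"%%14674": "value added", "%%14675": "value deleted"}
GUID_RE = re.compile(r"CN=\{([0-9A-Fa-f-]{36})\}")


def _event(event_id, time_utc, fields):
    """Build one Security-log record in the exported XML layout (constructed)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{EVT_NS}"><System>'
            '<Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{time_utc}"/>'
            '<Computer>dc01.corp.example</Computer></System>'
            f'<EventData>{data}</EventData></Event>')


def _gpo_event(time_utc, corr, user, dn, attr, value, op):
    """A constructed 5136 record for one attribute value touched on a GPO."""
    return _event(5136, time_utc, {
        "OpCorrelationID": corr, "SubjectUserName": user, "SubjectDomainName": "CORP",
        "DSName": "corp.example", "ObjectDN": dn, "ObjectClass": "groupPolicyContainer",
        "AttributeLDAPDisplayName": attr, "AttributeValue": value, "OperationType": op})


_DDP = "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example"
_CUSTOM = "CN={8B4D2F7A-3C1E-4A9B-9D6F-2E5C7A1B3D4E},CN=Policies,CN=System,DC=corp,DC=example"
_OP1, _OP2 = "{0F1E2D3C-0001-4000-8000-000000000001}", "{0F1E2D3C-0002-4000-8000-000000000002}"

SAMPLE_EVENTS = [
    # Vendor on-call account bumps the Default Domain Policy version at 02:17 UTC.
    # One edit = two 5136 records (old value deleted, new value added), same correlation ID.
    _gpo_event("2008-03-12T02:17:44.031250000Z", _OP1, "vendor-oncall", _DDP, "versionNumber", "5", "%%14675"),
    _gpo_event("2008-03-12T02:17:44.031250000Z", _OP1, "vendor-oncall", _DDP, "versionNumber", "6", "%%14674"),
    # Internal admin registers a client-side extension on a custom GPO at 10:05 UTC.
    _gpo_event("2008-03-12T10:05:12.500000000Z", _OP2, "jsmith", _CUSTOM, "gPCMachineExtensionNames",
               "[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]", "%%14674"),
    # Noise the filter must ignore: a 5136 on a user object and a 4624 logon.
    _event(5136, "2008-03-12T10:06:00.000000000Z", {
        "SubjectUserName": "jsmith", "SubjectDomainName": "CORP", "ObjectClass": "user",
        "ObjectDN": "CN=Jane Doe,OU=Staff,DC=corp,DC=example",
        "AttributeLDAPDisplayName": "telephoneNumber", "AttributeValue": "1234", "OperationType": "%%14674"}),
    _event(4624, "2008-03-12T10:07:00.000000000Z", {"TargetUserName": "jsmith", "LogonType": "3"}),
]


def parse_event(xml_text):
    """Flatten one exported event into a dict of its System and EventData fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    rec = {"EventID": int(system.findtext("e:EventID", namespaces=NS)),
           "TimeCreated": system.find("e:TimeCreated", NS).get("SystemTime")}
    event_data = root.find("e:EventData", NS)
    if event_data is not None:
        for d in event_data.findall("e:Data", NS):
            rec[d.get("Name")] = d.text or ""
    return rec


def gpo_changes(xml_events):
    """One record per LDAP write to a GPO: events sharing an OpCorrelationID
    come from the same write, so an old/new value pair collapses to one edit."""
    changes = {}
    for xml_text in xml_events:
        ev = parse_event(xml_text)
        if ev["EventID"] != 5136 or ev.get("ObjectClass") != "groupPolicyContainer":
            continue
        m = GUID_RE.search(ev.get("ObjectDN", ""))
        guid = m.group(1).upper() if m else ev.get("ObjectDN", "")
        rec = changes.setdefault(ev.get("OpCorrelationID") or ev["TimeCreated"], {
            "gpo": KNOWN_GPOS.get(guid, guid), "guid": guid,
            "who": f'{ev.get("SubjectDomainName", "")}\\{ev.get("SubjectUserName", "")}',
            # SystemTime has 100 ns precision; keep whole seconds and treat as UTC.
            "when": datetime.strptime(ev["TimeCreated"][:19], "%Y-%m-%dT%H:%M:%S"),
            "attributes": []})
        rec["attributes"].append((ev.get("AttributeLDAPDisplayName", ""),
                                  OPERATIONS.get(ev.get("OperationType"), ev.get("OperationType", "")),
                                  ev.get("AttributeValue", "")))
    return list(changes.values())


def flag_unapproved(changes, approved_accounts, work_hours=(8, 18)):
    """Flag edits by accounts not on the approved list or outside the change window."""
    approved = {a.lower() for a in approved_accounts}
    start, end = work_hours
    flagged = []
    for c in changes:
        reasons = []
        if c["who"].lower() not in approved:
            reasons.append("account not on the approved GPO editor list")
        if not start <= c["when"].hour < end:
            reasons.append(f"outside the {start:02d}:00-{end:02d}:00 UTC change window")
        if reasons:
            flagged.append({**c, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for c in flag_unapproved(gpo_changes(SAMPLE_EVENTS), {"CORP\\jsmith"}):
        print(f'{c["when"]:%Y-%m-%d %H:%M} {c["who"]} edited "{c["gpo"]}": {"; ".join(c["reasons"])}')
        for attr, op, value in c["attributes"]:
            print(f"    {attr}: {op} {value}")
```

To run this against real data, export the domain controllers' Security logs (or the forwarded copies on a collector, which is where MOM/SCOM or ACS would already have them) with `wevtutil qe Security /q:"*[System[EventID=5136]]" /f:xml` and feed the records to `gpo_changes`. The correlation on OpCorrelationID matters: without it a single GPO save looks like several unrelated events, and the attribute that always moves is versionNumber, which is also what tells you a policy was actually saved rather than merely opened.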
 
Tim Starid

I think you're looking in the wrong direction. I recommend implementing a
better change control procedure that people will follow. Also limiting access
to the servers often helps, if you have 20 IT people, make 4-5 have access to
the box, that way it's easier to track down who didn't follow procedure and to
find out what they did. It's also unlikely that 5 people will go on vacation
or get hit by a bus at the same time.

 
Ross

Hi Tim,

Thanks for your reply. I take your point about limiting access to the
servers as much as possible, and that would certainly be a good starting
point. Internally we tend to follow the change control pretty well (although
it could be made easier, and I'm sure then people would use it more often for
smaller changes.) The big problem at the moment is that we work with a couple
of third party companies who provide 24/7 support for the servers (we're
strictly 9-5 guys!) and also do proactives on some of our servers. It helps
ease the load with so many servers dotted around the country, but
unfortunately the consultants can be pretty poor about using the CCF and will
often tweak something they shouldn't.

Now of course technically that comes down to enforcing our procedures
better but as you know there's the technical way to do something, and then
there's the politically correct way!

I think limiting access internally, especially to things like Group Policy
would be a good start though and should certainly improve things. How do you
do your change control? Does it get sent through to a named person, or a
technical panel?

Thanks for the advice, greatly appreciated.

Best wishes,

Ross.

 
Jon Holvoet

If you are using MOM, try the Secure vantage pack. Easy to define custom
queries to monitor and log, and a lot easier to skip through a lot of logs:

http://www.akcsl.com/Default.aspx?tabid=84

And for more information about event logs, I refer to a post I made about a
week ago:

Hello,


I used the "Security Monitoring and Attack Detection Planning Guide" from
technet to implement and better understand this. A lot of reading, but a
real aid in determining what to monitor and what not.
The URL is :
http://www.microsoft.com/technet/se...andmonitoring/securitymonitoring/default.mspx

And as an external source I can also advise
http://www.ultimatewindowssecurity.com/
They have the Windows Server 2003 Security log revealed, which is a great
work for a deeper understanding, and even offer multimedia training.
Bad part is, they aren't free, but the good part is, they are not expensive
at all.

First source should definitely get you started, and the second can be a
handy add-on if you want to dig deeper.


Greets,

--

Jon Holvoet
MCSA / MCSE Security
Comptia Security+
CISSP

 