Re: ADAM Security Logging
- From: "Dmitri Gavrilov [MSFT]" <dmitrig@xxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 30 Dec 2008 08:28:09 -0800
A question about policies limiting search result size comes up from time to time. From my perspective, such a policy makes little sense, because any search can be split into a set of smaller searches. For example, if you want to prevent somebody from enumerating all objects in a partition, they can always run a series of searches:
(name>=a) && (name<b)
(name>=b) && (name<c)
....
(name>=z)
That will end up returning the complete resultset anyway.
--
Dmitri Gavrilov
SDE, Exchange
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm
"drm" <don.mai@xxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:efba7e93-22b0-4cdb-b5dc-1cc15bc11de1@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Dec 23, 7:43 pm, "Lee Flight" <l...@xxxxxxxxxxxxxxx> wrote:
Hi
I do not think that the Field Engineering event log entries will populate
the User column of the ADAM instance event log for a native ADAM
user - I think they need a windows security principal (context) for that.
To get a security log audit when a native ADAM user connects to
an instance you need "Audit account logon events" enabled in
the server security policy of the server housing the instance.
However you would then have to try and correlate those entries
to the Field Engineering logging.
Beyond that, options are directory services audit by setting a SACL,
but that would audit all accesses with no regard to thresholds, and
off the top of my head I cannot recall the status of audit for native
ADAM users.
Further input from me will likely be delayed due to holidays,
Lee Flight
"drm" <don....@xxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:112b1028-dd7a-4d4f-b790-077345d0719c@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> The applications in our location that use our ADAM directories should
> return a limited number (less than 20) of entries per query. We would
> like to log every query that exceeds that amount. By changing the
> Field Engineering Diagnostics setting to 5 and adding an Expensive
> Search Results Threshold Parameter, I was able to log the query
> information. This works great when an AD account ran the query, since
> the account shows up next to User: in the log entry. Unfortunately,
> no user information appears when the query is run using an ADAM
> account. I tried changing different parameters to get the login/
> binding information to appear in the Event Logs with no luck. Is
> there a special parameter that I need to add to create a log entry
> whenever someone authenticates to an ADAM directory with an ADAM
> account? Is there some other way to determine who submitted the query?
Thanks. Unfortunately, I need someone on our server management team
to change the domain security policy for our ADAM servers and this
will not happen until next week.
A not-too-distant future project involves using SIEM tools. Hopefully
I can use that to correlate the security logs and the Field
Engineering logs or at least limit the search.
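
Added example, not part of the original thread: the top reply's point that a per-query threshold is defeated by splitting one search into ranges suggests also totalling entries returned per client over a time window. The record layout, the client-address field, the 60-second window and the 100-entry ceiling are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque

PER_QUERY_LIMIT = 20   # per-query threshold discussed in the thread
WINDOW_SECONDS = 60    # assumed aggregation window
WINDOW_LIMIT = 100     # assumed ceiling on entries per client per window

# Constructed sample records: (epoch_seconds, client, filter, entries_returned).
# Not the ADAM event log format; stands in for already-parsed search events.
SAMPLE = [
    (0, "10.0.0.5", "(name=alpha)", 3),
    (30, "10.0.0.5", "(objectClass=*)", 45),      # one oversized search
    (0, "10.0.0.7", "(name=bravo)", 19),          # occasional, widely spaced
    (100, "10.0.0.7", "(name=charlie)", 19),
    (200, "10.0.0.7", "(name=delta)", 19),
] + [
    # eight adjacent name ranges, each just under the per-query threshold
    (10 + 5 * i, "10.0.0.9", f"(&(name>={lo})(!(name>={hi})))", 18)
    for i, (lo, hi) in enumerate(zip("abcdefgh", "bcdefghi"))
]


def analyse(records, per_query=PER_QUERY_LIMIT, window=WINDOW_SECONDS,
            window_limit=WINDOW_LIMIT):
    """Return (oversized, cumulative).

    oversized:  records whose single result count exceeds per_query.
    cumulative: {client: peak entries returned within any `window` seconds}
                for clients whose windowed total exceeds window_limit.
    """
    oversized, cumulative = [], {}
    recent = defaultdict(deque)   # client -> (timestamp, count) inside window
    totals = defaultdict(int)     # client -> sum of counts inside window
    for ts, client, flt, count in sorted(records):
        if count > per_query:
            oversized.append((ts, client, flt, count))
        recent[client].append((ts, count))
        totals[client] += count
        # Drop searches that have aged out of the window.
        while recent[client][0][0] <= ts - window:
            totals[client] -= recent[client].popleft()[1]
        if totals[client] > window_limit:
            cumulative[client] = max(cumulative.get(client, 0), totals[client])
    return oversized, cumulative


if __name__ == "__main__":
    oversized, cumulative = analyse(SAMPLE)
    print("single searches over threshold:", oversized)
    print("clients over windowed total:", cumulative)
```

The range-splitting client never appears in the per-query list, only in the windowed totals; a client that spaces its searches wider than the window appears in neither, so the window length is a tuning decision.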