Re: Keep admins off of client machines



Yes, he could, but if you have your auditing set correctly there will be an
entry when he changed or disabled the settings, then there will be entries
after they are turned back on. It is not impossible (nothing ever is) to
remove individual entries from the logs, but it is extremely difficult.

There are a number of products (including what is built into SBS) that can
monitor the event logs and then do some action such as e-mail or page you.
You could set monitoring events for specific security log events and have
the system e-mail you immediately.

As part of your overall security you would have auditing on computer room
access and floor/building access. So you know who changed the auditing
settings at what time, when they were turned back on and who was in the
building. You didn't stop him but you know he was there and that is the
important thing.


HTH


"Gregg Hill" <bogus@xxxxxxxxxxx> wrote in message
news:O4kmcSNEGHA.1312@xxxxxxxxxxxxxxxxxxxxxxx
> Thanks for the links! But if the person is knowledgeable, cannot he just
> delete the setting you have made, does his snooping, then reset your
> settings?
>
> Gregg Hill
>
>
> "Ray Collins" <ray.collins@xxxxxxxxxxxxxxxxx> wrote in message
> news:e1PweUdDGHA.412@xxxxxxxxxxxxxxxxxxxxxxx
>> Turning off auditing can generate an audit event and you can create an
>> auditing group and give it access to the security log while denying
>> administrators access. Administrators are not as omnipotent as you
>> think, yes they may do something but you can track what they do.
>>
>>
>>
>> A couple of articles to get you started:
>>
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/bc9f1bed-1c85-413a-869e-98d467853978.mspx
>>
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/5658fae8-985f-48cc-b1bf-bd47dc210916.mspx
>>
>> http://www.windowsecurity.com/articles/Auditing-Users-Groups-Windows-Security-Log.html
>>
>> By the way you can specify in Active Directory that specific accounts can
>> only log onto certain machines so you can restrict the admins to only the
>> servers and if they change the settings you catch them in the audit logs.
>>
>>
>> HTH
>>
>>
>> "Gregg Hill" <bogus@xxxxxxxxxxx> wrote in message
>> news:OTEwCbbDGHA.1384@xxxxxxxxxxxxxxxxxxxxxxx
>>> Even if you audit, an admin who is determined can turn off auditing,
>>> snoop around, then turn it back on, leaving no trace of the snooping.
>>>
>>> Gregg Hill
>>>
>>>
>>> "Nick" <nickmirro@xxxxxxxxxxxxxx> wrote in message
>>> news:u9oltmXDGHA.312@xxxxxxxxxxxxxxxxxxxxxxx
>>>> Well, this is eye opening. The discussion is informative. The issue
>>>> first came up a ways back following an apparently pointless
>>>> SharePoint admin logon to a local laptop. A new profile was created
>>>> under D&S. This was unsettling.
>>>>
>>>> I think the Audit route would be best. The admins do periodically need
>>>> access to various machines, so we can't rely on inventorying profiles.
>>>> Being I'm not a developer myself (though with admin privileges) how do
>>>> I audit admin activity?
>>>>
>>>>
>>>>
>>>> "Nick" <nickmirro@xxxxxxxxxxxxxx> wrote in message
>>>> news:urp8i3PDGHA.812@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> We have an SBS admin, a Sharepoint admin and 2 others who go between
>>>>> our SBS and local Linux server. Those helping administer the servers
>>>>> should not have access to client machines as they contain patient
>>>>> records, proprietary applications, etc. How can we prevent transient
>>>>> administrators with admin status from logging onto client machines
>>>>> (unless essential) since those machines contain sensitive data?
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
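
An added example, not part of the thread or any poster's code, of the correlation the top reply describes: find the windows during which auditing was switched off, who switched it, and who was badged into the building at the time. Event IDs 4719 (audit policy changed) and 1102 (audit log cleared) are the current Windows IDs (612 and 517 on Server 2003); the event records, account names, badge entries and the simplified `change` field are constructed assumptions.

```python
from datetime import datetime

AUDIT_POLICY_CHANGED = 4719  # "System audit policy was changed"
AUDIT_LOG_CLEARED = 1102     # "The audit log was cleared"

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

# Constructed sample: security-log records exported to dicts.
# "change" is a simplified stand-in for the event's change description.
EVENTS = [
    {"time": ts("2006-01-04 18:02"), "id": 4719, "account": "admin_a", "change": "removed"},
    {"time": ts("2006-01-04 18:40"), "id": 4719, "account": "admin_a", "change": "added"},
    {"time": ts("2006-01-05 09:15"), "id": 1102, "account": "admin_b", "change": None},
    {"time": ts("2006-01-05 22:10"), "id": 4719, "account": "admin_c", "change": "removed"},
]
# Constructed sample: door-badge records as (person, entered, left).
BADGE = [
    ("admin_a", ts("2006-01-04 17:30"), ts("2006-01-04 19:00")),
    ("user_d", ts("2006-01-04 08:00"), ts("2006-01-04 17:45")),
    ("admin_c", ts("2006-01-05 21:50"), ts("2006-01-05 23:30")),
]

def audit_gaps(events):
    """Return (alerts, gaps); a gap is a window in which auditing was off."""
    alerts, gaps, open_gap = [], [], None
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == AUDIT_LOG_CLEARED:
            alerts.append(f"{ev['time']} security log cleared by {ev['account']}")
        elif ev["id"] == AUDIT_POLICY_CHANGED and ev["change"] == "removed":
            alerts.append(f"{ev['time']} auditing disabled by {ev['account']}")
            if open_gap is None:  # keep the earliest start of an open window
                open_gap = {"start": ev["time"], "by": ev["account"], "end": None}
        elif ev["id"] == AUDIT_POLICY_CHANGED and ev["change"] == "added" and open_gap:
            open_gap["end"] = ev["time"]
            gaps.append(open_gap)
            open_gap = None
    if open_gap:
        gaps.append(open_gap)  # never re-enabled: auditing is still off
    return alerts, gaps

def on_site(gap, badge):
    """People whose badge interval overlaps the gap (open gaps run to 'now')."""
    end = gap["end"] or datetime.max
    return sorted(p for p, entered, left in badge
                  if entered <= end and left >= gap["start"])

if __name__ == "__main__":
    alerts, gaps = audit_gaps(EVENTS)
    for line in alerts:
        print("ALERT", line)  # in production, e-mail or page instead
    for gap in gaps:
        print(gap["by"], gap["start"], gap["end"], on_site(gap, BADGE))
```

For this to hold up, the alerts have to leave the machine as they are generated, so that a later log clear cannot remove them.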

