Re: Keep admins off of client machines



Good point about the email notification. Kind of hard to go grab that
sucker!

Gregg Hill


"Ray Collins" <ray.collins@xxxxxxxxxxxxxxxxx> wrote in message
news:Ocu1mkSEGHA.3820@xxxxxxxxxxxxxxxxxxxxxxx
> Yes, he could, but if you have your auditing set correctly there will be
> an entry when he changed or disabled the settings, then there will be
> entries after they are turned back on. It is not impossible (nothing ever
> is) to remove individual entries from the logs but it is extremely
> difficult.
>
> There are a number of products (including what is built into SBS) that can
> monitor the event logs and then do some action such as e-mail or page you.
> You could set monitoring events for specific security log events and have
> the system e-mail you immediately.
>
> As part of your overall security you would have auditing on computer room
> access and floor/building access. So you know who changed the auditing
> settings at what time, when they were turned back on and who was in the
> building. You didn't stop him but you know he was there and that is the
> important thing.
>
>
> HTH
>
>
> "Gregg Hill" <bogus@xxxxxxxxxxx> wrote in message
> news:O4kmcSNEGHA.1312@xxxxxxxxxxxxxxxxxxxxxxx
>> Thanks for the links! But if the person is knowledgeable, cannot he just
>> delete the setting you have made, do his snooping, then reset your
>> settings?
>>
>> Gregg Hill
>>
>>
>> "Ray Collins" <ray.collins@xxxxxxxxxxxxxxxxx> wrote in message
>> news:e1PweUdDGHA.412@xxxxxxxxxxxxxxxxxxxxxxx
>>> Turning off auditing can generate an audit event and you can create an
>>> auditing group and give it access to the security log while denying
>>> administrators access. Administrators are not as omnipotent as you
>>> think; yes, they may do something, but you can track what they do.
>>>
>>>
>>>
>>> A couple of articles to get you started:
>>>
>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/bc9f1bed-1c85-413a-869e-98d467853978.mspx
>>>
>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/5658fae8-985f-48cc-b1bf-bd47dc210916.mspx
>>>
>>> http://www.windowsecurity.com/articles/Auditing-Users-Groups-Windows-Security-Log.html
>>>
>>> By the way you can specify in Active Directory that specific accounts
>>> can only log onto certain machines so you can restrict the admins to
>>> only the servers and if they change the settings you catch them in the
>>> audit logs.
>>>
>>>
>>> HTH
>>>
>>>
>>> "Gregg Hill" <bogus@xxxxxxxxxxx> wrote in message
>>> news:OTEwCbbDGHA.1384@xxxxxxxxxxxxxxxxxxxxxxx
>>>> Even if you audit, an admin who is determined can turn off auditing,
>>>> snoop around, then turn it back on, leaving no trace of the snooping.
>>>>
>>>> Gregg Hill
>>>>
>>>>
>>>> "Nick" <nickmirro@xxxxxxxxxxxxxx> wrote in message
>>>> news:u9oltmXDGHA.312@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> Well this is eye opening. The discussion is informative. The issue
>>>>> first came up a ways back following an apparently pointless
>>>>> SharePoint admin logon to a local laptop. A new profile was created
>>>>> under D&S. This was unsettling.
>>>>>
>>>>> I think the Audit route would be best. The admins do periodically
>>>>> need access to various machines, so we can't rely on inventorying
>>>>> profiles. Being I'm not a developer myself (though with admin
>>>>> privileges) how do I audit admin activity?
>>>>>
>>>>>
>>>>>
>>>>> "Nick" <nickmirro@xxxxxxxxxxxxxx> wrote in message
>>>>> news:urp8i3PDGHA.812@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>> We have an SBS admin, a Sharepoint admin and 2 others who go between
>>>>>> our SBS and local Linux server. Those helping administer the servers
>>>>>> should not have access to client machines as they contain patient
>>>>>> records, proprietary applications, etc. How can we prevent transient
>>>>>> administrators with admin status from logging onto client machines
>>>>>> (unless essential) since those machines contain sensitive data?
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
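
The thread's argument is that switching auditing off and back on leaves a bracketing pair of events, and that those events can trigger an e-mail. The sketch below is an added example, not part of the original posts: it pairs the "removed" and "added" policy-change events into blind-spot windows and builds the notification. The tuple layout, account names, the "removed"/"added" values and the mail address are assumptions made for illustration.

```python
from datetime import datetime
from email.message import EmailMessage

# Security log IDs on Vista / Server 2008 and later (612 and 517 on Server 2003).
AUDIT_POLICY_CHANGED = 4719  # "System audit policy was changed"
AUDIT_LOG_CLEARED = 1102     # "The audit log was cleared"

# Constructed sample, oldest first: (time, event id, account, subcategory, change).
# This simplified layout is an assumption, not a real export format.
SAMPLE = [
    ("2024-03-01T22:15:40", 4719, "CORP\\spadmin", "File System", "removed"),
    ("2024-03-01T22:16:02", 4719, "CORP\\spadmin", "Logon", "removed"),
    ("2024-03-01T22:41:10", 4719, "CORP\\spadmin", "File System", "added"),
    ("2024-03-02T03:05:00", 1102, "CORP\\sbsadmin", None, None),
]

def find_blind_spots(events):
    """Pair each 'auditing removed' event with the matching 'added' event."""
    open_gaps, findings = {}, []
    for time, event_id, account, subcat, change in events:
        when = datetime.fromisoformat(time)
        if event_id == AUDIT_LOG_CLEARED:
            findings.append({"kind": "log_cleared", "by": account,
                             "start": when, "end": when})
        elif event_id == AUDIT_POLICY_CHANGED:
            if change == "removed":
                # Keep the earliest disable time if it is disabled twice.
                open_gaps.setdefault(subcat, (when, account))
            elif change == "added" and subcat in open_gaps:
                start, who = open_gaps.pop(subcat)
                findings.append({"kind": "audit_gap", "what": subcat, "by": who,
                                 "start": start, "end": when})
    # Auditing that was never turned back on is still an open gap.
    for subcat, (start, who) in open_gaps.items():
        findings.append({"kind": "audit_gap", "what": subcat, "by": who,
                         "start": start, "end": None})
    return findings

def build_alert(finding, to_addr="auditors@example.invalid"):
    """Build (not send) the notification for the auditing group's mailbox."""
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["Subject"] = f"[audit] {finding['kind']} by {finding['by']}"
    end = finding["end"].isoformat() if finding["end"] else "STILL OPEN"
    what = finding.get("what", "Security log")
    msg.set_content(f"{what}: {finding['start'].isoformat()} -> {end}")
    return msg
```

Each closed window gives the interval to correlate with logon and building-access records; an open window means auditing for that subcategory is still off.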

