As you can see with two of my servers (which also happen to be the two domain controllers), the security audits are quite lacking:


On the other hand, you have my db server which is getting massive hits:

I'm not quite sure why all the hits. In the past, it's come from other users. Something I will surely investigate. However, right now, the plan's to get unsuccessful and successful logon attempts on domain computers logged!
Now for some more excitement, a snapshot of my current AD setup and GP links:
Note that the test OU is for, well, testing purposes. I use an XPSP2 VM to test my user-applied GP policies.
Well, looks like I somewhat failed at life. Looking at gpedit.msc:
I changed "Audit account logon attempts," but it seems that didn't get the right result. All I got in event viewer was access to resources on the server. That's not a bad thing, and I probably will enable it later (hm, who accessed a server resource at the time when this virus was created? Oh, this one user. hm!) Looking at details, it appears I need to enable "Audit logon events." Shall we see what happens now?
It's also worth noting that after each gpedit, I run gpupdate to propagate my edits; otherwise it takes 5 minutes or so. Not much time, but when working on this stuff, I don't want to wait 5 minutes between every update to see what my changes did.
Eureka! Take a look:

I logged on as test onto vm2. Looks like it's doing what I want now.
Well, I wasn't totally right. Turns out in addition to logging logons/logoffs, it records every access to a network resource. Again, not a bad thing, but I want to be specific here. Time for further investigation.
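One way to separate the network-resource noise from the console logons you actually care about is to filter on the Logon Type field of the logon events, as in this added PowerShell example (mine, not part of the original post). It assumes a Vista/2008-or-newer Security log (event 4624 = success, 4625 = failure, with named EventData fields); the XP SP2/2003-era log this post was written against uses 528/540 for success and 529-537 for failures instead, but carries the same Logon Type value.

```powershell
# Added example (not from the post). Summarise interactive vs. network logons
# from the Security log, so the "every network resource access" noise the post
# describes can be separated from real console/RDP logons.
# Assumes a Vista/2008+ Security log (4624 = success, 4625 = failure); the
# 2003/XP-era log the post was written against uses 528/540/529 instead.
param(
    [int]$Hours = 24,
    [string]$ComputerName = $env:COMPUTERNAME
)

# Logon types documented for event 4624; 3 (Network) is the noisy one.
$logonTypes = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
    7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials'
    10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull named EventData fields from the XML instead of relying on positional Properties indexes.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        Result      = if ($e.Id -eq 4624) { 'Success' } else { 'Failure' }
        User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType   = $logonTypes[[int]$data['LogonType']]
        Source      = $data['IpAddress']
        Workstation = $data['WorkstationName']
    }
}

# Drop the network-logon noise the post complains about; keep console/RDP logons and every failure.
$rows | Where-Object { $_.LogonType -ne 'Network' -or $_.Result -eq 'Failure' } |
    Sort-Object Time -Descending | Format-Table -AutoSize

# Per-type counts make the volume difference (e.g. the db server's "massive hits") visible at a glance.
$rows | Group-Object Result, LogonType | Select-Object Count, Name | Sort-Object Count -Descending
```

Run it against each domain controller with `-ComputerName` to compare the audit volume the post shows in its screenshots, and raise `-Hours` if the log covers more than a day.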