Re: Monitoring of Admin logins

["Steven Adair" <steven () securityzone org>]

A syslog server as mentioned will do the trick.  You can run scripts to
parse through the logs looking for "administrator" logins or the logins
you have given to each of the users.  Also, you may want to avoid giving
these other users access to this server or at least just give them read
only access.

There are also other event correlation/SIM products that have capabilities
you mentioned.  Someone just e-mailed this list a little bit ago asking
about ArcSight.  I believe this product is capable of doing this as is
NetIQ.  Now these aren't free by any means, in fact they are far from it.

Steven
securityzone.org

> I would think that a syslog server and some tools would be able to do
> that.  I'd also recommend giving people admin equivalent accounts
> instead of letting them log in as "admin."  If you make sure they have
> no access to the syslog server you can make sure you have an accurate
> record of who is doing what.
>
> Luck,
> Buz
>
> On 4/10/07, Sohail Sarwar <ssarwar () ecredit com> wrote:
> > Hi there,
> >
> >         I am assuming this have been done, but how ?  I would like to
> > get notified when a user logs in to my domain as an admin
> > (Administrator)  I have several people who are using the admin account,
> > and I would like to setup something so that it notifies me via and email
> > that a specific person has logged in to the domain controller or windows
> > 2003 servers as the administrator.
> >
> >         I guess something like who the user is and from where..  Is
> > there such a thing ?
> >
> > Thanks,
> > Sohail
>
>
> --
> Buz Dale                                buz.dale () usg edu
> IT Security Specialist              1-888-875-3697 (In GA)
> 1-706-583-2005
> Office of Information and Instructional Technology
> University System of Georgia
> GMT -5:00
>
> !DSPAM:461c1593140083591774956!