Security Basics mailing list archives
Re: Local PC Admin Group change - Alerts
From: "Rob Creely" <programmingart () gmail com>
Date: Mon, 20 Aug 2007 18:33:48 -0400
Dear List,

Is there a way to get information about changes done to the Local "Administrators" group of a PC that is attached to the domain? I know that it is possible to get information about changes in the user groups defined within the AD, but that is not my objective; instead, my concern is about local admin / power user groups within individual PCs connected to the domain. I do not want to check in the event viewer of individual PCs but hoped to see this info come to a central place or to the event viewer of any of the domain controllers within the network whose logs are already being audited.

If anyone has thought about this before & knows a way to achieve it without the installation of any agent on PCs, barring a logon batch file if necessary, please would you let me know of the same.

Thanks,
Tinu Koshy

PS: My paranoia comes from the fact that we have over 40 domain administrators. I hope to put in a process correction there but only once I have some technical controls to back me.
Hi Tinu.

I don't know of a way to be alerted to local computer/server group changes w/o some sort of agent running. This is why they are "local groups". You may want to take a look at OSSEC HIDS: http://www.ossec.net. It can detect changes to any local groups desired and alert you within seconds of a change. However, I'm not sure how well this would scale if you wanted to install it on all your PCs. Maybe with a minimized ruleset, i.e. just a rule related to the Local Admin group change, it would be feasible.

I agree that reducing the # of domain admins would be wise. At least delegate so that only those who need rights on a particular PC have those rights and no one else. Pretty easy to do this within AD and OU creation. I can't see why 40 people would need admin access to all PCs/Servers on your network.

Good luck and hope this was of some help.

--Rob
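An added example, not part of either post in this thread: a central check for the "logon batch file" route the question allows. It assumes a logon script saves the English-locale output of `net localgroup Administrators` for each PC to a central share; the sample output, account names and approved baseline below are constructed.

```python
import re

# Constructed sample: output of `net localgroup Administrators` (English
# locale) as a logon script might save it centrally. Names are made up.
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
EXAMPLE\\Domain Admins
EXAMPLE\\jdoe
The command completed successfully.
"""

# Hypothetical approved baseline for this PC.
APPROVED = {"Administrator", "EXAMPLE\\Domain Admins"}


def parse_members(net_output):
    """Return the names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in net_output.splitlines():
        line = line.strip()
        if re.fullmatch(r"-{10,}", line):
            in_list = True
        elif in_list and line.lower().startswith("the command completed"):
            break
        elif in_list and line:
            members.append(line)
    if not in_list:
        raise ValueError("no member list found; truncated or non-English output")
    return members

def diff_membership(approved, current):
    """Compare case-insensitively, as Windows account names are."""
    approved_ci = {a.lower() for a in approved}
    current_ci = {c.lower() for c in current}
    added = sorted(c for c in current if c.lower() not in approved_ci)
    removed = sorted(a for a in approved if a.lower() not in current_ci)
    return added, removed

if __name__ == "__main__":
    added, removed = diff_membership(APPROVED, parse_members(SAMPLE_OUTPUT))
    print("unexpected local admins:", added, "| approved but missing:", removed)
```

A snapshot taken at logon only shows membership at that moment, so a member added and removed between logons is not seen; that gap is what an agent watching for the change itself covers.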
Current thread:
- Local PC Admin Group change - Alerts Tinu Koshy (CISD) (Aug 17)
- RE: Local PC Admin Group change - Alerts Bowers, Jeramy J (Aug 20)
- RE: Local PC Admin Group change - Alerts Roger A. Grimes (Aug 20)
- Re: Local PC Admin Group change - Alerts Kurt Buff (Aug 20)
- Re: Local PC Admin Group change - Alerts Rob Creely (Aug 21)