Security Basics mailing list archives
RE: When IT Manager breaks rules
From: Shawn <swarzkopf () legolas sinnerz us>
Date: Fri, 18 May 2007 16:05:01 -0400 (EDT)
Why do this manually when you can automate the process via a script or even via built in MS architecture? Seems to me that it'd be more beneficial to get results in real time (or close to it), rather than reviewing events which could have occurred a week ago...that and automating the process is much less tedious.
On Fri, 18 May 2007, Robinson, Sonja wrote:
You can dump your domain controller event logs using something like dumpiest (you should probably be saving these anyway for SOX/HIPAA/GLBA compliance). Then search for the appropriate security event code on a weekly basis. Anyone who entered the items that were unauthorized gets investigated. This should be a routine process. Search for members added, deleted, changed. Search for group memberships added to see whose rights were added and deleted and if appropriate (e.g. who was given rights they should not have been). Search for audit policy changes, domain policy changes, etc. If you review these items on a routine basis it is an objective way to "catch" policy violations and prove you are auditing and monitoring your systems.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Shawn
Sent: Friday, May 18, 2007 10:29 AM
To: WALI
Cc: security-basics () securityfocus com; security-basics-return-44419 () securityfocus com; security-basics-return-44427 () securityfocus com
Subject: Re: When IT Manager breaks rules

Thinking on this further, you may even be able to skip the VBScript/scheduled task thing...you *may* be able to do this with built-in M$ stuff. I *think* you can set up an alert in Performance Logs and Alerts to fire whenever an account is created. You'd want to monitor the "NTDS" object for account creations. The advantage to this would be less system resource use, as you wouldn't have to periodically run a VBScript.

-Shawn

On Thu, 17 May 2007, Shawn wrote:

This should be very easy to implement. Perhaps the easiest solution:

1. Configure auditing via group policy to log an event each time a new account is created.
2. Drop a VBScript in your domain controller's scheduled tasks that reads the security log and sends you an email each time an event is recorded for a new account creation.

We have a much more complex solution for the same issue here, using HP OpenView...basically part of our enterprise-wide centralized alert system. But you don't need a $60,000 piece of software to make this happen.

-Shawn

On Thu, 17 May 2007, WALI wrote:

Hi guys...an odd question here!!

I am mad at my IT Manager, he is such a sissy!! Being an internal security analyst in-charge, I want to enforce a few policies at help desk. One of them is not to create any user account unless an email arrives from HR to HelpDesk, informing of the user's badge ID, the department he/she belongs to, the status of employment and all those things. The procedures are in place but sometimes it so happens that some Head of the Dept. or executive management calls up our IT Manager over the phone, or sends him an email directly which is then forwarded to our Help Desk in-charge, who is then left with little option but to create the account without due process. All policy compliance guidelines get thrown up in the air.

The HelpDesk in-charge is bound by his position not to defy the IT manager, and he is scared to tell me (sometimes he does) that the IT manager is forcing him to dilute the AD account creation policy. I don't want to confront the IT manager based upon inputs by the Helpdesk guys but would rather put a mechanism in place where I would automatically come to know that an account has been created, and I can ask helpdesk to provide proof of the email from HR arbitrarily and then confront the manager.

I know some audit trails can be put in place and they would appear under the Security tab of Event manager (or so I guess) but I need something more automated that would land in my mailbox. Is this possible through any automated solution in AD of Windows 2003? Probably MOM 2005 or the types?

In case I choose to confront HR Admin/managers with a plea to stop sending such requests to our IT Manager and put their house in order, what all genuine risks of 'not doing so' can I highlight?

Ours is a fairly large corporation employing about 1000 people.
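
Added example, not part of the original thread or any poster's code: the weekly event-code review described above, combined with the HR cross-check WALI asks for. It scans a Security log export for account-management event IDs and lists account creations with no HR request on file. The CSV columns, sample rows and HR-approved list are constructed assumptions; the event IDs are the Windows Server 2003 IDs and their Server 2008-and-later equivalents.

```python
import csv
import io

# (Server 2003 ID, Server 2008+ ID, meaning)
_PAIRS = [
    (624, 4720, "user account created"),
    (630, 4726, "user account deleted"),
    (642, 4738, "user account changed"),
    (632, 4728, "member added to global group"),
    (636, 4732, "member added to local group"),
    (660, 4756, "member added to universal group"),
    (612, 4719, "audit policy changed"),
    (643, 4739, "domain policy changed"),
]
WATCHED = {eid: what for old, new, what in _PAIRS for eid in (old, new)}

# Constructed sample export; a real dump tool's column layout will differ.
SAMPLE_EXPORT = """time,event_id,actor,target
2007-05-14 09:12:03,624,helpdesk1,jdoe
2007-05-14 09:12:40,632,helpdesk1,jdoe
2007-05-15 16:47:19,624,helpdesk1,tmpexec
2007-05-16 08:01:55,538,jdoe,jdoe
2007-05-16 11:30:02,612,itmanager,-
"""
HR_APPROVED = {"jdoe"}  # constructed: accounts HR actually requested by email

def review(export_text):
    """Return the watched events found in a CSV export, oldest first."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        try:
            eid = int(row["event_id"])
        except (KeyError, TypeError, ValueError):
            continue  # skip malformed rows rather than abort the review
        if eid in WATCHED:
            findings.append({**row, "event_id": eid, "what": WATCHED[eid]})
    return sorted(findings, key=lambda f: f["time"] or "")

def unapproved_creations(findings, hr_approved):
    """Account creations whose target has no matching HR request."""
    approved = {name.lower() for name in hr_approved}
    return [f for f in findings
            if f["what"] == "user account created"
            and (f["target"] or "").lower() not in approved]

if __name__ == "__main__":
    for f in unapproved_creations(review(SAMPLE_EXPORT), HR_APPROVED):
        print(f"{f['time']}  {f['actor']} created {f['target']} with no HR request")
```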