Educause Security Discussion mailing list archives

Re: Active Directory Password Strength
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Sat, 26 Nov 2005 16:12:13 +1300

Cary, Kim wrote:
Outstanding comment Russell -- locking out unused accounts is very helpful.
The problem we've had in the past (NT4 Domain) is that some 'domain
accounts' do not show up as having logged in (from the domain admins POV)
because they never log in to the domain directly. They are quite active with
LDAP binds, Exchange POP logins, etc. which are back ended to the domain.
While the Domain 'bad attempt lockout' policy applies to these various
logins, admins could not find a central place to see 'account activity'. Is
there a central place under AD where you can find that a successful
authentication has taken place from ANY client against the domain
credentials?

Thanks Kim!  I've been waiting, in vain, for an answer to your question.

I find it typical of much logging (but it does seem worse with MS) that
logs are produced as an afterthought without any thought about how an
admin might want to use them.  We are just embarking on a program to
centralise the logging for all our windows servers and what we plan to
do is forward all the event logs (and other stuff like IIS logs) to one
machine and on that machine use Kiwisyslog (what else ;) to forward them
to our central syslog server.

Why bother with the extra server?  One of the main reasons is that we
want to do quite a bit of filtering and massaging of the logs *before*
forwarding them on to the final repository.  In this case it would make
a good place to correlate all the logs pertaining to domain account
usage and merge these into a single source with a unified format.  One
idea I am toying with is dumping authentication information into a
database to speed queries.

Cheers, Russell
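The relay-and-normalise design Russell sketches (collect the event logs on one host, massage them into a unified format, and put authentication records in a database so "has this account authenticated from any client?" becomes a cheap query) can be illustrated with a small script. The following is an added example and not part of the original thread or of any product mentioned in it; the three log line layouts, the host names, the account names and the sample lines are all constructed for the example, and the field formats are assumptions rather than exact Windows, Kiwi Syslog or LDAP server output.

```python
import re
import sqlite3
from datetime import datetime, timedelta

# Constructed sample lines (not real captures) imitating three sources that all
# authenticate against domain accounts: Windows Security events relayed over
# syslog, an LDAP server's bind log, and a POP3 server's login log.
# Field layouts here are assumptions for this example, not real product output.
SAMPLE_LINES = [
    "2005-11-25T08:02:11 dc1 Security 540 Success Audit User=jsmith Domain=CAMPUS Source=ws-lib-04",
    "2005-11-25T09:15:40 dc1 Security 529 Failure Audit User=jsmith Domain=CAMPUS Source=ws-lib-04",
    '2005-11-25T10:31:02 ldap1 slapd conn=1041 BIND dn="uid=adoe,ou=people,dc=campus" result=0',
    "2005-11-25T11:05:55 mail1 pop3 login user=bkhan from=10.20.30.40 ok",
    "2005-10-01T12:00:00 mail1 pop3 login user=cold1 from=10.20.30.41 ok",
    '2005-11-25T11:07:12 ldap1 slapd conn=1042 BIND dn="uid=bkhan,ou=people,dc=campus" result=49',
    "this line is noise the relay should ignore",
]

# One regex per source; each yields the same named groups so the records merge.
PATTERNS = {
    "windows": re.compile(r"^(?P<ts>\S+) (?P<host>\S+) Security (?P<eid>\d+) "
                          r"(?P<outcome>Success|Failure) Audit User=(?P<user>\S+) "
                          r"Domain=\S+ Source=\S+$"),
    "ldap": re.compile(r'^(?P<ts>\S+) (?P<host>\S+) slapd conn=\d+ BIND '
                       r'dn="uid=(?P<user>[^,]+),[^"]*" result=(?P<code>\d+)$'),
    "pop3": re.compile(r"^(?P<ts>\S+) (?P<host>\S+) pop3 login user=(?P<user>\S+) "
                       r"from=\S+ (?P<outcome>ok|failed)$"),
}


def parse_line(line):
    """Normalise one raw line into a unified record, or None if unrecognised."""
    for method, pat in PATTERNS.items():
        m = pat.match(line)
        if not m:
            continue
        if method == "windows":
            ok = m.group("outcome") == "Success"
        elif method == "ldap":
            ok = m.group("code") == "0"      # LDAP result code 0 means success
        else:
            ok = m.group("outcome") == "ok"
        return {"ts": m.group("ts"), "host": m.group("host"), "method": method,
                "account": m.group("user").lower(), "success": ok}
    return None


def load_events(lines):
    """Parse the lines and store the unified records in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auth_events "
                 "(ts TEXT, host TEXT, method TEXT, account TEXT, success INTEGER)")
    rows = [(r["ts"], r["host"], r["method"], r["account"], int(r["success"]))
            for r in map(parse_line, lines) if r]
    conn.executemany("INSERT INTO auth_events VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def last_success_by_account(conn):
    """Most recent successful authentication per account, from any source."""
    # ISO-8601 timestamps sort correctly as text, so MAX() is the latest one.
    return dict(conn.execute("SELECT account, MAX(ts) FROM auth_events "
                             "WHERE success = 1 GROUP BY account"))


def account_activity(conn, account):
    """Per-source (successes, failures) summary: the 'central place' view."""
    return list(conn.execute(
        "SELECT method, SUM(success), SUM(1 - success) FROM auth_events "
        "WHERE account = ? GROUP BY method ORDER BY method", (account.lower(),)))


def dormant_accounts(conn, known_accounts, now, max_idle_days=30):
    """Accounts with no successful authentication anywhere in the idle window."""
    cutoff = now - timedelta(days=max_idle_days)
    last = last_success_by_account(conn)
    dormant = []
    for acct in known_accounts:
        ts = last.get(acct.lower())
        if ts is None or datetime.fromisoformat(ts) < cutoff:
            dormant.append(acct.lower())
    return sorted(dormant)


if __name__ == "__main__":
    db = load_events(SAMPLE_LINES)
    # Constructed account list standing in for a directory export.
    known = ["jsmith", "adoe", "bkhan", "cold1", "never1"]
    print("last success:", last_success_by_account(db))
    print("bkhan activity:", account_activity(db, "bkhan"))
    print("dormant:", dormant_accounts(db, known, datetime(2005, 11, 26)))
```

The point of the unified table is that the dormancy check no longer depends on which service an account happens to use: a POP-only or LDAP-only account that never touches a domain controller still shows up as active, while an account with no successful bind anywhere inside the window is the candidate for lockout.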