Educause Security Discussion mailing list archives
Re: Active Directory Password Strength
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Sat, 26 Nov 2005 16:12:13 +1300
Cary, Kim wrote:
Outstanding comment Russell -- locking out unused accounts is very helpful. The problem we've had in the past (NT4 Domain) is that some 'domain accounts' do not show up as having logged in (from the domain admins' POV) because they never log in to the domain directly. They are quite active with LDAP binds, Exchange POP logins, etc. which are back ended to the domain. While the Domain 'bad attempt lockout' policy applies to these various logins, admins could not find a central place to see 'account activity'. Is there a central place under AD where you can find that a successful authentication has taken place from ANY client against the domain credentials?
Thanks Kim! I've been waiting, in vain, for an answer to your question. I find it typical of much logging (but it does seem worse with MS) that logs are produced as an afterthought without any thought about how an admin might want to use them.

We are just embarking on a program to centralise the logging for all our Windows servers and what we plan to do is forward all the event logs (and other stuff like IIS logs) to one machine and on that machine use Kiwisyslog (what else ;) to forward them to our central syslog server.

Why bother with the extra server? One of the main reasons is that we want to do quite a bit of filtering and massaging of the logs *before* forwarding them on to the final repository. In this case it would make a good place to correlate all the logs pertaining to domain account usage and merge these into a single source with a unified format.

One idea I am toying with is dumping authentication information into a database to speed queries.

Cheers, Russell
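The merge-and-query idea in the message above, sketched as an added example that is not part of the original post or anyone's production setup: authentication records from several sources are normalized to one account name, loaded into a database, and queried for the last successful login per account. The line format, host names, account names and the helper names (`load`, `last_success`, `stale_accounts`) are all assumptions constructed for illustration.

```python
import re
import sqlite3
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical, already "massaged" format;
# real event-log, LDAP and POP records would each need their own parser.
SAMPLE_LINES = [
    "2005-11-20T08:01:12 dc01 src=domain user=AD\\alice result=success",
    "2005-11-21T09:15:40 ldap01 src=ldap user=uid=bob,ou=people,dc=example,dc=edu result=success",
    "2005-11-22T10:02:03 mail01 src=pop user=carol@example.edu result=failure",
    "2005-08-02T07:30:00 mail01 src=pop user=carol@example.edu result=success",
    "2005-11-25T11:45:09 mail01 src=pop user=BOB@example.edu result=success",
    "garbage line that should be skipped",
]
LINE_RE = re.compile(r"^(\S+) (\S+) src=(\w+) user=(\S+) result=(success|failure)$")

def normalize_account(raw):
    """Reduce DOMAIN\\user, user@realm and uid=user,... to a lowercase bare name."""
    name = raw.split("\\")[-1].split("@")[0]
    m = re.match(r"(?i)(?:uid|cn)=([^,]+)", name)
    return (m.group(1) if m else name).lower()

def load(lines):
    """Parse lines into one in-memory table with a unified schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE auth (ts TEXT, host TEXT, source TEXT, account TEXT, ok INTEGER)")
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # dropped silently here; a real pipeline should count these
        ts, host, source, user, result = m.groups()
        db.execute("INSERT INTO auth VALUES (?,?,?,?,?)",
                   (ts, host, source, normalize_account(user), result == "success"))
    return db

def last_success(db):
    """Latest successful authentication per account, across every source."""
    # SQLite returns the 'source' of the row that holds MAX(ts) for each group.
    return db.execute("SELECT account, MAX(ts), source FROM auth "
                      "WHERE ok=1 GROUP BY account ORDER BY account").fetchall()

def stale_accounts(db, now, days=90):
    """Accounts whose most recent success is older than the cutoff."""
    cutoff = (now - timedelta(days=days)).isoformat(timespec="seconds")
    return [acct for acct, ts, _ in last_success(db) if ts < cutoff]

if __name__ == "__main__":
    db = load(SAMPLE_LINES)
    print(last_success(db))
    print(stale_accounts(db, datetime(2005, 11, 26)))
```

Accounts that have never authenticated successfully do not appear in the table at all, so finding them requires comparing the result against the directory's own account list.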