Security Basics mailing list archives

RE: Monitoring of Admin logins


From: "Jim Hanlon" <JHanlon () jchci com>
Date: Tue, 10 Apr 2007 21:42:59 -0500

We use a commercial product called EventTracker by Prism Microsystems
for managing our account auditing.  The product allows us to set alerts
on user ID activity whether it is over the network (using Active
Directory) or interactive login on a local machine and/or even Syslog
events.

We are then able to correlate all of the activity the user account was
used for over any period of time in question.

On another note, it is always better to disallow the use of any account
that does not provide you with non-repudiation for the use of an
account.  The use of the Administrator account by more than one person
voids your ability to tie the account to a person.  This is particularly
troublesome especially if you have a policy that holds the user
accountable for any activity that is done with the use of their account.
In a way you would be making your policy unenforceable.



Jim

Phone     US (586) 435-6231
Fax       US (586) 435-6245
Email:    Jhanlon () JCHCI com
Website:  http://www.JCHCI.com

Enterprise Security at the Speed of Business

________________________________


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Sohail Sarwar
Sent: Tuesday, April 10, 2007 12:26 PM
To: security-basics () securityfocus com
Subject: Monitoring of Admin logins

Hi there,

        I am assuming this has been done, but how?  I would like to
get notified when a user logs in to my domain as an admin
(Administrator).  I have several people who are using the admin account,
and I would like to set up something so that it notifies me via an email
that a specific person has logged in to the domain controller or Windows
2003 servers as the administrator.

        I guess something like who the user is and from where.  Is
there such a thing?

Thanks,
Sohail
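
The kind of alerting discussed in this thread, as an added example that is not part of either message and does not show how EventTracker works: it filters exported Windows logon events for the shared Administrator account and reports the target server, logon type and source. It assumes the Security log was exported to CSV; the column names, the watched-account list and the sample rows are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Successful-logon event IDs: 528 and 540 on Windows Server 2003, 4624 on later versions.
LOGON_EVENT_IDS = {"528", "540", "4624"}
LOGON_TYPES = {"2": "interactive", "3": "network", "10": "remote interactive"}
WATCHED_ACCOUNTS = {"administrator"}  # assumption: the shared account to watch

# Constructed sample export; the column names are assumptions, not a real tool's format.
SAMPLE_CSV = """time,event_id,computer,user,logon_type,workstation,source_ip
2007-04-10 08:01:12,528,DC01,Administrator,2,DC01,127.0.0.1
2007-04-10 08:03:40,540,DC01,jsmith,3,WS-014,10.0.0.14
2007-04-10 09:15:02,528,FS02,Administrator,10,WS-022,10.0.0.22
2007-04-10 09:20:31,540,DC01,ADMINISTRATOR,3,WS-022,10.0.0.22
2007-04-10 09:45:10,529,DC01,Administrator,3,WS-031,10.0.0.31
"""

def admin_logon_alerts(csv_text):
    """Return one alert dict per successful logon by a watched account."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event_id"] not in LOGON_EVENT_IDS:
            continue  # e.g. 529 is a failed logon, not a session
        if row["user"].strip().lower() not in WATCHED_ACCOUNTS:
            continue
        alerts.append({
            "time": row["time"],
            "target": row["computer"],
            "account": row["user"],
            "how": LOGON_TYPES.get(row["logon_type"], "type " + row["logon_type"]),
            "from": f'{row["workstation"]} ({row["source_ip"]})',
        })
    return alerts

def sources_per_account(alerts):
    """Group alerts by account to show how many origins share one credential."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a["account"].lower()].add(a["from"])
    return {acct: sorted(srcs) for acct, srcs in seen.items()}

if __name__ == "__main__":
    found = admin_logon_alerts(SAMPLE_CSV)
    for a in found:
        print(f'{a["time"]} {a["account"]} -> {a["target"]} ({a["how"]}) from {a["from"]}')
    print(sources_per_account(found))
```

Each alert names the machine a shared Administrator session came from, not the person behind it, which is the non-repudiation gap described in the reply.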

