Audit Policy Settings in Windows 2003

  • Audit Policy Settings in Windows 2003

    Hi

    In our company, we have not configured any audit policy settings in the default domain policy.

    Please find the configuration below:

    1. Audit Account Logon Events Not Defined
    2. Audit Account Management Not Defined
    3. Audit Directory Service Access Not Defined
    4. Audit Logon Events Not Defined
    5. Audit Object Access Not Defined
    6. Audit Policy Change Not Defined
    7. Audit Privilege Use Not Defined
    8. Audit Process Tracking Not Defined
    9. Audit System Events Not Defined

    But we are still getting lots of events in the security event log. We have tried to increase the size up to 4 GB, but it only stores event logs up to 315 MB.

    Also, this 315 MB is filled in 1 hour. Can anyone please help to find out the root cause of this issue?

    Regards,
    Venkatesan S

  • #2

    Hi,

    The domain controllers are running Windows 2003 Server (SP2) in mixed mode.
    Regards,
    Venkatesan S

    • #3

      You should give us more details about these events then.
      - open the properties of one of the events
      - click the copy button.
      - paste into your post (wrap this text between Code-tags [#] to make it easily readable)

      Are all the recorded events exactly the same?
      - same event-id, user, computer
      - same details in description


      \Rems

      This posting is provided "AS IS" with no warranties, and confers no rights.

      __________________

      ** Remember to give credit where credit's due **
      and leave Reputation Points for meaningful posts

      • #4

        Hi Rems,

        Please find the attachment for more details about the event logs. Normally I am getting a huge amount of this particular event.

        In the below-mentioned log

        MYPC is my domain controller name

        mydomain is my domain name.
        Regards,
        Venkatesan S

        • #5

          Hi,

          It seems that on your DC, audit for logon is configured. 538 is for user logoff. Check your domain for computer/client logon policy.

          Rgds
          Muneer

          • #6

            forgot to paste this
            http://www.microsoft.com/technet/sec.../w2kadm13.mspx

            • #7

              Hi Muneer,

              I have checked the server under

              Default Domain Policy->Computer Configuration->Windows Settings->Local Policies->Security Options

              There is no policy defined in that.
              Regards,
              Venkatesan S

              • #8

                Originally posted by Venkatesan:
                "The domain controllers are running windows 2003 server (sp2) in mixed mode."

                You mentioned Domain Controllers - are those excessive logon/off audit events only recorded on "MYDC", and only for the MYDC$ account?


                On MyDC go to 'Administrative tools' and open the 'Domain Controller Security policy' MMC console. Check the security settings under "Local Policies" / "Audit Policy".

                btw..
                The recommended audit policy for a domain controller might look like this:
                Code:
                Audit category              Default audit setting
                Account log-on events       Success, failure
                Account management events   Success, failure
                Directory service access    Success, failure
                Log-on events               Success, failure
                Object access               Success, failure
                Policy change               Success, failure
                Privilege use               Failure
                Process tracking            No auditing
                System events               Success, failure
                
                <http://www.windowsdevcenter.com/pub/...cy.html?page=2>

                \Rems

                • #9

                  Hi,

                  My previous setting in the Default Domain Controllers Policy is

                  Audit account logon events - Success, Failure
                  Audit account management - No auditing
                  Audit directory service access - No auditing
                  Audit logon events - Success, Failure
                  Audit object access - No auditing
                  Audit privilege use - No auditing
                  Audit process tracking - No auditing
                  Audit system events - No auditing

                  Now I have disabled the "Audit account logon events"

                  After this change my event log flow is controlled and I am getting normal logs. What is the effect of disabling the "Audit account logon events"?
                  Regards,
                  Venkatesan S
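
The triage requested in post #3 (same event ID, user and computer?) and the category question raised in posts #5 and #9, as an added example that is not part of the original thread: it tallies a CSV export of the Security log and maps Windows Server 2003 event IDs to the audit policy setting that generates them. The CSV column layout, the sample rows and the function names are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

# Windows Server 2003 Security log event IDs and the audit policy setting
# that produces them (a subset covering logon-related floods).
LOGON, ACCOUNT_LOGON = "Audit logon events", "Audit account logon events"
CATEGORY_BY_EVENT_ID = {
    528: LOGON,          # successful logon
    529: LOGON,          # logon failure: unknown user name or bad password
    538: LOGON,          # user logoff
    540: LOGON,          # successful network logon
    672: ACCOUNT_LOGON,  # Kerberos authentication ticket request
    673: ACCOUNT_LOGON,  # Kerberos service ticket request
    675: ACCOUNT_LOGON,  # Kerberos pre-authentication failed
    680: ACCOUNT_LOGON,  # NTLM credential validation
}

# Constructed sample rows, not the attachment from the thread.
# Assumed layout: a CSV export of the Security log with a header row.
SAMPLE_CSV = r"""Type,Date,Time,Source,Category,Event,User,Computer
Success Audit,1/5/2009,10:00:01,Security,Logon/Logoff,540,MYDOMAIN\MYPC$,MYPC
Success Audit,1/5/2009,10:00:01,Security,Logon/Logoff,538,MYDOMAIN\MYPC$,MYPC
Success Audit,1/5/2009,10:00:02,Security,Logon/Logoff,540,MYDOMAIN\MYPC$,MYPC
Success Audit,1/5/2009,10:00:02,Security,Account Logon,673,MYDOMAIN\MYPC$,MYPC
Success Audit,1/5/2009,10:00:03,Security,Logon/Logoff,538,MYDOMAIN\MYPC$,MYPC
Failure Audit,1/5/2009,10:00:04,Security,Logon/Logoff,529,MYDOMAIN\jsmith,MYPC
Success Audit,1/5/2009,10:00:05,Security,Logon/Logoff,540,MYDOMAIN\MYPC$,MYPC
"""

def top_sources(csv_text, top=2):
    """Most frequent (event ID, user, computer) groups with their audit setting."""
    rows = csv.DictReader(io.StringIO(csv_text))
    counts = Counter((int(r["Event"]), r["User"], r["Computer"]) for r in rows)
    return [(eid, user, comp, n, CATEGORY_BY_EVENT_ID.get(eid, "unmapped"))
            for (eid, user, comp), n in counts.most_common(top)]

def category_totals(csv_text):
    """Event count per audit policy setting, to see which one fills the log."""
    totals = Counter()
    for r in csv.DictReader(io.StringIO(csv_text)):
        totals[CATEGORY_BY_EVENT_ID.get(int(r["Event"]), "unmapped")] += 1
    return totals

if __name__ == "__main__":
    for group in top_sources(SAMPLE_CSV):
        print(group)
    print(dict(category_totals(SAMPLE_CSV)))
```

An event ID that comes back as "unmapped" has to be looked up before deciding which audit setting to change.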
