Neil,
Are there any risks by carrying out your change listed below or is it a
straight forward procedure.
[Neil Ruston] The steps merely add SACL entries to DNS objects - that will certainly result in more security events and a slight overhead on the DCs but you need to weigh that against the risk of *not* auditing this type of change. As usual, it depends upon your environment and your requirements.
[Neil Ruston] The steps merely add SACL entries to DNS objects - that will certainly result in more security events and a slight overhead on the DCs but you need to weigh that against the risk of *not* auditing this type of change. As usual, it depends upon your environment and your requirements.
I don't think I have this enabled, if I do would that mean in the future if
a DNS record is deleted this can be traced?
[Neil Ruston] Yes, if the zone is stored in AD.
[Neil Ruston] Yes, if the zone is stored in AD.
We use MOM here, is this something I could use?
[Neil Ruston] MOM is aimed at systems monitoring whilst this thread deals with security monitoring. MS don't have an app in that space (yet) altho other vendors do. NetPro, NetIQ and Quest are the usual suspects here. These vendors offer tools that help with tracing changes (or 'forensic analysis', to use the correct parlance :)
[Neil Ruston] MOM is aimed at systems monitoring whilst this thread deals with security monitoring. MS don't have an app in that space (yet) altho other vendors do. NetPro, NetIQ and Quest are the usual suspects here. These vendors offer tools that help with tracing changes (or 'forensic analysis', to use the correct parlance :)
thanks
Jim
[EMAIL PROTECTED] wrote:
[EMAIL PROTECTED] wrote:
That's a huge subject, a useful link is here:I'll give steps to audit DNS objects:using adsiedit1. Navigate to CN=MicrosoftDNS,CN=System (in the domain NC)2. Right click, choose Properties, then select the Security tab and click Advanced3. Select the Auditing tab4. Click Add... and add group Everyone5. Select "Apply onto" and choose "dnsZone objects"6. Select 'Write all properties' Failed and 'Write all properties' Success7. Click OK8. Repeat steps 4 to 7 for object type dnsNode9. Click OK, OK to close property sheetsThe above will audit all writes to zone objects and DNS records which are stored in AD itself.As stated previously, if the zones are stored as text files, then there is little that can be audited.hth,neil
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz
Sent: 05 August 2006 06:25
To: [email protected]
Subject: Re: [ActiveDir] OT: DNS entryhey guys,could you point me to an article on how to setup audting for dns modifications and overall domain auditing ?i've done auditing on the desktop level, just wondering whats changed..
On 8/4/06, Paul Williams <[EMAIL PROTECTED]> wrote:If you've got the necessary auditing enabled in your domain, and you had auditing ACEs configured on the DNS zone (location depends, generally you'd set it on CN=MicrosoftDNS folder) then yes, you can. But you'll have to search each DCs security event log for this info.Otherwise, you can't get this info. You can check the whenChanged attribute on the tombstoned record for a rough idea of when the deletion occurred and try and move from there by looking at logon events, again if you have auditing enabled.If you're not using AD-Integrated DNS, then none of the above will really help.--Paul----- Original Message -----From: James CarterSent: Friday, August 04, 2006 12:09 PMSubject: [ActiveDir] OT: DNS entry
We had a static Server DNS entry deleted over the weekend.Is there anyway to find out who deleted this entry? This is a Windows 2003 R2 server/domainthanksJAmes
--
HBooGz:\>PLEASE READ: The information contained in this email is confidential andintended for the named recipient(s) only. If you are not an intendedrecipient of this email please notify the sender immediately and delete yourcopy from your system. You must not copy, distribute or take any furtheraction in reliance on it. Email is not a secure method of communication andNomura International plc ('NIplc') will not, to the extent permitted by law,accept responsibility or liability for (a) the accuracy or completeness of,or (b) the presence of any virus, worm or similar malicious or disablingcode in, this message or any attachment(s) to it. If verification of thisemail is sought then please request a hard copy. Unless otherwise statedthis email: (1) is not, and should not be treated or relied upon as,investment research; (2) contains views or opinions that are solely those ofthe author and do not necessarily represent those of NIplc; (3) is intendedfor informational purposes only and is not a recommendation, solicitation oroffer to buy or sell securities or related financial instruments. NIplcdoes not provide investment services to private customers. Authorised andregulated by the Financial Services Authority. Registered in Englandno. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,London, EC1A 4NP. A member of the Nomura group of companies.
Do you Yahoo!?
Everyone is raving about the all-new Yahoo! Mail Beta.
PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those of
the author and do not necessarily represent those of NIplc; (3) is intended
for informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments. NIplc
does not provide investment services to private customers. Authorised and
regulated by the Financial Services Authority. Registered in England
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP. A member of the Nomura group of companies.
