RE: [ActiveDir] OT: DNS entry

Mon, 07 Aug 2006 09:09:32 -0700

Neil,
 
thanks for your response, would you say the best way for me to view the audits would be from the Event Viewer console?
 
Jim

[EMAIL PROTECTED] wrote:
 
Neil,
 
Are there any risks by carrying out your change listed below or is it a straight forward procedure.
[Neil Ruston] The steps merely add SACL entries to DNS objects - that will certainly result in more security events and a slight overhead on the DCs but you need to weigh that against the risk of *not* auditing this type of change. As usual, it depends upon your environment and your requirements. 
 
I don't think I have this enabled, if I do would that mean in the future if a DNS record is deleted this can be traced?
[Neil Ruston] Yes, if the zone is stored in AD. 
 
We use MOM here, is this something I could use?
[Neil Ruston] MOM is aimed at systems monitoring whilst this thread deals with security monitoring. MS don't have an app in that space (yet) altho other vendors do. NetPro, NetIQ and Quest are the usual suspects here. These vendors offer tools that help with tracing changes (or 'forensic analysis', to use the correct parlance :)
 
thanks
 
Jim

[EMAIL PROTECTED] wrote:
That's a huge subject, a useful link is here:
 
I'll give steps to audit DNS objects:
 
using adsiedit
1. Navigate to CN=MicrosoftDNS,CN=System (in the domain NC)
2. Right click, choose Properties, then select the Security tab and click Advanced
3. Select the Auditing tab
4. Click Add... and add group Everyone
5. Select "Apply onto" and choose "dnsZone objects"
6. Select 'Write all properties' Failed and 'Write all properties' Success
7. Click OK
8. Repeat steps 4 to 7 for object type dnsNode
9. Click OK, OK to close property sheets
 
The above will audit all writes to zone objects and DNS records which are stored in AD itself.
 
As stated previously, if the zones are stored as text files, then there is little that can be audited.
 
hth,
neil
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz
Sent: 05 August 2006 06:25
To: [email protected]
Subject: Re: [ActiveDir] OT: DNS entry

hey guys,
 
could you point me to an article on how to setup audting for dns modifications and overall domain auditing ?
 
i've done auditing on the desktop level, just wondering whats changed..
 


 
On 8/4/06, Paul Williams <[EMAIL PROTECTED]> wrote:
If you've got the necessary auditing enabled in your domain, and you had auditing ACEs configured on the DNS zone (location depends, generally you'd set it on CN=MicrosoftDNS folder) then yes, you can.  But you'll have to search each DCs security event log for this info.
 
Otherwise, you can't get this info.  You can check the whenChanged attribute on the tombstoned record for a rough idea of when the deletion occurred and try and move from there by looking at logon events, again if you have auditing enabled.
 
If you're not using AD-Integrated DNS, then none of the above will really help.
 
 
--Paul
----- Original Message -----
Sent: Friday, August 04, 2006 12:09 PM
Subject: [ActiveDir] OT: DNS entry

 
 
We had a static Server DNS entry deleted over the weekend.
 
Is there anyway to find out who deleted this entry? This is a Windows 2003 R2 server/domain
 
thanks
 
JAmes
Do you Yahoo!?
Next-gen email? Have it all with the all-new Yahoo! Mail Beta.



--
HBooGz:\>
PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those of
the author and do not necessarily represent those of NIplc; (3) is intended
for informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments. NIplc
does not provide investment services to private customers. Authorised and
regulated by the Financial Services Authority. Registered in England
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP. A member of the Nomura group of companies.

Do you Yahoo!?
Everyone is raving about the all-new Yahoo! Mail Beta.
PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those of
the author and do not necessarily represent those of NIplc; (3) is intended
for informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments. NIplc
does not provide investment services to private customers. Authorised and
regulated by the Financial Services Authority. Registered in England
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP. A member of the Nomura group of companies.

Groups are talking. We´re listening. Check out the handy changes to Yahoo! Groups.

Reply via email to