With a large number of events registered in the security log, it will be more efficient if you use EventComb to extract the relevant log that you need.

 

Regards,

 

Ai Chung

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter
Sent: Tuesday, August 08, 2006 12:08 AM
To: [email protected]
Subject: RE: [ActiveDir] OT: DNS entry

 

Neil,

 

thanks for your response, would you say the best way for me to view the audits would be from the Event Viewer console?

 

Jim

[EMAIL PROTECTED] wrote:

 

Neil,

 

Are there any risks by carrying out your change listed below or is it a straightforward procedure?
[Neil Ruston] The steps merely add SACL entries to DNS objects - that will certainly result in more security events and a slight overhead on the DCs but you need to weigh that against the risk of *not* auditing this type of change. As usual, it depends upon your environment and your requirements. 

 

I don't think I have this enabled, if I do would that mean in the future if a DNS record is deleted this can be traced?
[Neil Ruston] Yes, if the zone is stored in AD. 

 

We use MOM here, is this something I could use?
[Neil Ruston] MOM is aimed at systems monitoring whilst this thread deals with security monitoring. MS don't have an app in that space (yet) although other vendors do. NetPro, NetIQ and Quest are the usual suspects here. These vendors offer tools that help with tracing changes (or 'forensic analysis', to use the correct parlance :)

 

thanks

 

Jim

[EMAIL PROTECTED] wrote:

That's a huge subject, a useful link is here:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/bpguide/part1/adsecp1.mspx

 

I'll give steps to audit DNS objects:

 

using adsiedit

1. Navigate to CN=MicrosoftDNS,CN=System (in the domain NC)

2. Right click, choose Properties, then select the Security tab and click Advanced

3. Select the Auditing tab

4. Click Add... and add group Everyone

5. Select "Apply onto" and choose "dnsZone objects"

6. Select 'Write all properties' Failed and 'Write all properties' Success

7. Click OK

8. Repeat steps 4 to 7 for object type dnsNode

9. Click OK, OK to close property sheets

 

The above will audit all writes to zone objects and DNS records which are stored in AD itself.

 

As stated previously, if the zones are stored as text files, then there is little that can be audited.

 

hth,

neil
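The adsiedit steps above, scripted as an added example that is not part of the original message. It assumes a management host with the ActiveDirectory PowerShell module (RSAT), which postdates this thread, an account allowed to read and write SACLs, and that the zones live under CN=MicrosoftDNS,CN=System in the domain NC as in step 1.

```powershell
# Added example: add "Write all properties" Success/Failure audit entries for
# Everyone on CN=MicrosoftDNS,CN=System, applied onto dnsZone and dnsNode objects.
# Assumes the ActiveDirectory module (RSAT) and rights to manage the SACL.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$path     = "AD:\CN=MicrosoftDNS,CN=System,$domainDN"

# Read the security descriptor including its SACL (-Audit).
$acl = Get-Acl -Path $path -Audit

# Well-known SID for Everyone (step 4).
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

foreach ($class in 'dnsZone', 'dnsNode') {
    # "Apply onto <class> objects" in the GUI is an inherited-object-type GUID,
    # looked up here from the schema rather than hard-coded.
    $schemaObj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$class)" -Properties schemaIDGUID
    if (-not $schemaObj) { throw "Schema class $class not found" }
    $classGuid = [Guid]$schemaObj.schemaIDGUID

    # WriteProperty with no property GUID corresponds to "Write all properties";
    # Success and Failure match step 6.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $everyone,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AuditFlags]'Success, Failure',
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $classGuid)
    $acl.AddAuditRule($rule)
}

# Write the updated SACL back (steps 7 and 9).
Set-Acl -Path $path -AclObject $acl

# Check: list the audit entries now present for Everyone on the container.
(Get-Acl -Path $path -Audit).Audit |
    Where-Object { $_.IdentityReference -match 'Everyone' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags,
                  InheritanceType, InheritedObjectType
```

The SACL only produces events if directory service access auditing is also enabled on the domain controllers, as noted elsewhere in this thread.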


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz
Sent: 05 August 2006 06:25
To: [email protected]
Subject: Re: [ActiveDir] OT: DNS entry

hey guys,

 

Could you point me to an article on how to set up auditing for DNS modifications and overall domain auditing?

 

I've done auditing on the desktop level, just wondering what's changed..

 



 

On 8/4/06, Paul Williams <[EMAIL PROTECTED]> wrote:

If you've got the necessary auditing enabled in your domain, and you had auditing ACEs configured on the DNS zone (location depends, generally you'd set it on CN=MicrosoftDNS folder) then yes, you can.  But you'll have to search each DC's security event log for this info.

 

Otherwise, you can't get this info.  You can check the whenChanged attribute on the tombstoned record for a rough idea of when the deletion occurred and try and move from there by looking at logon events, again if you have auditing enabled.

 

If you're not using AD-Integrated DNS, then none of the above will really help.

 

 

--Paul

----- Original Message -----

Sent: Friday, August 04, 2006 12:09 PM

Subject: [ActiveDir] OT: DNS entry


 

 

We had a static Server DNS entry deleted over the weekend.

 

Is there any way to find out who deleted this entry? This is a Windows 2003 R2 server/domain

 

thanks

 

James






--
HBooGz:\>

PLEASE READ: The information contained in this email is confidential and

intended for the named recipient(s) only. If you are not an intended

recipient of this email please notify the sender immediately and delete your

copy from your system. You must not copy, distribute or take any further

action in reliance on it. Email is not a secure method of communication and

Nomura International plc ('NIplc') will not, to the extent permitted by law,

accept responsibility or liability for (a) the accuracy or completeness of,

or (b) the presence of any virus, worm or similar malicious or disabling

code in, this message or any attachment(s) to it. If verification of this

email is sought then please request a hard copy. Unless otherwise stated

this email: (1) is not, and should not be treated or relied upon as,

investment research; (2) contains views or opinions that are solely those of

the author and do not necessarily represent those of NIplc; (3) is intended

for informational purposes only and is not a recommendation, solicitation or

offer to buy or sell securities or related financial instruments. NIplc

does not provide investment services to private customers. Authorised and

regulated by the Financial Services Authority. Registered in England

no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,

London, EC1A 4NP. A member of the Nomura group of companies.

 

