At a high level, I'd look to create a filter within the sec mon tool, such that objects updated by their owners were trapped in a different to those not changed by the owner.

I'd ensure the tool used / purchased was capable of meeting any requirements.

neil
I've been looking to do this too... but specifically for records w/out a TTL. In other words, I want to capture static records only since dynamic will constantly change. Any ideas?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, August 07, 2006 9:35 AM
To: [email protected]
Subject: RE: [ActiveDir] OT: DNS entry
Are there any risks by carrying out your change listed below, or is it a straightforward procedure?

[Neil Ruston] The steps merely add SACL entries to DNS objects - that will certainly result in more security events and a slight overhead on the DCs, but you need to weigh that against the risk of *not* auditing this type of change. As usual, it depends upon your environment and your requirements.

I don't think I have this enabled; if I do, would that mean in the future if a DNS record is deleted this can be traced?

[Neil Ruston] Yes, if the zone is stored in AD.

We use MOM here, is this something I could use?

[Neil Ruston] MOM is aimed at systems monitoring whilst this thread deals with security monitoring. MS don't have an app in that space (yet) although other vendors do. NetPro, NetIQ and Quest are the usual suspects here. These vendors offer tools that help with tracing changes (or 'forensic analysis', to use the correct parlance :)
That's a huge subject, a useful link is here:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/bpguide/part1/adsecp1.mspx

I'll give steps to audit DNS objects, using adsiedit:

1. Navigate to CN=MicrosoftDNS,CN=System (in the domain NC)
2. Right click, choose Properties, then select the Security tab and click Advanced
3. Select the Auditing tab
4. Click Add... and add group Everyone
5. Select "Apply onto" and choose "dnsZone objects"
6. Select 'Write all properties' Failed and 'Write all properties' Success
7. Click OK
8. Repeat steps 4 to 7 for object type dnsNode
9. Click OK, OK to close property sheets

The above will audit all writes to zone objects and DNS records which are stored in AD itself.

As stated previously, if the zones are stored as text files, then there is little that can be audited.

hth,
neil
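The nine ADSI Edit steps above, and the "more security events on the DCs" that Neil says they produce, can be expressed as a script so the SACL is applied the same way on every domain and can be read back afterwards. The PowerShell below is an added example, not code from the thread or from any of the posters. It assumes the ActiveDirectory module (RSAT), Windows Server 2008 R2 or later for the AD: drive and event ID 4662, and that the "Audit Directory Service Access" subcategory is already enabled on the domain controllers; the container path, the seven-day look-back and the 4662 property positions are the script's own choices.

```powershell
# Added example (not from the thread): the same SACL Neil describes, applied
# with the ActiveDirectory module instead of ADSI Edit, plus a read-back check
# and a per-DC event log search. Assumes the ActiveDirectory module (RSAT),
# Windows Server 2008 R2 or later, and that the "Audit Directory Service
# Access" subcategory is enabled on the domain controllers; without that
# policy the SACL produces no events at all.
Import-Module ActiveDirectory

$domainDN     = (Get-ADDomain).DistinguishedName
$dnsContainer = "AD:\CN=MicrosoftDNS,CN=System,$domainDN"   # step 1
$schemaNC     = (Get-ADRootDSE).schemaNamingContext

# Steps 5 and 8 ("Apply onto: dnsZone objects", then dnsNode) map to the
# inheritedObjectType GUID of each class, which is read from the schema.
$classGuids = @{}
foreach ($cls in 'dnsZone', 'dnsNode') {
    $schemaObj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$cls)" -Properties schemaIDGUID
    $classGuids[$cls] = [guid]$schemaObj.schemaIDGUID
}

# Step 4: the principal is Everyone (well-known SID S-1-1-0).
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

# Steps 6-7: "Write all properties", Success and Failure, for each class.
$acl = Get-Acl -Path $dnsContainer -Audit
foreach ($cls in 'dnsZone', 'dnsNode') {
    foreach ($flag in 'Success', 'Failure') {
        $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList @(
            $everyone,
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            [System.Security.AccessControl.AuditFlags]$flag,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $classGuids[$cls]
        )
        $acl.AddAuditRule($rule)
    }
}
Set-Acl -Path $dnsContainer -AclObject $acl                 # step 9

# Read-back check: list the audit ACEs now present on the container.
(Get-Acl -Path $dnsContainer -Audit).Audit |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritedObjectType |
    Format-Table -AutoSize

# Each DC writes its own Security log, so ask every DC for the "operation was
# performed on an object" event (4662 on Server 2008+) and keep only hits on
# dnsNode/dnsZone objects. Property positions follow the 4662 event template:
# [1] SubjectUserName, [5] ObjectType (class GUID), [6] ObjectName.
$since         = (Get-Date).AddDays(-7)                     # constructed window
$filter        = @{ LogName = 'Security'; Id = 4662; StartTime = $since }
$dnsClassGuids = $classGuids.Values | ForEach-Object { $_.ToString() }

foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object {
            # ObjectType is rendered as %{guid}; strip the wrapper before comparing
            $type = ($_.Properties[5].Value -replace '[%{}]', '')
            $dnsClassGuids -contains $type
        } |
        Select-Object @{ n = 'DC';      e = { $dc } },
                      TimeCreated,
                      @{ n = 'Subject'; e = { $_.Properties[1].Value } },
                      @{ n = 'Object';  e = { $_.Properties[6].Value } }
}
```

The read-back table is the check worth keeping: four rules (two classes, Success and Failure each) with IdentityReference Everyone and the dnsZone/dnsNode GUIDs in InheritedObjectType is what the nine GUI steps should have produced. The event search is run per DC because the object write is logged only where it happened, which is why the whenChanged-on-the-tombstone fallback mentioned later in the thread is the best you get without the SACL in place; in an AD-integrated zone a record delete is itself a property write on the dnsNode, so "Write all properties" covers it.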
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz
Sent: 05 August 2006 06:25
To: [email protected]
Subject: Re: [ActiveDir] OT: DNS entry
Could you point me to an article on how to set up auditing for DNS modifications and overall domain auditing?

I've done auditing on the desktop level, just wondering what's changed..
On 8/4/06, Paul Williams <[EMAIL PROTECTED]> wrote:

If you've got the necessary auditing enabled in your domain, and you had auditing ACEs configured on the DNS zone (location depends, generally you'd set it on the CN=MicrosoftDNS folder) then yes, you can. But you'll have to search each DC's security event log for this info.

Otherwise, you can't get this info. You can check the whenChanged attribute on the tombstoned record for a rough idea of when the deletion occurred and try and move from there by looking at logon events, again if you have auditing enabled.

If you're not using AD-Integrated DNS, then none of the above will really help.
----- Original Message -----
Sent: Friday, August 04, 2006 12:09 PM
Subject: [ActiveDir] OT: DNS entry

We had a static Server DNS entry deleted over the weekend. Is there any way to find out who deleted this entry? This is a Windows 2003 R2 server/domain.
-- HBooGz:\>
PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.