Is anyone else tasked with doing this? This is a new requirement from 
audit. We have about 1,000 accounts that are being used to run services in 
the environment. So audit is asking how we know these accounts aren't 
being used to log on interactively. All security logs are being shipped to 
our SIEM system. The question is how to identify this. My thought is that 
it would have to be an event from the member servers' security log with an 
event ID of 528 where the logon type is not 5. Environment is FFL 2003. 

Initially I thought we would be able to distinguish this from just the 
domain controllers' security logs, but that does not seem to be the case. 
Just looking at the domain controller logs, there doesn't seem to be any 
differentiation between the logon type; that is captured at the machine 
they are logging on from. 



If anyone has recommendations on how to do this differently or if they see 
a problem I'm missing, let me know.

Thanks


Christopher Bodnar 
Enterprise Architect I, Corporate Office of Technology:Enterprise 
Architecture and Engineering Services 
Tel 610-807-6459 
3900 Burgess Place, Bethlehem, PA 18017 
[email protected] 




The Guardian Life Insurance Company of America

www.guardianlife.com 
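
The check proposed in the message above (event ID 528 from member servers, logon type other than 5), as an added example that is not part of the original post. The CSV column layout, the account names and the sample rows are constructed assumptions about what a SIEM export could look like.

```python
import csv
import io

# Logon type codes recorded in event 528 on Windows Server 2003.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 10: "RemoteInteractive",
               11: "CachedInteractive"}
SERVICE_LOGON = 5

# Constructed inventory of service accounts (hypothetical names).
SERVICE_ACCOUNTS = {"svc_sql01", "svc_backup", "svc_web"}

# Constructed SIEM export of member-server security events (assumed column layout).
SAMPLE_EXPORT = """\
time,computer,event_id,user,logon_type
2010-03-01T02:00:00,APP01,528,svc_sql01,5
2010-03-01T08:14:22,APP01,528,SVC_SQL01,10
2010-03-01T08:20:05,APP02,528,jsmith,2
2010-03-01T09:01:47,FS01,528,svc_backup,2
2010-03-01T09:30:00,FS01,538,svc_backup,2
2010-03-01T10:00:00,WEB01,528,svc_web,
"""

def find_non_service_logons(export_text, service_accounts=SERVICE_ACCOUNTS):
    """Return event-528 rows where a service account used a logon type other than 5."""
    accounts = {a.lower() for a in service_accounts}  # account names are case-insensitive
    findings, unparsed = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["event_id"] != "528" or row["user"].lower() not in accounts:
            continue
        try:
            logon_type = int(row["logon_type"])
        except ValueError:
            unparsed.append(row)  # missing type: review by hand, never assume type 5
            continue
        if logon_type != SERVICE_LOGON:
            findings.append((row["time"], row["computer"], row["user"].lower(),
                             logon_type, LOGON_TYPES.get(logon_type, "Unknown")))
    return findings, unparsed

if __name__ == "__main__":
    hits, unparsed = find_non_service_logons(SAMPLE_EXPORT)
    for hit in hits:
        print(*hit)
    print(f"{len(unparsed)} event(s) with no logon type need manual review")
```
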




