audit policy

[darren]

I have a number of webservers with an OU .. I would like to monitor an
unauth access or brut force attack etc.. what adit seting should I enable
and should I link it to my webservers OU.. I am main cencern at this time is
to monitor my webservers for attacks etc..
PS.. Here what I think should be enabled..
Logon events- failures
account logon events- failure..
Is this correct and are there any other events I should consider enabling..?
Thanks
-Darren

 

[Matjaz Ladava [MVP]]

If the web servers are in domain, then you should enable this on domain
controllers, as this monitors your domain accounts. If accounts are on your
web server, then enable this policy there.
I would suggest you to look at other options to monitor your web servers
from attacks as simple auditing policy would not be enough. If you are into
freeware solution you can use snort (http://www.snort.org/) to monitor your
network traffic flow between your routers and web server. There are of
course commercial IDS systems available from other vendors like GFI,.....

--
Regards

Matjaz Ladava
MVP Windows Server - Directory Services
(e-mail address removed), (e-mail address removed)

 

[Darren D]

Thanks, Matjaz..I did the following
enable account logon event policy at the domain level and logon event on my
OU which contain my webservers, however I discovered my securiy log on my
DC's are logging accounts e.g system, computers with $ append etc in
addtion I notice event numbers (538 and 540) correspondiing to each account
are currently being logging consectively within a couple secs. How can I
determine the actually time when a users login and out off network..

Also is the a policy that I enforce that would log off a user , let say 2
hours of inactivity. My superior would like to know what time users login
and out on the network, however some users lock their machines or remain
login at night , so it a bit difficult to determine the acutally login
times..

thanks again
Darren