UltimateWindowsSecurity.com Forum / Ultimate Windows Security Forum / Windows Security Settings

Top 10 Active Directory events to monitor in 2008

bsjj2727 — Thu, 02 Feb 2012 10:21:19 GMT

Randy you had done a video back in 2008 for the top 10 AD events to monitor, which was great, however I'm not running Windows 2003. Do you have the same video posted somewhere for windows 2008?

Scheduled PowerShell Tasks as Local System Account

andrewhuddleston — Sun, 08 Jan 2012 16:03:15 GMT

Hey Randy,

Regarding runing services/tasks as the local system account, i have a powershell script that i need to run as a scheduled task. I would prefer to run the script using the builtin local system account, however the script need to access a remote computer to perform some operations.

So my questions are as follows.

1. Am i making a big security mistake and should i run the scheduled task as a domain users with the required access (admins).

2. If i can use the local system account, how do i give it permission on the remote computer to do its job?

I assume i need to give the Server1$ account rights on RemoteServer$ somehow?

Vanishing Security Audits

Rob39 — Thu, 05 Jan 2012 12:44:02 GMT

I have been experiencing an issue regarding saved security audits.

I complete an audit every week.
After reviewing the audit, on occasion, on some systems, the audit cannot be located. It has just disappeared from the "Security Log" folder and I didn't delete it.
I search the entire drive (including hidden files and folders) for the file and it is totally gone.
It is happening on Windows XP Pro SP3 and previously on SP2. Standalones and peer-to-peer LANs.
I have done a little bit of Internet research with negative results.
We have one computer where I have completed 22 audits and only six are available.

Have you ever heard of this?

KB2641690 Patched on XP Servers and rebooted automatically

karothu — Wed, 04 Jan 2012 16:11:21 GMT

Please advise if you have any idea on below issue.

4 XP Servers are patched KB2641690 and rebooted automatically. We set the group policy that download and notify to install ( Option 3 ).

Message: <13>Dec 8 13:59:58 10.64.132.21 MSWinEventLog 0 System 372871 Thu Dec 08 13:59:58 2011 18 Windows Update Agent Unknown Information {server name deleted } Installation 0000: 57 69 6e 33 32 48 52 65 Win32HRe 0008: 73 75 6c 74 3d 30 78 30 sult=0x0 0010: 30 30 30 30 30 30 30 20 0000000 0018: 55 70 64 61 74 65 49 44 UpdateID 0020: 3d 7b 30 30 30 30 30 30 ={000000 0028: 30 30 2d 30 30 30 30 2d 00-0000- 0030: 30 30 30 30 2d 30 30 30 0000-000 0038: 30 2d 30 30 30 30 30 30 0-000000 0040: 30 30 30 30 30 30 7d 20 000000} 0048: 52 65 76 69 73 69 6f 6e Revision 0050: 4e 75 6d 62 65 72 3d 30 Number=0 0058: 20 00 . Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Thursday, December 08, 2011 at 2:09 PM: - Update for Windows XP (KB2641690) 13820

We contacted security team to findout some one applied above patch. but none applied. this is overcome my group policy. which is set to download and notify to install. This happens to one of major applications running on these boxes. Please advise.

Thanks and Regards,

Suresh Karothu,

RunAs from Windows7

andrewhuddleston — Mon, 12 Dec 2011 21:14:57 GMT

Hi Randy,

You recommend creating and having two accounts for IT Administrators, one for general use, and the other for admin tasks.

In Windows 7, logged on as a Domain Admin (i know this is not recommended) for many admin tasks i am still required to run them as an administrator (even though i already am logged in with admin priveledges).

My question is, is this Microsoft's answer and solution to do away with creating two accounts, and is this sufficient enough? or do you still recommend having an additional higher preiveledged account?

ResetADSACLS safe?

andrewhuddleston — Mon, 14 Nov 2011 00:13:17 GMT

Hey Randy, Im feeling scared to run the ResetADSACLS tool on my domain, as i am uncertain of what impact it may have to existing permissions..

How can i assertain whether or not firstly i need to run the tool, and secondly what consequences it will have?

Andrew

What is a good light antivirus for Windows 7?

lisasctt4 — Tue, 11 Oct 2011 13:51:55 GMT

I just installed a fresh copy of Windows 7 on my computer and i need to put some antivirus software on it. I have been using Bit Defender for the past few years and I have enjoyed it but i need a new virus protection software without all the start up items and extra stuff I don't need. I just want a light antivirus program that gets the job done. I don't care if it's free or not.

WebDAV issue, Security Tab missing

sajjad.kernel — Fri, 16 Sep 2011 14:30:14 GMT

Hello

I have configured a WebDAV server and I have created a virtual folder in it. Users access it through mapped drive at www.internalfiles.com/fin.
I just want a single user to create sub folders in it and after creating sub folders, right click on it and in properties goto security tab and add or remove other users and assign rights on it.
Uptill now I have configured it so that only a particular user can create folders in it but others cannot. but when that user right clicks it there is no security tab in properties.
Can any policy ir script do it?
I am using Win 2003 R2, IIS6, No SSL, workgroup
DC, IIS and shared folder are on same server.
Thanks in advance

Security Event Log - 2008 - Increased Events

jcochran — Wed, 03 Aug 2011 14:27:12 GMT

I've noticed a massive increase of security events on 2008 R2 DC's compared to 2003. Can anyone shed any light on the new events, the volume of them, etc.?

Password Expiration Date Modfications

redparadox — Thu, 28 Jul 2011 15:36:37 GMT

I was recently asked a question about the password expiration date attribute for a user account. The question was if that attribute could be modified on a user by user basis to cause some user accounts to begin the password expiration notice earlier than their normal 90 day cycle. My response was uhhhh...:crazy: I don't think so, but I said I would ask around....

Restricting Local Admin

markdl — Fri, 08 Jul 2011 10:56:10 GMT

We are trying to find a way to allow the guest PC's on our network to install Adobe and Java updates without granting Local Admin rights to each PC. Our network admin says this is not possible, and if itis, he doesn't know how to make this happen.

My question to you: Is there a method (or 3rd party product) that would allow us to update our PC's without granted Local Admin to all machines? Our concern is having all users with Local Admin on PC's being able to install/uninstall software, propagate viruses, etc.

Any guidance or suggestion would be greatly appreciated! Thank you!

Forest Trust, Windows 2008 R2

ka5880 — Thu, 07 Jul 2011 16:03:10 GMT

I got a scenario whereby we have contracted a company to create a certain applications for us. The application will fully reside on our site with no connection to the outside world at all. The company wants to create the applications on their own (new) domain (which again lives on our site) but they have requested a mutual (forest) trust with our existing domain for the purpose of using single sign-on and to have only one active directory (the one on our existing domain) thereby avoiding to have multiple active directories. Servers on both domains are running Windows 2008 R2. The company has requested a standard LDAP user account with no admin rights.

My question is, given the scenario above and that we are dealing with a reputable company; what are the security risks on our existing domain or active directories from the new domain created by the contracted company?

Will the LDAP account they have requested be able to do any admin stuff or hack into our active directory or anything else on our domain?

What are the precautions we need to take in order to avoid any harm (intentional or not) on our domain?
If the dangers are still great and you would not recommend the mutual trust, what are the alternatives in order to avoid extra admin work?