What are the most relevant Windows events to...
Posted 10/24/2013 5:47:05 PM
Forum Newbie

Group: Forum Members
Last Login: 10/24/2013 11:50:57 AM
Posts: 2, Visits: 0

Hi all,

We have a list of suspicious users and we want to monitor these users within the AD servers and workstations.

You want to monitor the actions taken by these users such as:

- Changing audit policy
- Access to objects
- Installation / uninstall service
- Access / modification of files



Regards,

Post #1268
Posted 11/18/2013 9:50:12 PM
Supreme Being

Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 179, Visits: 0
Event ID 4719 will tell you when a system audit policy was changed. Event ID 4663 will tell you if permissions were actually exercised on an object. Object access monitoring has to be turned on. Event ID 4697 will identify who (often System) installed the service.
Post #1291
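
The following is an added example, not part of the original thread: one way to filter the three event IDs from the answer against a user watchlist. It assumes events exported as XML in the standard Windows event layout; the user names, paths, GUID placeholder and the `make_event`/`triage` helpers are constructed for illustration. Service installs logged under the Local System SID are set aside for review, since they will not match a watchlist entry.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSTEM_SID = "S-1-5-18"  # well-known SID of Local System
# Event IDs named in the answer, with the field that says what was touched.
DETAIL_FIELD = {4719: "SubcategoryGuid", 4663: "ObjectName", 4697: "ServiceName"}

def make_event(event_id, **fields):
    """Build a constructed event in the Windows event XML layout."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{data}</EventData></Event>')

def parse_event(xml_text):
    """Return (event_id, {field name: value}) for one event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, data

def triage(events_xml, watchlist):
    """Split relevant events into watchlist hits and SYSTEM service installs."""
    watch = {u.lower() for u in watchlist}  # account names are case-insensitive
    hits, review = [], []
    for xml_text in events_xml:
        event_id, data = parse_event(xml_text)
        if event_id not in DETAIL_FIELD:
            continue  # not one of the three monitored event IDs
        user = data.get("SubjectUserName", "")
        row = (event_id, user, data.get(DETAIL_FIELD[event_id], ""))
        if user.lower() in watch:
            hits.append(row)
        elif event_id == 4697 and data.get("SubjectUserSid") == SYSTEM_SID:
            review.append(row)  # installer recorded as System, not a person
    return hits, review

# Constructed sample records (not real log data).
SAMPLE = [
    make_event(4663, SubjectUserName="jdoe", ObjectName=r"C:\Finance\payroll.xlsx"),
    make_event(4719, SubjectUserName="JDoe", SubcategoryGuid="{constructed-guid}"),
    make_event(4697, SubjectUserSid=SYSTEM_SID, SubjectUserName="WKS01$",
               ServiceName="UpdaterSvc"),
    make_event(4663, SubjectUserName="asmith", ObjectName=r"C:\Public\readme.txt"),
    make_event(4624, SubjectUserName="jdoe"),
]

if __name__ == "__main__":
    print(triage(SAMPLE, ["jdoe"]))
```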
All times are GMT -5:00.