Windows Password

Hi,

I have questions.

1. On Windows 2003 & 2008, is there any log file which has information about the Administrator password & RDP port being changed, and from which date/time/IP/etc.?

2. Is there any application which keeps these logs and sends an email to the admin when server access/password/port changes?

BR
Javaid



Auditing policy can handle the event log entry into the security log on a change.
Splunk can be used to aggregate data.
Windows 2008 can have event log forwarding of events.

Installing SNMP and then configuring the event log to SNMP (evntwin) will generate SNMP traps to an snmptrapd server.

The snmptrapd server can be configured to generate an email when a specific type of alert comes in.

The optimal solution is to limit the number of administrators/users who can change administrator passwords.




There are logs, but by default not all auditing is turned on. What you could do is turn on auditing from now on and keep proper logs. Splunk or some other log consolidation software could be used for consolidating logs from various systems.



Hi mnkhawaja,

Could you please share its process & method?

BR



The way Splunk works is as follows:
1. Install Splunk on a server
2. Install Splunk Light forwarder on your DC and configure it to send event logs to Splunk Server
3. Do the same on your RDS server
4. Once done, you should be able to see events in the Splunk Server
5. You could create dashboards and queries (e.g. by log type (application, security, etc.), source (server), event ID, etc.)

Please refer to the Splunk documentation; it is straightforward. I don't have one running right now and I haven't used it for a few months.
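As an added example (not from anyone in this thread), the script below does on a single Windows 2008 / 2008 R2 host what the original questions ask for without Splunk: it reads the password-change events that the audit policy writes to the Security log, checks whether the RDP listener port has changed since the last run, and e-mails the admin. It assumes PowerShell 2.0 or later, that "Audit User Account Management" is enabled, and that the SMTP host, addresses and state-file path are placeholders you replace.

```powershell
# Added example: scheduled audit check for password resets and RDP port changes.
# Assumptions (placeholders, not from the thread): SMTP server, sender, recipient, state file.
# Enable the needed audit subcategory once, as Administrator:
#   auditpol /set /subcategory:"User Account Management" /success:enable
$SmtpServer = 'smtp.example.internal'     # placeholder
$From       = 'audit@example.internal'    # placeholder
$To         = 'admin@example.internal'    # placeholder
$StatePath  = 'C:\ProgramData\audit-watch\rdp-port.txt'  # assumed location for last port seen
$Lookback   = (Get-Date).AddMinutes(-15)  # run from Task Scheduler every 15 minutes

# 4724 = an attempt was made to reset an account's password (admin-initiated reset)
# 4723 = an attempt was made to change an account's password (old password known)
# Windows 2003 logs the equivalent events as 628 and 627 instead.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4723, 4724; StartTime = $Lookback } `
                       -ErrorAction SilentlyContinue

$lines = @()
foreach ($e in $events) {
    # In the event's XML, Properties[0] is TargetUserName and Properties[4] is SubjectUserName (the caller)
    $target = $e.Properties[0].Value
    $caller = $e.Properties[4].Value
    $action = if ($e.Id -eq 4724) { 'reset' } else { 'changed' }
    $lines += ('{0:u} event {1}: password of "{2}" {3} by "{4}"' -f $e.TimeCreated, $e.Id, $target, $action, $caller)
}

# RDP listener port lives in the registry; compare with the value recorded on the previous run.
# The registry value alone does not say who changed it: for that, put an audit SACL on the key
# and enable "Audit Registry" object access, which produces event 4657 with the caller's name.
$rdpKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$port     = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
$lastPort = if (Test-Path $StatePath) { Get-Content -Path $StatePath } else { $null }
if ($lastPort -and ([int]$lastPort -ne [int]$port)) {
    $lines += ('{0:u} RDP listener port changed from {1} to {2}' -f (Get-Date), $lastPort, $port)
}
New-Item -ItemType Directory -Path (Split-Path -Parent $StatePath) -Force | Out-Null
Set-Content -Path $StatePath -Value $port

# Only send mail when something happened; the scheduled task otherwise runs silently.
if ($lines.Count -gt 0) {
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
                     -Subject ('Audit alert on ' + $env:COMPUTERNAME) `
                     -Body ($lines -join "`r`n")
}
```

Forwarding the same Security log to Splunk, as the steps above describe, gives you the cross-server view; this script is the per-host alert the second question asked about.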


