Posted by r. wales on March 27, 2006, 3:20 pm
Thanks. AD and everything else was set up by a part-timer who did a lot of
things quick and dirty. Now I have been brought in to try and sort everything
out. Your help is greatly appreciated.
"Steven L Umbach" wrote:
> I found the links below which indicate it has to with Active Directory
> replication and USN. If you do not have a specific reason to be auditing
> directory service access such as auditing access of particular AD objects
> you may want to disable it or enable it for failure only to reduce noise in
> your security logs. --- Steve
>
> http://kbase.gfi.com/showarticle.asp?id=KBID001758
> http://kbase.gfi.com/showarticle.asp?id=KBID001759
>
>
> http://www.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch03n.mspx
> -- from the Threats and Countermeasures Guide.
>
> Audit directory service access
> This policy setting determines whether to audit user access of an Active
> Directory® directory service object that has an associated system access
> control list (SACL). A SACL is list of users and groups for which actions on
> an object are to be audited on a Microsoft Windows-based network.
>
> If you configure the Audit directory service access setting, you can specify
> whether to audit successes, audit failures, or not audit the event type at
> all. Success audits generate an audit entry when a user successfully
> accesses an Active Directory object that has a SACL that indicates that the
> user should be audited for the requested action. Failure audits generate an
> audit entry when a user unsuccessfully attempts to access an Active
> Directory object that has a SACL that requires auditing. (Both types of
> audit entries are created before the user is notified that the request
> succeeded or failed.) If you enable this policy setting and configure SACLs
> on directory objects, a large volume of entries can be generated in the
> Security logs on domain controllers. You should only enable these settings
> if you actually intend to use the information that is created.
>
> Note: You can configure a SACL on an Active Directory object through the
> Security tab in that object's Properties dialog box. This method is
> analogous to Audit object access, except that it applies only to Active
> Directory objects and not to file system and registry objects.
>
> > My security logs (2 servers) are full of success audits for event id 836
> > and 837. I have not been able to find any useful information as to what
> > these events actually are or why they are occurring so often. Can someone
> > shed some light on this for me?
> >
> > Event Type: Success Audit
> > Event Source: Security
> > Event Category: Directory Service Access
> > Event ID: 836
> > Date: 3/16/2006
> > Time: 11:37:36 AM
> > User: NT AUTHORITY\SYSTEM
> > Computer: <servername1>
> > Description:
> > Destination DRA: CN=NTDS Settings,CN=<servername1>,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=<domainname>,DC=local
> > Source DRA: CN=NTDS Settings,CN=<servername2>,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=<domainname>,DC=local
> > Naming Context: DC=<domainname>,DC=local
> > Options: 19
> > Session ID: 36103
> > Start USN: 1741917
> >
> >
> >
> > event 837 contains similar information
> >
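Added example, not from anyone in this thread: a small Python triage script that parses a text export of Security log entries laid out like the 836 event quoted above, tallies them by Event ID, and separates the SYSTEM-logged replication audits (entries carrying Source DRA / Destination DRA fields) from entries that record an actual user touching a directory object. The server names, domain, and the third (non-replication) entry in the sample are constructed placeholders; only the 836/837 IDs and the DRA field layout follow the post. The point is to measure how much of the "Directory Service Access" volume is replication noise before deciding to turn success auditing off for that category.

```python
import re
from collections import Counter

# Constructed sample export in the same "Key: value" layout as the event in the
# thread. DC1/DC2/example.local and the third entry are placeholders, not real data.
SAMPLE_LOG = r"""
Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 836
Date: 3/16/2006
Time: 11:37:36 AM
User: NT AUTHORITY\SYSTEM
Computer: DC1
Description:
Destination DRA: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
Source DRA: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
Naming Context: DC=example,DC=local
Options: 19
Session ID: 36103
Start USN: 1741917

Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 837
Date: 3/16/2006
Time: 11:37:37 AM
User: NT AUTHORITY\SYSTEM
Computer: DC1
Description:
Destination DRA: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
Source DRA: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
Naming Context: DC=example,DC=local
Session ID: 36103

Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 565
Date: 3/16/2006
Time: 11:40:02 AM
User: EXAMPLE\alice
Computer: DC1
Description:
Object Type: user
Object Name: CN=bob,CN=Users,DC=example,DC=local
"""

FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")


def parse_events(text):
    """Split a text export into blank-line-separated records and parse each
    'Key: value' line. Lines after 'Description:' go into a 'description' sub-dict."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        event, desc, in_desc = {}, {}, False
        for line in block.splitlines():
            m = FIELD_RE.match(line.strip())
            if not m:
                continue
            key, value = m.group(1).strip(), m.group(2).strip()
            if key == "Description":
                in_desc = True
                continue
            (desc if in_desc else event)[key] = value
        event["description"] = desc
        events.append(event)
    return events


def is_replication_audit(event):
    """Entries logged for NT AUTHORITY\\SYSTEM that carry both DRA fields record
    DC-to-DC replication, not a person opening a directory object."""
    d = event["description"]
    return ("Source DRA" in d and "Destination DRA" in d
            and event.get("User", "").upper() == "NT AUTHORITY\\SYSTEM")


def summarize(events):
    """Count entries by Event ID, measure the replication share, name the
    replication partners (second RDN of the Source DRA is the server CN), and
    hand back the remaining entries for a human to review."""
    noise = [e for e in events if is_replication_audit(e)]
    partners = Counter(e["description"]["Source DRA"].split(",")[1] for e in noise)
    return {
        "total": len(events),
        "by_id": dict(Counter(e.get("Event ID") for e in events)),
        "replication_noise": len(noise),
        "replication_partners": dict(partners),
        "review": [e for e in events if not is_replication_audit(e)],
    }


if __name__ == "__main__":
    report = summarize(parse_events(SAMPLE_LOG))
    print(f"{report['replication_noise']} of {report['total']} entries are replication audits")
    print("by event id:", report["by_id"])
    print("replication partners:", report["replication_partners"])
    for e in report["review"]:
        print("review:", e.get("Event ID"), e.get("User"), e["description"])
```

Run it against a real export (Event Viewer's "Save As" text format, or a dump from a log collector) by replacing SAMPLE_LOG with the file contents; if nearly every Directory Service Access entry ends up in the replication bucket, the category is not telling you anything about object access, which is the case Steve's reply describes for switching it to failure-only.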