Because of our account policies, administrators are not allowed to log on with specific domain admin accounts or with the local Administrator account. We also wanted a security audit to look up or monitor possible attacks.
To do this I've written a simple security management pack. It collects all security events and generates alerts when a logon fails 3 times within 3 minutes, when account rights are changed, and when a successful logon with the local Administrator account or a specific admin account is detected.
Pre-installs:
1 Import the security MP into MOM. By default it is assigned to all Windows servers.
2 In the domain audit policy, set "Audit account logon events", "Audit logon events" and "Audit account management" to "Success, Failure". Also set the event log policy so that your security event logs are at least 20 MB, AND MAKE SURE THAT "OVERWRITE EVENTS AS NEEDED" IS ENABLED. MOM is fast enough to store the events in the database before they are overwritten in case of a log-flooding attack. Without overwrite, a full security log puts your system into HOLD status (and that's not what you want).
3 Deploy your policy.
4 Change the rules to the admin accounts you want to monitor: in the rule "[MITS] SECURITY ISSUE ALERT ON [Logon/Logoff admin_xxx]", set the "User name" property under "Criteria" to the specific account you want to monitor. For multiple accounts you can also use a regular expression here.
5 Do a MOM commit.
6 Open the Operator console and go to the "Security" views. There should be events in them.
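To show what the three rules from the description above actually do to a stream of security events (3 failed logons within 3 minutes, a change to account rights, and a successful logon by an admin account matched with a regular expression as in step 4), here is an added example in Python. It is not code from the management pack and MOM does not run Python; it just re-implements the rule logic so you can check the thresholds against your own exported events. The sample events are constructed, and the event IDs (Windows Server 2003 security log: 529/539 failed logon, 528/540 successful logon, 624/630/636/642 account management) and the `ADMIN_PATTERN` regex are my assumptions, not taken from the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed Windows Server 2003 security event IDs (not from the original post).
FAILURE_IDS = {529, 539}                 # bad password / account locked out
SUCCESS_IDS = {528, 540}                 # interactive / network logon succeeded
ACCOUNT_MGMT_IDS = {624, 630, 636, 642}  # account created/deleted/group member added/changed

# Same idea as the "User name" criteria in step 4: one regex for several admin accounts.
ADMIN_PATTERN = re.compile(r"^(administrator|admin_.*)$", re.IGNORECASE)


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample events: (timestamp, event_id, user, host). Not real log data.
SAMPLE_EVENTS = [
    (ts("2007-01-01 10:00:00"), 529, "bob", "SRV01"),
    (ts("2007-01-01 10:00:00"), 529, "alice", "SRV02"),
    (ts("2007-01-01 10:01:00"), 529, "bob", "SRV01"),
    (ts("2007-01-01 10:02:30"), 529, "bob", "SRV01"),        # 3rd failure in 2.5 min
    (ts("2007-01-01 10:03:00"), 528, "admin_backup", "SRV03"),
    (ts("2007-01-01 10:04:00"), 540, "jsmith", "SRV03"),
    (ts("2007-01-01 10:05:00"), 529, "alice", "SRV02"),      # failures 5 min apart
    (ts("2007-01-01 10:06:00"), 642, "jsmith", "DC01"),      # account changed
    (ts("2007-01-01 10:07:00"), 528, "Administrator", "SRV01"),
    (ts("2007-01-01 10:10:00"), 529, "alice", "SRV02"),
]


def analyze(events, threshold=3, window=timedelta(minutes=3), admin_pattern=ADMIN_PATTERN):
    """Return a list of (alert_type, user, host, timestamp) tuples.

    Failed logons are counted per user in a sliding window; the counter is reset
    after an alert so one burst of failures produces one alert, not one per event.
    """
    alerts = []
    failures = defaultdict(deque)  # user -> timestamps of recent failed logons
    for when, event_id, user, host in sorted(events):
        if event_id in FAILURE_IDS:
            recent = failures[user]
            recent.append(when)
            # Drop failures that fell out of the window (exactly `window` old still counts).
            while recent and when - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                alerts.append(("REPEATED_LOGON_FAILURE", user, host, when))
                recent.clear()
        elif event_id in SUCCESS_IDS and admin_pattern.match(user):
            alerts.append(("ADMIN_LOGON", user, host, when))
        elif event_id in ACCOUNT_MGMT_IDS:
            # For account-management events the user field holds the target account.
            alerts.append(("ACCOUNT_RIGHTS_CHANGED", user, host, when))
    return alerts


if __name__ == "__main__":
    for kind, user, host, when in analyze(SAMPLE_EVENTS):
        print(f"{when:%H:%M:%S} {kind:24} {user}@{host}")
```

On the sample data "bob" triggers one failure alert, "alice" none (her failures are 5 minutes apart), and both "admin_backup" and "Administrator" match the regex. When you tune the real rule, check the boundary the same way: a third failure at exactly 3 minutes should still count, and one burst should not produce an alert per event.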
To do:
– I'm working on a data warehouse report that will analyze the events.
Be aware:
That your OnePoint DB will grow faster.
That the MOM data warehouse DB will also grow faster.
So make sure there is enough space for them.
Michel