
Security & Auditing Recommendations

Status
Not open for further replies.

zviw

MIS
Oct 11, 2002
US
My firm of approx. 40 systems/users switched from Novell to MS 2003 server and I need some recommendations. (1 server, running Active Directory, DNS, DHCP and providing file and print services.)

I have been going through the literature but it is hard to weed through the volume of info available and I need some immediate guidance.

Yesterday the firm terminated a new hire, something that is very rare for us. I was given a small amount of notice but they notified the person ahead of schedule and I wasn't quite ready. I found that data was being deleted from the network (stroke of luck) and immediately disconnected this person's session and disabled the account. I recovered the data (another stroke of luck, issue for another thread) and we have backup from the previous night so it wouldn't have been devastating had I been unsuccessful.

My questions:

1: How should I prepare for termination of a user?

2: Is there a way to prevent or be alerted to a user deleting large amounts of data?

3: Is there auditing that could be set to track this action? As things stand I cannot prove that this account was used to delete these files (I was able to do this on Netware).

4: I need basic, practical guidelines/advice for setting up domain auditing and security. The docs and knowledgebase articles that I find don't cut to the chase.

Thanks.

Zvi
 
1- From an administrative side, IMO there is nothing you can do to prepare for it. What I did as an admin was contact HR and let them know that informing IT of new hires and terminations has to be a priority, and they must give us either a written form or an email of some sort. From that point all you can do is disable the account. If you already know ahead of time that a user will be let go, then you simply set an expiration on the user account.

2- I'm sure, like a lot of things in VB or JScript, you may be able to write a script of some sort. Auditing on a folder will monitor disk usage and set quotas but it won't alert you to who is deleting what.

3- You can set an object auditing group policy on OUs or domains that will be able to monitor who is doing what. Although this can get rather large in the event viewer if you have it monitoring all object events.

4- Sadly, and to your dismay, in IT not all things will be cooked nice and juicy on a platter for you. Sometimes you will need to dig in and figure stuff out. Not that it helps in your case, but I'm just laying it out there just in case you didn't know. I will do some research and see what I can give you.
 
Teknoratti: I appreciate your response.

1 - That is more or less the way things worked, except the timing was off. We are a small firm that rarely lets anybody go.

2 - I was afraid of that.

3 - Thanks. I figured out how to set auditing on object access - I understand that it will fill my logs, but the partners in my firm will prefer my monitoring things for a while.

4 - I am aware of this, but my MS experience is rather limited as I've spent the bulk of the past 11 years in Novell Netware. The issue here is really one of time, I am trying to master a different NOS and manage the network and security at the same time. I just need to be pointed to a good, reliable, baseline guide to get me started in the right direction.

<rant> - We migrated to Win 2003 Srvr four weeks ago. The firm hired somebody to do the migration which went well overall but was very sloppy and left me with a lot of cleaning up to do. To be fair, the migration was a rush job on the firm's part which really contributed to the sloppiness. I have a headache.</rant>

Zvi
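
An added example, not code from any poster in this thread: with object access auditing enabled as discussed in points 2 and 3, a script can count delete-access events per account and flag bursts. It assumes the Security log has been exported to CSV in a constructed layout, that event ID 560 (the Windows Server 2003 "object open" audit event) carries a DELETE access right, and the function names, threshold and window are hypothetical.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export; the column layout and all values are assumptions.
# Event ID 560 = object open; "accesses" lists requested rights separated by "|".
SAMPLE_LOG = r"""time,event_id,user,object,accesses
2004-03-01 09:00:05,560,FIRM\alice,D:\Shares\Docs\a.doc,ReadData
2004-03-01 09:10:00,560,FIRM\bob,D:\Shares\Tmp\1.tmp,DELETE
2004-03-01 09:40:00,560,FIRM\bob,D:\Shares\Tmp\2.tmp,DELETE
2004-03-01 10:15:01,560,FIRM\jdoe,D:\Shares\Cases\c1.doc,DELETE|ReadAttributes
2004-03-01 10:15:03,560,FIRM\jdoe,D:\Shares\Cases\c2.doc,DELETE
2004-03-01 10:15:05,560,FIRM\jdoe,D:\Shares\Cases\notes.txt,WriteData
2004-03-01 10:15:09,560,FIRM\jdoe,D:\Shares\Cases\c3.doc,DELETE
2004-03-01 10:15:20,560,FIRM\jdoe,D:\Shares\Cases\c4.doc,DELETE
2004-03-01 10:15:31,560,FIRM\jdoe,D:\Shares\Cases\c5.doc,DELETE
"""

def parse_export(text):
    """Turn the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def find_delete_bursts(rows, threshold=5, window=timedelta(minutes=2)):
    """Return {user: (alert_time, objects)} for each account that requests
    DELETE access on `threshold` or more distinct objects within `window`."""
    recent = defaultdict(deque)  # user -> (time, object) pairs still in window
    alerts = {}
    for row in sorted(rows, key=lambda r: r["time"]):
        if row["event_id"] != "560":
            continue
        if "DELETE" not in row["accesses"].split("|"):
            continue
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        queue = recent[row["user"]]
        queue.append((when, row["object"]))
        while when - queue[0][0] > window:  # drop events older than the window
            queue.popleft()
        distinct = {obj for _, obj in queue}
        if len(distinct) >= threshold and row["user"] not in alerts:
            alerts[row["user"]] = (when, sorted(distinct))
    return alerts

if __name__ == "__main__":
    for user, (when, objs) in find_delete_bursts(parse_export(SAMPLE_LOG)).items():
        print(f"ALERT {when} {user}: DELETE requested on {len(objs)} objects")
```

Because the alert records the account name and the objects touched, the same output also serves as the evidence trail asked for in question 3.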
 