Nitro monitoring of Active Directory (2008R2)

ke4pym:

Hi all.

Security wants to plug their Nitro log management system into an AD environment I manage. They want domain admin rights.

I'd prefer to not give those rights to them. How can I give them rights to see the AD logs without giving them domain admin rights?


JB:
Wouldn't they only need Server Admin rights? If you wanted to get granular I would definitely check with Nitro and see if they have a User Rights Assessment/Security Rights permissions list that it needs. It should be included in their documentation.


ke4pym:

A server admin (as the domain is configured now) can't log into the directory controller.

I'll see if they have more/better docs on this subject. Thanks for the tip.



drew, replying to ke4pym:
Two options...

Set up Security Log security rights as outlined here: support.microsoft.com/kb/323076

OR

Create a script that will archive your event viewer logs (they should be doing this already...) and then copy those logs out to a place you'll grant their service account read access to.

Edit: TechNet article on using WMI in VBScript to accomplish archiving: technet.microsoft.com/en-us/libr···696.aspx



drew:

A blog post from MS on the subject: blogs.technet.com/b/janelewis/ar···008.aspx

Also, there's apparently a built-in group for Server 2008 called "Event Log Readers" or so that post says.

I have no access to Server 2008 boxen here, so go nuts.



mchill:

Yes Server 2008 does have a group called "Event Log Readers"


ke4pym:
Holy crap, you guys rock. I totally missed that group when I was browsing the list yesterday.

Granted the priv, we'll see what happens. Those crazy security guys like to sleep in late! :*)

Update - that group didn't cut it. Gave them domain admin and BAM! It worked. Now we have to figure out what about DA works and event log viewer doesn't.



drew:

Well, there's a number of issues that we're talking about.

The software could easily be making WMI calls that don't work because that Event Log Reader group doesn't have permissions.

Can they accept .evt files from the logs being archived? This is the easiest solution, IMO. Then again, I like scripting.
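drew's guess above, that the collector's WMI calls fail for a reason other than read access to the log, can be tested directly rather than by handing out Domain Admin. The script below is an added example (mine, not from the thread, from Nitro or from Microsoft). It runs from a management workstation as the collector's service account against the domain controller and tries the four access paths a WMI-based collector relies on, one at a time, so the failing step stands out. The DC name and the account name are assumptions; PowerShell 2.0 syntax is used so it also runs on 2008 R2.

```powershell
# Test-CollectorAccess.ps1  (added example, not from the thread or any vendor)
# Tries each access path a WMI-based log collector needs on a domain controller,
# using the collector's own credentials, and reports which ones work.
param(
    [string]$DomainController = 'DC01.corp.example',          # assumed DC name
    [System.Management.Automation.PSCredential]$Credential = (Get-Credential -Credential 'CORP\svc-nitro')  # assumed account
)

function Test-Step {
    param([string]$Name, [scriptblock]$Action)
    try {
        $out = @(& $Action)
        # WMI returns nothing at all, rather than an error, when a log is not readable,
        # so an empty result counts as a failure.
        if ($out.Count -eq 0) { throw 'call succeeded but returned no records' }
        New-Object PSObject -Property @{ Step = $Name; Works = $true;  Error = '' }
    } catch {
        New-Object PSObject -Property @{ Step = $Name; Works = $false; Error = $_.Exception.Message }
    }
}

# Only look at the last 15 minutes so the WQL queries stay cheap on a busy DC.
$since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddMinutes(-15))

$results = @(
    # 1. Event Log API over RPC: this is what "Event Log Readers" membership grants.
    (Test-Step 'EventLogAPI: Security (Get-WinEvent)' {
        Get-WinEvent -LogName Security -MaxEvents 1 -ComputerName $DomainController -Credential $Credential -ErrorAction Stop }),

    # 2. DCOM plus the root\cimv2 namespace: needs Remote Activation on DCOM and
    #    Remote Enable on the namespace, neither of which Event Log Readers provides.
    (Test-Step 'WMI: connect to root\cimv2 (Win32_OperatingSystem)' {
        Get-WmiObject -Class Win32_OperatingSystem -ComputerName $DomainController -Credential $Credential -ErrorAction Stop }),

    # 3. The WMI event log provider on a non-security log.
    (Test-Step 'WMI: Win32_NTLogEvent, Application log' {
        Get-WmiObject -Query "SELECT * FROM Win32_NTLogEvent WHERE Logfile='Application' AND TimeGenerated > '$since'" `
            -ComputerName $DomainController -Credential $Credential -ErrorAction Stop }),

    # 4. The same provider on the Security log: Win32_NTLogEvent only returns Security
    #    records to callers holding SeSecurityPrivilege ("Manage auditing and security log").
    (Test-Step 'WMI: Win32_NTLogEvent, Security log' {
        Get-WmiObject -Query "SELECT * FROM Win32_NTLogEvent WHERE Logfile='Security' AND TimeGenerated > '$since'" `
            -ComputerName $DomainController -Credential $Credential -ErrorAction Stop })
)

$results | Format-Table -Property Step, Works, Error -AutoSize
```

Read the table top to bottom: if step 1 works and step 2 fails, the problem is DCOM or namespace security; if steps 1 to 3 work and only step 4 fails, the collector is reading the Security log through the legacy WMI provider, which checks SeSecurityPrivilege rather than the log's ACL. A Domain Admin passes every step, which is why granting DA "fixes" it without telling you which permission was actually missing.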


ke4pym:

We spoke with Nitro support and they indeed are making WMI calls. I've done some research on the links above and a few others I found with my Googlefoo and none of those worked.

So, I gave up and opened a case with Microsoft. I'll let them do it. I will post the results here for posterity and the next soul to stumble on it.
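Since Nitro confirmed the collector uses WMI, the permissions that matter are the ones WMI checks, not only the log ACL that drew's KB 323076 link and the Event Log Readers group cover. The script below is an added example (mine, not from the thread, from Nitro or from Microsoft's support case) of granting a collector account those rights on a 2008 R2 DC without Domain Admin; it combines the KB 323076 idea (an explicit read ACE on the Security channel, which on Server 2008 lives in the channel's access SDDL rather than a CustomSD registry value) with the DCOM group and the WMI namespace ACE. The account name is an assumption; run it elevated on the DC.

```powershell
# Grant-CollectorReadAccess.ps1  (added example, not from the thread or any vendor)
# Gives a WMI-based log collector read access on a domain controller without Domain Admin:
#   1. read on the Security channel, 2. remote DCOM activation, 3. Remote Enable on root\cimv2.
# The remaining piece, SeSecurityPrivilege, is a user right assigned through Group Policy
# and is described in the comment at the end.
param([string]$Account = 'CORP\svc-nitro')   # assumed service-account name

$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier]).Value

# 1a. Read access to the Security log via the built-in group (Server 2008 and later).
net localgroup "Event Log Readers" $Account /add

# 1b. Or an explicit read ACE (0x1) for this SID on the channel itself. This is the
#     Server 2008 form of KB 323076's CustomSD: the SDDL is edited with wevtutil.
$channelAccess = ((wevtutil gl Security | Where-Object { $_ -match '^channelAccess:' }) -replace '^channelAccess:\s*', '')
if ($channelAccess -notmatch [regex]::Escape($sid)) {
    wevtutil sl Security "/ca:$channelAccess(A;;0x1;;;$sid)"
}

# 2. Remote WMI rides on DCOM: the caller needs Remote Launch/Activation, which the
#    built-in "Distributed COM Users" group grants.
net localgroup "Distributed COM Users" $Account /add

# 3. Namespace security on root\cimv2: Enable Account + Execute Methods + Remote Enable,
#    inherited by sub-namespaces. Constants are the WBEM access-mask and ACE-flag values.
$WBEM_ENABLE         = 0x1
$WBEM_METHOD_EXECUTE = 0x2
$WBEM_REMOTE_ACCESS  = 0x20
$CONTAINER_INHERIT   = 0x2
$ACCESS_ALLOWED      = 0x0

$nsSecurity = Get-WmiObject -Namespace 'root\cimv2' -Class __SystemSecurity
$sd = $nsSecurity.GetSecurityDescriptor().Descriptor
$alreadyThere = $sd.DACL | Where-Object { $_.Trustee.SidString -eq $sid }
if (-not $alreadyThere) {
    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $trustee.SidString = $sid
    $ace = ([wmiclass]'Win32_Ace').CreateInstance()
    $ace.AccessMask = $WBEM_ENABLE -bor $WBEM_METHOD_EXECUTE -bor $WBEM_REMOTE_ACCESS
    $ace.AceFlags   = $CONTAINER_INHERIT
    $ace.AceType    = $ACCESS_ALLOWED
    $ace.Trustee    = $trustee
    $sd.DACL += $ace.psobject.ImmediateBaseObject
    $result = $nsSecurity.SetSecurityDescriptor($sd.psobject.ImmediateBaseObject)
    if ($result.ReturnValue -ne 0) { throw "SetSecurityDescriptor on root\cimv2 failed: $($result.ReturnValue)" }
}

# 4. Win32_NTLogEvent does not return Security-log records unless the caller holds
#    SeSecurityPrivilege ("Manage auditing and security log"). That is a user right, so add
#    the account to it in the Default Domain Controllers Policy (or a narrower GPO) and run
#    gpupdate on the DCs. It lets the holder read and clear the Security log and change audit
#    policy, so treat it as sensitive, but it is a long way short of Domain Admin.
```

Step 1b is the one to pick when the collector account should see the Security log and nothing else; Event Log Readers is wider (every log on the box). If the collector only needs to reach the Security log through the legacy WMI provider, step 4 is the part most people miss, and it is the one that Domain Admin membership quietly brings along.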



drew:

You must work in a super large enterprise with support hours to burn!


ke4pym:

said by drew:

You must work in a super large enterprise with support hours to burn!

I do. And I'm very, very fortunate in that regard. Though, I do always try to fix it myself (tm) before calling. Some days, it's just easier to call.


drew:

We are in a similar position. We've got Splunk for log mgmt and I love it. Trying to get it hooked up to more stuff, but I am the lowest man on the totem pole.


AsherN, replying to ke4pym:
I would just have told them "you're the security group, you must understand about least privilege rights. Come back when your software doesn't require the keys to the castle to read logs."



drew:

I can't stand the "let's tell our compliance/auditing/security group to shove it" mentality that I see over and over again.

They need access to the logs. Be the SA you should be and work with them to figure out how to make that happen.


AsherN:

They may need access to the logs, but I should not have to compromise the very security they want to audit to give it to them.



drew:

Except telling them to go take a flying leap is (almost) never the correct solution.

It's your job as a SA to provide solutions to issues/requests.

As for this particular issue, there's ALREADY a solution if, for whatever reason, they're unable to pull the logs...

Script out (using PSH or VBS) the archival of the event logs to a share that is accessible by that log management utility. No special permissions required.


AsherN:

Except, I can understand the security group's resistance to the exported logs. No way of knowing if they have been tampered with.

The real solution is software that does not require Domain Admin.



drew:

Write protected directory that only DA/EAs can write to, read-only for the service account the software will use. R/W to the service account used for dumping the logs.

That's no less secure than the current system.

In reality, it's probably an easily solved problem that won't require DA to run that log management software.

FWIW, I work in an extremely security conscious environment and even we allow log shipping in the fashion I've described.
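The archive-and-share approach drew suggests earlier in the thread (script the export, give the collector's account read access to the copies) and the directory layout he describes here (DA/EA write, service account read) fit in one script. The following is an added example (mine, not drew's script, not from the thread and not from any vendor): it runs on the DC as a scheduled task under SYSTEM, exports only the last slice of the Security log, locks the folder ACL down the way described, and records a SHA-256 per file so the consumer can at least detect a modified or truncated slice. Folder, share, group and account names are assumptions; the syntax is PowerShell 2.0 so it runs on 2008 R2.

```powershell
# Export-SecurityLogArchive.ps1  (added example, not from the thread or any vendor)
# Scheduled on the DC under SYSTEM, e.g. every 15 minutes. Exports the recent part of the
# Security log to a folder that only SYSTEM and Domain Admins can write and the collector's
# account can read, and appends a SHA-256 line per exported file to a manifest.
param(
    [string]$ArchiveRoot   = 'D:\EventLogArchive',   # assumed; shared read-only as \\DC01\EventLogArchive
    [string]$LogName       = 'Security',
    [string]$ReaderAccount = 'CORP\svc-nitro',       # assumed collector service account
    [string]$WriterGroup   = 'CORP\Domain Admins',
    [int]$IntervalMinutes  = 20                      # a bit more than the schedule; overlap is harmless
)

function Set-ArchiveAcl {
    # Cut inheritance, drop whatever came with it, then: SYSTEM + writers full control,
    # reader account read/execute. Files created below inherit these entries.
    param([string]$Path, [string]$Reader, [string]$Writer)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in ($acl.Access | Where-Object { -not $_.IsInherited })) { $null = $acl.RemoveAccessRule($rule) }
    $flags = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none  = [System.Security.AccessControl.PropagationFlags]::None
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $full  = [System.Security.AccessControl.FileSystemRights]::FullControl
    $read  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    foreach ($id in @('NT AUTHORITY\SYSTEM', $Writer)) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, $full, $flags, $none, $allow)))
    }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($Reader, $read, $flags, $none, $allow)))
    Set-Acl -Path $Path -AclObject $acl
}

function Export-RecentEvents {
    # wevtutil epl with an XPath query exports only events newer than $Minutes, so each
    # run produces a small slice instead of a copy of the whole log.
    param([string]$Log, [string]$Root, [int]$Minutes)
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $Root ('{0}-{1}-{2}.evtx' -f $env:COMPUTERNAME, $Log, $stamp)
    $query = '*[System[TimeCreated[timediff(@SystemTime) <= {0}]]]' -f ($Minutes * 60 * 1000)
    & wevtutil.exe epl $Log $file "/q:$query"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil epl $Log failed with exit code $LASTEXITCODE" }
    $file
}

function Get-Sha256Hex {
    # Get-FileHash does not exist on PowerShell 2.0, so hash through .NET directly.
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

if (-not (Test-Path -Path $ArchiveRoot)) {
    $null = New-Item -ItemType Directory -Path $ArchiveRoot
    Set-ArchiveAcl -Path $ArchiveRoot -Reader $ReaderAccount -Writer $WriterGroup
}

$exported = Export-RecentEvents -Log $LogName -Root $ArchiveRoot -Minutes $IntervalMinutes
$line = '{0}  {1}' -f (Get-Sha256Hex -Path $exported), (Split-Path -Path $exported -Leaf)
Add-Content -Path (Join-Path $ArchiveRoot 'SHA256SUMS.txt') -Value $line

# The live log remains the record of authority; keep 30 days of slices here.
Get-ChildItem -Path $ArchiveRoot -Filter '*.evtx' |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-30) } |
    Remove-Item
```

On the tampering objection: the manifest lives in a folder the writer group controls, so it catches corruption in transit and changes by the reader account, not changes by a Domain Admin, who could also clear the live log or rewrite its ACL. If the consumer wants more than that, have the collector ingest SHA256SUMS.txt as well and alert when a hash changes after it was first seen; that turns a silent rewrite into an event.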


ke4pym:
Update on this.

I've stumped Microsoft. Had to run a network trace and a process mon trace for them yesterday.

Writing files out to disk isn't an option.



drew:

Why not?


Saturday, 25-May 21:18:33 | © 1999-2013 dslreports.com