In this real-training webinar I’ll show you how to use the Windows security log to track and respond to what I consider the 8 most important changes in Active Directory that can affect security and availability:
1. Modification to a Group Policy Object
2. Permissions Change to an Organizational Unit
3. Group Policy Object links changed on an Organizational Unit
4. Organizational Unit deleted
5. Group Policy Object deleted
6. Trust relationships changed
7. Membership change to privileged group (Enterprise Admins, etc.)
8. Domain audit policy changed
9. Domain account policy changed
10. New domain controller
Catching these changes requires enabling 3 different audit categories on your domain controllers and configuring audit policy on group policy objects, organizational units and several groups. I’ll show you how to do all of that live and then we’ll find the actual events in the security log. I’ll also show you how the process is different on Windows Server 2008 with its new security log and audit policies.
Then I will interview Chris Petersen, CTO and Founder of LogRhythm, on how LogRhythm’s log management and SEM solution alerts and reports on security-critical Active Directory changes and the LogRhythm approach in general. Chris Petersen has quite a background in infosec and you can see that in the LogRhythm solution.