some security requirements - how to comply

Thread starter: Juan Carlos

Juan Carlos

Hi:

I have some requirements for a piece of software and I don't know how to
use/configure Active Directory (or whatever) to comply with them, or the best
way to do it. I have no experience with Active Directory.

The following are the requirements:
1) Configure a maximum "idle" status of a session: if a user logs in and
does not use the PC for a certain time the user must be logged off
automatically.
2) Make the system users "expire" automatically when a certain
(configurable) time has passed since the last time the user logged in.
3) Audit the user management (creation/deletion/modification) by
administrators to record all modifications and authors of those
modifications.

For 1) a way may be using a screen saver configured to auto log-off after a
certain time, but I don't know how to configure a default screen saver for a
group of users (and make those users unable to modify it). Maybe using
logon scripts and some registry stuff?
For 2) I've seen out there that "LastLogonTime" or something like that
is recorded for all users, but I don't know a good way to do this
automatically.
For 3) there is a way (policy) to make Windows "events" get generated when
Active Directory objects are modified. Is that a good way?

I'd really appreciate your help.

Juan Carlos
 

1) - It'd be useful if Scheduled Tasks had a "when idle for x minutes" option or
something.
2) - There's a last modified property in AD somewhere, but I honestly
can't find it now. I did find a little program once that would go through
AD and list when people last logged on etc. So it does exist and is
possible. Search around a lot. Could write some VB to do it, and then
disable the accounts I guess.
3) - I've actually done this one! You can get your DCs to generate security
messages when an account is created, modified, deleted etc. Then set up
a VB script and an SQL (or Access) DB that will import them into the
database. Schedule this occasionally. Write some ASP and make the
database searchable. There was an article on MS's site somewhere about
how to import event logs into SQL.
 
1) The screen saver is an option, and you can easily set the same screen
saver for all users or a subset of users using Group Policy. Note two
things, however: first, you will have to distribute the screensaver file(s)
to all computers prior to enforcing these settings in GP. Second, you may
have other requirements that need you to use screensavers in a more
traditional way - to "lock workstation" after a certain amount of idle time -
and then you will have to choose between those two.
2) Yes, you can use the lastLogon attribute on a user account to check last
logon time. One thing to take into account here: this attribute is not
replicated between DCs, so you will have to query all DCs for a particular
domain and read the value of this attribute from all DCs for every user
account in your code.
3) Configuring auditing on Active Directory objects will help you to get
certain events recorded in a DC security event log. Again, if you want a
complete picture here, you will have to query security event logs from all
DCs in the same domain and combine this information before interpreting - as
the event gets logged only on the DC which performed the operation being
audited (such as account creation, modification etc).

Hope that helps.
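The "query every DC and combine" approach for requirement 2, as an added example that is not from this thread (it assumes the RSAT ActiveDirectory module is installed, a 90-day idle limit, and that the account running it can read all DCs; report-only unless -Disable is passed):

```powershell
# Added example: find enabled accounts with no logon on ANY DC for $MaxIdleDays days.
# lastLogon is not replicated, so each DC holds only the logons it authenticated;
# the newest value across all DCs is the real "last logon" for the user.
param(
    [int]$MaxIdleDays = 90,   # assumed policy value
    [switch]$Disable          # default is report only
)
Import-Module ActiveDirectory

$dcs     = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$latest  = @{}     # samAccountName -> most recent logon (DateTime) seen on any DC
$partial = $false  # set if any DC could not be read

foreach ($dc in $dcs) {
    try {
        $users = Get-ADUser -Server $dc -Filter 'Enabled -eq $true' -Properties lastLogon
    } catch {
        # A DC we could not query may hold the only recent logon for some user,
        # so never disable accounts based on an incomplete sweep.
        Write-Warning "Could not query $dc : $_"
        $partial = $true
        continue
    }
    foreach ($u in $users) {
        if (-not $u.lastLogon) { continue }   # 0/null: never logged on at this DC
        $t = [DateTime]::FromFileTime($u.lastLogon)   # FILETIME -> local DateTime
        if (-not $latest.ContainsKey($u.SamAccountName) -or $t -gt $latest[$u.SamAccountName]) {
            $latest[$u.SamAccountName] = $t
        }
    }
}

$cutoff = (Get-Date).AddDays(-$MaxIdleDays)
$stale  = $latest.GetEnumerator() |
          Where-Object { $_.Value -lt $cutoff } |
          Sort-Object Value |
          Select-Object @{n='User';e={$_.Key}}, @{n='LastLogon';e={$_.Value}}
$stale | Format-Table -AutoSize

if ($Disable -and -not $partial) {
    foreach ($s in $stale) {
        Disable-ADAccount -Identity $s.User -WhatIf   # remove -WhatIf after reviewing the list
    }
} elseif ($Disable) {
    Write-Warning "Skipping disable: at least one DC was not queried."
}
```

Accounts that have never logged on anywhere are absent from $latest and need a separate check on whenCreated; the replicated lastLogonTimestamp attribute is an alternative when an accuracy of roughly two weeks is acceptable.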
 