Tiny Deathstars of Foulness

Especially in environments with files in Google Docs, Dropbox, Box, Wikis, file servers, portals and any other place that makes it hard to aggregate exactly what you need.

May 30th, 2014

Posted In: cloud, Mac OS X Server

Tags: , , , , ,

The default logs in Windows Server can be tweaked to provide a little better information. This is really helpful, for example, if you’re dumping your logs to a syslog server. Here’s a script that can make it happen with a few little tweaks to how we interpret data (to be run per host, just paste into a Powershell interface as an administrator): auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable auditpol /set /subcategory:"IPsec Driver" /success:disable /failure:disable auditpol /set /subcategory:"Other System Events" /success:disable /failure:enable auditpol /set /subcategory:"Logon" /success:enable /failure:enable auditpol /set /subcategory:"Logoff" /success:enable /failure:enable auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable auditpol /set /subcategory:"IPsec Main Mode" /success:disable /failure:disable auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable auditpol /set /subcategory:"IPsec Extended Mode" /success:disable /failure:disable auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable auditpol /set /subcategory:"File System" /success:enable /failure:enable auditpol /set /subcategory:"Registry" /success:enable /failure:enable auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable auditpol /set /subcategory:"SAM" /success:disable /failure:disable auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable auditpol /set /subcategory:"Handle Manipulation" /success:disable /failure:disable auditpol /set /subcategory:"File Share" /success:enable /failure:enable auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable auditpol /set /subcategory:"Other Object Access Events" /success:disable /failure:disable auditpol /set /subcategory:"Sensitive Privilege Use" /success:disable /failure:disable auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:disable /failure:disable auditpol /set /subcategory:"Other Privilege Use Events" /success:disable /failure:disable auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable auditpol /set /subcategory:"Process Termination" /success:enable /failure:enable auditpol /set /subcategory:"DPAPI Activity" /success:disable /failure:disable auditpol /set /subcategory:"RPC Events" /success:enable /failure:enable auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable auditpol /set /subcategory:"Authorization Policy Change" /success:enable /failure:enable auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:disable /failure:disable auditpol /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:disable auditpol /set /subcategory:"Other Policy Change Events" /success:disable /failure:enable auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable auditpol /set /subcategory:"Directory Service Replication" /success:disable /failure:disable auditpol /set /subcategory:"Detailed Directory Service Replication" /success:disable /failure:disable auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable eventviewer

April 23rd, 2014

Posted In: Windows Server

Tags: , , , , , , , , , , ,