Meeting the InCommon Assurance profile criteria using Active Directory

["Rank, Mark" <>]

I vote yes... I seem to remember a thread that included some pointers to AD event log codes from one of the folks ( Brian ??? )...

Mark

--------------------------------------------------

Mark Rank
Project Manager - Identity & Access Mgt

UCSF Information Technology Services (ITS)
email:

phn:414-331-1476

--------------------------------------------------

---

From: [] on behalf of Ann West []
Sent: Wednesday, July 10, 2013 11:38 AM
To:
Subject: [AD-Assurance] FW: AD monitoring for failure codes and insecure protocols

Hi All,

Is it appropriate to loop Brett into our discussion and discuss his questions on an upcoming meeting?

Ann

From: Brett Bieber <>
Reply-To: Brett Bieber <>
Date: Wednesday, July 10, 2013 12:32 PM
To: Ann West <>
Subject: AD monitoring for failure codes and insecure protocols

Hi Ann,

I'm hoping you can put me in contact with someone looking at the AD alternative means. I'm looking for assistance identifying the proper event codes from the domain controller security logs.

My suspicion is that any institution that is not willing to shut down the insecure AD protocols will need to take the approach Chicago has taken, e.g. monitor and remediate. I'm hoping that we can come to consensus on all the AD event codes to monitor, and perhaps some standard monitoring scripts via powershell or Splunk etc to pull those events out and then perform the appropriate IAQ degradation actions.

Thanks for any info you could provide.

--
Brett Bieber
University of Nebraska-Lincoln