Export (0) Print
Expand All

Enabling Monitoring for Anonymous Active Directory Access

Updated: December 2, 2007

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2

You can enable monitoring for anonymous access through audit settings on the Active Directory object CN=Server,CN=System,domain,DC=…ForestRootDomain. The audit settings ensure that a Security audit log event is generated whenever an application or service attempts to list or read domain data in Active Directory with anonymous access. The most common generators of these events are applications or services, such as Routing and Remote Access Service, that are running on Windows NT 4.0 domain controllers or on member servers in the context of Local System.

noteNote
In addition to these audit settings, the Audit directory service access audit policy must be configured to audit successful access to the directory. Success events for directory service access are audited by default in Windows Server 2003.

Requirements

  • Credentials: Domain Admins

  • Tools: ADSI Edit (Windows Server 2003 Support Tools)

To enable monitoring for anonymous Active Directory access

  1. Log on to a domain controller in the root domain by using an account with Domain Admins credentials.

  2. Click Start, click Run, type adsiedit.msc, and then click OK.

  3. In the console tree, double-click the domain, and then click the System container.

  4. In the details pane, right-click Server, and then click Properties.

  5. On the Security tab, click Advanced.

  6. On the Auditing tab, click Add.

  7. In the Enter the object name to select box, type anonymous, and then click OK.

  8. In the Auditing Entry for Server dialog box, set the auditing entries shown in Table 45.

Table 45 Audit Settings for CN=Server,CN=System,DC= domain ,DC=… ForestRootDomain

 

Type Name Access Apply Onto

Success

Anonymous

Read All Properties

This object only

Success

Anonymous

Enumerate Entire SAM Domain

This object only

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft