Introduction
IT service unavailability can be caused by many reasons, and one of them is accidental or malicious deletion of DNS records. For instance, after the deletion of a Domain Controller's DNS record, users will not be able to log in. Deletion of a SharePoint server's DNS record will make internal corporate resources unavailable. Regular monitoring of DNS record deletions will help IT administrators respond promptly to such incidents.
http://start.netwrix.com/how_to_monitor_deletion_of_dns_records.html
Steps (6 total)
Run GPMC.msc → edit “Default Domain Policy” → Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy → go to “Properties” of Audit directory service access → Define → Success.
Computer Configuration → Policies → Windows Settings → Security Settings → Event Log → in “Properties” of below mentioned policies define:
Maximum security log size to 4 GB
Retention method for security log to Overwrite events as needed.
Open ADSI Edit → Connect to Default naming context → Expand DomainDNS object with the name of your domain → System → Right click MicrosoftDNS → Properties → Security (Tab) → Advanced (Button) → Auditing (Tab) → Add Principal “Everyone” → Type “Success” → Applies to “This object and all descendant objects” → Permissions → Select the following check boxes: Write all properties, Delete, Delete subtree → Click “OK”.
Open DNS Manager → Expand your servername → Forward Lookup Zone → Right click the zone you want to audit → Properties → Security (Tab) → Advanced (Button) → Auditing (Tab) → Add Principal “Everyone” → Type “Success” → Applies to “This object and all descendant objects” → Permissions → Select the following check boxes: Write all properties, Delete, Delete Subtree → Click “OK”.
Look for Event ID 4662 with Object Type: dnsNode in your Security Event log in order to track DNS records deletion.
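The last step as a query, as an added PowerShell example that is not part of the Netwrix article: it pulls Event ID 4662 from the Security log, keeps only events whose Object Type is dnsNode, and reports those with a delete or write-property access mask (a record removed through DNS Manager on an AD-integrated zone is normally tombstoned, which is a property write, not an object delete). It assumes it runs on a domain controller after the audit policy and SACLs above are in place and that the ActiveDirectory module is available.

```powershell
# Added example, not from the article: report 4662 events on dnsNode objects.
param(
    [int]$Hours = 24,                          # look-back window
    [string]$ComputerName = $env:COMPUTERNAME  # assumed: run on a DC
)

Import-Module ActiveDirectory -ErrorAction Stop

# 4662 shows ObjectType either as the class name ("dnsNode") or as its
# schemaIDGUID in "%{guid}" form, so resolve the GUID from this forest's
# schema instead of hard-coding it.
$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$dnsNodeClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=dnsNode)' -Properties schemaIDGUID
$dnsNodeGuid  = ([guid]$dnsNodeClass.schemaIDGUID).Guid

# ADS_RIGHT_* bits: DELETE, DS_DELETE_TREE, DS_DELETE_CHILD and DS_WRITE_PROP.
# Deleting a record in an AD-integrated zone usually sets dNSTombstoned and
# rewrites dnsRecord (0x20) rather than deleting the object (0x10000), which
# is why the SACL above audits "Write all properties" as well as Delete.
$deleteBits = 0x10000 -bor 0x40 -bor 0x2
$writeProp  = 0x20

$filter = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-$Hours) }
Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
ForEach-Object {
    # Flatten the EventData fields of the event into a name -> value table.
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $objType = [string]$d['ObjectType']
    if ($objType -notmatch 'dnsNode' -and $objType -notmatch $dnsNodeGuid) { return }

    $mask = [int]$d['AccessMask']          # e.g. "0x10000" converts as hex
    $isDelete = ($mask -band $deleteBits) -ne 0
    $isWrite  = ($mask -band $writeProp) -ne 0
    if (-not ($isDelete -or $isWrite)) { return }
    $access = if ($isDelete) { 'Delete' } else { 'WriteProperty' }

    [pscustomobject]@{
        Time       = $_.TimeCreated
        User       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        Record     = $d['ObjectName']      # DN of the dnsNode under MicrosoftDNS
        Access     = $access
        AccessMask = $d['AccessMask']
        DC         = $_.MachineName
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Run it on each DC (or against a log collector) and treat WriteProperty hits on records you did not change as candidates for a tombstoned record; the dNSTombstoned attribute on the reported DN confirms it.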