1 Reply Latest reply on Dec 6, 2018 5:35 AM by phoffmann

    Security Agent Setting (audit)

    brad.e.smith Apprentice

      We have had a report of a security setting for device control that was changed recently. The "saved by" is NT Authority\ISUR. Is this a false alarm (from what we are told, no one with access has touched this setting)? Is there a way to see (maybe on the db level) hwo changed that setting?

       

      Ivanti 2017.3

        • 1. Re: Security Agent Setting (audit)
          phoffmann SupportEmployee

          So - "seeing on a DB level" would be unlikely, as chances are what you'd see is "the LANDesk / EPM user" doing the change.

           

          We're not using NT-authentication for the DB (but SQL) ... so "once you're authenticated with EPM", all reads / changes & such are handled via "the EPM account" (and it's EPM that checks / verifies that you actually have access / the required scope/role for the thing you're trying to do).

           

          The IUSR account is an IIS user account ... mildly curious / surprised to see that go through / be logged, as the web console *DOES* make use of NT Authentication (so you may want to check the IIS logs around that time ... to at least get client IP's and/or login SID's potentially).

           

          GOTCHA -- be mindful that IIS logs are generally written in GMT, so adjust for your own timezone.

           

          If you're not sure how to read an IIS log, there's a few pages on that in the PPT I've created for this -- [Tech Brief On-Demand Webinar 2016] Provisioning with LANDESK Management Suite -- (I go over this in the video itself, so you can just fast forward to that section). It's not hard to pick up .