Monitoring and alerting about Administrator Actions?

Dear experts,

I would like to know if there is a smart way to monitor admin actions on an endpoint?

By “admin” actions I mean:

  1. Microsoft UAC “requests” for privileged action toward the user
  2. Usage of a user account with admin rights (in the case where the user authenticates with an admin account, or uses an admin account in a UAC request)
  3. Non system administrator action authorised

The aim is to:

  1. Be able to receive an alert when a user accepts UAC or inputs an admin account in UAC, and to know for which process it was requested
  2. Track this kind of action in an audit report, to investigate in case of a security issue.

I found a site speaking about that:
http://stackoverflow.com/questions/8134195/which-events-are-triggered-on-a-uac-prompt

Having to enable some local security policies to record those events, maybe the solution is here; maybe your Comodo endpoint already tracks this kind of action and reports it somewhere, I did not find it.

Thank you.

Hello @rbo,

Thank you for the feedback! We have contacted you by email and escalated the request.