Consolidating Windows Domains
This architecture then forms a part of the set-up needed for our Cred Defense Toolkit.
Also, there are some environments where deploying yet another agent to Windows endpoints may not be desirable.
Derek Banks // I want to expand on our previous blog post on consolidated endpoint event logging and use Windows Event Forwarding, living off the Microsoft land, to ship events to a central location. I wanted a Windows-based server holding all of the event logs from the environment so that I could use PowerShell for analysis.
It extends the endpoint’s logging capability beyond the standard event logs.
Turn on Windows Remote Management (WS-Management) Service via GPO

The Windows Remote Management (WS-Management) service will need to be started on all the systems that will forward events.
Note that they do not need to be listening on HTTP or HTTPS – the only system that needs to be listening and have firewall rules configured is the WEF server.
Alternatively, you could just use “Domain Computers” if you are in a testing environment.
Otherwise, targeting every computer in your environment for the initial set-up may not be the best idea.
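The split described above (WinRM service running everywhere, a listener and firewall exception only on the collector) is easy to get backwards, so here is an added PowerShell check that is not part of the original post. It assumes a collector hostname of `wef01` and that the collector service on the WEF server is being set up with `wecutil qc`; both names are assumptions, not values from the post. Run it on a forwarder to confirm the service state the GPO should produce, or on the collector to confirm the listener, firewall rule, and Windows Event Collector service.

```powershell
# Added example (not the original post's code). Verifies the WEF prerequisites:
#   - forwarders: WinRM service running and set to Automatic, no listener required
#   - collector:  HTTP listener present, inbound firewall rule enabled, Wecsvc running
# Assumption: the collector's hostname is 'wef01'.
[CmdletBinding()]
param(
    [string]$CollectorName = 'wef01'   # assumed collector hostname
)

function Test-ForwarderWinRM {
    # Forwarders only need the WinRM service itself; the GPO should set it to Automatic.
    $svc   = Get-Service -Name WinRM -ErrorAction Stop
    $start = (Get-CimInstance -ClassName Win32_Service -Filter "Name='WinRM'").StartMode
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Status    = $svc.Status
        StartMode = $start
        Ok        = ($svc.Status -eq 'Running' -and $start -eq 'Auto')
    }
}

function Test-CollectorListener {
    # Only the collector must listen (HTTP on 5985 by default) and allow it through the firewall.
    $listeners    = Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue
    $httpListener = $listeners | Where-Object { $_.Keys -contains 'Transport=HTTP' }
    $fwRule = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
    $wec = Get-Service -Name Wecsvc -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        HasHttpListener  = [bool]$httpListener
        FirewallRuleOpen = [bool]$fwRule
        CollectorService = if ($wec) { $wec.Status } else { 'NotInstalled' }
        Ok               = ([bool]$httpListener -and [bool]$fwRule -and $wec.Status -eq 'Running')
    }
}

if ($env:COMPUTERNAME -ieq $CollectorName) {
    # Collector side: create the listener and firewall exception, then enable the collector service.
    winrm quickconfig -q    # configures the WinRM listener and firewall rule
    wecutil qc /q           # starts Wecsvc and sets it to start automatically
    Test-CollectorListener
}
else {
    # Forwarder side: nothing to open; just confirm the service is up.
    Test-ForwarderWinRM
}
```

On a forwarder, an `Ok` of `False` with `StartMode` of `Manual` means the GPO that starts the WS-Management service has not applied yet; on the collector, a missing HTTP listener or firewall rule explains why subscriptions show no active sources.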