This entire area is very extensive and complex. For each type of event, we would need to study the functioning in detail and prepare processing accordingly. Many events are critical for security and should be monitored (certain standards and recommendations, such as ISO 27001, the Cybersecurity Act, etc., may require this). It's a pity that Microsoft doesn't have a general solution prepared that would process the most common areas. There are various paid third-party products, and it may be worth investing in them rather than solving everything with our own efforts and free tools (as described in this article).
The article will generally look at setting up auditing and individual categories of security events. We will describe various options for viewing and automatically processing logs. In the second half, we will look at some practical events (areas) that are good to monitor. The selected areas and events contain my description, which may not be optimal; many things can be solved better. Overall, we will focus on newer versions of Windows and events related to AD DS on domain controllers.
In Windows Server 2008 R2 (and related Windows 7), there were changes in the auditing settings and also in the event IDs that are logged (more precisely, the changes occurred with Windows Server 2008 and Vista). Since then, everything has been more or less the same, only more details or new subcategories have been added (referring to newer versions of Windows Server 2012 and 2016).
Windows security auditing in domain
The whole process consists of several steps:
- enabling auditing of required categories
- selecting important events
- processing and filtering important records
In the second part of the article, there are examples of practical situations, including
Enabling (setting up) auditing using Group Policy
In the default configuration, Windows logs only certain operations, so it is good to set up an Audit Policy in which we choose more detailed categories for monitoring. We need to consider what we want to monitor on workstations, servers, and domain controllers. If we enable logging of everything, the server may become overloaded, because there can be an enormous number of events every second. It is also complicated because common operations, such as a user logon or the creation of a computer account in AD DS, consist of several sub-events. Log processing is therefore very demanding.
Using Group Policy, we have two options for selecting the categories of events we want to audit:
- Audit Policy - basic security audit policies, the original option, allows setting only entire categories and choosing successful (Success) or unsuccessful (Failure) events
- Advanced Audit Policy - advanced security audit policies, available from Windows 7, allows selecting specific subcategories (behaviors) within each category and setting additional details, again logging successful (Success) or unsuccessful (Failure) events
Official information Security Auditing Overview, Windows 10 Security auditing, Windows Server 2008 R2 Security Auditing.
We configure group policies classically using Group Policy Management and Group Policy Management Editor. We create a new GPO or use an existing one and link it according to the target computers. For domain events on DCs, we can use the Default Domain Controllers Policy, for settings within the entire domain, the Default Domain Policy. Alternatively, we can set it using a local policy. It is advisable to target the settings only where we want to use them.
For the category we want to monitor, we set Define these policy settings and choose whether we want to log successful (Success) or unsuccessful (Failure) events or both. For subcategories, we similarly set Configure the following audit events and choose Success or Failure or both. The events are then stored in the Windows Security log.
Basic Security Audit Policies
Note: Listed for reference only; in this article we focus on the advanced audit policies.
The settings are located in the path Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Audit Policy/
Available items
- Audit account logon events
- Audit account management
- Audit directory service access
- Audit logon events
- Audit object access
- Audit policy change
- Audit privilege use
- Audit process tracking
- Audit system events
Advanced Security Audit Policies
The settings are located in path Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policy/
In the given path, we open the main categories (which correspond to the basic policies) and set the subcategories below them. The list of items below should match Windows 10 (a few new subcategories have been added over time).
- Account Logon
- Audit Credential Validation
- Audit Kerberos Authentication Service
- Audit Kerberos Service Ticket Operations
- Audit Other Account Logon Events
- Account Management
- Audit Application Group Management
- Audit Computer Account Management
- Audit Distribution Group Management
- Audit Other Account Management Events
- Audit Security Group Management
- Audit User Account Management
- Detailed Tracking
- Audit DPAPI Activity
- Audit Process Creation
- Audit Process Termination
- Audit RPC Events
- Audit Plug and Play Events
- Audit Token Right Adjusted Events
- DS Access
- Audit Detailed Directory Service Replication
- Audit Directory Service Access
- Audit Directory Service Changes
- Audit Directory Service Replication
- Logon/Logoff
- Audit Account Lockout
- Audit IPsec Extended Mode
- Audit IPsec Main Mode
- Audit IPsec Quick Mode
- Audit Logoff
- Audit Logon
- Audit Network Policy Server
- Audit Other Logon/Logoff Events
- Audit Special Logon
- Audit User / Device Claims
- Audit Group Membership
- Object Access
- Audit Application Generated
- Audit Certification Services
- Audit Detailed File Share
- Audit File Share
- Audit File System
- Audit Filtering Platform Connection
- Audit Filtering Platform Packet Drop
- Audit Handle Manipulation
- Audit Kernel Object
- Audit Other Object Access Events
- Audit Registry
- Audit SAM
- Audit Removable Storage
- Audit Central Policy Staging
- Policy Change
- Audit Audit Policy Change
- Audit Authentication Policy Change
- Audit Authorization Policy Change
- Audit Filtering Platform Policy Change
- Audit MPSSVC Rule-Level Policy Change
- Audit Other Policy Change Events
- Privilege Use
- Audit Non-Sensitive Privilege Use
- Audit Sensitive Privilege Use
- Audit Other Privilege Use Events
- System
- Audit IPsec Driver
- Audit Other System Events
- Audit Security State Change
- Audit Security System Extension
- Audit System Integrity
- Global Object Access Auditing
- File System (Global Object Access Auditing)
- Registry (Global Object Access Auditing)
Enforcing the use of Advanced Security Audit Policies
If we want to use Advanced Security Audit Policies instead of Basic, Microsoft states that we should enable the policy Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings in the path Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options. This is because the Basic policy takes precedence, and if it were set, it would override the Advanced settings.
AuditPol Tool
Since Windows Server 2008, the command-line tool auditpol.exe has been available. Before the arrival of Windows Server 2008 R2, it was the only way to set Advanced Security Audit Policies. Today, we might prefer to use Group Policy, but this command is still useful because it lists the available subcategories on the given operating system. Additionally, we can view the current settings (which should include the default enabled items and what we manage through policies or otherwise).
auditpol /get /category:*
Event Log Settings
When setting up the audit of selected events, it is good to configure the parameters of the system event logs (we are now interested in the Security log). In group policies, the settings are located in the path
Computer Configuration/Policies/Windows Settings/Security Settings/Event Log
It is advisable to set the Maximum security log size to a larger value (for domain controllers) as needed, for example, 1 GB (1048576), and to set the Retention method for security log to Overwrite events as needed.
Logged Events
Using policies, we have set the auditing of certain categories and subcategories that interest us. For each subcategory, a whole range of individual events is logged. Before Windows Server 2008, three-digit numbers were used as Event IDs (e.g., account login event 528). Since Windows Server 2008, renumbering has been used, and events have four digits (e.g., account login event 4624). This corresponds to all the information on the web and my practical tests. Interestingly, the official page Audit logon events lists old events for Windows 10. The correct list is probably found a bit lower in the menu Audit Logon.
Compiling a list of all events for various categories means quite complex documentation browsing Security auditing (although the search by EventID works nicely). I have now found an official document that contains a list of all categories from Advanced Security Audit Policies and their individual events with detailed descriptions. The document can be downloaded Windows 10 and Windows Server 2016 security auditing and monitoring reference.
Event Processing
We have enabled the logging of certain categories. We have determined which individual events interest us. Now we need to perform some automatic processing because manually browsing all logs is really unrealistic.
If we have multiple domain controllers (generally servers), it is useful to get all interesting logs in one place and process them centrally. There are many options, some free, others paid. We can use the native features of Windows Server, use a Syslog server, or another tool in the SEM (Security Event Management) or SIEM (Security Information and Event Management) category.
Centralized Event Log in Windows
Since Windows Server 2008 and Windows Vista, we can set one machine as a Windows Event Collector that will collect events. And on others, set the forwarding of selected events to the collector using Windows Event Log Forwarding (supported since Windows Server 2003 SP 1 and Windows XP SP 2). We have two methods to get events to the central machine:
- Collector initiated - the collector queries the source computers, using WinRM
- Source initiated - source computers send events to the collector as needed
More information
- Setting up a Source Initiated Subscription on an Event Collector Computer
- Configure Event Log Forwarding in Windows Server 2012 R2
- How to configure Windows Event Log Forwarding
- 14. How to configure Centralized Event Logs in Windows Server 2016 (Step by Step guide)
Syslog Server
Syslog is an old standard for logging messages, widely used in Linux. It has a defined message format and transmission (using UDP port 514 or TCP port 6514). Applications and devices commonly support sending events to a Syslog server, but Windows does not have such support. However, we can find third-party tools that provide this. An example is Snare Agent, which was previously Open Source and we can still get an older version for free. We can relatively precisely set which events with which parameters we want to send to the Syslog server.
Viewing Event Logs - Event Viewer
We have collected logs in one place (or we have only one server and are directly on it). If we want to view the information, the simplest way is to use Event Viewer. Here we can display, filter, and search individual records. We can export certain/all records and import them elsewhere. We can also set a scheduled task that reacts to the logging of a certain event and, for example, runs a script (or sends an email, which MS now marks as deprecated).
Security logs in Event Viewer are located under Windows Logs - Security, if we use a centralized collector, then Forwarded Events. We can also create a defined view into the logs under Custom Views. We can filter the displayed records in the log in detail using the Filter Current Log option.
In the filter, we can set a number of parameters, such as displaying only certain Event IDs. If we set Event sources to Microsoft Windows security auditing, we can select individual subcategories that we set in Advanced Security Audit Policies in the Task category field. This will display all events that fall under the given category.
In this simple filter, filtering by User or Computer does not work. If we want to display only events related to a specific user, we need to define the filter using XML. Some information can be found in Advanced XML filtering in the Windows Event Viewer.
Processing logs using PowerShell
If we want to process logs automatically, it is more suitable to use a script. In the Microsoft environment, we have PowerShell and the cmdlet Get-EventLog or the newer (but not always suitable) Get-WinEvent. This allows us to, for example, run a script every hour that processes logs from the last hour. It filters events that interest us in detail, parses the message, and includes only interesting data in a clear form in the output, and perhaps sends the result via email.
Note: We can also call log processing for remote servers, so it may not be necessary to copy logs to a central location.
Below are a few simple examples of using Get-EventLog. The first example outputs, in detail, the most recent event from the Security log in which the word bouska appears in the text.
Get-EventLog -Newest 1 -LogName "Security" -Message "*bouska*" | FL *
Output of events with Event ID 4624 from the last hour, if the name bouska appears in the text.
Get-EventLog -LogName "Security" -InstanceId 4624 -After (Get-Date).AddHours(-1) -Message "*bouska*" | FT * -AutoSize
The output contains various attributes, the important ones being EventID with the event number (may correspond to InstanceId), Message, which is the content of the event, and ReplacementStrings, which contains an array of variable attributes from the event (i.e., parsed Message). The following command selects only certain data from the last record in the Security log.
Get-EventLog -Newest 1 -LogName "Security" -InstanceId 4624 | Select-Object TimeWritten, MachineName, EventID, @{Name="EventName";Expression={($_.Message -split '\n')[0]}}, @{Name="AccountName";Expression={$_.ReplacementStrings[5]}}, @{Name="WorkstationName";Expression={$_.ReplacementStrings[11]}}, @{Name="SourceNetworkAddress";Expression={$_.ReplacementStrings[18]}}
Processing logs in Linux Syslog
Linux users like to use a Syslog server where we can also send events from Windows. Syslog can store selected events in a text file in a standard format, where each event is on one line and has a specific format. Here we find information about the event time, source (computer, process), message ID (Event ID), severity level, and the actual message content. This text file can be very easily processed by a script. We can either use regular expressions or simply the position of words on the line (delimiter space). For parsing, we can use a scripting language like AWK for text processing.
A simple bash script can read individual lines of the file. The fifth word contains the Event ID, so for different events, we can call different functions that perform processing and a certain reaction. We select only certain information from the message and save the new line to a text file. Then we can go through the temporary file and group the same events, only indicating the number of occurrences. And send the result via email.
An example of a piece of code using AWK that simply processes event 4625:
# the whole Syslog line is passed to the script as its arguments
FA_LINE="$*"
# the fifth word of a Snare record is the Event ID
ID=$(echo "$FA_LINE" | awk '{print $5}')
case "$ID" in
  '4625')
    TEXT=$(echo "$FA_LINE" | awk '{
      # time, source computer and the account name that failed to log on
      printf "%s %s %s | %s Logon Session ", $1, $2, $3, $56
      # the NTSTATUS code explains why the logon failed
      if ($66 == "0xc0000234") printf "Locked"
      if ($66 == "0xc000006d") printf "Bad User or Password"
      # the remaining fields are picked by their word position in the record
      printf " | %s %s %s %s %s %s %s %s %s %s %s ", $4, $5, $24, $25, $26, $27, $28, $29, $54, $55, $56
      print $65, $66, $67, $68, $69, $82, $83, $84, $85, $86, $87, $88
    }')
    ;;
esac
Specialized Applications
There are also various specialized applications that process security logs. They are usually paid and focused on a specific area. They can typically download event logs from various servers or use their own agents. They analyze events and store them in a database, offering a clear interface for searching for specific operations, such as user login history. We can also set up alerts to notify us of certain events.
I haven't tried any myself, but I came across these applications:
- LepideAuditor
- Netwrix Auditor for Active Directory
- Supercharger Free - I found this software later, which has a free version, and the Resources section contains videos with deployment examples
Practical Examples of Monitoring Events
Generally, we have about three categories of events we want to monitor:
- common events where it is useful to have a history - for example, a user locked their account
- alerts for some privileged operation - a new account was created in AD DS, a domain admin account logged in somewhere - usually a legitimate operation, but it's good to be alerted
- errors, problems, and breaches - many login attempts with incorrect credentials (usually resulting in a locked account), system service failures
There are again many ways to monitor selected events. The simplest is to send reports to email, where the history remains for a certain period. Better is to store data in a database and have a web interface for searching and defined reports and statistics. And only send important alerts to email/SMS. If we want to check all filtered information (e.g., in an email), it should be sent in a reasonably compact and clear form so that we can quickly see what happened.
Note: Overall, it is very difficult to find which categories and events are important to analyze for a specific activity. I haven't found any reasonable articles describing this (the document Windows 10 and Windows Server 2016 security auditing and monitoring reference contains recommendations for each event, but it's not feasible to go through it all). Below are some of my suggestions, which certainly won't be perfect. I welcome your experiences in the comments.
Creating, Modifying, and Deleting Objects in AD DS
In a typical company, creating or deleting objects in AD DS doesn't happen very often, so it's good to be alerted when something like this occurs. In extreme cases, it alerts us to malicious activity; otherwise, it provides an overview if multiple admins manage AD DS.
For these purposes, we have two categories of policies available (documentation Advanced security audit policy settings):
- Account Management - can be used to monitor changes to user and computer accounts and groups, things like creating, deleting, locking, resetting passwords; on a domain controller, it concerns domain accounts, on a member computer, it concerns local accounts
- Directory Service Access - provides detailed auditing of changes to objects in AD DS (Active Directory Domain Services) and access to attributes, also monitors OUs, applies only to DCs
Monitoring Accounts and Groups - Account Management
The Account Management category contains the following subcategories and events:
- Audit User Account Management - user account management, password changes, etc.
- Event ID 4720 - A user account was created
- Event ID 4722 - A user account was enabled
- Event ID 4723 - An attempt was made to change an account's password
- Event ID 4724 - An attempt was made to reset an account's password
- Event ID 4725 - A user account was disabled
- Event ID 4726 - A user account was deleted
- Event ID 4738 - A user account was changed
- Event ID 4740 - A user account was locked out
- Event ID 4765 - SID History was added to an account
- Event ID 4766 - An attempt to add SID History to an account failed
- Event ID 4767 - A user account was unlocked
- Event ID 4780 - The ACL was set on accounts which are members of administrators groups
- Event ID 4781 - The name of an account was changed
- Event ID 4794 - An attempt was made to set the Directory Services Restore Mode
- Event ID 4798 - A user's local group membership was enumerated
- Event ID 5376 - Credential Manager credentials were backed up
- Event ID 5377 - Credential Manager credentials were restored from a backup
- Audit Computer Account Management - computer account management
- Event ID 4741 - A computer account was created
- Event ID 4742 - A computer account was changed
- Event ID 4743 - A computer account was deleted
- Audit Distribution Group Management - management of distribution groups
- Event ID 4744 - A security-disabled local group was created
- Event ID 4745 - A security-disabled local group was changed
- Event ID 4746 - A member was added to a security-disabled local group
- Event ID 4747 - A member was removed from a security-disabled local group
- Event ID 4748 - A security-disabled local group was deleted
- Event ID 4749 - A security-disabled global group was created
- Event ID 4750 - A security-disabled global group was changed
- Event ID 4751 - A member was added to a security-disabled global group
- Event ID 4752 - A member was removed from a security-disabled global group
- Event ID 4753 - A security-disabled global group was deleted
- Event ID 4759 - A security-disabled universal group was created
- Event ID 4760 - A security-disabled universal group was changed
- Event ID 4761 - A member was added to a security-disabled universal group
- Event ID 4762 - A member was removed from a security-disabled universal group
- Event ID 4763 - A security-disabled universal group was deleted
- Audit Security Group Management - security group management
- Event ID 4727 - A security-enabled global group was created
- Event ID 4728 - A member was added to a security-enabled global group
- Event ID 4729 - A member was removed from a security-enabled global group
- Event ID 4730 - A security-enabled global group was deleted
- Event ID 4731 - A security-enabled local group was created
- Event ID 4732 - A member was added to a security-enabled local group
- Event ID 4733 - A member was removed from a security-enabled local group
- Event ID 4734 - A security-enabled local group was deleted
- Event ID 4735 - A security-enabled local group was changed
- Event ID 4737 - A security-enabled global group was changed
- Event ID 4754 - A security-enabled universal group was created
- Event ID 4755 - A security-enabled universal group was changed
- Event ID 4756 - A member was added to a security-enabled universal group
- Event ID 4757 - A member was removed from a security-enabled universal group
- Event ID 4758 - A security-enabled universal group was deleted
- Event ID 4764 - A group's type was changed
- Event ID 4799 - A security-enabled local group membership was enumerated
- Audit Other Account Management Events - special access to user accounts
- Event ID 4782 - The password hash for an account was accessed
- Event ID 4793 - The Password Policy Checking API was called
- Audit Application Group Management - used by Authorization Manager, which we will probably not encounter in practice
- Event ID 4783 - A basic application group was created
- Event ID 4784 - A basic application group was changed
- Event ID 4785 - A member was added to a basic application group
- Event ID 4786 - A member was removed from a basic application group
- Event ID 4787 - A non-member was added to a basic application group
- Event ID 4788 - A non-member was removed from a basic application group
- Event ID 4789 - A basic application group was deleted
- Event ID 4790 - An LDAP query group was created
- Event ID 4791 - An LDAP query group was changed
- Event ID 4792 - An LDAP query group was deleted
From this list we have to choose the events that interest us. It is best to list the real records and see what their contents look like. For example, if we monitor event 4742 (A computer account was changed), we will find that in most cases it is a change of the computer's password. If we store the events in a database and have an interface for filtering, we will certainly store more records. If we only send them by e-mail (and do not have reasonably intelligent parsing), we select fewer events so that the messages remain manageable.
Example of event group selection:
- Users (User)
- Event ID 4720 - A user account was created
- Event ID 4722 - A user account was enabled
- Event ID 4725 - A user account was disabled
- Event ID 4726 - A user account was deleted
- Event ID 4740 - A user account was locked out
- Event ID 4767 - A user account was unlocked
- Event ID 4781 - The name of an account was changed
- Computers (Computer)
- Event ID 4741 - A computer account was created
- Event ID 4743 - A computer account was deleted
- Distribution groups (Distribution Group - Local, Global, Universal)
- Event ID 4744 - A security-disabled local group was created
- Event ID 4746 - A member was added to a security-disabled local group
- Event ID 4747 - A member was removed from a security-disabled local group
- Event ID 4748 - A security-disabled local group was deleted
- Event ID 4749 - A security-disabled global group was created
- Event ID 4751 - A member was added to a security-disabled global group
- Event ID 4752 - A member was removed from a security-disabled global group
- Event ID 4753 - A security-disabled global group was deleted
- Event ID 4759 - A security-disabled universal group was created
- Event ID 4761 - A member was added to a security-disabled universal group
- Event ID 4762 - A member was removed from a security-disabled universal group
- Event ID 4763 - A security-disabled universal group was deleted
- Security groups (Security Group - Local, Global, Universal)
- Event ID 4727 - A security-enabled global group was created
- Event ID 4728 - A member was added to a security-enabled global group
- Event ID 4729 - A member was removed from a security-enabled global group
- Event ID 4730 - A security-enabled global group was deleted
- Event ID 4731 - A security-enabled local group was created
- Event ID 4732 - A member was added to a security-enabled local group
- Event ID 4733 - A member was removed from a security-enabled local group
- Event ID 4734 - A security-enabled local group was deleted
- Event ID 4754 - A security-enabled universal group was created
- Event ID 4756 - A member was added to a security-enabled universal group
- Event ID 4757 - A member was removed from a security-enabled universal group
- Event ID 4758 - A security-enabled universal group was deleted
- Event ID 4764 - A group's type was changed
In all cases we monitor Success events; only for 4723 and 4724 could we also monitor Failure.
List of selected events: 4720, 4722, 4725, 4726, 4740, 4767, 4781, 4741, 4743, 4744, 4746, 4747, 4748, 4749, 4751, 4752, 4753, 4759, 4761, 4762, 4763, 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4754, 4756, 4757, 4758, 4764.
The next step is to parse the output of individual events. It is best to write down all the individual events and mark the parts of the text that interest us. We can find that there are groups of messages that have a similar structure, so we can parse them all at once. Example of two events below.
Event 4720 as received from the Syslog server (one record per line):
May 16 16:01:14 pdc.firma.local 4720 MSWinEventLog 4 Security 5729 Wed May 16 16:01:14 2018 4720 Microsoft-Windows-Security-Auditing Unknown User N/A Success Audit pdc.firma.local 13824 A user account was created. Subject: Security ID: S-1-5-21-2200562112-1594429334-7036 Account Name: SERVER$ Account Domain: FIRMA Logon ID: 0x5dc3e7 New Account: Security ID: S-1-5-21-2200562112--1594429334-14222 Account Name: bouska Account Domain: FIRMA Attributes: SAM Account Name: bouska Display Name: Bouška Petr User Principal Name: bouska@firma.local Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 Allowed To Delegate To: - Old UAC Value: 0x0 New UAC Value: 0x15 User Account Control: %%2080 %%2082 %%2084 User Parameters: - SID History: - Logon Hours: %%1793 Additional Information: Privileges -
Event 4720 after parsing:
May 16 16:01:14 pdc.firma.local 4720 A user account was created. Account Name: SERVER$ Account Name: bouska
Event 4740 as received from the Syslog server:
May 14 01:30:40 pdc.firma.local 4740 MSWinEventLog 4 Security 26515 Mon May 14 01:30:39 2018 4740 Microsoft-Windows-Security-Auditing Unknown User N/A Success Audit pdc.firma.local 13824 A user account was locked out. Subject: Security ID: S-1-5-18 Account Name: PDC$ Account Domain: FIRMA Logon ID: 0x3e7 Account That Was Locked Out: Security ID: S-1-5-21-220052112-3866782066-1594429334-13628 Account Name: bouska Additional Information: Caller Computer Name: SERVER
Event 4740 after parsing:
May 14 01:30:40 pdc.firma.local 4740 A user account was locked out. Account Name: PDC$ Account Name: bouska Caller Computer Name: SERVER
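The following script is an added example and is not code from the original article. It carries out the procedure described in the Linux Syslog section (read the records line by line, dispatch on the Event ID in the fifth word, keep only the interesting parts, then group identical lines and show the number of occurrences) and applies it to the two records shown above plus the 4625 failed-logon case from the AWK fragment. Values are extracted by their key (for example the second "Account Name:" on the line) rather than by word position, because token positions shift between event types. The sample records are constructed for this example (the 4720 and 4740 lines are adapted from the article's records, the 4625 lines are invented; hosts, account names and addresses are placeholders), and the function names field, summarize and report are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: parse Snare-style Syslog lines
# from the Windows Security log, dispatch on the Event ID (5th word), reduce each
# record to one compact line and group identical lines with a count.

# Constructed sample records (adapted from the article's 4720/4740 examples; the
# 4625 records, hosts, names and addresses are invented placeholders).
LINE4720='May 16 16:01:14 pdc.firma.local 4720 MSWinEventLog 4 Security 5729 Wed May 16 16:01:14 2018 4720 Microsoft-Windows-Security-Auditing Unknown User N/A Success Audit pdc.firma.local 13824 A user account was created. Subject: Security ID: S-1-5-21-2200562112-1594429334-7036 Account Name: SERVER$ Account Domain: FIRMA Logon ID: 0x5dc3e7 New Account: Security ID: S-1-5-21-2200562112-1594429334-14222 Account Name: bouska Account Domain: FIRMA Attributes: SAM Account Name: bouska Display Name: Bouska Petr User Principal Name: bouska@firma.local'
LINE4740='May 14 01:30:40 pdc.firma.local 4740 MSWinEventLog 4 Security 26515 Mon May 14 01:30:39 2018 4740 Microsoft-Windows-Security-Auditing Unknown User N/A Success Audit pdc.firma.local 13824 A user account was locked out. Subject: Security ID: S-1-5-18 Account Name: PDC$ Account Domain: FIRMA Logon ID: 0x3e7 Account That Was Locked Out: Security ID: S-1-5-21-2200562112-1594429334-13628 Account Name: bouska Additional Information: Caller Computer Name: SERVER'
LINE4625A='May 14 01:30:10 pdc.firma.local 4625 MSWinEventLog 4 Security 26510 Mon May 14 01:30:10 2018 4625 Microsoft-Windows-Security-Auditing Unknown User N/A Failure Audit pdc.firma.local 12544 An account failed to log on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: bouska Account Domain: FIRMA Failure Information: Failure Reason: %%2313 Status: 0xc000006d Sub Status: 0xc000006a Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: WS01 Source Network Address: 10.0.0.5 Source Port: 49152'
LINE4625B='May 14 01:30:20 pdc.firma.local 4625 MSWinEventLog 4 Security 26511 Mon May 14 01:30:20 2018 4625 Microsoft-Windows-Security-Auditing Unknown User N/A Failure Audit pdc.firma.local 12544 An account failed to log on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: bouska Account Domain: FIRMA Failure Information: Failure Reason: %%2313 Status: 0xc000006d Sub Status: 0xc000006a Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: WS01 Source Network Address: 10.0.0.5 Source Port: 49153'
LINE4625C='May 14 01:30:39 pdc.firma.local 4625 MSWinEventLog 4 Security 26514 Mon May 14 01:30:39 2018 4625 Microsoft-Windows-Security-Auditing Unknown User N/A Failure Audit pdc.firma.local 12544 An account failed to log on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: bouska Account Domain: FIRMA Failure Information: Failure Reason: %%2307 Status: 0xc0000234 Sub Status: 0x0 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: WS01 Source Network Address: 10.0.0.5 Source Port: 49154'
SAMPLE_LOG=$(printf '%s\n' "$LINE4720" "$LINE4740" "$LINE4625A" "$LINE4625B" "$LINE4625C")

# field RECORD KEY N: print the single token that follows the N-th occurrence of
# KEY (e.g. "Account Name:") in RECORD. Snare flattens the multi-line Windows
# message onto one line, so the same key appears once for the Subject and once
# for the target account; N selects which one we want.
field() {
  printf '%s\n' "$1" | awk -v key="$2" -v n="$3" '{
    rest = $0; seen = 0
    while ((pos = index(rest, key)) > 0) {
      rest = substr(rest, pos + length(key))
      if (++seen == n) {
        split(rest, tok, " ")   # " " splitting skips the leading blanks
        print tok[1]
        exit
      }
    }
  }'
}

# summarize RECORD: one compact line per event we care about; returns 1 for
# Event IDs we do not report on.
summarize() {
  read -r mon day time host id _rest <<EOF
$1
EOF
  when="$mon $day $time"
  case "$id" in
    4720)  # new user account: what was created and by whom (Subject)
      printf '%s %s 4720 user created: %s by %s\n' "$when" "$host" \
        "$(field "$1" 'Account Name:' 2)" "$(field "$1" 'Account Name:' 1)" ;;
    4740)  # lockout: which account and from which computer
      printf '%s %s 4740 lockout: %s from %s\n' "$when" "$host" \
        "$(field "$1" 'Account Name:' 2)" "$(field "$1" 'Caller Computer Name:' 1)" ;;
    4625)  # failed logon: translate the NTSTATUS code like the article's AWK fragment
      status=$(field "$1" 'Status:' 1)
      case "$status" in
        0xc0000234) reason='Locked' ;;
        0xc000006d) reason='Bad User or Password' ;;
        *)          reason="Status $status" ;;
      esac
      printf '%s %s 4625 failed logon: %s from %s (%s)\n' "$when" "$host" \
        "$(field "$1" 'Account Name:' 2)" "$(field "$1" 'Workstation Name:' 1)" "$reason" ;;
    *) return 1 ;;
  esac
}

# report: read records on stdin, summarize each, drop the timestamp (first three
# words) and prefix every distinct line with its number of occurrences, which is
# the compact form the article suggests for an e-mail summary.
report() {
  while IFS= read -r rec; do
    summarize "$rec" || :
  done | cut -d' ' -f4- | sort | uniq -c | sed 's/^ *//'
}

printf '%s\n' "$SAMPLE_LOG" | report
```

Run stand-alone, the script prints four grouped lines: the two identical bad-password attempts collapse into one line with a count of 2, while the lockout, the created account and the "Locked" failure each appear once. Extracting by key rather than by position is what lets one summarize function serve several event types, since the word offsets that the article's AWK fragment hard-codes for 4625 do not hold for 4720 or 4740.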
Tracing AD DS Objects - DS Access
The DS Access category contains the following subcategories and events within them:
- Audit Directory Service Changes - object changes in AD DS
- Event ID 5136 - A directory service object was modified.
- Event ID 5137 - A directory service object was created.
- Event ID 5138 - A directory service object was undeleted.
- Event ID 5139 - A directory service object was moved.
- Event ID 5141 - A directory service object was deleted.
- Audit Directory Service Access - access to objects in AD DS; we can monitor Failure to see failed access attempts
- Event ID 4661 - A handle to an object was requested.
- Event ID 4662 - An operation was performed on an object.
- Audit Directory Service Replication - start and end of replication between DCs, not normally monitored
- Event ID 4932 - Synchronization of a replica of an Active Directory naming context has begun.
- Event ID 4933 - Synchronization of a replica of an Active Directory naming context has ended.
- Audit Detailed Directory Service Replication - replication between DCs, not normally monitored
- Event ID 4928 - An Active Directory replica source naming context was established.
- Event ID 4929 - An Active Directory replica source naming context was removed.
- Event ID 4930 - An Active Directory replica source naming context was modified.
- Event ID 4931 - An Active Directory replica destination naming context was modified.
- Event ID 4934 - Attributes of an Active Directory object were replicated.
- Event ID 4935 - Replication failure begins.
- Event ID 4936 - Replication failure ends.
- Event ID 4937 - A lingering object was removed from a replica.
When we want to monitor changes in AD DS using the Audit Directory Service Changes category, it is not enough to simply enable auditing of selected subcategories, but it is necessary to specifically select operations and objects in AD DS using the SACL (System Access Control List) settings. Therefore, events are generated only for objects that have a configured system ACL, and only for the defined type of access. We can also block auditing of certain objects and properties by modifying the schema.
- using Active Directory Users and Computers, select the object (usually an OU or the entire domain)
- right-click and select Properties
- switch to the Security tab
- click the Advanced button
- switch to the Auditing tab
Here we see the already configured SACL and we can add new rules:
- click the Add button
- select the Principal for whom we want to perform logging, typically Authenticated Users or Everyone if we want it for everyone
- event type Success, Fail, or All
- determine which objects we want to apply it to (then only possible options will be displayed), in Applies to, for example, This object and all descendant objects
- under Permissions, set the operations we want to monitor, for example, Create User objects
- under Properties, we can specify direct access to attributes
We must carefully consider which operation and to what it is applied (Apply onto). For example, creating a new object (user) must be monitored on the parent object (probably an OU). Changing a value must be monitored on the given object as a write property.
Note: It is up to our discretion whether we want to monitor events from Account Management and DS Access. For general monitoring, it may be more manageable and sufficient to select certain events from Account Management, but if we want a detailed overview, we use both.
Unsuccessful and Successful User Login Attempts
Another category of events that may be interesting to monitor is user logins. We may be interested in knowing if a privileged account (such as a domain administrator) logged in somewhere or if there were any invalid login attempts.
Again, we have two categories of audit policies that we can use:
- Account Logon - events related to authentication; on the DC, logins of domain accounts are recorded here, i.e. whenever a computer verifies an account's credentials (logging into a computer in the domain) via Kerberos or NTLM
- Logon/Logoff - events generated when a user logs on to or off a computer (interactive, network, RDP), always at the start and end of a session
Account Logon includes the following subcategories and events:
- Audit Credential Validation - NTLM user authentication
- 4774(S): An account was mapped for logon
- 4775(F): An account could not be mapped for logon
- 4776(S, F): The computer attempted to validate the credentials for an account
- 4777(F): The domain controller failed to validate the credentials for an account
- Audit Kerberos Authentication Service - Kerberos Ticket Granting Tickets (TGT), only on the DC
- 4768(S, F): A Kerberos authentication ticket (TGT) was requested
- 4771(F): Kerberos pre-authentication failed
- 4772(F): A Kerberos authentication ticket request failed
- Audit Kerberos Service Ticket Operations - Kerberos Service Tickets
- 4769(S, F): A Kerberos service ticket was requested
- 4770(S): A Kerberos service ticket was renewed
- 4773(F): A Kerberos service ticket request failed
- Audit Other Account Logon Events - some documentation (Windows 10 and Windows Server 2016 Security Auditing and Monitoring Reference.docx) states that this subcategory is reserved for future use; on the web it is described differently under Audit Other Logon/Logoff Events, which is a subcategory of Logon/Logoff
Logon/Logoff includes the following subcategories and events:
- Audit Logon - creation of logon sessions on the accessed computer
- 4624(S): An account was successfully logged on.
- 4625(F): An account failed to log on.
- 4648(S): A logon was attempted using explicit credentials.
- 4675(S): SIDs were filtered.
- Audit Logoff - user logoff (may not always be logged)
- 4634(S): An account was logged off.
- 4647(S): User initiated logoff.
- Audit Other Logon/Logoff Events - special RDP events, locked station, screensaver, WiFi
- 4649(S): A replay attack was detected.
- 4778(S): A session was reconnected to a Window Station.
- 4779(S): A session was disconnected from a Window Station.
- 4800(S): The workstation was locked.
- 4801(S): The workstation was unlocked.
- 4802(S): The screen saver was invoked.
- 4803(S): The screen saver was dismissed.
- 5378(F): The requested credentials delegation was disallowed by policy.
- 5632(S, F): A request was made to authenticate to a wireless network.
- 5633(S, F): A request was made to authenticate to a wired network.
- Audit Special Logon - logon in special situations
- 4964(S): Special groups have been assigned to a new logon.
- 4672(S): Special privileges assigned to new logon.
- Audit Account Lockout - same event as in Audit Logon
- 4625(F): An account failed to log on.
- Audit User/Device Claims
- 4626(S): User/Device claims information.
- Audit Group Membership - client computer checks user's group membership
- 4627(S): Group membership information.
- Audit IPsec Extended Mode - Internet Key Exchange protocol (IKE) Extended Mode negotiation
- 4978: During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
- 4979: IPsec Main Mode and Extended Mode security associations were established.
- 4980: IPsec Main Mode and Extended Mode security associations were established.
- 4981: IPsec Main Mode and Extended Mode security associations were established.
- 4982: IPsec Main Mode and Extended Mode security associations were established.
- 4983: An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
- 4984: An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
- Audit IPsec Main Mode - Internet Key Exchange protocol (IKE) Main Mode negotiation
- 4646: Security ID: %1
- 4650: An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.
- 4651: An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.
- 4652: An IPsec Main Mode negotiation failed.
- 4653: An IPsec Main Mode negotiation failed.
- 4655: An IPsec Main Mode security association ended.
- 4976: During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
- 5049: An IPsec Security Association was deleted.
- 5453: An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.
- Audit IPsec Quick Mode - Internet Key Exchange protocol (IKE) Quick Mode negotiation
- 4977: During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
- 5451: An IPsec Quick Mode security association was established.
- 5452: An IPsec Quick Mode security association ended.
- Audit Network Policy Server - RADIUS and NAP
- 6272: Network Policy Server granted access to a user.
- 6273: Network Policy Server denied access to a user.
- 6274: Network Policy Server discarded the request for a user.
- 6275: Network Policy Server discarded the accounting request for a user.
- 6276: Network Policy Server quarantined a user.
- 6277: Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
- 6278: Network Policy Server granted full access to a user because the host met the defined health policy.
- 6279: Network Policy Server locked the user account due to repeated failed authentication attempts.
- 6280: Network Policy Server unlocked the user account.
It is clear that there are a large number of events. Microsoft states that many of them are good to monitor from a security perspective. On the other hand, some are noted as not being used. If we want to select only specific events, it would be necessary to understand the authentication process in detail and what is recorded when. A pretty good description is in the older articles Chapter 4 Account Logon Events and Chapter 5 Logon/Logoff Events. The official documentation of individual events Advanced security audit policy settings contains a lot of information.
Login of a Privileged Account
If we want to monitor the successful login of a specific user (regardless of whether it is interactive, network, or via RDP), according to the documentation, it should be enough to monitor the Success event
The event content contains a number of interesting pieces of information. The value Logon Type determines the login method, most often 2 - Interactive, 3 - Network, 10 - RemoteInteractive. Because we want to monitor only certain users, we filter records for the occurrence of the name in the Account Name field. Again, we can extract only selected fields and possibly add derived ones (e.g., the textual meaning of the Logon Type value). Example (the raw record, followed by the parsed result):
Apr 27 10:41:12 pdc.firma.local 4624 MSWinEventLog 1 Security 20 Fri Apr 27 10:41:10 2018 4624 Microsoft-Windows-Security-Auditing Unknown User N/A Success Audit pdc.firma.local 12544 An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: PDC$ Account Domain: FIRMA Logon ID: 0x3e7 Logon Type: 3 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2200562112-386782066-159442334-1262 Account Name: bouska Account Domain: FIRMA Logon ID: 0x11d70df Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: PDC Source Network Address: 10.0.0.10 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created.
Apr 27 10:41:12 pdc.firma.local 4624 An account was successfully logged on. Logon Type: 3 [Network] Account Name: bouska Process Name: C:\Windows\System32\winlogon.exe Workstation Name: PDC Source Network Address: 10.0.0.10
Unsuccessful Login Attempt
To record unsuccessful login attempts (for various reasons), we have several events, but it should be enough to monitor the following Failure events
For NTLM, a single event is logged, and its Error Code field contains the reason for the failure. The most common causes are a non-existent username (0xC0000064) or an incorrect password (0xC000006A).
The parsed result may look as follows:
Jun 5 11:01:26 | implementation NTLM Unknown User | pdc.firma.local 4776 The computer attempted to validate the credentials for an account. Logon Account: implementation Source Workstation: SERVER Error Code: 0xc0000064 [Unknown User]
For Kerberos, two events are generated, and the Result Code shows why the authentication failed. For example, user not found in DB, unsupported encryption, expired password, etc.
- 4768(S, F): A Kerberos authentication ticket (TGT) was requested - most often an attempt to log in with a non-existent account (Result Code 0x6) or expired password (Result Code 0x17)
- 4771(F): Kerberos pre-authentication failed - most often incorrect password (Result Code 0x18)
The parsed result may look as follows:
Jun 5 11:10:26 | bouska Kerberos Bad Password | pdc.firma.local 4771 Kerberos pre-authentication failed. Account Name: bouska Service Name: krbtgt/FIRMA Client Address: ::ffff:10.0.0.10 Failure Code: 0x18 [Bad Password]
In some cases, when the user logs on to a computer, the following event is also logged. Logon Type contains the login method, Failure Reason contains the textual reason for the error (not sent to syslog), and Status contains the error code. Common values are a locked account (0xc0000234) or an incorrect username or password (0xc000006d).
The parsed result may look as follows:
Jun 4 12:13:05 | bouska Logon Session Locked | pdc.firma.local 4625 An account failed to log on. Account Name: bouska Status: 0xc0000234 Sub Status: 0x0 [Locked] Workstation Name: PDC Source Network Address: 10.0.0.10
If we use NPS as a RADIUS server, we can also monitor the event logged when NPS denies a login.
The parsed result may look as follows:
Jun 5 11:15:59 | bouska RADIUS | pdc.firma.local 6273 Network Policy Server denied access to a user. Account Name: bouska Called Station Identifier: 80-e8-0f-d9-70-00:WiFi Calling Station Identifier: f0-00-9d-00-42-b8 Address: 192.168.0.2 Identifier: WLC
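The parsing and code-to-text mapping described above for the privileged-logon event (4624) and the failure events (4776, 4771, 4625, 6273), as an added Python example that is not part of the original article. It assumes the forwarded lines arrive in the "time host event-id message" shape shown in the parsed samples; the sample lines and the watched account list are constructed.

```python
import re
# Meanings of the reason codes the article discusses (NTLM, Kerberos, logon session status).
CODE_TEXT = {("4776", "0xc0000064"): "Unknown User", ("4776", "0xc000006a"): "Bad Password",
             ("4768", "0x6"): "Unknown User", ("4768", "0x17"): "Password Expired", ("4771", "0x18"): "Bad Password",
             ("4625", "0xc0000234"): "Locked", ("4625", "0xc000006d"): "Bad Username Or Password"}
LOGON_TYPES = {"2": "Interactive", "3": "Network", "10": "RemoteInteractive"}
CODE_FIELD = {"4776": "Error Code", "4768": "Result Code", "4771": "Failure Code", "4625": "Status"}
HEADER = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (\d+) (.*)$")  # time host event-id message

def field(msg, name):
    """Value of 'name:' in a flattened message; ends at the next 'Some Label:' so paths and IPv6 keep their colons."""
    m = re.search(re.escape(name) + r": (.*?)(?= [A-Z][A-Za-z /()]*: |$)", msg)
    return m.group(1).strip() if m else None

def parse_event(line, watched_accounts=()):
    """Parse one forwarded line into a dict, or None if it is not an event we report."""
    m = HEADER.match(line)
    if not m:
        return None
    ts, host, event_id, msg = m.groups()
    rec = {"time": ts, "host": host, "event_id": event_id}
    if event_id == "4624":
        # 4624 has two 'Account Name' fields; the logged-on user is the one after 'New Logon:'.
        rec["account"] = field(msg.split("New Logon:", 1)[-1], "Account Name")
        if rec["account"] not in watched_accounts:
            return None  # successful logons are reported only for watched (privileged) accounts
        lt = field(msg, "Logon Type")
        rec["logon_type"] = f"{lt} [{LOGON_TYPES.get(lt, 'Other')}]"
        rec["source"] = field(msg, "Source Network Address")
        rec["tag"] = "Privileged Logon"
    elif event_id in CODE_FIELD:
        code = (field(msg, CODE_FIELD[event_id]) or "").lower()
        rec["account"] = field(msg, "Account Name") or field(msg, "Logon Account")  # 4776 uses 'Logon Account'
        rec["reason"] = f"{code} [{CODE_TEXT.get((event_id, code), 'Other')}]"
        rec["tag"] = "Failed Logon"
    elif event_id == "6273":
        rec["account"], rec["tag"] = field(msg, "Account Name"), "RADIUS Denied"
    else:
        return None
    return rec

# Constructed sample lines in the 'time host event-id message' shape the article shows (not real logs).
SAMPLE_LINES = [
    r"Apr 27 10:41:12 pdc.firma.local 4624 An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: PDC$ Account Domain: FIRMA Logon ID: 0x3e7 Logon Type: 3 New Logon: Security ID: S-1-5-21-1-2-3-1262 Account Name: bouska Account Domain: FIRMA Process Name: C:\Windows\System32\winlogon.exe Workstation Name: PDC Source Network Address: 10.0.0.10 Source Port: 0",
    "Jun 5 11:01:26 pdc.firma.local 4776 The computer attempted to validate the credentials for an account. Logon Account: implementation Source Workstation: SERVER Error Code: 0xc0000064",
    "Jun 5 11:10:26 pdc.firma.local 4771 Kerberos pre-authentication failed. Account Name: bouska Service Name: krbtgt/FIRMA Client Address: ::ffff:10.0.0.10 Failure Code: 0x18",
    "Jun 4 12:13:05 pdc.firma.local 4625 An account failed to log on. Account Name: bouska Status: 0xc0000234 Sub Status: 0x0 Workstation Name: PDC Source Network Address: 10.0.0.10",
    "Jun 5 11:15:59 pdc.firma.local 6273 Network Policy Server denied access to a user. Account Name: bouska Called Station Identifier: 80-e8-0f-d9-70-00:WiFi Calling Station Identifier: f0-00-9d-00-42-b8",
]

def alerts(lines=SAMPLE_LINES, watched=("bouska",)):
    """Records worth alerting on: logons of watched accounts plus every failure or denial."""
    return [r for r in (parse_event(l, watched) for l in lines) if r]
```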
Other Events
There are many other things that can be monitored. For example, the security auditing category Object Access allows us to monitor access to files and directories, the registry, removable media, and more. In general, we can also forward all Error events from the Application and System logs, and possibly from other logs as well.
Nice article, thanks