Event Log Managment

Event Log Managment

Tracking RDP Logons

Earlier this week a customer asked me the following question:

We came across a scenario where one of our sessions that we need to track events on, recorded only 683 events (rdp logoff) but zero 682 events (rdp logon).

I put together a detailed email explaining to him why/what was really happening and thought it would be good to share.

I want to clarify event id 682 for you, it’s not a RDP Logon event, it’s a Session Reconnected event.  That’s why you see 683 events without any 682 events.

 If you want to track when someone logs onto a system via RDP you need to look for event id 528 with a logon type of 10.

 So here is what you can expect to see in the logs (all of these events are in the Security log on the system SERVER1):

 At 9:22 am Isaac remotes into Server1:

Event ID: 528

 Successful Logon:
  User Name: isaac
  Domain: XXXXXXXX
  Logon ID: (0×0,0x2505AC69)
  Logon Type: 10
  Logon Process: User32
  Authentication Package: Negotiate
  Workstation Name: SERVER1
  Logon GUID: {f9c49597-2dcc-19cb-32cb-89a0e776ec9c}
  Caller User Name: SERVER1$
  Caller Domain: XXXXXXXX
  Caller Logon ID: (0×0,0×3E7)
  Caller Process ID: 2380
  Transited Services: -
  Source Network Address: xxx.xxx.xxx.145
  Source Port: 18573

 Then at 9:42:06 am Isaac clicks the “X” in the upper corner of the RDP session (does not logout, but disconnects)

Event ID: 683

 Session disconnected from winstation:
  User Name: isaac
  Domain: XXXXXXXX
  Logon ID: (0×0,0x2505AC69)
  Session Name: RDP-Tcp#1
  Client Name: Workstation1
  Client Address: xxx.xxx.xxx.145

 Then at 9:42:37 am Isaac re-connects to the RDP session on Server1

Event ID: 682

 Session reconnected to winstation:
  User Name: isaac
  Domain: XXXXXXXX
  Logon ID: (0×0,0x2505AC69)
  Session Name: RDP-Tcp#2
  Client Name: Workstation1
  Client Address: xxx.xxx.xxx.145

 Then at 11:56 am Isaac logs off the RDP session

Event ID: 551

 User initiated logoff:
  User Name: isaac
  Domain: XXXXXXXX
  Logon ID: (0×0,0x2505ac69)

 Now let’s analyze how we tie all these together.  The 1st event the 528 tells us how the connection was established, Logon Type: 10 (highlighted in yellow) which is a RemoteInteractive (aka RDP or Terminal Session) (for other logon types see this list).  This event also confirms that the RDP session was done to a system called Server1 (noted in the Workstation Name line), it also tells us from which system the RDP session was done xxx.xxx.xxx.145 (the Source Network Address line).  We also get the Logon ID which is a HEX code (highlighted in blue).  This Logon ID allows us to connect all of the activity that Isaac does while the RDP session is active (with the right auditing turned on), we can track what files/folders were touched, what processes were launched, etc.  It also allows us to tell if he disconnects (683) or logs off (551) the RDP session.  If he disconnects we can then also track when he reconnects (682).

Hope this helps.

December 1, 2009 Posted by ithompson | Audit Logon/Logoff, Log Management | , , | No Comments Yet

Directory Services Auditing

I’ve been asked by a customer to take a look at their level of Directory Services Auditing.  I’m not able to share their screen shots but can scrub an email that I sent to them and post it here.

When it comes to Directory Services Auditing I always tell people less is more, if you already understand what the other audit policies give you then you can get 85% to 90% of what you need from those.  There are somethings that you will have to get via Directory Services Auditing there’s just no getting around it.  But just as with the case of Object Access be very carefull what you turn on or you will flood yourself with junk noise events.  The major pain is that all events generated by Directory Services use the same event id no matter what action you are doing and are very cryptic.

Here is the email:

“ As we talked about on the phone today there is a lot of auditing turned on where Microsoft hasn’t given very much information about what it generates and even some that are currently not used.  Example: Intellimirror-Group is used by remote boot legacy for managing groups of server machines and is currently not used.   Based on the screen shot you sent me I can see that the objects are currently being monitored which are generating a lot of noise events for you.  You might be better suited to audit the properties instead of the objects.  Example, if you want to know when a user has been given access to someone else’s inbox you need to monitor for changes to the property: msExchMailboxSecurityDescriptor; or if you want to know who made a GPO change then you need to monitor for changes to the properties: gpLink and gPOptions.  Most of the information that you can find via MSDN in regards to these audit objects is related to developers and not what the audit trail will give you.  Keep in mind that Microsoft considers the Directory Services auditing a low level audit, so the events that are generated are pretty cryptic in nature and all use the same event id. 

 There are a few of the objects that you would want to monitor to help get a more full picture of what is happening such as: Computer, User, OU, Shares, Group objects.  Monitoring these will give you things such as what OU a user was created in, where the Account Mgmt auditing does not give you this.  Also Account Mgmt auditing does not give you OU auditing (as again Microsoft considers this to be a low level object).

 In most companies it’s easy to turn on Auditing but very difficult to get it turned off and this is where Admins get themselves and others into a painful spot.  How to prove what is not needed when Microsoft doesn’t document what the auditing does or doesn’t do.

 Other examples:

msSFU30MailAliases – represents UNIX mail file data

nisMap – contains the generic abstraction of an NIS map

oncRpc – represents an abstraction of the Open Network Computing (ONC) Remote Procedure Call (RPC) binding

msRTCSIP-EdgeProxy – this attribute is reserved for future use

msRTCSIP-TrustedWebComponentsServerData – this attribute is reserved for future use”

Here are a few of the links where I pulled this data from:

http://msdn.microsoft.com/en-us/library/ms680938(VS.85).aspx

http://msdn.microsoft.com/en-us/library/ms985886(EXCHG.65).aspx

http://technet.microsoft.com/en-us/library/bb663647.aspx

November 23, 2009 Posted by ithompson | Directory Services, Log Management | , | No Comments Yet

Micorsoft Patch Research Site

I was watching a Randy F. Smith webinar today and he showed a section of his website that he uses to track the Microsoft patches.  So I thought this would be good information to share.

September 16, 2009 Posted by ithompson | Microsoft Patches | | No Comments Yet

More Info on Tracking Down File Deletes

Quite awhile ago I wrote a blog entry on Tracking Down File Deletes, it continues to be one of my most read blogs.  I came across another blog entry that does a good job of explaining the same thing.  The author is Ned Pyle, in his post he covers not only the Windows 2003 but also the Windows 2008 auditing so I thought I would share it with you.

August 5, 2009 Posted by ithompson | Audit Policy, Event Log, File Deletes, Log Management, Object Access | , , , , , | No Comments Yet

Recommended Windows 2008 Audit Policy

Randy F. Smith has a good resource for the Windows 2008 Audit Policy.

May 27, 2009 Posted by ithompson | Audit Policy, Windows 2008 | | No Comments Yet

IIS status code

Here is a link to some good information about the IIS status / sub-status codes for IIS 5 and 6.

Chris Crowe’s blog on IIS.

May 21, 2009 Posted by ithompson | IIS, Log Management | , | No Comments Yet

Monitoring Network Shares

I had a discussion today with a customer who was trying to monitor when their users tried to access network shares and failed.  He had all the correct accesses setup, removed “Everyone” and gave access to only those groups that needed access.  He even turned on the correct Object Access auditing, but his problem was that when anyone outside the correct groups tried to access the folder they got the message that ”  \\<server name>\<share> was not accessable.  You might not have permission … ” but the Audit Failure 560 events (his server is W2k3) were not being generated. 

This is something that I’ve seen quite often, the issue comes from the  Share Permissions that have been set.  Because he removed the Everyone group from the Share Permission the Audit Failure events for 560 (Object Access Auditing) were not being generated. 

So if you need to be able to track when unauthorized users are attempting to access shares for which they do not have access, leave the Everyone group with Read permission under the Share Permissions tab on the folder (as seen in the screen shot below). 

Share Permission

 

Now on the Security tab make sure that you turn on the correct Object Access auditing  (stay away from FULL CONTROL; you will flood yourself with noise events).  Now since in this example we want to track when people fail to open the network share, goto the Security tab, then click on the Advanced button, then the Auditing tab.  Click the add button and set this auditing for Everyone and check Traverse Folder and List Folder boxes under the Failed column.

Audit Settings

Now when users attempt to open this network share event id 560 Audit Failure event will be generated telling you who, what, when.  Now the from where is not going to be listed in the 560 event but can be tracked down by looking at the Client Logon ID hex code listed in the event description.

Looking at the Object Name will tell you what file/folder the user was trying to access.  If the Image File Name is blank then you know they were attempting to access the resource from the network, if this field has a value then they used the program listed to access the resource locally.  Client User Name will tell you who the user was if they accessed remotely (if they are accessesing locally then look at the Primary User Name).  The Client Logon ID (or Primary Logon ID) will help you link back to the logon event (528 or 540 in the case of W2k3 and older OS).  Looking at the Accesses list we can see the ReadData/ListDirectory which is what we are auditing for.

560 Failure

May 20, 2009 Posted by ithompson | Audting, Event Log, Object Access | , , , , | No Comments Yet

Detecting Insider Threats

Over the last few weeks I have been putting together a whitepaper on detecting insider threats (on a Windows network).  The paper is finished and is available here.  In the next few days I will be setting up a webinar that will cover this topic watch www.prismmicrosys.com for a link to the webinar.

April 29, 2009 Posted by ithompson | Audting, Hacking, Log Management | , | No Comments Yet

Tips on Tracking Down a Hack Attempt

On Tuesday March 17, 2009 I conducted a webinar for Prism Microsystems on how Log Management can help you track down a hack attempt.  Now I know there are multiple ways to hack a network, the purpose of this webinar was to show that if you are collecting the log data from ALL your sources, network equipment/Unix/Linux/Windows that you can track down these attempts very quickly.  Log Management can also help you become more proactive vs always being reactive.  Here is a link to the recorded version of the webinar, here is a link for the slides used in the webinar.

March 20, 2009 Posted by ithompson | Hacking, Log Management | , | No Comments Yet