Event Log Managment

Event Log Managment

Monitoring Network Shares

I had a discussion today with a customer who was trying to monitor when their users tried to access network shares and failed.  He had all the correct accesses setup, removed “Everyone” and gave access to only those groups that needed access.  He even turned on the correct Object Access auditing, but his problem was that when anyone outside the correct groups tried to access the folder they got the message that ”  \\<server name>\<share> was not accessable.  You might not have permission … ” but the Audit Failure 560 events (his server is W2k3) were not being generated. 

This is something that I’ve seen quite often, the issue comes from the  Share Permissions that have been set.  Because he removed the Everyone group from the Share Permission the Audit Failure events for 560 (Object Access Auditing) were not being generated. 

So if you need to be able to track when unauthorized users are attempting to access shares for which they do not have access, leave the Everyone group with Read permission under the Share Permissions tab on the folder (as seen in the screen shot below). 

Share Permission

 

Now on the Security tab make sure that you turn on the correct Object Access auditing  (stay away from FULL CONTROL; you will flood yourself with noise events).  Now since in this example we want to track when people fail to open the network share, goto the Security tab, then click on the Advanced button, then the Auditing tab.  Click the add button and set this auditing for Everyone and check Traverse Folder and List Folder boxes under the Failed column.

Audit Settings

Now when users attempt to open this network share event id 560 Audit Failure event will be generated telling you who, what, when.  Now the from where is not going to be listed in the 560 event but can be tracked down by looking at the Client Logon ID hex code listed in the event description.

Looking at the Object Name will tell you what file/folder the user was trying to access.  If the Image File Name is blank then you know they were attempting to access the resource from the network, if this field has a value then they used the program listed to access the resource locally.  Client User Name will tell you who the user was if they accessed remotely (if they are accessesing locally then look at the Primary User Name).  The Client Logon ID (or Primary Logon ID) will help you link back to the logon event (528 or 540 in the case of W2k3 and older OS).  Looking at the Accesses list we can see the ReadData/ListDirectory which is what we are auditing for.

560 Failure

May 20, 2009 Posted by ithompson | Audting, Event Log, Object Access | , , , , | No Comments Yet

Detecting Insider Threats

Over the last few weeks I have been putting together a whitepaper on detecting insider threats (on a Windows network).  The paper is finished and is available here.  In the next few days I will be setting up a webinar that will cover this topic watch www.prismmicrosys.com for a link to the webinar.

April 29, 2009 Posted by ithompson | Audting, Hacking, Log Management | , | No Comments Yet

Webinar hosted by Whitehatworld

The other day I conducted a webinar that was hosted by Whitehatworld.com.  I have been asked by several people if I would post a link to the recording, so click here to view the webinar.  The webinar topic was “Security Beyond the Windows Event Log – Monitoring Ten Critical Conditions”.

February 11, 2009 Posted by ithompson | Audting, Event Log | , , , , , | No Comments Yet

Why you should disable accounts

Why do companies in this day and age continue to leave employee’s system accounts active after the employee has turned in their resignation? Even if they have comp/vacation time coming disable their accounts.   If an employee turns in their resignation then their account should be disabled right then.

Here is an article from computerworld.com that says it all.  Former Intel engineer charged with stealing trade secrets”.

Yet another reason to make sure that you have a Log Management solution in place and that you have the correct auditing turned on.  

Something that all us admins need to get in the habit of doing is to review the reports DAILY that your Log Management solution is providing.

September 16, 2008 Posted by ithompson | Audting | , , , | No Comments Yet

Data Leakage with USB Devices

If you think that your users would never steal any data from the company then take a look at these 3 articles.  Each of these show just how careless users can be with USB devices, 2 of these I’m sure were not done to harm anyone, but 1 of these definitely was. 

Records loss may violate U.S. law
‘Total files’ of patients, many with HIV and AIDS, missing

“A low-level Harris County Hospital District administrator probably violated federal law when she downloaded medical and financial records for 1,200 patients with HIV, AIDS and other medical conditions onto a flash drive that later was lost or stolen, legal experts said Thursday.”

http://www.chron.com/disp/story.mpl/metropolitan/5931497.html

++++++++++++++++++++++++++

Report: Korean Execs Stole $1.8B in Trade Secrets

“Company leaders allegedly defected to rival company with 900 documents loaded onto USB drives”

http://www.darkreading.com/document.asp?doc_id=139010

+++++++++++++++++++++++++++

Nuclear Lab Breach Could Be ‘Devastating’
CBS News Exclusive: Data Found In Drug Raid Contains Weapons-Design Secrets

http://www.cbsnews.com/stories/2006/11/03/national/main2151021.shtml

Security lab may face $3.3m fine for data leak
“Classified files, computer storage devices found in trailer-park drug raid”

http://www.msnbc.msn.com/id/19752730/

++++++++++++++++++++++++++++

Added: 8/21/08 

Yet another story about missing data via USB devices, this one from the UK.

Data on 130,000 criminals lost.

http://www.telegraph.co.uk/news/newstopics/politics/2601056/Data-on-130000-criminals-lost.html

++++++++++++++++++++++++++++

Added 8/21/08  Another case of someone trying to do harm.

At Countrywide, One Overlooked PC Led to Loss of 2M Records

http://www.darkreading.com/document.asp?doc_id=161548&f_src=drweekly

++++++++++++++++++++++++++++

As Admins we need to be able to track down who is using USB storage devices and what they are doing.  EventTracker not only gathers your Event Logs (Windows and Syslog) but can also track when USB storage devices are used and what users copy/modify or delete from them.  (www.prismmicrosys.com)

August 14, 2008 Posted by ithompson | Audit Policy, Audting, USB Devices | , , | No Comments Yet

Windows Logon Types

I have received several requests asking what the different Logon Types are for the different Windows Login/Account Login (528,538,540,672,4624,4634,4768) Events.  These can be found all over the place on Microsoft’s website and others but instead of putting the links I thought I would just put the chart here. 

 

Logon Type Logon Title Description
2 Interactive A user logged on to this computer
3 Network A user or computer logged on to this computer from the network
4 Batch Used by batch processes that may be executing on behalf of a user without their direct intervention
5 Service Service started
7 Unlock This workstation was unlocked
8 NetworkClearText A user logged on to this computer from the network using credentials using clear text.  Could indicate a logon to IIS with basic authentication.
9 NewCredentials New Credentials
10 RemoteInteractive A user logged on to this computer remotely using Terminal Services or Remote Desktop.
11 CachedInteractive A user logged on to this computer with network credentials that were stored locally on the computer.  The domain controller was not contacted to verify the credentials.

 

June 6, 2008 Posted by ithompson | Audting, Event Log | | No Comments Yet

Windows 2008 and Vista Events

Big thanks to Eric Fitzgerald for posting some good info about the W2k8 and Vista events.

He put 2 great links in his latest blog, first is to Microsoft KB article with the W2k8 and Vista event events; found here.  The second on is for the same info but in Excel format, found here.

April 17, 2008 Posted by ithompson | Audting, Event Log, Log Management | , , , | No Comments Yet

Auditing Drive Mappings

Windows does not track drive mappings for auditing out of the box. 

To audit drive mappings you will need to do the following steps:

1.       Turn on Object Access Auditing via Group Policy on the system(s) in question

You will need to perform the following steps on each system that you want to track the drive mappings

2.       Open the registry and drill down to HKEY_CURRENT_USER\Network

3.       Right click on Network and choose Permissions  (if you click on the plus sign you will see each of your mapped drive listed)

4.       Click on the Advanced button

5.       Click on the Auditing tab then click on the Add button

6.       In the Select User or Group box type in Everyone

7.       This will open the Auditing dialog box

8.       Select the settings that you want to audit for; stay away from the Full Control option and Read Control.  I recommend the following settings: Create Subkey, Create Link and Delete.

Windows will now generate event id 560, 567 and 564 when the drive mappings are added or deleted.  564 will be generated when a mapping is deleted, 567 will be created when a mapping is deleted or added and 560 will be generated both times as well.  Event ID’s 567 and 564 will not give you the full information that you are looking for, they will tell you what was done to the mappings but not WHICH mapping.  To determine which mapping you will need the Handle ID code that will be found in the event description on the 564/567 events.  The Handle ID will allow you to track back to the 560 event which will give you the mapping that is being added/deleted.  Event ID 567 will only be generated on Windows XP or Windows 2003 systems, Windows 2000 will not generate 567.

March 13, 2008 Posted by ithompson | Audit Policy, Audting, Event Log, Object Access | , , | No Comments Yet

« Previous Entries