Audit Account Logon vs Audit Logon/Logoff
Over the past several years I’ve been explaining the diffence between these two audit polices. One is for logon/logoff events the other (Account Logon) is for authentication events. In the past few months I have had several people ask me to put together a blog entry covering these 2 audit polices. But I’ve found it rather painfull to put into a blog. Then a few weeks ago I found out that my employeer (Prism Microsystems) was hosting a webinar with Randy F. Smith and I was going to also be presenting. Well the webinar went smoothly today and so I have decided that instead of me doing a long lengthly blog entry I would just post a link to the recorded webinar. Enjoy and I hope you are able to gain more insight into these 2 Audit Policies.
More Info on Tracking Down File Deletes
Quite awhile ago I wrote a blog entry on Tracking Down File Deletes, it continues to be one of my most read blogs. I came across another blog entry that does a good job of explaining the same thing. The author is Ned Pyle, in his post he covers not only the Windows 2003 but also the Windows 2008 auditing so I thought I would share it with you.
Monitoring Network Shares
I had a discussion today with a customer who was trying to monitor when their users tried to access network shares and failed. He had all the correct accesses setup, removed “Everyone” and gave access to only those groups that needed access. He even turned on the correct Object Access auditing, but his problem was that when anyone outside the correct groups tried to access the folder they got the message that ” \\<server name>\<share> was not accessable. You might not have permission … ” but the Audit Failure 560 events (his server is W2k3) were not being generated.
This is something that I’ve seen quite often, the issue comes from the Share Permissions that have been set. Because he removed the Everyone group from the Share Permission the Audit Failure events for 560 (Object Access Auditing) were not being generated.
So if you need to be able to track when unauthorized users are attempting to access shares for which they do not have access, leave the Everyone group with Read permission under the Share Permissions tab on the folder (as seen in the screen shot below).
Now on the Security tab make sure that you turn on the correct Object Access auditing (stay away from FULL CONTROL; you will flood yourself with noise events). Now since in this example we want to track when people fail to open the network share, goto the Security tab, then click on the Advanced button, then the Auditing tab. Click the add button and set this auditing for Everyone and check Traverse Folder and List Folder boxes under the Failed column.
Now when users attempt to open this network share event id 560 Audit Failure event will be generated telling you who, what, when. Now the from where is not going to be listed in the 560 event but can be tracked down by looking at the Client Logon ID hex code listed in the event description.
Looking at the Object Name will tell you what file/folder the user was trying to access. If the Image File Name is blank then you know they were attempting to access the resource from the network, if this field has a value then they used the program listed to access the resource locally. Client User Name will tell you who the user was if they accessed remotely (if they are accessesing locally then look at the Primary User Name). The Client Logon ID (or Primary Logon ID) will help you link back to the logon event (528 or 540 in the case of W2k3 and older OS). Looking at the Accesses list we can see the ReadData/ListDirectory which is what we are auditing for.
Analyzing ID 537 and the Status Codes
When looking through the logs have you ever come across that generic login failure event id 537? Doesn’t really give you much at first glance, 90% of the time the user name in description field is blank. This event comes in 2 forms, the workstation version and the DC version.
First I’m going to show the workstation version followed by the DC version.
As seen in the security log from Wrkstation1:
Event Type: Failure Audit
Event Source: Security
Event ID: 537
User: NT AUTHORITY\SYSTEM
Computer: Wrkstation1
Description:
Logon Failure:
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC000006D
Substatus code: 0xC0000133
As seen in the security log on DC1:
Event Type: Failure Audit
Event Source: Security
Event ID: 537
User: NT AUTHORITY\SYSTEM
Computer: DC1
Description:
Logon Failure:
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC000006D
Substatus code: 0xC0000133
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.1.144
Source Port: 0
When you get the information from the DC you will be able to track down the system that generated the logon failure either by the Source Network Address or by the Workstation Name in the description field. The part of this event that holds any real data is the status code (and thank you Microsoft for using HEX codes instead of plain English).
Most of the time you will beat your head against a wall trying to figure out what in the world these codes mean.
Well stop looking I have found a MSDN reference to the NTSTATUS codes.
Now in the above 2 examples the Status code: 0xC000006D means that “The attempted logon is invalid. This is either due to a bad username or authentication information.” Since we already know this look at the Substatus code: 0xC0000133 which means “The time at the primary domain controller is different from the time at the backup domain controller or member server by too large an amount.” Now the “too large an amount” refers to 5 minutes. Check the system time on the DC where the event happened and check the workstation (Source Network Address).
Hope this helps.
Password Never Expires and Account Set to Expire
Recently I was asked, “What type of user account changes do you watch for?” There are several but I wanted to focus on 2 changes that most people ask for. 1 “How can I tell if someone’s password has been set to never expire?” and 2nd “How can I tell if an account has been set to expire?”. We will look at both the Windows 2003 and older Windows OS event (id 642) and the Windows 2008/Vista event (id 4738). Sure there are scripts that you can run against your AD and Local System accounts to gather this information. But if you have the correct auditing turned on (Audit Account Mgmt) you can get this information via the event logs and if you are collecting your logs using a log management tool you can get this info in real time. I’m not going to show the entire event descriptions for id’s 642 and 4738, but I will show the sections that are important to us. What’s nice about both of these events is that they appear whenever an account has been changed; this can be at the time of account creation or after an account is created.
For id 642 you need to look at the following:
Target Account Name: joe.user (User whose account was changed)
Target Domain: Acme (Users domain ; can also indicate local account)
Caller User Name: bob.admin (Admin who made the change)
For id 4738 look at the following:
Subject:
Account Name: bob.admin (Admin who made the change)
Target Account:
Account Name: joe.user (User whose account was changed)
Account Domain: Acme (Users domain; can also indicate local account)
This information holds true for any change to the account either local or one that is part of your AD. The next information will tell you What changed on the account. So for question 1, password set to never expire you need to watch for the following.
For id 642 and 4738:
Changed Attributes:
User Account Control:
‘Don’t Expire Password’ – Enabled (Box has been checked for password to never expire)
Now when you reverse the change and uncheck the password never expires box you will see ‘Don’t Expire Password’ – Disabled
Now for question 2, determine when an account has been set to expire.
For id 642 and 4738:
Changed Attributes:
Account Expires: x/xx/xxxx xx:xx:xx PM (This gives you the Date/Time that the account will expire)
If an account is setup to never expire then the Account Expires will have a dash (-) after it.
Webinar hosted by Whitehatworld
The other day I conducted a webinar that was hosted by Whitehatworld.com. I have been asked by several people if I would post a link to the recording, so click here to view the webinar. The webinar topic was “Security Beyond the Windows Event Log – Monitoring Ten Critical Conditions”.
Windows Logon Types
I have received several requests asking what the different Logon Types are for the different Windows Login/Account Login (528,538,540,672,4624,4634,4768) Events. These can be found all over the place on Microsoft’s website and others but instead of putting the links I thought I would just put the chart here.
| Logon Type | Logon Title | Description |
| 2 | Interactive | A user logged on to this computer |
| 3 | Network | A user or computer logged on to this computer from the network |
| 4 | Batch | Used by batch processes that may be executing on behalf of a user without their direct intervention |
| 5 | Service | Service started |
| 7 | Unlock | This workstation was unlocked |
| 8 | NetworkClearText | A user logged on to this computer from the network using credentials using clear text. Could indicate a logon to IIS with basic authentication. |
| 9 | NewCredentials | New Credentials |
| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
Windows 2008 and Vista Events
Big thanks to Eric Fitzgerald for posting some good info about the W2k8 and Vista events.
He put 2 great links in his latest blog, first is to Microsoft KB article with the W2k8 and Vista event events; found here. The second on is for the same info but in Excel format, found here.
Auditing Drive Mappings
Windows does not track drive mappings for auditing out of the box.
To audit drive mappings you will need to do the following steps:
1. Turn on Object Access Auditing via Group Policy on the system(s) in question
You will need to perform the following steps on each system that you want to track the drive mappings
2. Open the registry and drill down to HKEY_CURRENT_USER\Network
3. Right click on Network and choose Permissions (if you click on the plus sign you will see each of your mapped drive listed)
4. Click on the Advanced button
5. Click on the Auditing tab then click on the Add button
6. In the Select User or Group box type in Everyone
7. This will open the Auditing dialog box
8. Select the settings that you want to audit for; stay away from the Full Control option and Read Control. I recommend the following settings: Create Subkey, Create Link and Delete.
Windows will now generate event id 560, 567 and 564 when the drive mappings are added or deleted. 564 will be generated when a mapping is deleted, 567 will be created when a mapping is deleted or added and 560 will be generated both times as well. Event ID’s 567 and 564 will not give you the full information that you are looking for, they will tell you what was done to the mappings but not WHICH mapping. To determine which mapping you will need the Handle ID code that will be found in the event description on the 564/567 events. The Handle ID will allow you to track back to the 560 event which will give you the mapping that is being added/deleted. Event ID 567 will only be generated on Windows XP or Windows 2003 systems, Windows 2000 will not generate 567.
Security Log Resource
This week has been a busy one for me. I have had several web training sessions and 2 onsite training sessions with customers this week. A question came up during one of onsites this week and I thought I would share it. The question was where did I get all my knowledge about the Windows Event Log and the various Event ID’s.
The answer is a simple 2 part answer. Part 1 –> Repetition, repetition, repetition. I have been analyizing event logs for more than 3 years now and before that I was a Sys Admin. Looking at the events day in and day you tend to get them stuck in your head. Part 2 –> Resources such as the information that I’ve learned from reading Randy F. Smith’s book and reviewing his course documentation and visiting his web site: www.ultimatewindowssecurity.com. I have put a link to a new feature on Randy’s site, WinSecWiki, under my Blogrolls. I also attend his webinars to get more info. Randy has good insite to the Security log. I have also had several conversations with Randy.
From time to time I will contribute to Randy’s Wiki, I will be posting under my first name on his site.
If anyone has any questions about Windows Events or the Windows Audit Policy feel free to ask.
-
Archives
- October 2009 (1)
- September 2009 (1)
- August 2009 (1)
- May 2009 (3)
- April 2009 (1)
- March 2009 (2)
- February 2009 (4)
- September 2008 (1)
- August 2008 (1)
- June 2008 (1)
- May 2008 (1)
- April 2008 (1)
-
Categories
-
RSS
Entries RSS
Comments RSS
