Microsoft Auditing Events for Windows 2000/2003 Active Directory. By Ed Ziots Version 1.6 9/20/2005


Revision 1.3: Cleaned up resources and added additional detail into each auditing table.
Revision 1.4: Added Kerberos Authentication Information and troubleshooting.
Revision 1.5: Added documentation on NT rights and privileges and examples for securing systems.
Revision 1.6: Will add security of services, registry file system along with examples using subinacl.exe and security templates.
Revision 1.7: Will add security of active directory using delegation of control wizard, and using dsacls.exe.

References:
(1) Microsoft Windows 2000 Security Operations Guide.
(2) Microsoft Windows 2000 Security Resource Kit.
(3) Microsoft Windows 2000 Server (RK) Distributed Systems Guide.
(4) Microsoft Windows 2000 Server Administrators Companion.
(5) NSA Guide to Securing Windows 2000 Server.
(6) Troubleshooting Kerberos Errors (March 2004).
(7) Microsoft KB Article (Common Kerberos Related Errors).
(8) MIT Kerberos 5 Protocol Constraints and Values: protocol/krb5.constants
(9) IETF RFC 1510 (Kerberos v5).
(10) Kerberos Authentication Tools and Settings: brary/techref/b36b8071-3cc5-46fa-be13-280aa43f2fd2.mspx
(11) The Security Monitoring and Attack Prevention Planning Guide (Microsoft Corporation).
(12) Windows 2003 Resource Kit Guide (Microsoft Corporation).
(13) Mastering Windows 2003 (Mark Minasi).
(14) Windows 2003 Administrators Companion (Microsoft Corporation).
(15) The Services and Services Account Security Planning Guide (Microsoft Corporation).

Account Logon Events: A domain controller received a request to validate a user account. (Will be enabled on all Windows 2000 DCs for success and failure.)

Account Management: An administrator created, changed or deleted a user account or group. A user account was renamed, disabled or enabled, or a password was set or changed.

Directory Services Access: A user gained access to an Active Directory object. You must configure specific Active Directory objects for auditing to log this type of event.

Logon Events: A user logs on to or logs off the Windows 2000 computer.

Object Access: A user gained access to a file, folder or printer. You must configure specific files, folders, or printers for auditing.

Directory service access is auditing a user's access to specific Active Directory objects. Object access is auditing a user's access to files, folders and printers.

Policy Change: A change was made to the user security options, user rights, or audit policies.

Privilege Use: A user exercised a right, such as changing the system time. (This does not include rights that are related to logging on and logging off.)

Process Tracking: A program performed an action. This information is generally useful only for programmers who want to track details of program execution.

System: A user restarted or shut down the computer, or an event occurred that affects Windows 2000 Security or the security log.

Events that appear in the Security Event Log and their Descriptions: (From Microsoft Operations Security Guide, page )

Security Event Descriptions for Windows 2000 are detailed in Microsoft Kbase Articles:
- Windows 2000 Security Event Descriptions (Part 1 of 2)
- Windows 2000 Security Event Descriptions (Part 2 of 2)

Utilize EventCombMT.exe to parse out event logs from multiple computers.

Table 3.1: Common Logon Events that Appear in the Security Event Log

Event ID: Description

528: A user successfully logged on to a computer. Parameters: User name, domain, or workstation involved in the logon attempt, logon ID, logon type, source of the logon attempt, authentication package (NTLM, Kerberos V5, or negotiate) involved in the logon attempt, workstation name.

529: The logon attempt was made with an unknown username or a known username with a bad password. Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made. Check for attempts where Target Account Name equals Administrator and Domain Name is unknown, or Target Account Name equals root.

530: The user account tried to log on outside of the allowed time. Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made. Logon time restrictions can only be configured for domain accounts. However, for non-domain accounts, it is still possible to configure logon time restrictions programmatically.

531: A logon attempt was made using a disabled account. Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made.

532: A logon attempt was made using an expired account. Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made.

533: The user is not allowed to log on at this computer. Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made.

534: The user attempted to log on with a logon type that is not allowed, such as network, interactive, batch, service or remote interactive. Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made. (See Note 1 for known logon types.) Check the Target Account Name, Workstation Name, and logon type.

535: The password for the specified account has expired. Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made.

536: The Net Logon Service is not active. Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made. The Net Logon service is needed for domain-style logon attempts or logon attempts to an account that does not exist on the workstation at which the logon attempt is occurring.

537: The logon attempt failed for other reasons. Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation from which the logon attempt was made, one or two status codes indicating why the logon failed. In some cases, the reason for the logon failure might not be known. To find the individual status codes, search for the files Ntstatus.h or Winerror.h, and then open them by using a text editor such as Notepad. (You can use err.exe to review the codes inside Winerror.h and Ntstatus.h.)

538: The user logged off. Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made. The logoff message can be caused by any type of logoff attempt.

539: The account was locked out at the time the logon attempt was made. Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation from which the logon attempt was made. This event can indicate that a password attack was launched unsuccessfully, resulting in the account being locked out.

540: Successful Network Logon. Parameters: User name, domain, or workstation involved in the logon attempt, logon ID, logon type, source of the logon attempt, authentication package (NTLM, Kerberos V5, or negotiate) involved in the logon attempt, workstation name. This event indicates that a remote user has successfully connected from the network to a local resource on the server, generating a token for the network user.

541: Main Mode Internet Key Exchange (IKE) authentication was completed between the local computer and the listed peer identity (established a security association), or quick mode has established a data channel. Parameters: Mode (main or quick), the IP address and name of the other host involved in the authentication, a filter specifying source and destination addresses (address can be either specific IP, IP subnet, or all computers), an encryption algorithm, hashing algorithm, and timeout for the security association.

542: A data channel was terminated. Parameters: Mode (main or quick), a filter indicating a subnet, a particular host, or all computers, the inbound Service Parameters Index (SPI) or local host, the outbound SPI (the other peer in the connection). Note: Data transfer mode is the same as quick mode (QM).

543: Main mode was terminated. Parameters: A filter indicating a subnet, a particular host, or all computers. This might occur as a result of the time limit on the security association expiring (the default is eight hours), policy changes, peer termination, and so on.

544: Main mode authentication failed because the peer did not provide a valid certificate or the signature was not validated. Parameters: Peer identity (the other host involved in the authentication), a filter indicating a subnet, a particular host, or all computers.

545: Main mode authentication failed because of Kerberos failure or a password that is not valid. Parameters: Peer identity (the other host involved in the authentication), filter indicating a subnet, a particular host, or all computers.

546: IKE security association establishment failed because the peer sent a proposal that is not valid. A packet was received that contained data that is not valid. Parameters: Mode (main or quick, depending when the error occurred), a filter indicating a subnet, a particular host, or all computers, incorrect attribute, expected value, received value.

547: A failure occurred during an IKE handshake. Parameters: Mode (indicates when the failure occurred), a filter indicating a subnet, particular host, or all computers, the point of failure, and the reason for the failure.

548: The security ID (SID) from a trusted domain does not match the home domain SID of the client. Parameters: User name, domain name, logon type, logon process, authentication package, workstation name, impersonated domain.

549: All SIDs were filtered out during a cross-forest authentication. Parameters: User name, domain name, logon type, logon process, authentication package, workstation name. During cross-forest authentication, all SIDs corresponding to untrusted namespaces are filtered out. This event is triggered when this filtering action removes all SIDs.

550: Indicates a possible denial of service attack. Parameters: No parameters, other than the above text describing the beginning or ending of a denial-of-service attack. This event message is generated when IKE has a large number of pending requests to establish security associations and is beginning denial-of-service prevention mode. This might be normal if caused by high computer loads or a large number of client connection attempts. It also might be the result of a denial-of-service attack against IKE. If this is a denial-of-service attack, there are usually many audits for failed IKE negotiations to spoofed IP addresses. Otherwise, the computer is only extremely heavily loaded.

600: Process was assigned a primary token. This event occurs when a service uses a named account to log on to a computer that runs Windows XP or later. Correlate with event IDs 672, 673, 528, NT Authority/Anonymous is trying to attempt a password change. (Could be unauthenticated password changes, via a Win9x user.)

682: A user has reconnected to a disconnected Terminal Services Session. This event indicates that a previous Terminal Services Session was connected to.

683: A user disconnected a Terminal Services session without logging off. This event is generated when a user is connected to a Terminal Services Session over the network. It appears on the terminal server. (See Note 2 for information on Terminal Services setup.)

Notes:

1) The common logon types are the following.
a) Logon Type (2): Console logon, interactive from the computer console
b) Logon Type (3): Network logon, network mapping (net use/net view)
c) Logon Type (4): Batch logon, scheduler
d) Logon Type (5): Service logon, service uses an account
e) Logon Type (6): Proxy Logon
f) Logon Type (7): Unlock Workstation
g) Logon Type (8): NetworkClearText (Reserved for cleartext logons over the network)
h) Logon Type (9): NewCredentials (Initiated by using the runas command with /netonly)
i) Logon Type (10): Remote Interactive (Recorded for Terminal Service logons)
j) Logon Type (11): Cached Interactive (Recorded when cached credentials are used to log on locally to a computer)

2) Terminal Services is installed in Remote Administration mode. In addition, access to the Terminal Services RDP connection is audited and the servers do not allow disconnected sessions. If a session becomes disconnected, the session will reset. This is the most secure environment.

The following security events can be diagnosed using logon event entries:
- Local Logon Attempt Failures: Event IDs 529, 530, 531, 532, 534, 537.
- Account Misuse: Event IDs 530, 531, 532, 533.
- Account Lockouts: Event ID 539, but also look for previous Event ID 529s with the same account.
- Terminal Services attacks: Event IDs 683, 682.
- Service Account Misuse: Event ID 528 with a logon type of 2 (Console) or 10 (Terminal Services).

Table 3.2: Common Account Logon Events that Appear in the Security Event Log

Event ID: Description

672: An Authentication Service (AS) ticket was successfully issued and validated. Parameters: User name of client, domain name of client, SID of client, SID of service, ticket options, failure code, ticket encryption type, preauthentication type (such as PK_INIT), client IP address. This event occurs on the Key Distribution Center (KDC) when a Kerberos logon attempt takes place. One AS ticket is granted per logon session.

673: A Ticket Granting Service (TGS) ticket was granted. Parameters: User name of client, domain name of client, user name of service, SID of service, ticket options, ticket encryption type, client IP address. This event occurs on the KDC and means that a user presented an AS ticket and was given a TGS ticket for some service.

674: A security principal renewed an AS ticket or TGS ticket. Parameters: User name of client, domain name of client, user name of service, SID of service, ticket options, ticket encryption type, client IP address. This event occurs on the KDC and is currently only caused by non-Windows-based clients because Windows-based clients do not renew tickets, but reacquire them instead. This event occurs on the KDC user name of the client.

675: Pre-Authentication Failed. Parameters: User name of client, SID of client, user name of service, preauthentication type, failure code, client IP address. This event message is generated on the KDC for reasons such as the user typing in a wrong password, a large difference between the clock time on the client and the KDC, or a smart card logon error.

676: Authentication Ticket Request Failed.

677: A TGS ticket was not granted. Parameters: User name of client, SID of client, user name of service, SID of service, preauthentication type, failure code, client IP address. This audit occurs on the KDC.

678: An account was successfully mapped to a domain account. Parameters: Source, client name, mapped name. An account mapping is a map of a user authenticated in an MIT Kerberos realm to a domain account.

680: Identifies the account used for the successful logon attempt. This event also indicates the authentication package used to authenticate the account.

681: A domain account logon was attempted. Parameters: Logon attempt by, logon account, source workstation, error code, if relevant. This audit appears on the domain controller or wherever the account exists. The following error codes are possible:
- Unknown user name or bad password (1326)
- Account logon time restriction violation (1328)
- Account currently disabled (1331)
- The specified user account has expired (1793)
- User not allowed to log on at this computer (1329)
- The user has not been granted the requested logon type at this computer (1327)
- The specified account's password has expired (1330)
- The Net Logon service is not active (1792)

In each of these events, descriptive text gives detailed information about each specific logon attempt. Also, on Windows XP Professional you can enable success and failure auditing of the Account Logon category of events, which enables the following events:
- Authentication ticket granted
- Service ticket granted
- Ticket renewed
- Preauthentication failed
- Authentication ticket request failed
- Service ticket request failed
- Account mapped for logon
- Account could not be mapped for logging on
- Account used for logging on

682: A user has reconnected to a disconnected Terminal Services session.

683: A user disconnected a Terminal Services session without logging off.

Table: Event ID 681 Failure Reason Codes (See Article Q326985)

Decimal Value / Hexadecimal Value / Reason

C: User logged on with a misspelled or bad user account
C: The name provided is not a properly formed account name
C: A required privilege is not held by the client
C000006A: User logged on with a misspelled or bad password
C000006C: Password is not correct. When trying to update a password, this status indicates that some password update rule has been violated
C000006F: User logged on outside authorized hours
C: User logged on from unauthorized workstation
C: User logged on with an expired password
C: User logged on to an account disabled by the administrator
C: User logged on with an expired account
C: User logged on with Change Password at Next Logon flagged
C: User logged on with the account locked

Table: Event 675 and 676 Kerberos Authentication Error Codes (Also look at Q230476)

Error Code: Description/Cause

0x6: The username doesn't exist.
0x12: Workstation restriction; logon time restriction; account disabled, expired or locked out.
0x17: The user's password has expired.
0x18: The username is correct, but the password is wrong. (Very common when looking at event ID 675.)
0x25: The workstation's clock is too far out of synchronization with the DC's clock.

The following security events can be diagnosed using account logon event entries:
- Domain logon attempt failures: Event IDs 675, 677.
- Time synchronization issues: Event ID 675 (time sync more than 5 minutes off from the DC). Use net time /querysntp to view the current time server. Use w32tm -v -once to debug the time-sync process.
- Terminal Services attacks: Event IDs 683, 682.

Table 3.3: Common Account Management Events that Appear in the Security Event Log

Event ID: Description

624: User Account Created. Parameters: Name of new user account, domain of new user account, SID string of new user account, user name of subject creating the user account, domain name of subject creating the user account, logon ID string of subject creating the user account, privileges used to create the user account. Only authorized personnel and/or processes should create network accounts. Examine the Primary User Name field to detect whether an authorized person or process created an account. This event also detects if administrators create accounts outside organizational policy guidelines.

625: User Account Type Change.

626: User Account Enabled.

627: Password Change Attempted. Parameters: Name of target user account, domain of target user account, SID string of target user account, user name of subject changing the user account, domain name of subject changing the user account, logon ID string of subject changing the user account. Compare Primary Account Name to Target Account Name to determine whether the account owner or someone else attempted to change the password. If Primary Account Name does not equal Target Account Name, someone other than the account owner tried to change the password. On computers that run Windows ME, Win98x, 95x or Windows NT, it's common to see Anonymous as the account that requests the change. This is because the user might not have been authenticated. However, the requestor had to supply the old password, so this is not a significant security risk.

628: User Account Password Set. Parameters: Name of target user account, domain of target user account, SID string of target user account, user name of subject changing the user account, domain name of subject changing the user account, logon ID string of subject changing the user account. Records when a user or process resets an account password through an administrative interface such as Active Directory Users and Computers, rather than through a password change process. Only authorized people or processes within your organizational structure should carry out these processes; these entities should be the helpdesk, information systems personnel, or a user self-service password reset process.

629: User Account Disabled.

630: User Account Deleted. Parameters: Name of target user account, domain of target user account, SID string of target user account, user name of subject deleting the user account, domain name of subject deleting the user account, logon ID string of subject deleting the user account.

631: Security Enabled Global Group Created. Parameters: Name of new group account, domain of new group account, SID string of new group account, user name of subject creating the account, domain name of subject creating the account, logon ID string of subject creating the account.

632: Security Enabled Global Group Member Added. Parameters: SID string of member being added, name of target account, domain of target account, SID string of target account, user name of subject changing the account, domain name of subject changing the account, logon ID string of subject changing the account.

633: Security Enabled Global Group Member Removed. Parameters: SID string of member being removed, name of target account, domain of target account, SID string of target account, user name of subject changing the account, domain name of subject changing the account, logon ID string of subject changing the account.

634: Security Enabled Global Group Deleted. Parameters: Name of the global group account, domain of the global group account, SID string of the global group account, user name of subject deleting the global group, domain name of subject deleting the global group, logon ID string of subject deleting the global group.

635: Security Disabled Local Group Created. Parameters: Name of new group account, domain of new group account, SID string of new group account, user name of subject creating the account, domain name of subject creating the account, logon ID string of subject creating the account.

636: Security Enabled Local Group Member Added. Parameters: SID string of member being added, name of target account, domain of target account, SID string of target account, user name of subject changing the account, domain name of subject changing the account, logon ID string of subject changing the account.

637: Security Enabled Local Group Member Removed. Parameters: SID string of member being removed, name of target account, domain of target account, SID string of target account, user name of subject changing the account, domain name of subject changing the account, logon ID string of subject changing the account.

638: Security Enabled Local Group Deleted. Parameters: Name of group account being deleted, domain of the group account, SID string of group account, user name of subject deleting the account, domain name of subject deleting the account, logon ID string of subject deleting the account.

639: Security Enabled Local Group Changed. Parameters: Name of group account being changed, domain of group account, SID string of group account, user name of subject changing the account, domain name of subject changing the account, logon ID string of subject changing the account.

641: Security Enabled Global Group Changed. Parameters: Name of group account being changed, domain of group account, SID string of target account, user name of subject changing the account, domain name of subject changing the account, logon ID string of subject changing the account.

642: User Account Changed. Parameters: Name of user account, domain of user account, SID string of user account, user name of subject changing the user account, domain name of subject changing the user account, logon ID string of subject changing the user account.

643: Domain Policy Changed. Parameters: Domain policy that was modified, domain name, domain ID, caller user name, caller domain, caller logon ID, privileges used.

644: User Account Locked Out. Parameters: Name of target user account, domain of target user account, SID string of target user account, user name of subject changing the user account, domain name of subject changing the user account, logon ID string of subject changing the user account. When an account is locked out, two events will be logged at the PDC Emulator. A 644 event will occur, indicating that the account name was locked out. Then a 642 event will be recorded, indicating that the user account is now locked out. This event is only logged at the PDC emulator.

645: A computer account was created. Parameters: Name of new computer account, domain of new computer account, SID string of new computer account, user name of subject creating the computer account, domain name of subject creating the computer account, logon ID string of subject creating the computer account, privileges used to create the computer account.

646: A computer account was changed. Parameters: Name of target computer account, domain of target computer account, SID string of target computer account, user name of subject changing the computer account, domain name of subject changing the computer account, logon ID string of subject changing the computer account, privileges used to change the computer account.

647: A computer account was deleted. Parameters: Name of target computer account, domain of target computer account, SID string of target computer account, user name of subject deleting the computer account, domain name of subject deleting the computer account, logon ID string of subject deleting the computer account, privileges used to delete the computer account.

648: A local security group with security disabled was created. Parameters: Name of new group account, domain of new group account, SID string of new group account, user name of subject creating the account, domain name of subject creating the account, logon ID string of subject creating the account, privileges used to create the account.

649: A local security group with security disabled was changed. Parameters: Name of group account, domain of group account, SID string of group account, user name of subject modifying the account, domain name of subject modifying the account, logon ID string of subject modifying the account, privileges used to modify the account.

650: A member was added to a security-disabled local security group. Parameters: SID string of member being added, name of security-disabled local security group account, domain of security group account, SID string of security-disabled local security group account, user name of subject changing the membership of the security-disabled local security group, domain name of subject changing the membership of the security-disabled local security group, logon ID string of subject changing the membership of the security-disabled local security group.

651: A member was removed from a security-disabled local security group. Parameters: SID string of member being removed, name of security-disabled local security group account, domain of security-disabled security group account, SID string of local security group account, user name of subject changing the membership of the security-disabled local security group, domain name of subject changing the membership of the security-disabled local security group, logon ID string of subject changing the membership of the security-disabled local security group.

652: A security-disabled local group was deleted. Parameters: Name of the security-disabled local group, domain of security-disabled local group, SID string of security-disabled local group, user name of subject deleting the security-disabled local group, domain name of subject deleting the security-disabled local group, logon ID string of subject deleting the security-disabled local group.

653: A security-disabled global group was created. Parameters: Name of new security-disabled global group, domain of new security-disabled global group, SID string of new security-disabled global group, user name of subject creating the security-disabled global group, domain name of subject creating the security-disabled global group, logon ID string of subject creating the security-disabled global group.

654: A security-disabled global group was changed. Parameters: Name of security-disabled global group, domain of security-disabled global group, SID string of security-disabled global group, user name of subject changing the security-disabled global group, domain name of subject changing the security-disabled global group, logon ID string of subject changing the security-disabled global group.

655: A member was added to a security-disabled global group. Parameters: SID string of member being added, name of security-disabled global group, domain of security-disabled global group, SID string of security-disabled global group, user name of subject changing the security-disabled global group, domain name of subject changing the security-disabled global group, logon ID string of subject changing the security-disabled global group.

656: A member was removed from a security-disabled global group. Parameters: SID string of member being removed, name of security-disabled global group, domain of security-disabled global group, SID string of security-disabled global group, user name of subject changing the security-disabled global group, domain name of subject changing the security-disabled global group, logon ID string of subject changing the security-disabled global group.

657: A security-disabled global group was deleted. Parameters: Name of security-disabled global group, domain of security-disabled global group, SID string of security-disabled global group, user name of subject deleting the security-disabled global group, domain name of subject deleting the security-disabled global group, logon ID string of subject deleting the security-disabled global group.

658: A security-enabled universal group was created. Parameters: Name of new group account, domain of new security-enabled universal group, SID string of new security-enabled universal group, user name of subject creating the security-enabled universal group, domain name of subject creating the security-enabled universal group, logon ID string of subject creating the security-enabled universal group.

659: A security-enabled universal group was changed. Parameters: Name of target security-enabled universal group, domain of security-enabled universal group, SID string of security-enabled universal group, user name of subject changing the security-enabled universal group, domain name of subject changing the security-enabled universal group, logon ID string of subject changing the security-enabled universal group.

660: A member was added to a security-enabled universal group. Parameters: SID string of member being added, name of security-enabled universal group, domain of security-enabled universal group, SID string of security-enabled universal group, user name of subject changing the security-enabled universal group, domain name of subject changing the security-enabled universal group, logon ID string of subject changing the security-enabled universal group.

661: A member was removed from a security-enabled universal group. Parameters: SID string of member being removed, name of security-enabled universal group, domain of security-enabled universal group, SID string of security-enabled universal group, user name of subject changing the security-enabled universal group, domain name of subject changing the security-enabled universal group, logon ID string of subject changing the security-enabled universal group.

662: A security-enabled universal group was deleted. Parameters: Name of target account, domain of security-enabled universal group, SID string of security-enabled universal group, user name of subject deleting the security-enabled universal group, domain name of subject deleting the security-enabled universal group, logon ID string of subject deleting the security-enabled universal group.

663: A security-disabled universal group was created. Parameters: Name of new security-disabled universal group, domain of new security-disabled universal group, SID string of new security-disabled universal group, user name of subject creating the security-disabled universal group, domain name of subject creating the security-disabled universal group, logon ID string of subject creating the security-disabled universal group.

664: A security-disabled universal group was changed. Parameters: Name of security-disabled universal group, domain of security-disabled universal group, SID string of security-disabled universal group, user name of subject changing the security-disabled universal group, domain name of subject changing the security-disabled universal group, logon ID string of subject changing the security-disabled universal group.

665 A member was added to a security-disabled universal group. Parameters: SID string of member being added, name of security-disabled universal group, domain of security-disabled universal group, SID string of security-disabled universal group, user name of subject changing the security-disabled universal group, domain name of subject changing the security-disabled universal group, logon ID string of subject changing the security-disabled universal group.
666 A member was removed from a security-disabled universal group. Parameters: SID string of member being removed, name of security-disabled universal group, domain of security-disabled universal group, SID string of security-disabled universal group, user name of subject changing the security-disabled universal group, domain name of subject changing the security-disabled universal group, logon ID string of subject changing the security-disabled universal group.
667 A security-disabled universal group was deleted. Parameters: Name of target account, domain of security-disabled universal group, SID string of security-disabled universal group, user name of subject deleting the security-disabled universal group, domain name of subject deleting the security-disabled universal group, logon ID string of subject deleting the security-disabled universal group.
668 A group type was changed. Parameters: Nature of group type change, name of group being changed, domain of group being changed, SID string of group being changed, user name of subject changing the group type, domain name of subject changing the group type, logon ID string of subject changing the group type.
684 Set the security descriptor of members of administrative groups. Parameters: Domain of target user account, SID string of target user account, user name of subject changing the user account, domain name of subject changing the user account, logon ID string of subject changing the user account.
685 A name of an account was changed. Parameters: Name of target account, domain of target account, SID string of target account, user name of subject changing the account, domain name of subject changing the account, logon ID string of subject changing the account.

The following security events can be diagnosed using security log entries:

Creation of a user account: Event IDs 624 and 626 identify when accounts are created and enabled.

User account password changed: The modification of a password by someone other than the user can indicate that an account has been taken over by another user. Look for Event IDs 627 and 628, which indicate that a password change is attempted and successful.

User account status changed: An attacker may attempt to cover their tracks by disabling or deleting the account used during an attack. All occurrences of Event IDs 629 and 630 should be investigated to ensure that these are authorized transactions.

Modification of Security Groups: Membership changes to Domain Admins, Administrators, any of the operator groups, or custom global, universal or domain local groups that are delegated admin functions should be reviewed. For global group membership modifications, review Event IDs 632 and 633. For domain local group membership changes, look for Event IDs 636 and 637.

Account Lockout: When an account is locked out, two events will be logged at the PDC emulator operations master. A 644 event will indicate that the account name was locked out, and then a 642 event is recorded, indicating that the user account was changed to show that it is now locked out.

Security Enabled Global Group Changes: Look for Event IDs Examine these events for groups that have global or broad access privileges, along with the members put into these groups (Domain Admins, for example). Reviewing these events will give you the assurance that no changes outside the organization's policy for user account management are taking place, and if violations do occur they can be quickly documented and reported to the CISO, ISO, and Management for further review. The group name that was changed is the Target Account Name field of the event.

Security Enabled Local Group Changes: Look for Event IDs Examine these events for groups such as Administrators, Server Operators and Backup Operators to ensure that no changes take place outside organizational policy. If changes are made that do not comply, these events will provide proof of the user that violated the policy and should be reported to the CISO, ISO, and Management for further review. The group name that was changed is the Target Account Name field of the event.

Security Enabled Group Changes: Look for Event IDs 639, 641 and 668. These events indicate other changes to a group besides deletion, creation, or membership changes. You should examine these events for groups that have high privilege levels within your organization, and ensure all changes are authorized. Again, if you find unauthorized changes, report them to your CISO, ISO, and Management for further review. The group name that was changed is the Target Account Name field of the event.

Security Enabled Universal Group Changes: Look for Event IDs Examine for groups that have high privilege levels, such as Enterprise Admins or Schema Admins, to ensure that no changes take place outside policy constraints. The group name that was changed is the Target Account Name field of the event.

Table 3.4 Common Object Access Events
Event ID Description
560 Access was granted to an already existing object. Parameters: Object server, object type, object name, handle ID, operation ID, process ID, image file name, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, access privileges, restricted SID count. Check the Primary Logon ID, Client User Name, and Primary User Name fields to detect unauthorized attempts to change file permissions. Check the Accesses field to identify the operation type. The acting user is the Client User (if present); otherwise it is the Primary User.
561 A handle to an object was allocated.
562 A handle to an object was closed. Parameters: Object server, handle ID, process ID, image file name.
563 An attempt was made to open an object with the intent to delete it. Parameters: Object server, object type, object name, handle ID, operation ID, process ID, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, accesses, privileges.
564 A protected object was deleted. Parameters: Object server, handle ID, process ID.
565 Access was granted to an already existing object type. Parameters: Object server, object type, object name, handle ID, operation ID, process ID, process name, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, accesses, privileges, properties.
566 A generic object operation took place. Parameters: Operation type, object type, object name, handle ID, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, accesses, properties.
567 A permission associated with a handle was used. Parameters: Name of the object being accessed, object server, handle ID, object type, process ID, access mask. (This event occurs on the first instance of an access type (list, read, create, etc.) to an object. To correlate with event 560, compare the Handle ID fields of the two events.)
568 An attempt was made to create a hard link to a file that is being audited. Parameters: Primary user name, primary domain, primary logon ID, object name, link name.
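The Handle ID correlation between events 560 and 567 described above can be scripted once the events are exported. The following is an added example, not part of the original guide: it assumes the events are already parsed into dictionaries (key names and sample records are constructed), and it also uses event 562 to end a handle's lifetime so that a reused handle value is not attributed to the wrong object.

```python
# Added example: correlate object-access events 560 / 567 / 562 by Handle ID.
# The records are constructed sample data, not real log output; the dictionary
# keys are this example's own names for the event parameters.

SAMPLE_EVENTS = [
    {"id": 560, "handle": 0x4C0, "pid": 1180, "object": r"D:\Payroll\2005.xls",
     "primary_user": "FS01$", "client_user": "jsmith",
     "accesses": ["ReadData", "WriteData", "WRITE_DAC"]},
    {"id": 567, "handle": 0x4C0, "pid": 1180, "access_used": "ReadData"},
    {"id": 567, "handle": 0x4C0, "pid": 1180, "access_used": "WRITE_DAC"},
    {"id": 562, "handle": 0x4C0, "pid": 1180},
    # The same handle value is reused by the same process after the close.
    {"id": 560, "handle": 0x4C0, "pid": 1180, "object": r"D:\Public\readme.txt",
     "primary_user": "backupsvc", "client_user": "-",
     "accesses": ["ReadData"]},
    {"id": 567, "handle": 0x4C0, "pid": 1180, "access_used": "ReadData"},
    # A 567 whose 560 is missing from this extract (filtered or overwritten).
    {"id": 567, "handle": 0x7F8, "pid": 2044, "access_used": "DELETE"},
]


def acting_user(event):
    """Client user if present, otherwise the primary user."""
    client = (event.get("client_user") or "").strip()
    return client if client not in ("", "-") else event["primary_user"]


def correlate(events):
    """Return (sessions, orphans) for a time-ordered list of events.

    A session is one 560 plus every 567 seen on the same (process ID,
    handle ID) pair before the matching 562.
    """
    open_handles = {}              # (pid, handle) -> session
    sessions, orphans = [], []
    for ev in events:
        key = (ev["pid"], ev["handle"])
        if ev["id"] == 560:
            session = {"object": ev["object"], "user": acting_user(ev),
                       "requested": list(ev["accesses"]), "used": []}
            open_handles[key] = session
            sessions.append(session)
        elif ev["id"] == 567:
            session = open_handles.get(key)
            if session is None:
                orphans.append(ev)          # cannot be tied to an object open
            elif ev["access_used"] not in session["used"]:
                session["used"].append(ev["access_used"])
        elif ev["id"] == 562:
            open_handles.pop(key, None)     # handle lifetime ends here
    return sessions, orphans


def permission_changes(sessions):
    """Sessions where permission- or owner-changing access was exercised."""
    sensitive = {"WRITE_DAC", "WRITE_OWNER"}
    return [s for s in sessions if sensitive & set(s["used"])]


if __name__ == "__main__":
    found, unmatched = correlate(SAMPLE_EVENTS)
    for s in found:
        print(s["user"], s["object"], "requested", s["requested"], "used", s["used"])
    print("567 events without a 560:", len(unmatched))
```

The difference between the requested and used lists separates a handle that was merely opened with broad access from one on which the permission change was actually carried out.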

The following security events can be diagnosed by using security log entries.

Object failure auditing: All systems should have failure object access auditing enabled for files and folders, which will show event ID 560 when triggered. The event will be recorded in the security event log and will detail the file access that was prohibited, to whom it was prohibited, the date and time of the attempted access, and what access was requested.

Table 3.5 Common Policy Change Events
Event ID Description
608 A user right was assigned.
609 A user right was removed.
610 A trust relationship with another domain was created.
611 A trust relationship with another domain was removed.
612 An audit policy was changed.
613 An IPSEC Policy Agent was started. Parameters: Policy source.
614 An IPSEC Policy Agent was disabled. Parameters: Policy source.
615 An IPSEC Policy Agent changed. Parameters: Policy source.
616 An IPSEC Policy Agent encountered a potentially serious failure. Parameters: Policy source.
617 A Kerberos policy changed. Parameters: Changed by (user name, domain name, logon ID).
618 Encrypted Data Recovery Policy changed. Parameters: Changed by (user name, domain name, logon ID).
620 A trust relationship with another domain was modified. Parameters: Trusted domain information modified (domain name, domain ID), modified by (user name, domain name, logon ID), trust type, trust direction, trust attributes.
621 System access was granted to an account. Parameters: Access granted, account modified, assigned by (user name, domain name, and logon ID). System access permissions can be the following: interactive, network, batch, service, proxy, deny interactive, deny network, deny batch, deny service, remote interactive, or deny remote interactive.
622 System access was removed from an account. Parameters: Access removed, account modified, assigned by (user name, domain name, and logon ID). System access permissions are the same as listed in event ID Security Policy was changed or refreshed ( _ in the changes made field means that no changes were made during the refresh.)
768 A collision was detected between a namespace element in one forest and a namespace element in another forest. Parameters: Target type, target name, forest root, top level name, DNS name, NetBIOS name, SID, new flags. When a namespace element in one forest overlaps a namespace element in another forest, it can lead to ambiguity in resolving a name belonging to one of the namespace elements. This overlap is also called a collision. Not all parameters are valid for each namespace element. For example, parameters such as DNS name, NetBIOS name, and SID are not valid for a "TopLevelName" namespace element.
769 Trusted forest information was added. Parameters: Forest root, forest root SID, operation ID, entry type, flags, top level name, DNS name, NetBIOS name, domain SID, added by client user name, client domain, client logon ID. This event message is generated when forest trust information is updated and one or more entries are deleted. One event message is generated per deleted entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name, and SID are not valid for an entry of type "TopLevelName".

770 Trusted forest information was deleted. Parameters: Forest root, forest root SID, operation ID, entry type, flags, top level name, DNS name, NetBIOS name, domain SID, deleted by client user name, client domain, client logon ID. This event message is generated when forest trust information is updated and one or more entries are deleted. One event message is generated per deleted entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name, and SID are not valid for an entry of type "TopLevelName".
771 Trusted forest information was modified. Parameters: Forest root, forest root SID, operation ID, entry type, flags, top level name, DNS name, NetBIOS name, domain SID, added by, client user name, client domain, client logon ID. This event message is generated when forest trust information is updated and one or more entries are modified. One event message is generated per modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type "TopLevelName".

Note: The auditpol.exe utility allows you to change the policy settings on systems from the command line if desired, although it is best practice that a uniform policy is applied to all similarly configured systems (member servers, DCs, web servers, SQL Servers).

The following security events can be diagnosed by using security log entries.

Unauthorized Policy Changes: Event IDs 608 and 609 will show if a number of attacks have been attempted. Most deal with elevation of user rights, as denoted below. (You can use Ntrights.exe from the resource kit to manipulate the user rights on any system in the domain.)

Act as part of the operating system: Look for Event IDs 608 and 609 with user right SeTcbPrivilege in the event details.
Add workstations to the domain: Look for Event IDs 608 and 609 with the user right SeMachineAccountPrivilege.
Back up files and directories: Look for Event IDs 608 and 609 with user right SeBackupPrivilege in the event details.
Bypass traverse checking: Look for events with user right SeChangeNotifyPrivilege in the event details.
Change the system time: Look for events with user right SeSystemtimePrivilege in the event details.
Create permanent shared objects: Look for events with the user right SeCreatePermanentPrivilege in the event details.
Debug programs: Look for events with user right SeDebugPrivilege in the event details.
Force shutdown from a remote system: Look for events with user right SeRemoteShutdownPrivilege in the event details.
Increase scheduling priority: Look for events with user right SeIncreaseBasePriorityPrivilege in the event details.

Load and unload device drivers: Look for events with user right SeLoadDriverPrivilege in the event details.
Manage auditing and security log: Look for events with user right SeSecurityPrivilege in the event details. A user with this right can view and clear the security log. (This right should be extremely restricted.)
Replace a process level token: Look for events with user right SeAssignPrimaryTokenPrivilege in the event details.
Restore files and directories: Look for events with user right SeRestorePrivilege in the event details.
Shut down the system: Look for events with user right SeShutdownPrivilege in the event details.
Take ownership of files or other objects: Look for events with user right SeTakeOwnershipPrivilege in the event details. (Extremely restricted right.)

Table 3.6 Common Privilege Use Events
Event ID Description
576 Specified privileges were added to a user's access token. (Event is generated when a user logs on.) Parameters: Special privileges assigned to the new user (SeChangeNotifyPrivilege, SeAuditPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege), user name, domain, logon ID, privileges.
577 A user attempted to perform a privileged system service operation. Parameters: Privileged service called, server, service, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, privileges.
578 Privileges were used on an already open handle to a protected object. Parameters: Privileged object operation, object server, object handle, process ID, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, privileges.

The following security events can be diagnosed by using security log entries. Look for event ID 577 for the following user rights to determine if changes from your baseline are being attempted.

1) SeMachineAccountPrivilege
2) SeSystemtimePrivilege
3) SeBackupPrivilege
4) SeRemoteShutdownPrivilege
5) SeDebugPrivilege
6) SeLoadDriverPrivilege
7) SeSecurityPrivilege
8) SeAssignPrimaryTokenPrivilege
9) SeRestorePrivilege
10) SeShutdownPrivilege
11) SeTakeOwnershipPrivilege

Table 3.7 Common Process Tracking Events
Event ID Description
592 A new process was created. Parameters: New process ID, image file name, creator process ID, user name, domain, logon ID.
593 A process exited. Parameters: Process ID, image file name, user name, domain name, logon ID.
594 A handle to an object was duplicated. Parameters: Source handle ID, source process ID, target handle ID, target process ID.
595 Indirect access to an object was obtained. Parameters: Object type, object name, process ID, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, accesses.
596 A data protection master key was backed up. Parameters: Key ID, recovery server (the computer to which the key was backed up), recovery key ID (identifies the key on the domain controller that was used to encrypt the master key), failure reason. The master key is used by the CryptProtectData and CryptUnprotectData routines, and Encrypting File System (EFS). The master key is backed up each time a new one is created (the default is 90 days). The key is usually backed up to a domain controller.
597 A data protection master key was recovered from a recovery server. Parameters: Key ID, recovery server (the computer to which the key was backed up), recovery key ID (identifying the key on the domain controller used to encrypt the master key), failure reason.
598 Auditable data was protected. Parameters: Data description, key ID (the master key GUID), protected data flags (CRYPTPROTECT_AUDIT, which indicates that the audit should be generated, or CRYPTPROTECT_SYSTEM, which indicates that this is system information and should not be viewed in the user space), name of the protection algorithm, failure reason.
599 Auditable data was unprotected. Parameters: Data description, key ID, protected data flags (including CRYPTPROTECT_AUDIT, which indicates that the audit should be generated, and CRYPTPROTECT_SYSTEM, which indicates that this is system information and should not be viewed in the user space), name of the protection algorithm, failure reason.

Note: Process tracking will generate a large number of audit log entries and cause adverse effects on your systems; use it sparingly.
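The user-right checks on events 608, 609 and 577 listed above come down to comparing each event with an approved baseline. The following added example (not from the original guide) replays such events in order; the baseline, the group membership, the accounts and the field names are constructed assumptions.

```python
# Added example: replay user-right events 608 / 609 / 577 against a baseline.
# Accounts, baseline, group membership and events are constructed sample data;
# the field names ("right", "target", "user") are this example's own.

# The eleven rights the guide lists for review.
SENSITIVE_RIGHTS = {
    "SeMachineAccountPrivilege", "SeSystemtimePrivilege", "SeBackupPrivilege",
    "SeRemoteShutdownPrivilege", "SeDebugPrivilege", "SeLoadDriverPrivilege",
    "SeSecurityPrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeRestorePrivilege", "SeShutdownPrivilege", "SeTakeOwnershipPrivilege",
}

# Hypothetical approved holders of each right, and members of holder groups.
BASELINE = {
    "SeBackupPrivilege": {"CORP\\Backup Operators"},
    "SeDebugPrivilege": {"CORP\\Administrators"},
    "SeSecurityPrivilege": {"CORP\\Administrators"},
}
GROUP_MEMBERS = {"CORP\\Administrators": {"CORP\\alice"}}

SAMPLE_EVENTS = [
    {"seq": 1, "id": 608, "right": "SeDebugPrivilege", "target": "CORP\\tmpadmin"},
    {"seq": 2, "id": 577, "right": "SeDebugPrivilege", "user": "CORP\\tmpadmin"},
    {"seq": 3, "id": 609, "right": "SeDebugPrivilege", "target": "CORP\\tmpadmin"},
    {"seq": 4, "id": 609, "right": "SeSecurityPrivilege", "target": "CORP\\Administrators"},
    {"seq": 5, "id": 608, "right": "SeBackupPrivilege", "target": "CORP\\Backup Operators"},
    {"seq": 6, "id": 577, "right": "SeChangeNotifyPrivilege", "user": "CORP\\bob"},
    {"seq": 7, "id": 577, "right": "SeDebugPrivilege", "user": "CORP\\alice"},
    {"seq": 8, "id": 608, "right": "SeLoadDriverPrivilege", "target": "CORP\\svc_print"},
]


def approved(right):
    """Baseline holders of a right plus the direct members of holder groups."""
    holders = set(BASELINE.get(right, ()))
    for principal in list(holders):
        holders |= GROUP_MEMBERS.get(principal, set())
    return holders


def audit_rights(events):
    """Return (findings, outstanding) for a list of 608/609/577 events.

    findings    - (kind, right, account) tuples in event order
    outstanding - out-of-baseline grants that were never removed again
    """
    findings = []
    outstanding = {}                     # (right, account) -> seq of the grant
    for ev in sorted(events, key=lambda e: e["seq"]):
        right = ev["right"]
        if right not in SENSITIVE_RIGHTS:
            continue                     # e.g. SeChangeNotifyPrivilege noise
        allowed = approved(right)
        if ev["id"] == 608:
            if ev["target"] not in allowed:
                outstanding[(right, ev["target"])] = ev["seq"]
                findings.append(("GRANT_OUTSIDE_BASELINE", right, ev["target"]))
        elif ev["id"] == 609:
            if outstanding.pop((right, ev["target"]), None) is not None:
                # Granted and removed again: the end state looks clean.
                findings.append(("TEMPORARY_GRANT_REMOVED", right, ev["target"]))
            elif ev["target"] in BASELINE.get(right, ()):
                findings.append(("BASELINE_HOLDER_REMOVED", right, ev["target"]))
        elif ev["id"] == 577:
            if ev["user"] not in allowed:
                findings.append(("USE_OUTSIDE_BASELINE", right, ev["user"]))
    return findings, sorted(outstanding)


if __name__ == "__main__":
    results, still_held = audit_rights(SAMPLE_EVENTS)
    for finding in results:
        print(*finding)
    print("still held outside baseline:", still_held)
```

Replaying the events in order is what exposes the grant that was removed again; a comparison of the final rights assignment with the baseline would show nothing for that account.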
Table 3.8 Common System Events
Event ID Description
512 Windows is starting up.
513 Windows is shutting down.
514 An authentication package was loaded by the Local Security Authority (LSA). Parameters: Authentication package name.
515 A trusted logon process has registered with the LSA. Parameters: Logon process name.
516 Internal resources allocated for the queuing of security event messages have been exhausted, leading to the loss of some security event messages. Parameters: Number of audit messages discarded. You need to adjust the amount of auditing you are doing; check whether success auditing of process tracking is turned on.
517 The security log was cleared. Parameters: Primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID. Is this a valid clearing of the security log? Or is it a rogue admin trying to cover his tracks A notification package was loaded by the Security Accounts Manager (SAM). Parameter: Notification package name.
519 A process is using an invalid local procedure call (LPC) port in an attempt to impersonate a client and reply or read from or write to a client address. Parameters: Process ID, type of invalid use (either impersonation or reply), server port name, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID.
520 System time was changed. Parameters: Process ID, process name, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, previous time, new time.

The following security events can be diagnosed by using security log entries.

Computer Shutdown/Restart: Event ID 513 shows Windows shutting down. Tracking this along with successful use of SeShutdownPrivilege and SeRemoteShutdownPrivilege will determine when your systems were shut down and by whom.

Modifying or Clearing of the Security Log: An attacker will try to modify the security logs, disable auditing during an attack, or clear the event log to prevent detection. If you notice large blocks of time with no entries in the security log, look for event IDs 612 and 517 to determine which user modified the security policy.

Kerberos Errors and troubleshooting: First, ensure that the PC or system can connect to the following ports:
UDP/TCP port 53 for DNS.
UDP/TCP port 88 for KDC TGS.
UDP/TCP port 123 for Time Service.
TCP port 464 for Microsoft Kerberos change password protocol.

To view these errors you must set the following key on the Domain Controller and reboot.
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Type: REG_DWORD
Value Data: 0x1
Quit the registry editor and reboot the system.

Utilities used to troubleshoot the issues are the following:
Klist.exe (Windows 2000, 2003 resource tools)
Kerbtray (Windows 2000, 2003 resource tools)

Kerberos errors will show up with event ID 4, 594.

This error occurs if duplica exist. Unique principal nam ensuring mutual authentica or LDIFDE utility and dire Troubleshooting Kerberos steps to remove SPN.

By default, the address fie and realm, the list of transit initial authentication, the ex authorization data of the ne be copied from the ticket-g or renewable ticket. If the t be updated, but the transite supported, the KDC_ERR_ error is returned.

20 !"#" ' D 8%% %4 9 9*4 8% %4 1F1" 2 $ 1F1%4 11*4F:1*4 0#1 1C1!"# 1C1 C # 61?E#0 61?A6# 5 $ 7 $$ = $' B $2 D $5 %I: %9:!%%I:!%%9:. I *:. J)*8+.% J)* () 1? 11 K!)1)E) ) &)**4+ ) 18**) *#1* J)*. &!A+:#8 (),8)/9-1)**) *: *+.* * + * *:)*:.!"6"#0&0 K!116! 0 F!"! "8!) ** **+* & &#1F#1C &11 # &11C" &1 8 ' #:**4* 88 $'$ 1*4 $'' 1*4% $$'2 () 1)*. +: )** +:,!+ $D& 1+ %)8 8)*4 4. *4.)+ :. )*48+% F) *;* 1*4 %, *) * -'$+8) % 1* )*.) * *% *)8&.4


More information

Securing. Active. Directory. Your. Five Key Lessons to. Chapters. Sponsored by: 1. Perform a Self-Audit

Securing. Active. Directory. Your. Five Key Lessons to. Chapters. Sponsored by: 1. Perform a Self-Audit Five Key Lessons to Securing Your Active Directory Chapters Roberta Bragg MCSE, CISSP, Author, Columnist, Speaker, Consultant 1. Perform a Self-Audit 2. Know and Use Security Tools and Techniques 3. Monitor

More information

NETASQ SSO Agent Installation and deployment

NETASQ SSO Agent Installation and deployment NETASQ SSO Agent Installation and deployment Document version: 1.3 Reference: naentno_sso_agent Page 1 / 20 Copyright NETASQ 2013 General information 3 Principle 3 Requirements 3 Active Directory user

More information

Belarc Advisor Security Benchmark Summary

Belarc Advisor Security Benchmark Summary Page 1 of 5 The license associated with the Belarc Advisor product allows for free personal use only. Use on multiple computers in a corporate, educational, military or government installation is prohibited.

More information

Windows Operating Systems. Basic Security

Windows Operating Systems. Basic Security Windows Operating Systems Basic Security Objectives Explain Windows Operating System (OS) common configurations Recognize OS related threats Apply major steps in securing the OS Windows Operating System

More information

Embedded Web Server Security

Embedded Web Server Security Embedded Web Server Security Administrator's Guide September 2014 www.lexmark.com Model(s): C54x, C73x, C746, C748, C792, C925, C950, E260, E360, E46x, T65x, W850, X264, X36x, X46x, X543, X544, X546, X548,

More information

Locking down a Hitachi ID Suite server

Locking down a Hitachi ID Suite server Locking down a Hitachi ID Suite server 2016 Hitachi ID Systems, Inc. All rights reserved. Organizations deploying Hitachi ID Identity and Access Management Suite need to understand how to secure its runtime

More information

Customer Tips. Basic E-mail Configuration and Troubleshooting. for the user. Overview. Basic Configuration. Xerox Multifunction Devices.

Customer Tips. Basic E-mail Configuration and Troubleshooting. for the user. Overview. Basic Configuration. Xerox Multifunction Devices. Xerox Multifunction Devices Customer Tips November 24, 2003 This document applies to these Xerox products: x WC Pro 32/40 Color x WC Pro 65/75/90 x WC Pro 35/45/55 WC M35/M45/M55 x DC 555/545/535 x DC

More information

Websense Support Webinar: Questions and Answers

Websense Support Webinar: Questions and Answers Websense Support Webinar: Questions and Answers Configuring Websense Web Security v7 with Your Directory Service Can updating to Native Mode from Active Directory (AD) Mixed Mode affect transparent user

More information

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Course Number: 6425C Course Length: 5 Days Course Overview This five-day course provides in-depth training on implementing,

More information

המרכז ללימודי חוץ המכללה האקדמית ספיר. ד.נ חוף אשקלון 79165 טל'- 08-6801535 פקס- 08-6801543 בשיתוף עם מכללת הנגב ע"ש ספיר

המרכז ללימודי חוץ המכללה האקדמית ספיר. ד.נ חוף אשקלון 79165 טל'- 08-6801535 פקס- 08-6801543 בשיתוף עם מכללת הנגב עש ספיר מודולות הלימוד של מייקרוסופט הקורס מחולק ל 4 מודולות כמפורט:.1Configuring Microsoft Windows Vista Client 70-620 Installing and upgrading Windows Vista Identify hardware requirements. Perform a clean installation.

More information

Configuring Security Features of Session Recording

Configuring Security Features of Session Recording Configuring Security Features of Session Recording Summary This article provides information about the security features of Citrix Session Recording and outlines the process of configuring Session Recording

More information

DC Agent Troubleshooting

DC Agent Troubleshooting DC Agent Troubleshooting Topic 50320 DC Agent Troubleshooting Web Security Solutions v7.7.x, 7.8.x 27-Mar-2013 This collection includes the following articles to help you troubleshoot DC Agent installation

More information

Juniper Networks Secure Access Kerberos Constrained Delegation

Juniper Networks Secure Access Kerberos Constrained Delegation Juniper Networks Secure Access Kerberos Constrained Delegation Release 6.4 CONTENT 1. BACKGROUND...3 2. SETTING UP CONSTRAINED DELEGATION...5 2.1 ACTIVE DIRECTORY CONFIGURATION...5 2.1.1 Create a Kerberos

More information

MCSA Security + Certification Program

MCSA Security + Certification Program MCSA Security + Certification Program 12 credit hours 270 hours to complete certifications Tuition: $4500 Information technology positions are high-demand occupations that support virtually all industries.

More information

How the Active Directory Installation Wizard Works

How the Active Directory Installation Wizard Works How the Active Directory Installation Wizard Works - Directory Services: Windows Serv... Page 1 of 18 How the Active Directory Installation Wizard Works In this section Active Directory Installation Wizard

More information

Using Logon Agent for Transparent User Identification

Using Logon Agent for Transparent User Identification Using Logon Agent for Transparent User Identification Websense Logon Agent (also called Authentication Server) identifies users in real time, as they log on to domains. Logon Agent works with the Websense

More information

Windows 2000/XP DSS Auditing Written by: Darren Bennett - CISSP Originally Written 08/04/04 Last Updated 08/07/04

Windows 2000/XP DSS Auditing Written by: Darren Bennett - CISSP Originally Written 08/04/04 Last Updated 08/07/04 Windows 2000/XP DSS Auditing Written by: Darren Bennett - CISSP Originally Written 08/04/04 Last Updated 08/07/04 Intro: The NISPOM Chapter 8 establishes requirements for auditing and securing information

More information

Intel Entry Storage System SS4200-E Active Directory Implementation and Troubleshooting

Intel Entry Storage System SS4200-E Active Directory Implementation and Troubleshooting Intel Entry Storage System SS4200-E Active Directory Implementation and Troubleshooting 1 Active Directory Overview SS4200-E Active Directory is based on the Samba 3 implementation The SS4200-E will function

More information

70 299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network

70 299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network 70 299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network Course Number: 70 299 Length: 1 Day(s) Course Overview This course is part of the MCSA training.. Prerequisites

More information

Password Power 8 Plug-In for Lotus Domino Single Sign-On via Kerberos

Password Power 8 Plug-In for Lotus Domino Single Sign-On via Kerberos Password Power 8 Plug-In for Lotus Domino Single Sign-On via Kerberos PistolStar, Inc. PO Box 1226 Amherst, NH 03031 USA Phone: 603.547.1200 Fax: 603.546.2309 E-mail: salesteam@pistolstar.com Website:

More information

Defense Security Service Office of the Designated Approving Authority

Defense Security Service Office of the Designated Approving Authority Defense Security Service Office of the Designated Approving Authority Baseline Technical Security Configuration of Microsoft Windows 7 and Microsoft Server 2008 R2 Version 1.0 Title Page Document Name:

More information

ITCertMaster. http://www.itcertmaster.com. Safe, simple and fast. 100% Pass guarantee! IT Certification Guaranteed, The Easy Way!

ITCertMaster. http://www.itcertmaster.com. Safe, simple and fast. 100% Pass guarantee! IT Certification Guaranteed, The Easy Way! ITCertMaster Safe, simple and fast. 100% Pass guarantee! http://www.itcertmaster.com IT Certification Guaranteed, The Easy Way! Exam : 070-640 Title : Windows Server 2008 Active Directory. Configuring

More information

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date: A SYSTEMS UNDERSTANDING A 1.0 Organization Objective: To ensure that the audit team has a clear understanding of the delineation of responsibilities for system administration and maintenance. A 1.1 Determine

More information

Table Of Contents. - Microsoft Windows - WINDOWS XP - IMPLEMENTING & SUPPORTING MICROSOFT WINDOWS XP PROFESSIONAL...10

Table Of Contents. - Microsoft Windows - WINDOWS XP - IMPLEMENTING & SUPPORTING MICROSOFT WINDOWS XP PROFESSIONAL...10 Table Of Contents - - WINDOWS SERVER 2003 MAINTAINING AND MANAGING ENVIRONMENT...1 WINDOWS SERVER 2003 IMPLEMENTING, MANAGING & MAINTAINING...6 WINDOWS XP - IMPLEMENTING & SUPPORTING MICROSOFT WINDOWS

More information

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite. www.lepide.com/2020-suite/

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite. www.lepide.com/2020-suite/ Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite 7. Restrict access to cardholder data by business need to know PCI Article (PCI DSS 3) Report Mapping How we help 7.1 Limit access to system

More information

Active Directory Self-Service FAQ

Active Directory Self-Service FAQ Active Directory Self-Service FAQ General Information: info@cionsystems.com Online Support: support@cionsystems.com CionSystems Inc. Mailing Address: 16625 Redmond Way, Ste M106 Redmond, WA. 98052 http://www.cionsystems.com

More information

Password Reset PRO. Quick Setup Guide for Single Server or Two-Tier Installation

Password Reset PRO. Quick Setup Guide for Single Server or Two-Tier Installation Password Reset PRO Quick Setup Guide for Single Server or Two-Tier Installation This guide covers the features and settings available in Password Reset PRO version 3.x.x. Please read this guide completely

More information

FreeIPA 3.3 Trust features

FreeIPA 3.3 Trust features FreeIPA 3.3 features Sumit Bose, Alexander Bokovoy March 2014 FreeIPA and Active Directory FreeIPA and Active Directory both provide identity management solutions on top of the Kerberos infrastructure

More information

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams

More information

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Course Number: 6425B Course Length: 5 Days Course Overview This five-day course provides to teach Active Directory Technology

More information

Implementing HIPAA Compliance with ScriptLogic

Implementing HIPAA Compliance with ScriptLogic Implementing HIPAA Compliance with ScriptLogic A ScriptLogic Product Positioning Paper By Nick Cavalancia 1.800.424.9411 www.scriptlogic.com Table of Contents INTRODUCTION... 3 HIPAA BACKGROUND... 3 ADMINISTRATIVE

More information

How To - Implement Single Sign On Authentication with Active Directory

How To - Implement Single Sign On Authentication with Active Directory How To - Implement Single Sign On Authentication with Active Directory Applicable to English version of Windows This article describes how to implement single sign on authentication with Active Directory

More information

Configuring Sponsor Authentication

Configuring Sponsor Authentication CHAPTER 4 Sponsors are the people who use Cisco NAC Guest Server to create guest accounts. Sponsor authentication authenticates sponsor users to the Sponsor interface of the Guest Server. There are five

More information

Description of Microsoft Internet Information Services (IIS) 5.0 and

Description of Microsoft Internet Information Services (IIS) 5.0 and Page 1 of 10 Article ID: 318380 - Last Review: July 7, 2008 - Revision: 8.1 Description of Microsoft Internet Information Services (IIS) 5.0 and 6.0 status codes This article was previously published under

More information

Building the SAP Business One Cloud Landscape Part of the SAP Business One Cloud Landscape Workshop

Building the SAP Business One Cloud Landscape Part of the SAP Business One Cloud Landscape Workshop Building the SAP Business One Cloud Landscape Part of the SAP Business One Cloud Landscape Workshop TABLE OF CONTENTS 1 INTRODUCTION... 3 2 LANDSCAPE DETAILS... 3 2.1 Server Details... 3 2.2 Landscape

More information

Introduction to Auditing Active Directory

Introduction to Auditing Active Directory Introduction to Auditing Active Directory Prepared and presented by: Tanya Baccam CPA, CITP, CISSP, CISA, CISM, GPPA, GCIH, GSEC, OCP DBA Baccam Consulting LLC tanya@securityaudits.org Objectives Understand

More information

e-governance Password Management Guidelines Draft 0.1

e-governance Password Management Guidelines Draft 0.1 e-governance Password Management Guidelines Draft 0.1 DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S.

More information

Ecora Enterprise Auditor Instructional Whitepaper. Who Made Change

Ecora Enterprise Auditor Instructional Whitepaper. Who Made Change Ecora Enterprise Auditor Instructional Whitepaper Who Made Change Ecora Enterprise Auditor Who Made Change Instructional Whitepaper Introduction... 3 Purpose... 3 Step 1 - Enabling audit in Windows...

More information

Windows Log Monitoring Best Practices for Security and Compliance

Windows Log Monitoring Best Practices for Security and Compliance Windows Log Monitoring Best Practices for Security and Compliance Table of Contents Introduction... 3 Overview... 4 Major Security Events and Policy Changes... 6 Major Security Events and Policy Changes

More information

GFI White Paper PCI-DSS compliance and GFI Software products

GFI White Paper PCI-DSS compliance and GFI Software products White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption

More information

Security Provider Integration LDAP Server

Security Provider Integration LDAP Server Security Provider Integration LDAP Server 2015 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are the property

More information

Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure

Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure Question Number (ID) : 1 (jaamsp_mngnwi-025) Lisa would like to configure five of her 15 Web servers, which are running Microsoft Windows Server 2003, Web Edition, to always receive specific IP addresses

More information

Terminal Services Tools and Settings - Terminal Services: %PRODUCT%

Terminal Services Tools and Settings - Terminal Services: %PRODUCT% Page 1 of 10 Terminal Services Tools and Settings In this section Terminal Services Tools Terminal Services Registry Entries Terminal Services Group Policy Settings Terminal Services WMI Classes Network

More information

PASS4TEST 専 門 IT 認 証 試 験 問 題 集 提 供 者

PASS4TEST 専 門 IT 認 証 試 験 問 題 集 提 供 者 PASS4TEST 専 門 IT 認 証 試 験 問 題 集 提 供 者 http://www.pass4test.jp 1 年 で 無 料 進 級 することに 提 供 する Exam : 70-640 Title : Windows Server 2008 Active Directory. Configuring Vendors : Microsoft Version : DEMO NO.1 An

More information

Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure

Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure Question Number (ID) : 1 (wmpmsp_mngnwi-121) You are an administrator for an organization that provides Internet connectivity to users from the corporate network. Several users complain that they cannot

More information

CA Performance Center

CA Performance Center CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is

More information

Astaro Security Gateway V8. Remote Access via L2TP over IPSec Configuring ASG and Client

Astaro Security Gateway V8. Remote Access via L2TP over IPSec Configuring ASG and Client Astaro Security Gateway V8 Remote Access via L2TP over IPSec Configuring ASG and Client 1. Introduction This guide contains complementary information on the Administration Guide and the Online Help. If

More information

Colubris TechNote. Testing and Troubleshooting Active- Directory. Revision 1.3 Mar. 2008 Author: Dave Leger

Colubris TechNote. Testing and Troubleshooting Active- Directory. Revision 1.3 Mar. 2008 Author: Dave Leger Colubris TechNote Testing and Troubleshooting Active- Directory Revision 1.3 Mar. 2008 Author: Dave Leger Colubris Networks 200 West St. Suite 300 Waltham, MA 02451 www.colubris.com Page 1 Contents OBJECTIVE...

More information

Restructuring Active Directory Domains Within a Forest

Restructuring Active Directory Domains Within a Forest C H A P T E R 1 2 Restructuring Active Directory Domains Within a Forest Restructuring Active Directory directory service domains within a forest with the goal of reducing the number of domains allows

More information

Managing and Maintaining a Microsoft Windows Server 2003 Environment

Managing and Maintaining a Microsoft Windows Server 2003 Environment Managing and Maintaining a Microsoft Windows Server 2003 Environment Course 2273: Five days; Blended (classroom/e-learning) Introduction Elements of this syllabus are subject to change. This course combines

More information

qliqdirect Active Directory Guide

qliqdirect Active Directory Guide qliqdirect Active Directory Guide qliqdirect is a Windows Service with Active Directory Interface. qliqdirect resides in your network/server and communicates with qliqsoft cloud servers securely. qliqdirect

More information

Remote Access Procedure. e-governance

Remote Access Procedure. e-governance for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S/L Type of Information Document

More information

Managing Your Microsoft Windows Server Fleet with AWS Directory Service. May 2015

Managing Your Microsoft Windows Server Fleet with AWS Directory Service. May 2015 Managing Your Microsoft Windows Server Fleet with AWS Directory Service May 2015 2015, Amazon Web Services, Inc. or its affiliates. All rights reserved. Notices This document is provided for informational

More information

Using DC Agent for Transparent User Identification

Using DC Agent for Transparent User Identification Using DC Agent for Transparent User Identification Using DC Agent Web Security Solutions v7.7, 7.8 If your organization uses Microsoft Windows Active Directory, you can use Websense DC Agent to identify

More information

SECO Whitepaper. SuisseID Smart Card Logon Configuration Guide. Prepared for SECO. Publish Date 19.05.2010 Version V1.0

SECO Whitepaper. SuisseID Smart Card Logon Configuration Guide. Prepared for SECO. Publish Date 19.05.2010 Version V1.0 SECO Whitepaper SuisseID Smart Card Logon Configuration Guide Prepared for SECO Publish Date 19.05.2010 Version V1.0 Prepared by Martin Sieber (Microsoft) Contributors Kunal Kodkani (Microsoft) Template

More information

Introduction. Versions Used Windows Server 2003

Introduction. Versions Used Windows Server 2003 Training Installing Active Directory Introduction As SonicWALL s products and firmware keeps getting more features that are based on integration with Active Directory, e.g., Active Directory Connector

More information

Installing, Configuring, and Managing a Microsoft Active Directory

Installing, Configuring, and Managing a Microsoft Active Directory Installing, Configuring, and Managing a Microsoft Active Directory Course Outline Part 1: Configuring and Managing Active Directory Domain Services Installing Active Directory Domain Services Managing

More information

6425C - Windows Server 2008 R2 Active Directory Domain Services

6425C - Windows Server 2008 R2 Active Directory Domain Services Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Introduction This five-day instructor-led course provides in-depth training on configuring Active Directory Domain Services

More information

Windows 2000 Security Architecture. Peter Brundrett Program Manager Windows 2000 Security Microsoft Corporation

Windows 2000 Security Architecture. Peter Brundrett Program Manager Windows 2000 Security Microsoft Corporation Windows 2000 Security Architecture Peter Brundrett Program Manager Windows 2000 Security Microsoft Corporation Topics Single Sign-on Kerberos v5 integration Active Directory security Delegation of authentication

More information

Use 802.1x EAP-TLS or PEAP-MS-CHAP v2 with Microsoft Windows Server 2003 to Make a Secure Network

Use 802.1x EAP-TLS or PEAP-MS-CHAP v2 with Microsoft Windows Server 2003 to Make a Secure Network How To Use 802.1x EAP-TLS or PEAP-MS-CHAP v2 with Microsoft Windows Server 2003 to Make a Secure Network Introduction This document describes how to create a secure LAN, using two servers and an 802.1xcompatible

More information

SECURITY BEST PRACTICES FOR CISCO PERSONAL ASSISTANT (1.4X)

SECURITY BEST PRACTICES FOR CISCO PERSONAL ASSISTANT (1.4X) WHITE PAPER SECURITY BEST PRACTICES FOR CISCO PERSONAL ASSISTANT (1.4X) INTRODUCTION This document covers the recommended best practices for hardening a Cisco Personal Assistant 1.4(x) server. The term

More information

Advanced Audit Policy Configurations for LT Auditor+ Reference Guide

Advanced Audit Policy Configurations for LT Auditor+ Reference Guide Advanced Audit Policy Configurations for LT Auditor+ Reference Guide Contents WINDOWS AUDIT POLICIES REQUIRED FOR LT AUDITOR+....3 ACTIVE DIRECTORY...3 Audit Policy for the Domain...3 Advanced Auditing

More information

Admin Report Kit for Active Directory

Admin Report Kit for Active Directory Admin Report Kit for Active Directory Reporting tool for Microsoft Active Directory Enterprise Product Overview Admin Report Kit for Active Directory (ARKAD) is a powerful reporting solution for the Microsoft

More information

Lesson Plans Administering Security in a Server 2003 Network

Lesson Plans Administering Security in a Server 2003 Network Lesson Plans Administering Security in a Server 2003 Network (Exam 70-299) Version 2.0 Table of Contents Table of Contents... 1 Course Overview... 2 Section 1.1: Course Introduction... 4 Section 1.2: Active

More information

KASPERSKY LAB. Kaspersky Administration Kit version 6.0. Administrator s manual

KASPERSKY LAB. Kaspersky Administration Kit version 6.0. Administrator s manual KASPERSKY LAB Kaspersky Administration Kit version 6.0 Administrator s manual KASPERSKY ADMINISTRATION KIT VERSION 6.0 Administrator s manual Kaspersky Lab Visit our website: http://www.kaspersky.com/

More information

Domain Controller Failover When Using Active Directory

Domain Controller Failover When Using Active Directory Domain Controller Failover When Using Active Directory Domain Controller Failover When Using Active Directory published January 2002 NSI and Double-Take are registered trademarks of Network Specialists,

More information

Installation of MicroSoft Active Directory

Installation of MicroSoft Active Directory Installation of MicroSoft Active Directory Before you start following this article you must be aware this is simply a lab setup and you need to assign relevant ip address, hostnames & domain names which

More information

Client Error Messages

Client Error Messages Junos Pulse Client Error Messages Release 5.0 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408 745 2000 or 888 JUNIPER www.juniper.net December 2013 Juniper Networks, Junos,

More information

Guide to deploy MyUSBOnly via Windows Logon Script Revision 1.1. Menu

Guide to deploy MyUSBOnly via Windows Logon Script Revision 1.1. Menu Menu INTRODUCTION...2 HOW DO I DEPLOY MYUSBONLY ON ALL OF MY COMPUTERS...3 ADMIN KIT...4 HOW TO SETUP A LOGON SCRIPTS...5 Why would I choose one method over another?...5 Can I use both methods to assign

More information

Audit Policy Subcategories

Audit Policy Subcategories 668 CHAPTER 20 Windows Server 2008 R2 Management and Maintenance Practices These recommended settings are sufficient for the majority of organizations. However, they can generate a heavy volume of events

More information

Field Description Example. IP address of your DNS server. It is used to resolve fully qualified domain names

Field Description Example. IP address of your DNS server. It is used to resolve fully qualified domain names DataCove DT Active Directory Authentication In Active Directory (AD) authentication mode, the server uses NTLM v2 and LDAP protocols to authenticate users residing in Active Directory. The login procedure

More information