Microsoft Auditing Events for Windows 2000/2003 Active Directory
By Ed Ziots
Version 1.6, 9/20/2005

Revision history:
  1.3: Cleaned up resources and added additional detail to each auditing table.
  1.4: Added Kerberos authentication information and troubleshooting.
  1.5: Added documentation on NT rights and privileges and examples for securing systems.
  1.6: Will add security of services, the registry and the file system, with examples using subinacl.exe and security templates.
  1.7: Will add security of Active Directory using the Delegation of Control wizard and dsacls.exe.

References:
  (1) Microsoft Windows 2000 Security Operations Guide.
  (2) Microsoft Windows 2000 Security Resource Kit.
  (3) Microsoft Windows 2000 Server Resource Kit, Distributed Systems Guide.
  (4) Microsoft Windows 2000 Server Administrator's Companion.
  (5) NSA Guide to Securing Windows 2000 Server.
  (6) Troubleshooting Kerberos Errors (March 2004).
  (7) Microsoft KB Article 230476 (Common Kerberos-Related Errors).
  (8) MIT Kerberos 5 Protocol Constraints and Values: http://web.mit.edu/kerberos/www/krb5-1.4/krb5-1.4.2/doc/krb5-protocol/krb5.constants
  (9) IETF RFC 1510 (Kerberos v5).
  (10) Kerberos Authentication Tools and Settings: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/techref/b36b8071-3cc5-46fa-be13-280aa43f2fd2.mspx
  (11) The Security Monitoring and Attack Prevention Planning Guide (Microsoft Corporation).
  (12) Windows 2003 Resource Kit Guide (Microsoft Corporation).
  (13) Mastering Windows 2003 (Mark Minasi).
  (14) Windows 2003 Administrator's Companion (Microsoft Corporation).
  (15) The Services and Service Accounts Security Planning Guide (Microsoft Corporation).
Audit policy categories:

Account Logon events: A domain controller received a request to validate a user account. (Enabled for success and failure on all Windows 2000 DCs.) These events are recorded on the domain controller that validated the credentials, not on the computer where the session was created.
Account Management: An administrator created, changed or deleted a user account or group; a user account was renamed, disabled or enabled; or a password was set or changed.
Directory Service Access: A user gained access to an Active Directory object. You must configure auditing on specific Active Directory objects to log this type of event.
Logon Events: A user logged on to or off the Windows 2000 computer. These events are recorded on the computer where the logon session was created.
Object Access: A user gained access to a file, folder or printer. You must configure auditing on specific files, folders or printers. (Directory service access audits a user's access to specific Active Directory objects; object access audits a user's access to files, folders and printers.)
Policy Change: A change was made to the user security options, user rights or audit policies.
Privilege Use: A user exercised a right, such as changing the system time. (This does not include rights related to logging on and off.)
Process Tracking: A program performed an action. This information is generally useful only for programmers who want to track details of program execution.
System: A user restarted or shut down the computer, or an event occurred that affects Windows 2000 security or the security log.

Events that appear in the Security event log and their descriptions (from the Microsoft Security Operations Guide, pages 104-115). Security event descriptions for Windows 2000 are detailed in Microsoft Knowledge Base articles 299475 (Windows 2000 Security Event Descriptions, Part 1 of 2) and 301677 (Part 2 of 2). Use EventCombMT.exe to collect and parse event logs from multiple computers.

Table 3.1: Common Logon Events that Appear in the Security Event Log

Event ID  Description
528  A user successfully logged on to a computer.
     Parameters: User name, domain or workstation involved in the logon attempt, logon ID, logon type, source of the logon attempt, authentication package (NTLM, Kerberos V5 or Negotiate) involved in the logon attempt, workstation name.
529  The logon attempt was made with an unknown user name or a known user name with a bad password.
     Parameters: User name, domain or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made.
     Check for attempts where the Target Account Name is Administrator and the Domain Name is unknown, or where the Target Account Name is root.
530  The user account tried to log on outside of the allowed time.
     Parameters: same as 529. Logon time restrictions can only be configured for domain accounts; for non-domain accounts it is still possible to configure logon time restrictions programmatically.
531  A logon attempt was made using a disabled account.
     Parameters: same as 529.
532  A logon attempt was made using an expired account.
     Parameters: same as 529.
533  The user is not allowed to log on at this computer.
     Parameters: same as 529.
534  The user attempted to log on with a logon type that is not allowed, such as network, interactive, batch, service or remote interactive.
     Parameters: same as 529. (See Note 1 for the known logon types.) Check the Target Account Name, Workstation Name and logon type.
535  The password for the specified account has expired.
     Parameters: same as 529.
536  The Net Logon service is not active.
     Parameters: same as 529. The Net Logon service is needed for domain-style logon attempts, or for logon attempts to an account that does not exist on the workstation at which the logon attempt is occurring.
537  The logon attempt failed for other reasons.
     Parameters: same as 529, plus one or two status codes indicating why the logon failed. In some cases the reason for the failure is not known. To look up a status code, search for Ntstatus.h or Winerror.h and open it in a text editor such as Notepad, or use err.exe to look up the code.
538  The user logged off.
     Parameters: same as 529. The logoff message can be caused by any type of logoff.
539  The account was locked out at the time the logon attempt was made.
     Parameters: same as 529. This event can indicate that a password attack was launched unsuccessfully, resulting in the account being locked out.
540  Successful network logon.
     Parameters: same as 528. This event indicates that a remote user successfully connected over the network to a local resource on the server, generating a token for the network user.
541  Main mode Internet Key Exchange (IKE) authentication was completed between the local computer and the listed peer identity (a security association was established), or quick mode established a data channel.
     Parameters: Mode (main or quick), the IP address and name of the other host involved in the authentication, a filter specifying source and destination addresses (a specific IP address, an IP subnet, or all computers), encryption algorithm, hashing algorithm, and timeout for the security association.
542  A data channel was terminated.
     Parameters: Mode (main or quick), a filter indicating a subnet, a particular host or all computers, the inbound Security Parameter Index (SPI) of the local host, the outbound SPI (the other peer in the connection). Note: data transfer mode is the same as quick mode (QM).
543  Main mode was terminated.
     Parameters: A filter indicating a subnet, a particular host or all computers. This can occur because the time limit on the security association expired (the default is eight hours), because of a policy change, peer termination, and so on.
544  Main mode authentication failed because the peer did not provide a valid certificate or the signature was not validated.
     Parameters: Peer identity (the other host involved in the authentication), a filter indicating a subnet, a particular host or all computers.
545  Main mode authentication failed because of a Kerberos failure or an invalid password.
     Parameters: same as 544.
546  IKE security association establishment failed because the peer sent an invalid proposal; a packet was received containing invalid data.
     Parameters: Mode (main or quick, depending on when the error occurred), a filter indicating a subnet, a particular host or all computers, incorrect attribute, expected value, received value.
547  A failure occurred during an IKE handshake.
     Parameters: Mode (indicates when the failure occurred), a filter indicating a subnet, a particular host or all computers, the point of failure, and the reason for the failure.
548  The security ID (SID) from a trusted domain does not match the home domain SID of the client.
     Parameters: User name, domain name, logon type, logon process, authentication package, workstation name, impersonated domain.
549  All SIDs were filtered out during a cross-forest authentication.
     Parameters: User name, domain name, logon type, logon process, authentication package, workstation name. During cross-forest authentication, all SIDs corresponding to untrusted namespaces are filtered out. This event is triggered when that filtering removes every SID.
550  Indicates a possible denial-of-service attack.
     Parameters: none, other than text describing the beginning or end of a denial-of-service attack. This event is generated when IKE has a large number of pending requests to establish security associations and enters denial-of-service prevention mode. This may be normal under high load or a large number of client connection attempts; it may also be the result of a denial-of-service attack against IKE. If it is an attack, there are usually many audits for failed IKE negotiations from spoofed IP addresses; otherwise the computer is simply very heavily loaded.
600  A process was assigned a primary token. This event occurs when a service uses a named account to log on to a computer that runs Windows XP or later. Correlate with event IDs 672, 673, 528 and 592.
627  NT AUTHORITY\ANONYMOUS LOGON attempted a password change. (This can be an unauthenticated password change, for example from a Windows 9x client.)
682  A user reconnected to a disconnected Terminal Services session.
683  A user disconnected a Terminal Services session without logging off. This event is generated when a user is connected to a Terminal Services session over the network; it appears on the terminal server. (See Note 2 for information on the Terminal Services setup.)

Notes:
1) The common logon types are:
   2   Interactive: logon at the computer console.
   3   Network: network logon, e.g. a mapped drive (net use / net view).
   4   Batch: scheduler.
   5   Service: a service uses an account.
   6   Proxy.
   7   Unlock: unlock workstation.
   8   NetworkCleartext: reserved for cleartext logons over the network.
   9   NewCredentials: initiated by runas with /netonly.
   10  RemoteInteractive: recorded for Terminal Services logons.
   11  CachedInteractive: recorded when cached credentials are used to log on locally to a computer.
2) Terminal Services is installed in Remote Administration mode; access to the Terminal Services RDP connection is audited, and the servers do not allow disconnected sessions. If a session becomes disconnected, it is reset. This is the most secure configuration.

The following security events can be diagnosed using logon event entries:
  Local logon attempt failures: event IDs 529, 530, 531, 532, 534, 537.
  Account misuse: event IDs 530, 531, 532, 533.
  Account lockouts: event ID 539; also look for preceding 529 events for the same account.
  Terminal Services attacks: event IDs 682, 683.
  Service account misuse: event ID 528 with logon type 2 (console) or 10 (Terminal Services).

Table 3.2: Common Account Logon Events that Appear in the Security Event Log

Event ID  Description
672  An authentication service (AS) ticket was successfully issued and validated.
     Parameters: User name of client, domain name of client, SID of client, SID of service, ticket options, failure code, ticket encryption type, preauthentication type (such as PK_INIT), client IP address.
     This event occurs on the Key Distribution Center (KDC) when a Kerberos logon attempt takes place. One AS ticket is granted per logon session.
673  A ticket-granting service (TGS) ticket was granted.
     Parameters: User name of client, domain name of client, user name of service, SID of service, ticket options, ticket encryption type, client IP address. This event occurs on the KDC and means that a user presented an AS ticket and was given a TGS ticket for some service.
674  A security principal renewed an AS ticket or TGS ticket.
     Parameters: same as 673. This event occurs on the KDC and is currently caused only by non-Windows clients, because Windows clients do not renew tickets but reacquire them instead.
675  Pre-authentication failed.
     Parameters: User name of client, SID of client, user name of service, preauthentication type, failure code, client IP address. This event is generated on the KDC for reasons such as the user typing a wrong password, a large difference between the clock on the client and the clock on the KDC, or a smart card logon error.
676  Authentication ticket request failed.
677  A TGS ticket was not granted.
     Parameters: User name of client, SID of client, user name of service, SID of service, preauthentication type, failure code, client IP address. This audit occurs on the KDC.
678  An account was successfully mapped to a domain account.
     Parameters: Source, client name, mapped name. An account mapping maps a user authenticated in an MIT Kerberos realm to a domain account.
680  Identifies the account used for a successful logon attempt. This event also indicates the authentication package used to authenticate the account. (680 and 681 are the NTLM counterparts of the Kerberos events 672 and 675.)
681  A domain account logon was attempted and failed.
     Parameters: Logon attempt by, logon account, source workstation, error code (if relevant). This audit appears on the domain controller or wherever the account exists. The following error codes are possible:
       1326  Unknown user name or bad password
       1327  The user has not been granted the requested logon type at this computer
       1328  Account logon time restriction violation
       1329  User not allowed to log on at this computer
       1330  The specified account's password has expired
       1331  Account currently disabled
       1792  The Net Logon service is not active
       1793  The specified user account has expired
     In each of these events, descriptive text gives detailed information about the specific logon attempt. On Windows XP Professional you can also enable success and failure auditing of the Account Logon category, which enables the following events: authentication ticket granted, service ticket granted, ticket renewed, preauthentication failed, authentication ticket request failed, service ticket request failed, account mapped for logon, account could not be mapped for logon, account used for logon.
682  A user reconnected to a disconnected Terminal Services session.
683  A user disconnected a Terminal Services session without logging off.

Table 3.2.1: Event ID 681 Failure Reason Codes (see KB article Q326985)

Decimal      Hex        Reason
3221225572   C0000064   User logged on with a misspelled or bad user account.
3221225570   C0000062   The name provided is not a properly formed account name.
3221225569   C0000061   A required privilege is not held by the client.
3221225578   C000006A   User logged on with a misspelled or bad password.
3221225580   C000006C   Password is not correct; when trying to update a password, this status indicates that a password update rule has been violated.
3221225583   C000006F   User logged on outside authorized hours.
3221225584   C0000070   User logged on from an unauthorized workstation.
3221225585   C0000071   User logged on with an expired password.
3221225586   C0000072   User logged on to an account disabled by the administrator.
3221225875   C0000193   User logged on with an expired account.
3221226020   C0000224   User logged on with "change password at next logon" flagged.
3221226036   C0000234   User logged on with the account locked out.

Table 3.2.2: Event 675 and 676 Kerberos Authentication Error Codes (also see Q230476)

Error code  Description/cause
0x6    The user name does not exist.
0x12   Workstation restriction; logon time restriction; account disabled, expired or locked out.
0x17   The user's password has expired.
0x18   The user name is correct but the password is wrong (very common in event ID 675).
0x25   The workstation's clock is too far out of synchronization with the DC's clock.

The following security events can be diagnosed using account logon event entries:
  Domain logon attempt failures: event IDs 675, 677.
  Time synchronization issues: event ID 675 with error code 0x25 (clock more than 5 minutes off from the DC). Use "net time /querysntp" to view the configured time server and "w32tm -v -once" to debug the time-sync process.
  Terminal Services attacks: event IDs 682, 683.

Table 3.3: Common Account Management Events that Appear in the Security Event Log

Event ID  Description
624  User account created.
     Parameters: Name of new user account, domain of new user account, SID string of new user account, user name of subject creating the user account, domain name of subject creating the user account, logon ID string of subject creating the user account, privileges used to create the user account. Only authorized personnel and processes should create network accounts. Examine the Primary User Name field to determine whether an authorized person or process created the account. This event also detects administrators creating accounts outside organizational policy guidelines.
625  User account type changed.
626  User account enabled.
627  Password change attempted.
     Parameters: Name of target user account, domain of target user account, SID string of target user account, user name of subject changing the user account, domain name of subject changing the user account, logon ID string of subject changing the user account. Compare the Primary Account Name to the Target Account Name to determine whether the account owner or someone else attempted to change the password; if they differ, someone other than the account owner tried to change the password. On computers running Windows Me, Windows 98, Windows 95 or Windows NT it is common to see Anonymous as the account that requests the change, because the user might not have been authenticated. However, the requestor had to supply the old password, so this is not a significant security risk.
628  User account password set.
     Parameters: same as 627. Records when a user or process resets an account password through an administrative interface such as Active Directory Users and Computers, rather than through a password change. Only authorized people or processes in your organization should perform these resets: the help desk, information systems personnel, or a user self-service password reset process.
629  User account disabled.
630  User account deleted.
     Parameters: Name of target user account, domain of target user account, SID string of target user account, user name of subject deleting the user account, domain name of subject deleting the user account, logon ID string of subject deleting the user account.
631  Security-enabled global group created.
     Parameters: Name of new group account, domain of new group account, SID string of new group account, user name of subject creating the account, domain name of subject creating the account, logon ID string of subject creating the account.
632  Security-enabled global group member added.
     Parameters: SID string of member being added, name of target account, domain of target account, SID string of target account, user name of subject changing the account, domain name of subject changing the account, logon ID string of subject changing the account.
633  Security-enabled global group member removed.
     Parameters: SID string of member being removed, then as for 632.
634  Security-enabled global group deleted.
     Parameters: Name of the global group account, domain of the global group account, SID string of the global group account, user name of subject deleting the global group, domain name of subject deleting the global group, logon ID string of subject deleting the global group.
635  Security-enabled local group created.
     Parameters: same as 631.
636  Security-enabled local group member added.
     Parameters: same as 632.
637  Security-enabled local group member removed.
     Parameters: same as 633.
638  Security-enabled local group deleted.
     Parameters: Name of group account being deleted, domain of the group account, SID string of group account, user name of subject deleting the account, domain name of subject deleting the account, logon ID string of subject deleting the account.
639  Security-enabled local group changed.
     Parameters: Name of group account being changed, domain of group account, SID string of group account, user name of subject changing the account, domain name of subject changing the account, logon ID string of subject changing the account.
641  Security-enabled global group changed.
     Parameters: same as 639.
642  User account changed.
     Parameters: Name of user account, domain of user account, SID string of user account, user name of subject changing the user account, domain name of subject changing the user account, logon ID string of subject changing the user account.
643  Domain policy changed.
     Parameters: Domain policy that was modified, domain name, domain ID, caller user name, caller domain, caller logon ID, privileges used.
644  User account locked out.
     Parameters: same as 627. When an account is locked out, two events are logged at the PDC emulator: a 644 event indicating that the account was locked out, followed by a 642 event recording that the user account is now locked out. Event 644 is logged only at the PDC emulator.
645  A computer account was created.
     Parameters: Name of new computer account, domain of new computer account, SID string of new computer account, user name of subject creating the computer account, domain name of subject creating the computer account, logon ID string of subject creating the computer account, privileges used to create the computer account.
646  A computer account was changed.
     Parameters: Name of target computer account, domain of target computer account, SID string of target computer account, user name of subject changing the computer account, domain name of subject changing the computer account, logon ID string of subject changing the computer account, privileges used to change the computer account.
647  A computer account was deleted.
     Parameters: same as 646, for the subject deleting the computer account and the privileges used to delete it.
648  A security-disabled local group was created.
     Parameters: Name of new group account, domain of new group account, SID string of new group account, user name of subject creating the account, domain name of subject creating the account, logon ID string of subject creating the account, privileges used to create the account.
649  A security-disabled local group was changed.
     Parameters: Name of group account, domain of group account, SID string of group account, user name of subject modifying the account, domain name of subject modifying the account, logon ID string of subject modifying the account, privileges used to modify the account.
650  A member was added to a security-disabled local group.
     Parameters: SID string of member being added, name of the security-disabled local group, domain of the group, SID string of the group, user name of subject changing the membership, domain name of subject changing the membership, logon ID string of subject changing the membership.
651  A member was removed from a security-disabled local group.
     Parameters: SID string of member being removed, then as for 650.
652  A security-disabled local group was deleted.
     Parameters: Name of the security-disabled local group, domain of the group, SID string of the group, user name of subject deleting the group, domain name of subject deleting the group, logon ID string of subject deleting the group.
653  A security-disabled global group was created.
     Parameters: Name of new security-disabled global group, domain of the new group, SID string of the new group, user name of subject creating the group, domain name of subject creating the group, logon ID string of subject creating the group.
654  A security-disabled global group was changed.
     Parameters: Name of security-disabled global group, domain of the group, SID string of the group, user name of subject changing the group, domain name of subject changing the group, logon ID string of subject changing the group.
655  A member was added to a security-disabled global group.
     Parameters: same as 650, for the security-disabled global group.
656  A member was removed from a security-disabled global group.
     Parameters: same as 651, for the security-disabled global group.
657  A security-disabled global group was deleted.
     Parameters: same as 652, for the security-disabled global group.
658  A security-enabled universal group was created.
     Parameters: same as 653, for the security-enabled universal group.
659  A security-enabled universal group was changed.
Parameters: Name of target security-enabled universal group, domain of security-enabled universal group, SID string of security-enabled universal group, user name of subject changing the securityenabled universal group, domain name of subject changing the security-enabled universal group, logon ID string of subject changing the security-enabled universal group. 660 A member was added to a security-enabled universal group. Parameters: SID string of member being added, name of security-enabled universal group, domain of securityenabled universal group, SID string of security-enabled universal group, user name of subject changing the security-enabled universal group, domain name of subject changing the security-enabled universal group, logon ID string of subject changing the security-enabled universal group. 661 A member was removed from a security-enabled universal group. Parameters: SID string of member being removed, name of security-enabled universal group, domain of security-enabled universal group, SID string of security-enabled universal group, user name of subject changing the security-enabled universal group, domain name of subject changing the security-enabled universal group, logon ID string of subject changing the security-enabled universal group. 662 A security-enabled universal group was deleted. Parameters: Name of target account, domain of security-enabled universal group, SID string of security-enabled universal group, user name of subject deleting the security-enabled universal group, domain name of subject deleting the security-enabled universal group, logon ID string of subject deleting the security-enabled universal group. 663 A security-disabled universal group was created. 
Parameters: Name of new securitydisabled universal group, domain of new security-disabled universal group, SID string of new security-disabled universal group, user name of subject creating the securitydisabled universal group, domain name of subject creating the security-disabled universal group, logon ID string of subject creating the security-disabled universal group. 664 A security-disabled universal group was changed. Parameters: Name of securitydisabled universal group, domain of security-disabled universal group, SID string of security-disabled universal group, user name of subject changing the security-disabled universal group, domain name of subject changing the security-disabled universal group, logon ID string of subject changing the security-disabled universal group.
665 A member was added to a security-disabled universal group. Parameters: SID string of member being added, name of security-disabled universal group, domain of securitydisabled universal group, SID string of security-disabled universal group, user name of subject changing the security-disabled universal group, domain name of subject changing the security-disabled universal group, logon ID string of subject changing the security-disabled universal group. 666 A member was removed from a security-disabled universal group. Parameters: SID string of member being removed, name of security-disabled universal group, domain of security-disabled universal group, SID string of security-disabled universal group, user name of subject changing the security-disabled universal group, domain name of subject changing the security-disabled universal group, logon ID string of subject changing the security-disabled universal group. 667 A security-disabled universal group was deleted. Parameters: Name of target account, domain of security-disabled universal group, SID string of security-disabled universal group, user name of subject deleting the security-disabled universal group, domain name of subject deleting the security-disabled universal group, logon ID string of subject deleting the security-disabled universal group. 668 A group type was changed. Parameters: Nature of group type change, name of group being changed, domain of group being changed, SID string of group being changed, user name of subject changing the group type, domain name of subject changing the group type, logon ID string of subject changing the group type. 684 Set the security descriptor of members of administrative groups. Parameters: Domain of target user account, SID string of target user account, user name of subject changing the user account, domain name of subject changing the user account, logon ID string of subject changing the user account. 685 A name of an account was changed. 
     Parameters: Name of target account, domain of target account, SID string of target account, user name of subject changing the account, domain name of subject changing the account, logon ID string of subject changing the account.

The following security events can be diagnosed using security log entries:

Creation of a user account: Event IDs 624 and 626 identify when accounts are created and enabled.

User account password changed: The modification of a password by someone other than the user can indicate that an account has been taken over by another user. Look for Event IDs 627 and 628, which indicate that a password change was attempted and that it succeeded.

User account status changed: An attacker may attempt to cover their tracks by disabling or deleting the account used during an attack. All occurrences of Event IDs 629 and 630 should be investigated to ensure that these are authorized transactions.

Modification of Security Groups: Membership changes to Domain Admins, Administrators, any of the operator groups, or custom global, universal or domain local groups that are delegated admin functions should be reviewed. For global group membership modifications, review Event IDs 632 and 633. For domain local group membership changes, look for Event IDs 636 and 637.

Account Lockout: When an account is locked out, two events are logged at the PDC emulator operations master. A 644 event indicates that the account was locked out, followed by a 642 event recording that the user account was changed to reflect the lockout.

Security Enabled Global Group Changes: Look for Event IDs 631-634. Examine these events for groups that have global or broad access privileges, along with the members put into these groups (Domain Admins, for example). Reviewing these events gives you assurance that no changes outside the organization's policy for user account management are taking place, and if violations do occur they can be quickly documented and reported to the CISO, ISO and management for further review. The group name that was changed is in the Target Account Name field of the event.

Security Enabled Local Group Changes: Look for Event IDs 635-638. Examine these events for groups such as Administrators, Server Operators and Backup Operators to ensure that no changes take place outside organizational policy. If changes are made that do not comply, these events provide proof of which user violated the policy and should be reported to the CISO, ISO and management for further review. The group name that was changed is in the Target Account Name field of the event.

Security Enabled Group Changes: Look for Event IDs 639, 641 and 668. These events indicate other changes to a group besides deletion, creation or membership changes. Examine these events for groups that have high privilege levels within your organization, and ensure all changes are authorized. Again, if you find unauthorized changes, report them to your CISO, ISO and management for further review. The group name that was changed is in the Target Account Name field of the event.

Security Enabled Universal Group Changes: Look for Event IDs 659-662. Examine these for groups that have high privilege levels, such as Enterprise Admins or Schema Admins, to ensure that no changes take place outside policy constraints. The group name that was changed is in the Target Account Name field of the event.

Table 3.4 Common Object Access Events

Event ID  Description
560  Access was granted to an already existing object.
     Parameters: Object server, object type, object name, handle ID, operation ID, process ID, image file name, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, access privileges, restricted SID count.
     Check the Primary Logon ID, Client User Name and Primary User Name fields to detect unauthorized attempts to change file permissions. Check the Accesses field to identify the operation type. The acting user is the Client User (if present); otherwise it is the Primary User.
561  A handle to an object was allocated.
562  A handle to an object was closed.
     Parameters: Object server, handle ID, process ID, image file name.
563  An attempt was made to open an object with the intent to delete it.
     Parameters: Object server, object type, object name, handle ID, operation ID, process ID, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, accesses, privileges.
564  A protected object was deleted.
     Parameters: Object server, handle ID, process ID.
565  Access was granted to an already existing object type.
     Parameters: Object server, object type, object name, handle ID, operation ID, process ID, process name, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, accesses, privileges, properties.
566  A generic object operation took place.
     Parameters: Operation type, object type, object name, handle ID, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, accesses, properties.
567  A permission associated with a handle was used.
     Parameters: Name of the object being accessed, object server, handle ID, object type, process ID, access mask. (This event occurs on the first instance of each access type (list, read, create, etc.) to an object. To correlate with event 560, compare the Handle ID fields of the two events.)
568  An attempt was made to create a hard link to a file that is being audited.
     Parameters: Primary user name, primary domain, primary logon ID, object name, link name.
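The review steps above (membership changes to privileged groups, the 644/642 lockout pair recorded at the PDC emulator, and the 560/567 correlation on Handle ID with the Client User / Primary User rule for the acting user), written out as an added Python example. This is not code from the original guide; the group list, account names, SIDs, handle IDs and timestamps are constructed for the example, and the dictionary keys stand in for the event parameter fields listed in the tables.

```python
"""Added example (not from the original guide): review a constructed batch of
Windows 2000/2003 security events for the account-management and object-access
patterns described in the text."""
from collections import defaultdict
from datetime import datetime, timedelta

# Groups whose membership changes are always reviewed (assumed list; adjust to
# the groups that are delegated admin functions in your domain).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Server Operators", "Backup Operators"}

# Membership-change IDs from Table 3.3: global 632/633, local 636/637,
# universal 660/661.
MEMBERSHIP_EVENTS = {632: "added to global", 633: "removed from global",
                     636: "added to local", 637: "removed from local",
                     660: "added to universal", 661: "removed from universal"}


def privileged_group_changes(events):
    """Membership changes whose Target Account Name is a privileged group."""
    return [f'{e["time"]:%H:%M} {e["member"]} {MEMBERSHIP_EVENTS[e["id"]]} '
            f'group {e["target"]} by {e["subject"]}'
            for e in events
            if e["id"] in MEMBERSHIP_EVENTS and e["target"] in PRIVILEGED_GROUPS]


def correlate_lockouts(events, window=timedelta(minutes=1)):
    """Pair each 644 (account locked out) with the 642 (account changed) that
    the PDC emulator records for the same account within `window`.
    Returns {account: (lockout time, matching 642 time or None)}."""
    changed = defaultdict(list)
    for e in events:
        if e["id"] == 642:
            changed[e["target"]].append(e["time"])
    pairs = {}
    for e in events:
        if e["id"] == 644:
            match = next((t for t in changed[e["target"]]
                          if e["time"] <= t <= e["time"] + window), None)
            pairs[e["target"]] = (e["time"], match)
    return pairs


def acting_user(e):
    """The acting user is the Client User if present, otherwise the Primary User."""
    client = e.get("client_user")
    return client if client and client != "-" else e["primary_user"]


def correlate_handles(events):
    """Join 560 (access granted), 567 (access actually exercised) and 562
    (handle closed) on Handle ID, so each record shows granted versus used."""
    handles = {}
    for e in events:
        if e["id"] == 560 and e["result"] == "success":
            handles[e["handle_id"]] = {"object": e["object"], "user": acting_user(e),
                                       "granted": set(e["accesses"]), "used": [],
                                       "closed": False}
        elif e["id"] == 567 and e["handle_id"] in handles:
            handles[e["handle_id"]]["used"].append(e["access"])
        elif e["id"] == 562 and e["handle_id"] in handles:
            handles[e["handle_id"]]["closed"] = True
    return handles


def failed_object_access(events):
    """Failure-audit 560 events: who was denied which access to what."""
    return [(acting_user(e), e["object"], sorted(e["accesses"]))
            for e in events if e["id"] == 560 and e["result"] == "failure"]


T0 = datetime(2005, 9, 20, 8, 0)   # constructed timestamps
SAMPLE_EVENTS = [                   # constructed sample log entries
    {"id": 632, "time": T0, "target": "Domain Admins",
     "member": "S-1-5-21-1-2-3-1105", "subject": "CORP\\jdoe"},
    {"id": 632, "time": T0 + timedelta(minutes=2), "target": "Sales",
     "member": "S-1-5-21-1-2-3-1106", "subject": "CORP\\jdoe"},
    {"id": 644, "time": T0 + timedelta(minutes=5), "target": "bsmith"},
    {"id": 642, "time": T0 + timedelta(minutes=5, seconds=10), "target": "bsmith"},
    {"id": 644, "time": T0 + timedelta(minutes=9), "target": "cjones"},  # no 642 follows
    {"id": 560, "time": T0 + timedelta(minutes=12), "result": "success", "handle_id": "0x4C",
     "object": "D:\\Finance\\payroll.xls", "primary_user": "SYSTEM",
     "client_user": "CORP\\jdoe", "accesses": ["READ_CONTROL", "ReadData"]},
    {"id": 567, "time": T0 + timedelta(minutes=12, seconds=1), "handle_id": "0x4C",
     "access": "ReadData"},
    {"id": 562, "time": T0 + timedelta(minutes=12, seconds=2), "handle_id": "0x4C"},
    {"id": 560, "time": T0 + timedelta(minutes=15), "result": "failure", "handle_id": "0x50",
     "object": "D:\\Finance\\payroll.xls", "primary_user": "CORP\\temp01",
     "client_user": "-", "accesses": ["WriteData"]},
]

if __name__ == "__main__":
    for line in privileged_group_changes(SAMPLE_EVENTS):
        print(line)
    print(correlate_lockouts(SAMPLE_EVENTS))
    print(correlate_handles(SAMPLE_EVENTS))
    print(failed_object_access(SAMPLE_EVENTS))
```

A 644 with no matching 642 is worth a second look, since both are expected at the PDC emulator; the handle records make visible the difference between what 560 granted and what 567 shows was actually exercised. For real data, build the event dictionaries from an EventCombMT export rather than the constructed list.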
The following security events can be diagnosed by using security log entries.

Object failure auditing: All systems should have failure auditing enabled for object access to files and folders; a denied access is recorded as event ID 560. The event in the security log details which file access was prohibited, to whom it was prohibited, the date and time of the attempted access, and what access was requested.

Table 3.5 Common Policy Change Events

Event ID  Description
608  A user right was assigned.
609  A user right was removed.
610  A trust relationship with another domain was created.
611  A trust relationship with another domain was removed.
612  An audit policy was changed.
613  An IPSEC Policy Agent was started.
     Parameters: Policy source.
614  An IPSEC Policy Agent was disabled.
     Parameters: Policy source.
615  An IPSEC Policy Agent changed.
     Parameters: Policy source.
616  An IPSEC Policy Agent encountered a potentially serious failure.
     Parameters: Policy source.
617  A Kerberos policy changed.
     Parameters: Changed by (user name, domain name, logon ID).
618  Encrypted Data Recovery policy changed.
     Parameters: Changed by (user name, domain name, logon ID).
620  A trust relationship with another domain was modified.
     Parameters: Trusted domain information modified (domain name, domain ID), modified by (user name, domain name, logon ID), trust type, trust direction, trust attributes.
621  System access was granted to an account.
     Parameters: Access granted, account modified, assigned by (user name, domain name and logon ID). System access permissions can be the following: interactive, network, batch, service, proxy, deny interactive, deny network, deny batch, deny service, remote interactive or deny remote interactive.
622  System access was removed from an account.
     Parameters: Access removed, account modified, assigned by (user name, domain name and logon ID). System access permissions are the same as listed for event ID 621.
671  Security policy was changed or refreshed. (A "_" in the Changes Made field means that no changes were made during the refresh.)
768  A collision was detected between a namespace element in one forest and a namespace element in another forest.
     Parameters: Target type, target name, forest root, top level name, DNS name, NetBIOS name, SID, new flags.
     When a namespace element in one forest overlaps a namespace element in another forest, it can lead to ambiguity in resolving a name belonging to one of the namespace elements. This overlap is also called a collision. Not all parameters are valid for each namespace element. For example, parameters such as DNS name, NetBIOS name and SID are not valid for a "TopLevelName" namespace element.
769  Trusted forest information was added.
     Parameters: Forest root, forest root SID, operation ID, entry type, flags, top level name, DNS name, NetBIOS name, domain SID, added by (client user name, client domain, client logon ID).
     This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added entry. If multiple entries are added, deleted or modified in a single update of the forest trust information, all the generated event messages share a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type "TopLevelName".
770  Trusted forest information was deleted.
     Parameters: Forest root, forest root SID, operation ID, entry type, flags, top level name, DNS name, NetBIOS name, domain SID, deleted by (client user name, client domain, client logon ID).
     This event message is generated when forest trust information is updated and one or more entries are deleted. One event message is generated per deleted entry. The operation ID shared by all messages from one update, and the parameter validity rules, are the same as described for event 769.
771  Trusted forest information was modified.
     Parameters: Forest root, forest root SID, operation ID, entry type, flags, top level name, DNS name, NetBIOS name, domain SID, added by, client user name, client domain, client logon ID.
     This event message is generated when forest trust information is updated and one or more entries are modified. One event message is generated per modified entry. The operation ID shared by all messages from one update, and the parameter validity rules, are the same as described for event 769.

Note: The auditpol.exe utility lets you change audit policy settings on systems from the command line if desired, although it is best practice to apply a uniform policy to all similarly configured systems (member servers, DCs, web servers, SQL Servers).

The following security events can be diagnosed by using security log entries.

Unauthorized Policy Changes: Event IDs 608 and 609 show whether a number of attacks have been attempted. Most deal with elevation of user rights, as denoted below. (Ntrights.exe from the Resource Kit can be used to manipulate the user rights on any system in the domain.)

Act as part of the operating system: Look for Event IDs 608 and 609 with user right SeTcbPrivilege in the event details.
Add workstations to the domain: Look for Event IDs 608 and 609 with user right SeMachineAccountPrivilege.
Back up files and directories: Look for Event IDs 608 and 609 with user right SeBackupPrivilege in the event details.
Bypass traverse checking: Look for events with user right SeChangeNotifyPrivilege in the event details.
Change the system time: Look for events with user right SeSystemtimePrivilege in the event details.
Create permanent shared objects: Look for events with user right SeCreatePermanentPrivilege in the event details.
Debug programs: Look for events with user right SeDebugPrivilege in the event details.
Force shutdown from a remote system: Look for events with user right SeRemoteShutdownPrivilege in the event details.
Increase scheduling priority: Look for events with user right SeIncreaseBasePriorityPrivilege in the event details.
Load and unload device drivers: Look for events with user right SeLoadDriverPrivilege in the event details.
Manage auditing and security log: Look for events with user right SeSecurityPrivilege in the event details. A user with this right can view and clear the security log. (This should be extremely restricted.)
Replace a process level token: Look for events with user right SeAssignPrimaryTokenPrivilege in the event details.
Restore files and directories: Look for events with user right SeRestorePrivilege in the event details.
Shut down the system: Look for events with user right SeShutdownPrivilege in the event details.
Take ownership of files or other objects: Look for events with user right SeTakeOwnershipPrivilege in the event details. (An extremely restricted right.)

Table 3.6 Common Privilege Use Events

Event ID  Description
576  Specified privileges were added to a user's access token. (This event is generated when a user logs on.)
     Parameters: Special privileges assigned to the new user (SeChangeNotifyPrivilege, SeAuditPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege), user name, domain, logon ID, privileges.
577  A user attempted to perform a privileged system service operation.
     Parameters: Privileged service called, server, service, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, privileges.
578  Privileges were used on an already open handle to a protected object.
     Parameters: Privileged object operation, object server, object handle, process ID, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, privileges.

The following security events can be diagnosed by using security log entries.

Look for event ID 577 with the following user rights to determine if changes from your baseline are being attempted:
1) SeMachineAccountPrivilege
2) SeSystemtimePrivilege
3) SeBackupPrivilege
4) SeRemoteShutdownPrivilege
5) SeDebugPrivilege
6) SeLoadDriverPrivilege
7) SeSecurityPrivilege
8) SeAssignPrimaryTokenPrivilege
9) SeRestorePrivilege
10) SeShutdownPrivilege
11) SeTakeOwnershipPrivilege

Table 3.7 Common Process Tracking Events

Event ID  Description
592  A new process was created.
     Parameters: New process ID, image file name, creator process ID, user name, domain, logon ID.
593  A process exited.
     Parameters: Process ID, image file name, user name, domain name, logon ID.
594  A handle to an object was duplicated.
     Parameters: Source handle ID, source process ID, target handle ID, target process ID.
595  Indirect access to an object was obtained.
     Parameters: Object type, object name, process ID, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, accesses.
596  A data protection master key was backed up.
     Parameters: Key ID, recovery server (the computer to which the key was backed up), recovery key ID (identifies the key on the domain controller that was used to encrypt the master key), failure reason. The master key is used by the CryptProtectData and CryptUnprotectData routines and by Encrypting File System (EFS). The master key is backed up each time a new one is created (the default is 90 days). The key is usually backed up to a domain controller.
597  A data protection master key was recovered from a recovery server.
     Parameters: Key ID, recovery server (the computer to which the key was backed up), recovery key ID (identifying the key on the domain controller used to encrypt the master key), failure reason.
598  Auditable data was protected.
     Parameters: Data description, key ID (the master key GUID), protected data flags (CRYPTPROTECT_AUDIT, which indicates that the audit should be generated, or CRYPTPROTECT_SYSTEM, which indicates that this is system information and should not be viewed in the user space), name of the protection algorithm, failure reason.
599  Auditable data was unprotected.
     Parameters: Data description, key ID, protected data flags (including CRYPTPROTECT_AUDIT, which indicates that the audit should be generated, and CRYPTPROTECT_SYSTEM, which indicates that this is system information and should not be viewed in the user space), name of the protection algorithm, failure reason.

Note: Tracking processes generates a large number of audit log entries and can adversely affect your systems; use it sparingly.
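The policy-change and privilege-use checks above (608/609 for the listed rights, and 577 compared against a baseline of who is expected to exercise each privilege), as an added Python example that is not part of the original guide. The privilege constants are the Windows names given in the text; which ones count as sensitive, the per-account baseline, and the sample events (accounts, subjects) are constructed assumptions for the example, and the dictionary keys stand in for the User Right, Assigned To, Assigned By, Primary User Name, Client User Name and Privileges fields.

```python
"""Added example (not from the original guide): flag user-right assignments and
privileged service calls that involve the sensitive rights listed in the text."""

# Rights the text singles out, keyed by the constant shown in the event details.
# Treating exactly these as sensitive is this example's assumption.
SENSITIVE_RIGHTS = {
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeMachineAccountPrivilege": "Add workstations to the domain",
    "SeBackupPrivilege": "Back up files and directories",
    "SeSystemtimePrivilege": "Change the system time",
    "SeDebugPrivilege": "Debug programs",
    "SeRemoteShutdownPrivilege": "Force shutdown from a remote system",
    "SeLoadDriverPrivilege": "Load and unload device drivers",
    "SeSecurityPrivilege": "Manage auditing and security log",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
    "SeRestorePrivilege": "Restore files and directories",
    "SeShutdownPrivilege": "Shut down the system",
    "SeTakeOwnershipPrivilege": "Take ownership of files or other objects",
}


def acting_user(e):
    """Client User if the event carries one, otherwise Primary User."""
    return e.get("client_user") or e["primary_user"]


def right_assignment_changes(events):
    """608 (assigned) / 609 (removed) events that touch a sensitive right.
    Event keys: id, right (User Right), account (Assigned To), subject (Assigned By)."""
    out = []
    for e in events:
        if e["id"] in (608, 609) and e["right"] in SENSITIVE_RIGHTS:
            action = "assigned to" if e["id"] == 608 else "removed from"
            out.append((e["right"], action, e["account"], e["subject"]))
    return out


def privilege_use_outside_baseline(events, baseline):
    """577 events in which the acting user exercised a sensitive privilege that
    the baseline (account -> set of privileges they are expected to use) does
    not grant them. Returns (user, privilege) pairs."""
    findings = []
    for e in events:
        if e["id"] != 577:
            continue
        user = acting_user(e)
        allowed = baseline.get(user, set())
        findings.extend((user, p) for p in e["privileges"]
                        if p in SENSITIVE_RIGHTS and p not in allowed)
    return findings


SAMPLE_EVENTS = [  # constructed sample entries
    {"id": 608, "right": "SeTcbPrivilege", "account": "CORP\\svc_backup", "subject": "CORP\\jdoe"},
    {"id": 608, "right": "SeChangeNotifyPrivilege", "account": "Everyone", "subject": "CORP\\admin2"},
    {"id": 609, "right": "SeDebugPrivilege", "account": "BUILTIN\\Administrators", "subject": "CORP\\admin2"},
    {"id": 577, "primary_user": "CORP\\backup01", "client_user": None, "privileges": ["SeBackupPrivilege"]},
    {"id": 577, "primary_user": "SYSTEM", "client_user": "CORP\\jdoe", "privileges": ["SeSystemtimePrivilege"]},
]

# Assumed baseline: the backup account is expected to use backup/restore rights;
# jdoe is not expected to exercise any sensitive privilege.
BASELINE = {"CORP\\backup01": {"SeBackupPrivilege", "SeRestorePrivilege"},
            "CORP\\jdoe": set()}

if __name__ == "__main__":
    for change in right_assignment_changes(SAMPLE_EVENTS):
        print("%s %s %s by %s" % change)
    for user, priv in privilege_use_outside_baseline(SAMPLE_EVENTS, BASELINE):
        print(f"{user} used {priv} ({SENSITIVE_RIGHTS[priv]}) outside baseline")
```

The first function answers "who handed out which right, to whom"; the second answers "who is actually using a right they were not expected to have", which is the baseline comparison the text asks for. A SeTcbPrivilege assignment to any ordinary account, as in the first sample event, is the kind of finding that should always be investigated.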
Table 3.8 Common System Events

Event ID  Description
512  Windows is starting up.
513  Windows is shutting down.
514  An authentication package was loaded by the Local Security Authority (LSA).
     Parameters: Authentication package name.
515  A trusted logon process has registered with the LSA.
     Parameters: Logon process name.
516  Internal resources allocated for the queuing of security event messages have been exhausted, leading to the loss of some security event messages.
     Parameters: Number of audit messages discarded. You need to reduce the amount of auditing you are doing; check whether success auditing of process tracking is turned on.
517  The security log was cleared.
     Parameters: Primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID. Is this a valid clearing of the security log, or is it a rogue admin trying to cover his tracks?
518  A notification package was loaded by the Security Accounts Manager (SAM).
     Parameter: Notification package name.
519  A process is using an invalid local procedure call (LPC) port in an attempt to impersonate a client and reply to, read from or write to a client address space.
     Parameters: Process ID, type of invalid use (either impersonation or reply), server port name, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID.
520  System time was changed.
     Parameters: Process ID, process name, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, previous time, new time.

The following security events can be diagnosed by using security log entries.

Computer Shutdown/Restart: Event ID 513 shows Windows shutting down. Tracking this along with successful use of SeShutdownPrivilege and SeRemoteShutdownPrivilege determines when, and by whom, your systems were shut down.

Modifying or Clearing of the Security Log: An attacker will try to modify the security logs, disable auditing during an attack, or clear the event log to prevent detection. If you notice large blocks of time with no entries in the security log, look for event IDs 612 and 517 to determine which user modified the security policy or cleared the log.

Kerberos Errors and Troubleshooting

First, ensure that the PC or system can connect to the following ports:
  UDP/TCP port 53 for DNS.
  UDP/TCP port 88 for the KDC/TGS.
  UDP/TCP port 123 for the Time Service.
  TCP port 464 for the Microsoft Kerberos change password protocol.

To view these errors you must set the following key on the domain controller and reboot:
  HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
  Value Type: REG_DWORD
  Value Data: 0x1
Quit the registry editor and reboot the system.

Utilities used to troubleshoot these issues are the following:
  Klist.exe (Windows 2000/2003 Resource Kit tools): http://go.microsoft.com/fwlink/?linkid=16544
  Kerbtray (Windows 2000/2003 Resource Kit tools): http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/kerbtray-o.asp

Kerberos errors will show up with event IDs 4 and 594.
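The "large blocks of time with no entries" check from the system-events section above, as an added Python example that is not part of the original guide. It finds silent periods in a constructed event sequence, treats a gap bounded by 513 (shutting down) and 512 (starting up) as an expected outage, and for every other gap lists the 612 (audit policy changed) and 517 (log cleared) events around it together with the user who generated them. The gap threshold, look-around window, account names and timestamps are assumptions constructed for the example.

```python
"""Added example (not from the original guide): classify silent periods in the
security log and attribute the unexplained ones to 612/517 events nearby."""
from datetime import datetime, timedelta


def classify_gaps(events, max_gap=timedelta(hours=1), lookaround=timedelta(minutes=15)):
    """One record per gap longer than max_gap between consecutive events.
    Event keys: id, time, user (the acting user as recorded in the event)."""
    evs = sorted(events, key=lambda e: e["time"])
    gaps = []
    for prev, nxt in zip(evs, evs[1:]):
        if nxt["time"] - prev["time"] <= max_gap:
            continue
        if prev["id"] == 513 and nxt["id"] == 512:
            # The log went quiet because the system was down: expected.
            gaps.append({"start": prev["time"], "end": nxt["time"],
                         "reason": "shutdown/restart", "suspicious": False})
            continue
        # A policy change or log clear just before the silence, or just after
        # logging resumed, points at who switched auditing off and on again.
        nearby = [e for e in evs
                  if prev["time"] - lookaround <= e["time"] <= prev["time"]
                  or nxt["time"] <= e["time"] <= nxt["time"] + lookaround]
        tampering = [f'{e["id"]} by {e["user"]}' for e in nearby if e["id"] in (612, 517)]
        gaps.append({"start": prev["time"], "end": nxt["time"],
                     "reason": ", ".join(tampering) or "no explaining event",
                     "suspicious": True})
    return gaps


def log_clears(events):
    """Users recorded on every 517 (security log cleared) event."""
    return [e["user"] for e in events if e["id"] == 517]


T0 = datetime(2005, 9, 20, 8, 0)  # constructed timestamps
SAMPLE_EVENTS = [                  # constructed sample entries
    {"id": 528, "time": T0, "user": "CORP\\jdoe"},
    {"id": 612, "time": T0 + timedelta(minutes=5), "user": "CORP\\admin2"},   # auditing changed
    {"id": 612, "time": T0 + timedelta(hours=3), "user": "CORP\\admin2"},     # changed back
    {"id": 528, "time": T0 + timedelta(hours=3, minutes=1), "user": "CORP\\jdoe"},
    {"id": 513, "time": T0 + timedelta(hours=3, minutes=50), "user": "SYSTEM"},  # shutdown
    {"id": 512, "time": T0 + timedelta(hours=5, minutes=20), "user": "SYSTEM"},  # startup
    {"id": 517, "time": T0 + timedelta(hours=5, minutes=25), "user": "CORP\\admin2"},
    {"id": 528, "time": T0 + timedelta(hours=5, minutes=30), "user": "CORP\\bsmith"},
]

if __name__ == "__main__":
    for gap in classify_gaps(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if gap["suspicious"] else "expected"
        print(f'{gap["start"]:%H:%M}-{gap["end"]:%H:%M} {flag}: {gap["reason"]}')
    print("log cleared by:", log_clears(SAMPLE_EVENTS))
```

A gap that is neither bracketed by a shutdown/startup pair nor accompanied by a 612 or 517 is reported as "no explaining event", which still deserves a look at the collection side (event 516, exhausted audit queue, or a log that wrapped) before it is attributed to tampering.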
[Kerberos error code table: the table did not survive extraction in this copy of the document. The only legible fragments are: "This error occurs if duplica exist. Unique principal nam ensuring mutual authentica or LDIFDE utility and dire Troubleshooting Kerberos steps to remove SPN." and "By default, the address fie and realm, the list of transit initial authentication, the ex authorization data of the ne be copied from the ticket-g or renewable ticket. If the t be updated, but the transite supported, the KDC_ERR_ error is returned." Links in the table pointed to http://go.microsoft.com/fw (truncated).]

User Rights (how to determine which right does what and correctly modify these rights on multiple systems)
When looking at user rights, there are two sections that you need to concentrate on: logon rights and privileges. Below are the two sections with a brief explanation of what each right means and an example of where you might use it. I have also provided suggestions on how to tweak and tighten security on your servers and workstations.

User Right: Access this computer from the network (SeNetworkLogonRight)
Description: Allows a user to connect to the computer from the network. I would suggest that on servers you limit this right to Administrators and Authenticated Users. To add additional isolation and security for the server and its functioning, add a global group containing the users that will access the server via mapped network drives, and remove Authenticated Users. Ensure you have auditing turned on for logon failures and track those that show up as failures; you will be surprised how many you see. On workstations, only administrators should have this right, period.

User Right: Allow logon through Terminal Services (SeRemoteInteractiveLogonRight)
Description: Allows a user to log on to the computer by using a Remote Desktop connection. (Note: you will only find this right on Windows 2003 and XP machines. On Windows 2000, a user logging on via Terminal Services must have the "Log on locally" right and also access via the Terminal Services connection.) I recommend that only administrators have access to this, and that you remove Remote Desktop Users (workstations and servers).

User Right: Log on as a batch job (SeBatchLogonRight)
Description: Allows a user to log on by using a batch-queue facility such as the Task Scheduler service. (You will want to keep this to administrators, SYSTEM and the Remote Assistance Support_xxxxxxxx account only.) When an administrator uses the Add Scheduled Task wizard to schedule a task to run under a particular user name and password, that user is automatically assigned the "Log on as a batch job" right. When the scheduled time arrives, the Task Scheduler service logs the user on as a batch job rather than as an interactive user, and the task runs in the user's security context. The Support_xxxxxxxx account is the logon account for Remote Assistance.

User Right: Log on locally (SeInteractiveLogonRight)
Description: Allows a user to start an interactive session on the computer. It is recommended to remove all entries and put the global groups of your server administrators or IT team in their place. This ensures only the approved IT team can log in locally at a server or access it via Terminal Services. Again, this is a defense-in-depth measure and might not be available for implementation for operational or political reasons. Users who do not have this right can still start a remote interactive session on the computer if they have the "Allow logon through Terminal Services" right. This is why you want to limit both of these rights to local administrators or members of your IT team.
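One way to verify that a server's logon rights match the recommendations above across many systems is to export each machine's local policy to a security template (secedit /export /cfg <file>.inf) and compare the [Privilege Rights] section against a baseline. The checker below is an added Python example, not code from the original guide; the exported-template format it parses is the standard .inf layout, while the baseline, the assumed custom group "CORP\Server Admins" and the sample template contents are constructed for the example (a real export lists domain groups as *SID values, so the baseline would carry the group's SID rather than its name).

```python
"""Added example (not from the original guide): compare the [Privilege Rights]
section of an exported security template with an assumed logon-rights baseline."""

# Well-known SIDs as they appear in an exported template (prefixed with "*").
WELL_KNOWN = {"*S-1-5-32-544": "Administrators", "*S-1-5-32-545": "Users",
              "*S-1-5-32-555": "Remote Desktop Users", "*S-1-5-11": "Authenticated Users",
              "*S-1-5-18": "SYSTEM", "*S-1-1-0": "Everyone"}


def parse_privilege_rights(template_text):
    """Return {right name: set of principals} from the [Privilege Rights] section.
    A right listed with an empty value is held by nobody; a right missing from
    the section is treated the same way by check_against_baseline."""
    rights, section = {}, None
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = {p.strip() for p in value.split(",") if p.strip()}
    return rights


def check_against_baseline(rights, baseline):
    """One finding per right whose holders differ from the baseline:
    principals that should not be there, and principals that are missing."""
    findings = []
    for right, allowed in baseline.items():
        actual = rights.get(right, set())
        extra, missing = actual - allowed, allowed - actual
        if extra or missing:
            findings.append({"right": right, "unexpected": sorted(extra),
                             "missing": sorted(missing)})
    return findings


def describe(principal):
    """Friendly name for a well-known SID, else the principal as written."""
    return WELL_KNOWN.get(principal, principal)


def report(findings):
    return [f'{f["right"]}: unexpected {[describe(p) for p in f["unexpected"]]}, '
            f'missing {[describe(p) for p in f["missing"]]}' for f in findings]


# Constructed sample export: Everyone has network logon, Users can log on
# locally, Remote Desktop Users can use Terminal Services, nobody has SeTcb.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11,*S-1-1-0
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-18
SeTcbPrivilege =
"""

# Assumed baseline following the recommendations in the text. "CORP\Server
# Admins" is a hypothetical group standing in for your IT team's global group.
BASELINE = {
    "SeNetworkLogonRight": {"*S-1-5-32-544", "*S-1-5-11"},
    "SeInteractiveLogonRight": {"*S-1-5-32-544", "CORP\\Server Admins"},
    "SeRemoteInteractiveLogonRight": {"*S-1-5-32-544"},
    "SeBatchLogonRight": {"*S-1-5-32-544", "*S-1-5-18"},
    "SeTcbPrivilege": set(),
}

if __name__ == "__main__":
    for line in report(check_against_baseline(parse_privilege_rights(SAMPLE_TEMPLATE), BASELINE)):
        print(line)
```

Running the checker over the sample reports Everyone on network logon, Users instead of the server admins group on local logon, and Remote Desktop Users on Terminal Services logon, which are exactly the three deviations the recommendations above call out; SeTcbPrivilege being held by nobody produces no finding.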
User Right: Log on as a service (SeServiceLogonRight)
Description: Allows a security principal to log on as a service. Services can be configured to run under the Local System, Local Service or Network Service accounts, which have a built-in right to log on as a service. Any service that runs under a separate user account must be assigned the right. I would recommend that you assign this right only to accounts with fewer privileges than local administrators. Again, a caveat to this is that some applications will cease to work because they don't have access to system files, the registry and so forth, which makes auditing your registry and file system that much more important for troubleshooting.

User Right: Deny access to this computer from the network (SeDenyNetworkLogonRight)
Description: Prohibits a user from connecting to the computer from the network. Remember that deny overrules allow, so be cautious when adding users or groups to this right. If you have high-profile workstations, definitely look into limiting the rights to connect over the network and log on locally to a restricted few users for better security.

User Right: Deny logon locally (SeDenyInteractiveLogonRight)
Description: Prohibits a user from logging on directly at the keyboard. On servers I would recommend that service accounts be assigned this right, to stop a vendor or admin from using a service account (sometimes given local administrative privileges) to gain console access and manipulate system files and directories. On high-profile workstations, I would add the groups of users that you want to specifically deny access to these machines.

User Right: Deny logon as a batch job (SeDenyBatchLogonRight)
Description: Prohibits a user from logging on by using a batch-queue facility. I would recommend that you assign this right sparingly, and make sure high-level accounts and groups are added to it. You certainly wouldn't want a Domain Admin or Schema Admin running batch files or scheduled tasks which could affect the entire AD forest, now would you?

User Right: Deny logon as a service (SeDenyServiceLogonRight)
Description: Prohibits a user from logging on as a service. I would recommend that you add Domain Admins, Schema Admins, Enterprise Admins and other sensitive accounts and groups to this right to tighten the security on your servers.

User Right: Deny logon through Terminal Services (SeDenyRemoteInteractiveLogonRight)
Description: Prohibits a user from logging on to the computer using a Remote Desktop connection. (Again, this is the first level of defense against users trying to log in using Terminal Services (RDP) to servers and workstations.)

Privileges

Privilege: Act as part of the operating system (SeTcbPrivilege)
Description: Allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access. Typically, only low-level authentication services require this privilege. When a service requires this privilege, configure the service to log on using the Local System account, which has the privilege inherently. Do not create a separate account and assign the privilege to it. No user accounts need this privilege; investigate any accounts given this privilege.

Privilege: Add workstations to domain (SeMachineAccountPrivilege)
Description: Allows the user to add a computer to a specific domain. For the privilege to take effect, it must be assigned to the user as part of the Default Domain Controllers Policy for the domain. A user who has this privilege can add up to 10 workstations to the domain. Users can also join a computer to a domain if they have Create Computer Objects permission for an organizational unit or for the Computers container in Active Directory. Users who have this permission can add an unlimited number of computers to the domain regardless of whether they have been assigned the "Add workstations to a domain" privilege.

Privilege: Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
Description: Allows a process that has access to a second process to increase the processor quota assigned to the second process. This privilege is useful for system tuning, but it can be abused. In the wrong hands, it could be used to launch a denial-of-service attack.

Privilege: Back up files and directories (SeBackupPrivilege)
Description: Allows the user to circumvent file and directory permissions to back up the system. The privilege is selected only when an application attempts access by using the NTFS backup application programming interface (API). Otherwise, normal file and directory permissions apply. Most 3rd-party backup systems either need an account with administrator privileges to run an agent, or have an agent that runs and does the backups, so having only the Administrators group listed for this privilege is a good security measure.

Privilege: Bypass traverse checking (SeChangeNotifyPrivilege)
Description: Allows the user to pass through folders to which the user otherwise has no access while navigating an object path in the NTFS file system or in the registry. This privilege does not allow the user to list the contents of a folder; it allows the user only to traverse its directories.

Privilege: Change the system time (SeSystemtimePrivilege)
Description: Allows the user to adjust the time on the computer's internal clock. This privilege is not required to change the time zone or other display characteristics of the system time. Limit this privilege to local administrators and trusted server administrators. On workstations, too, only local administrators should have the right to change the system time; this ensures a user can't change the system time, which can lead to Kerberos authentication issues within AD.

Privilege: Create a token object (SeCreateTokenPrivilege)
Description: Allows a process to create an access token by calling NtCreateToken() or other token-creating APIs. When a process requires this privilege, use the Local System (or System) account, which has the privilege inherently. Do not create a separate user account and assign the privilege to it. It is recommended that no user accounts be given this
Create permanent shared objects(secreatepermanentprivilege) Create a pagefile (SeCreatePagefilePrivilege) Debug programs (SeDebugPrivilege) Enable computer and user accounts to be trusted for delegation (SeEnableDelegationPrivilege) privilege unless absolutely necessary. Allows a process to create a directory object in the object manager. This privilege is useful to kernelmode components that extend the object namespace. Components that are running in kernel mode have this privilege inherently. No accounts should be assigned this privilege. Allows the user to create and change the size of a pagefile. This is done by specifying a paging file size for a particular drive in the Performance Options box on the Advanced tab of System Properties. Again only administrators should have this right. Allows the user to attach a debugger to any process. This privilege provides access to sensitive and critical operating system components. I would recommend that you remove the local administrators group assigned by default from this privilege and only reassign it when you need to debug a problem for best security posture. Allows the user to change the Trusted for Delegation setting on a user or computer object in Active Directory. The user or computer that is granted this privilege must also have write access to the account control flags on the object. Default setting: Not assigned to anyone on member servers and workstations because it has no meaning in those contexts. Delegation of authentication is a capability that is used by multi-tier client/server applications. It allows a front-end service to use the credentials of a client in authenticating to a back-end service. For this to be possible, both client and server must be running under accounts that are trusted for delegation. 
Misuse of this privilege or the Trusted for Delegation settings can make the network vulnerable to sophisticated attacks that use Trojan horse programs, which impersonate incoming clients and use their credentials to gain access to network resources. Force shutdown from a remote system(seremoteshutdownprivilege) Generate security audits (SeAuditPrivilege) Allows a user to shut down a computer from a remote location on the network. To tighten security you could remove the default administrators group and add only a trusted set of administrators that can remotely shutdown server systems. Allows a process to generate audit records in the security log. The security log can be used to trace unauthorized system access.
Increase scheduling Priority (SeIncreaseBasePriorityPrivilege) Load and unload device drivers (SeLoadDriverPrivilege) Lock pages in memory (SeLockMemoryPrivilege) Manage auditing and security log (SeSecurityPrivilege) Modify firmware environment values (SeSystemEnvironmentPrivilege) Perform volume maintenance tasks (SeManageVolumePrivilege) Profile single process (SeProfileSingleProcessPrivilege) Profile system performance (SeSystemProfilePrivilege) Remove computer from docking station Allows a user to increase the base priority class of a process. (Increasing relative priority within a priority class is not a privileged operation.) This privilege is not required by administrative tools supplied with the operating system but might be required by software development tools. Allows a user to install and remove drivers for Plug and Play devices. This privilege is not required if a signed driver for the new hardware already exists in the Driver.cab file on the computer. Its best to leave the default setting of administrators set for this privilege. Do not assign this privilege to any user or group other than Administrators. Device drivers run as trusted (highly privileged) code. A user who has "Load and unload device drivers" privilege could unintentionally install malicious code masquerading as a device driver. It is assumed that administrators will exercise greater care and install only drivers with verified digital signatures. Allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Assigning this privilege can result in significant degradation of system performance. It is recommended that you don t assign any account this privilege. The system account has this privilege by default. Allows a user to specify object access auditing options for individual resources such as files, Active Directory objects, and registry keys. 
Object access auditing is not performed unless you enable it by using Audit Policy (under Security Settings, Local Policies). A user who has this privilege can also view and clear the security log from Event Viewer. It is recommended that only administrators have this right, and that clearing of the event logs be highly scrutinized. Allows modification of system environment variables either by a process through an API or by a user through System Properties. Allows a non-administrative or remote user to manage volumes or disks. The operating system checks for the privilege in a user's access token when a process running in the user's security context calls SetFileValidData(). Only administrators by default have this privilege. Allows a user to sample the performance of an application process. It is recommended that only administrators have this right. To tighten security remove the Power users group. Allows a user to sample the performance of system processes. This privilege is required by the Performance snap-in only if it is configured to collect data by using Windows Management Instrumentation (WMI). Allows the user of a portable computer to undock
(SeUndockPrivilege) Replace a process-level token (SeAssignPrimaryTokenPrivilege) Restore files and directories (SeRestorePrivilege) Shut down the system (SeShutdownPrivilege) Synchronize directory service data (SeSyncAgentPrivilege) Take ownership of files or other objects (SeTakeOwnershipPrivilege) the computer by clicking Eject PC on the Start menu. Allows a parent process to replace the access token that is associated with a child process. Usually only Local Service, Network Service and Local System have this privilege. It is recommended that no user or administrative account be given this privilege. Allows a user to circumvent file and directory permissions when restoring backed-up files and directories and to set any valid security principal as the owner of an object. Its recommended only the local administrators group have this privilege. Allows a user to shut down the local computer. On servers, only the administrators group should have this right. If you want to tighten security remove the administrators group and add a trusted group of administrators. Allows a process to read all objects and properties in the directory, regardless of the protection on the objects and properties. This privilege is required in order to use Lightweight Directory Access Protocol (LDAP) directory synchronization (Dirsync) services. Do not assign this privilege to anyone, this is only applicable to domain controllers. Allows a user to take ownership of any securable object in the system, including Active Directory objects, NTFS files and folders, printers, registry keys, services, processes, and threads. Only administrators or other trusted group should ever be assigned this privilege. A common utility to set user rights and privileges by the command line is ntrights.exe from the Windows 2003 resource kit. Another utility to view and dump the user rights and privileges from a GUI, is dumpacl.exe from somarsoft software. 
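As an added example (not from the original document), the following Python reads the [Privilege Rights] section of a Windows security template (.inf) and flags assignments that depart from the recommendations in the table above: privileges the table says nobody should hold, and privileges it restricts to Administrators. The template text is constructed, and the only trustee mapping assumed is the well-known SIDs for BUILTIN\Administrators (S-1-5-32-544) and BUILTIN\Backup Operators (S-1-5-32-551).

```python
# Recommendations from the table above: privileges no account should hold,
# and privileges only the built-in Administrators group should hold.
NOBODY = {
    "SeTcbPrivilege", "SeCreateTokenPrivilege", "SeCreatePermanentPrivilege",
    "SeLockMemoryPrivilege", "SeDebugPrivilege", "SeSyncAgentPrivilege",
}
ADMINS_ONLY = {
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege", "SeCreatePagefilePrivilege", "SeSecurityPrivilege",
    "SeSystemtimePrivilege",
}
# Well-known SID of BUILTIN\Administrators as a template writes it (leading '*').
ADMINISTRATORS = "*S-1-5-32-544"

def parse_privilege_rights(template_text):
    """Return {privilege: [trustees]} from the [Privilege Rights] section of a
    security template (.inf). Trustees are kept as written, e.g. '*S-1-5-32-544'."""
    rights = {}
    in_section = False
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = [t.strip() for t in value.split(",") if t.strip()]
    return rights

def audit_privileges(rights):
    """Compare assignments with the recommendations above; return a list of findings."""
    findings = []
    for priv in sorted(NOBODY):
        holders = rights.get(priv, [])
        if holders:
            findings.append(f"{priv}: should be unassigned, held by {', '.join(holders)}")
    for priv in sorted(ADMINS_ONLY):
        extra = [t for t in rights.get(priv, []) if t != ADMINISTRATORS]
        if extra:
            findings.append(f"{priv}: granted beyond Administrators to {', '.join(extra)}")
    return findings

# Constructed template fragment for demonstration, not a real export.
# *S-1-5-32-551 is BUILTIN\Backup Operators.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeTcbPrivilege =
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeShutdownPrivilege = *S-1-5-32-544
SeSystemtimePrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

if __name__ == "__main__":
    for finding in audit_privileges(parse_privilege_rights(SAMPLE_TEMPLATE)):
        print(finding)
```

Point the script at a template exported from your own system to compare it against the table before the template is applied.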
Example 1) Listing of ntrights.exe

    NTRights.Exe - Grants/Revokes NT-Rights to a user/group
    usage:
      -u xxx     User/Group
      -m \\xxx   machine to perform the operation on (default local machine)
      -e xxxxx   Add xxxxx to the event log
      -r xxx     revokes the xxx right
      +r xxx     grants the xxx right
    valid NTRights are:
      SeCreateTokenPrivilege
      SeAssignPrimaryTokenPrivilege
      SeLockMemoryPrivilege
      SeIncreaseQuotaPrivilege
      SeUnsolicitedInputPrivilege
      SeMachineAccountPrivilege
      SeTcbPrivilege
      SeSecurityPrivilege
      SeTakeOwnershipPrivilege
      SeLoadDriverPrivilege
      SeSystemProfilePrivilege
      SeSystemtimePrivilege
      SeProfileSingleProcessPrivilege
      SeIncreaseBasePriorityPrivilege
      SeCreatePagefilePrivilege
      SeCreatePermanentPrivilege
      SeBackupPrivilege
      SeRestorePrivilege
      SeShutdownPrivilege
      SeAuditPrivilege
      SeSystemEnvironmentPrivilege
      SeChangeNotifyPrivilege
      SeRemoteShutdownPrivilege

(Note: not all the rights/privileges listed above are shown.)

Another utility that you can use is showpriv.exe from the Windows 2003 Resource Kit, along with psexec.exe from the Sysinternals site, to script checking of the following privileges.

    ShowPriv.exe
    Displays the trustees assigned to a privilege (user right).
    (c) 1999 Microsoft Corporation.
    Usage: showpriv <privilegename>
      where <privilegename> is a valid Windows NT privilege string.
    Example: showpriv SeSecurityPrivilege
    Privileges:
      SeCreateTokenPrivilege
      SeAssignPrimaryTokenPrivilege
      SeLockMemoryPrivilege
      SeIncreaseQuotaPrivilege
      SeMachineAccountPrivilege
      SeTcbPrivilege
      SeSecurityPrivilege
      SeTakeOwnershipPrivilege
      SeLoadDriverPrivilege
      SeSystemProfilePrivilege
      SeSystemtimePrivilege
      SeProfileSingleProcessPrivilege
      SeIncreaseBasePriorityPrivilege
      SeCreatePagefilePrivilege
      SeCreatePermanentPrivilege
      SeBackupPrivilege
      SeRestorePrivilege
      SeShutdownPrivilege
      SeDebugPrivilege
      SeAuditPrivilege
      SeSystemEnvironmentPrivilege
      SeChangeNotifyPrivilege
      SeRemoteShutdownPrivilege
      SeUndockPrivilege
      SeSyncAgentPrivilege
      SeEnableDelegationPrivilege

Example 2: Show privileges on a remote machine using psexec and showpriv.exe (Note: both utilities must be in a directory which is in your %PATH% variable for this to work. psexec takes the target computer first, then -c to copy the program to it.)

    psexec \\servername -c showpriv SeShutdownPrivilege
    1 account(s) with the SeShutdownPrivilege user right:
    BUILTIN\Administrators
    All accounts enumerated
    showpriv.exe exited on servername with error code 0.

(This is what you should see.) You can also list the privileges assigned to a computer via the graphical utility dumpacl.exe, an example of which is listed below:
You can also preconfigure your systems using Microsoft security templates to add the proper accounts to rights and privileges on your server and workstation systems. I recommend that you consult the Microsoft documentation and test your templates before committing to applying them across your enterprise.

Security and Auditing of Services, Registry and Filesystem (How to determine what the security on services, the registry and the file system is, how to modify their security, and how to audit your modifications)

I would caution you to make sure you download the latest version of subinacl.exe from the Microsoft Download site, which is 5.2.3790.1180. Also, before you make any changes to your system, please ensure you have a good backup of the system and a tested back-out script for your changes.
Services: (Permissions review, modification of permissions, and auditing of services)

The permissions that can be applied to a service appear in subinacl output as single-letter codes; the examples below decode them. The piece of information you will need to view the DACL (Discretionary Access Control List) and the SACL (Security Access Control List, used in auditing) is the service name. You can obtain the service name by using the services.msc MMC snap-in. Let's take as an example the Alerter service and what its DACL is on a Windows XP workstation.

    subinacl /verbose=1 /service Alerter /display=dacl
    =================
    +Service Alerter
    =================
    /perm. ace count =4
    /grant=system=lqsetopiu
    /grant=builtin\administrators=f
    /grant=authenticated users=lqseiu
    /grant=builtin\power users=lqsetopiu
    Elapsed Time: 00 00:00:00
    Done: 1, Modified 0, Failed 0, Syntax errors 0
    Last Done : Alerter

Therefore the permissions for the following groups are:

System: Read Control, Query Service Configuration, Query Service Status, Enumerate Dependent Services, Start, Stop, Pause/Continue Service, Interrogate Service, Service user-defined control commands.
Administrators: Full Control (which includes all the commands).
Authenticated Users: Read Control, Query Service Configuration, Query Service Status, Enumerate Dependent Services, Interrogate, Service user-defined control commands.
Power Users: Read Control, Query Service Configuration, Query Service Status, Enumerate Dependent Services, Start, Stop, Pause/Continue, Interrogate, Service user-defined control commands.

Now ask yourself the question: if I put a user or group in the Power Users group on a workstation or server so they can do what they need to do, how do I lock them down or determine what they can touch, service-wise? (On servers you don't give them any access unless in a Terminal Services environment, but on workstations do you really want them starting and stopping multiple services, which might violate your security policy?) Well, the answer is simple: you remove the permissions from the user/group to that service, as shown below. (Let's say for this example I don't want the Power Users to be able to stop, start, or pause and continue the Alerter service, for security reasons.)

    subinacl /verbose=1 /service Alerter /grant="power Users"=lqseiu

(Note the original permissions were lqsetopiu; all I did was recalculate the permissions, exclude "top", and regrant.) Now to view them, all I do is issue the following command:

    subinacl /verbose=1 /service Alerter /display=dacl
    =================
    +Service Alerter
    =================
    /perm. ace count =4
    /grant=system=lqsetopiu
    /grant=builtin\administrators=f
    /grant=authenticated users=lqseiu
    /grant=builtin\power users=lqseiu
    Elapsed Time: 00 00:00:00
    Done: 1, Modified 0, Failed 0, Syntax errors 0
    Last Done : Alerter

Now Power Users don't have the rights to start, stop or pause/continue the Alerter service. If you need to add a user or group with the rights to start, stop or pause/continue this service, just use the /grant command with the user or group that needs these rights.
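As an added example (not from the original document or from subinacl itself), the following Python parses the /display=dacl output shown above, decodes the letter codes the same way the text does, lists which trustees can start, stop or pause the service, and recalculates the regrant string (lqsetopiu without "top" gives lqseiu). The sample output is a constructed copy of the Alerter listing above; the letter meanings are those given in the text, plus f for Full Control.

```python
import re

# subinacl single-letter service permission codes, as decoded in the text above.
SERVICE_PERMS = {
    "l": "Read Control",
    "q": "Query Service Configuration",
    "s": "Query Service Status",
    "e": "Enumerate Dependent Services",
    "t": "Start",
    "o": "Stop",
    "p": "Pause/Continue",
    "i": "Interrogate",
    "u": "User-defined control",
}
CONTROL_LETTERS = set("top")   # rights that let a principal start, stop or pause a service
FULL_CONTROL = "f"

# One '/grant=<trustee>=<letters>' line of 'subinacl /service X /display=dacl' output.
GRANT_RE = re.compile(r"^/grant=(?P<trustee>.+?)=(?P<letters>[a-z]+)$")

def parse_dacl(output):
    """Return {trustee: letters} for every /grant line in the display output."""
    grants = {}
    for line in output.splitlines():
        m = GRANT_RE.match(line.strip())
        if m:
            grants[m.group("trustee")] = m.group("letters")
    return grants

def decode(letters):
    """Expand a letter string into the permission names the text uses."""
    if letters == FULL_CONTROL:
        return ["Full Control"]
    return [SERVICE_PERMS[c] for c in letters if c in SERVICE_PERMS]

def without(letters, remove):
    """Recalculate a grant string with the given letters excluded."""
    return "".join(c for c in letters if c not in remove)

def principals_with_control(grants):
    """Trustees able to start, stop or pause the service (Full Control included)."""
    return sorted(t for t, l in grants.items()
                  if l == FULL_CONTROL or CONTROL_LETTERS & set(l))

def restrict_command(service, trustee, letters, remove=CONTROL_LETTERS):
    """Build the subinacl regrant command that drops the removed rights for a trustee."""
    return f'subinacl /verbose=1 /service {service} /grant="{trustee}"={without(letters, remove)}'

# Constructed copy of the Alerter DACL listing shown above.
SAMPLE_OUTPUT = """\
=================
+Service Alerter
=================
/perm. ace count =4
/grant=system=lqsetopiu
/grant=builtin\\administrators=f
/grant=authenticated users=lqseiu
/grant=builtin\\power users=lqsetopiu
"""

if __name__ == "__main__":
    grants = parse_dacl(SAMPLE_OUTPUT)
    print("can control service:", principals_with_control(grants))
    print(restrict_command("Alerter", "power Users", grants["builtin\\power users"]))
```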
Now, since we changed the rights to a service, don't you think we should check what the auditing on this service is, and whether it meets our needs? (Yes, this does sound like a good idea to me.) Let's investigate what the SACL (Security Access Control List) is by issuing the following command:

    subinacl /verbose=2 /service Alerter /display=sacl
    +Service Alerter
    /audit ace count =1
    /aace =everyone SYSTEM_AUDIT_ACE_TYPE-0x2 FAILED_ACCESS_ACE_FLAG-0x80 FAILED_ACCESS_ACE_FLAG-0x0x80 SERVICE_ALL_ACCESS
    Elapsed Time: 00 00:00:00
    Done: 1, Modified 0, Failed 0, Syntax errors 0
    Last Done : Alerter

(This means: everyone, failure, all events.)
So if I wanted to audit successful starts, stops and pause/continues of this service by my user account, I would do the following:

    subinacl /verbose=1 /service Alerter /sgrant="domainname\eziots"=top
    Alerter : new ace for DOMAINNAME\eziots
    Alerter : 1 change(s)

    C:\Program Files\Windows Resource Kits\Tools>subinacl /verbose=2 /service Alerter /display=sacl
    +Service Alerter
    /audit ace count =3
    /aace =everyone SYSTEM_AUDIT_ACE_TYPE-0x2 FAILED_ACCESS_ACE_FLAG-0x80 FAILED_ACCESS_ACE_FLAG-0x0x80 SERVICE_ALL_ACCESS
    /aace =Domainname\eziots SYSTEM_AUDIT_ACE_TYPE-0x2 SUCCESSFUL_ACCESS_ACE_FLAG-0x40 SERVICE_START-0x10 SERVICE_STOP-0x20 SERVICE_PAUSE_CONTINUE-0x40

(The first entry was the original; in the second I added myself with success audits of Start, Stop, and Pause/Continue.)

Well, what if I make a mistake and, instead of DOMAINNAME\eziots, I put an account that doesn't exist, like computername\eziots? Here is the fix.

    subinacl /verbose=1 /service Alerter /sgrant="eziots"=top

(This is bad because I have no account on my PC named eziots.) If I issue the following command I will be able to remove this audit ACE.

    subinacl /verbose=1 /service Alerter /sgrant="eziots"=

(This blanks out and removes the bad entry.) These same commands can be applied to any and all installed Windows services; if planned and implemented properly, you can achieve very fine-tuned control and back it up with auditing for your services on both servers and workstations. Think of the possibilities when designing secure server and workstation based solutions.