Auditing Windows & Active Directory Changes via Windows Event Logs

This document takes a lightweight look at the steps and considerations involved in setting up Windows and/or Active Directory event log auditing. Setting up event log auditing is required for implementation of any event management solution that relies on Windows event logs, such as SIEMs (Security Incident and Event Management) and other log management systems.

This document is not intended to be a technical reference or an otherwise complete analysis. It will aim to identify some of the considerations and complexity related to Windows event logging. And, of course, point out along the way where NetVision's approach gets better results.

Generally speaking, event log auditing can be configured in four easy steps:

1. Determine Which Events You Need
2. Enable Auditing on Desired Objects
3. Configure Event Log Settings
4. Configure Event Management Solution

LOL!

Step 1 Determine Which Events You Need

Understanding which events you need to keep track of, and their associated event IDs, is critical to capturing a full audit trail from the Windows event log. For example, you might want to capture security group membership changes. A quick web search may lead you to the 632 event.

NetVision provides a complete set of templates and tools to track the changes you need without the need to understand Event IDs or log limitations.

632 - Security Enabled Global Group Member Added

But keep in mind that 632 events don't tell the whole story. They only apply to Windows Server 2003 (and prior), and there are a number of other events in Server 2003 also related to group membership changes:

631 - Security Enabled Global Group Created
632 - Security Enabled Global Group Member Added
633 - Security Enabled Global Group Member Removed
634 - Security Enabled Global Group Deleted
635 - Security Enabled Local Group Created
636 - Security Enabled Local Group Member Added
637 - Security Enabled Local Group Member Removed
638 - Security Enabled Local Group Deleted
639 - Security Enabled Local Group Changed
641 - Security Enabled Global Group Changed
658 - Security Enabled Universal Group Created
659 - Security Enabled Universal Group Changed
660 - Security Enabled Universal Group Member Added
661 - Security Enabled Universal Group Member Removed
662 - Security Enabled Universal Group Deleted
668 - Group Type Changed

2011 NetVision

NOTE: Each version of Windows has a slightly different set of events and event behavior. It is important to consult the documentation for each version represented in your environment.

QUIZ? Which attributes are tracked with a group changed 639, 641, or 659 event? Hint: samaccountname was added for Windows 2003

As the administrator of a system collecting audit logs from Active Directory, you should be very comfortable with the difference between Global, Local, and Universal Groups. And you need to be aware that a report on all group membership changes would need to include numerous event IDs. You'll need to find a good resource on which attributes get picked up by which events. Many attribute changes aren't audited at all by these events. If, for example, someone changes the description field of a security group to make that group look more innocuous, that change would not be logged by any of the preceding security events.

Windows Server 2008 adds a number of event IDs that would be required for full coverage of group changes in a mixed environment.

You may also see a number of events showing up in the logs associated to Security Disabled groups. As a professional AD administrator, you know these are simply distribution groups, but if you have business owners or auditors reviewing log reports or providing attestation of changes and rights, you'll need to distinguish between group types and the related security implications.

In Windows 2008, things change quite a bit as Microsoft introduced four-digit event IDs and subcategories for the main audit categories.

The good news about subcategories is that you get some basic control, which you don't have in Server 2003, over the flow of events coming through the event log. For example, computer account changes don't have to be treated the same as user account changes. The bad news is that it is not as simple as a few mouse clicks. And control is only granted at that very coarse level. You still don't have the ability to filter based on a subset of user accounts or groups, which can be critical functionality.

NetVision makes filtering Easy!

Management of subcategories in Windows Server 2008 is done through a command-line tool (auditpol.exe) and any behaviors that are set must be applied to each DC because the subcategories are not implemented via GPOs. It is possible, though, to script the audit changes and deploy to the DCs via a GPO deployment script.

Wait... what?

Below are the Windows 2008 Audit subcategory events that are most important for security access-related event monitoring.

Windows 2008 Audit Category: Account Management

Subcategories:
User account management
Computer account management
Security group management
Distribution group management
Application group management
Other account management events

QUIZ? What is the precise list of event IDs required to capture Security Group membership changes across a mixed 2003 and 2008 environment?

Subcategory: Security Group Management
4727 - A security-enabled global group was created.
4728 - A member was added to a security-enabled global group.
4729 - A member was removed from a security-enabled global group.
4730 - A security-enabled global group was deleted.
4731 - A security-enabled local group was created.
4732 - A member was added to a security-enabled local group.
4733 - A member was removed from a security-enabled local group.
4734 - A security-enabled local group was deleted.
4735 - A security-enabled local group was changed.
4737 - A security-enabled global group was changed.
4754 - A security-enabled universal group was created.
4755 - A security-enabled universal group was changed.
4756 - A member was added to a security-enabled universal group.
4757 - A member was removed from a security-enabled universal group.
4758 - A security-enabled universal group was deleted.
4764 - A group's type was changed.

Write these down... you may need them

Subcategory: User Account Management
4720 - A user account was created.
4722 - A user account was enabled.
4723 - An attempt was made to change an account's password.
4724 - An attempt was made to reset an account's password.
4725 - A user account was disabled.
4726 - A user account was deleted.

4738 - A user account was changed.
4740 - A user account was locked out.
4765 - SID History was added to an account.
4766 - An attempt to add SID History to an account failed.
4767 - A user account was unlocked.
4780 - The ACL was set on accounts which are members of administrators groups.
4781 - The name of an account was changed.
4794 - An attempt was made to set the Directory Services Restore Mode.
5376 - Credential Manager credentials were backed up.
5377 - Credential Manager credentials were restored from a backup.

Windows 2008 Audit Category: Directory Service Access

Subcategories:
Directory service access
Directory service changes
Directory service replication
Detailed directory service replication

QUIZ? If a user is added to a group, will you see the change in a 4738 event?

New for Server 2008, under the Directory Service Changes subcategory, Windows can generate events which capture before and after values related to directory object changes. Note, however, that there are actually two events generated: one with the previous value and one with the new value. This may complicate audit trail reporting and event response.

5136 - Modify: An attribute for an existing object has been modified
5137 - Create: A new object has been created
5138 - Undelete: An object has been undeleted
5139 - Move: An object has been moved

Ha ha - "may" complicate?

Note that a 5136 event will not capture create, delete, undelete or move events, even though those events may logically be thought to be changes. So, set expectations on reports accordingly. The delete event below is available only in Windows Vista Service Pack 1 and in Windows Server 2008, so be sure systems are up to date if you intend to rely on the audit trail of delete events.

NetVision captures full before & after values on ANY attribute changes in a single event along with WHO did it for real-time remediation.

5141 - A directory service object was deleted
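As an added example (not code from the whitepaper or from NetVision), the following Python normalises security-group membership events from a mixed Server 2003 / 2008 domain into one stream and returns the full ID set the quiz above asks for; it relies on the relationship visible in the two lists above, that each Server 2008 ID is the Server 2003 ID plus 4096. The record field names (EventID, TargetGroup, Member, Actor, DC) are simplified placeholders, not the real event schema, and the sample records are constructed.

```python
"""Normalising security-group membership events from a mixed Windows Server
2003 / 2008 domain. Added example; the records below are constructed with
simplified field names, not the real event schema."""
from dataclasses import dataclass
from typing import Optional

# Server 2003 member add/remove IDs from the whitepaper, keyed to (scope, action).
LEGACY_MEMBERSHIP = {
    632: ("global", "added"),    633: ("global", "removed"),
    636: ("local", "added"),     637: ("local", "removed"),
    660: ("universal", "added"), 661: ("universal", "removed"),
}
# Server 2008 kept the legacy number and added 4096 (632 -> 4728, 660 -> 4756).
LEGACY_OFFSET = 4096
MEMBERSHIP_EVENTS = dict(LEGACY_MEMBERSHIP)
MEMBERSHIP_EVENTS.update(
    {eid + LEGACY_OFFSET: meaning for eid, meaning in LEGACY_MEMBERSHIP.items()})


def membership_event_ids() -> list:
    """Every event ID a mixed 2003/2008 environment must collect to see
    security-group membership changes (the quiz question)."""
    return sorted(MEMBERSHIP_EVENTS)


@dataclass(frozen=True)
class MembershipChange:
    group: str
    member: str
    actor: str
    scope: str           # global / local / universal
    action: str          # added / removed
    legacy_format: bool  # True when the source DC wrote a 2003-style event


def normalise(record: dict) -> Optional[MembershipChange]:
    """Map one raw event to a MembershipChange, or None when the event is a
    group create/delete/change or something unrelated to group membership."""
    meaning = MEMBERSHIP_EVENTS.get(record["EventID"])
    if meaning is None:
        return None
    scope, action = meaning
    return MembershipChange(
        group=record["TargetGroup"], member=record["Member"],
        actor=record["Actor"], scope=scope, action=action,
        legacy_format=record["EventID"] < LEGACY_OFFSET)


def membership_changes(records) -> list:
    """Filter a stream of raw events down to membership changes only."""
    return [c for c in map(normalise, records) if c is not None]


# Constructed sample stream: one 2003 DC, one 2008 DC, plus two non-membership events.
SAMPLE_RECORDS = [
    {"EventID": 632, "TargetGroup": "Domain Admins", "Member": "jdoe",
     "Actor": "helpdesk1", "DC": "DC2003"},
    {"EventID": 4737, "TargetGroup": "Domain Admins", "Member": "",
     "Actor": "helpdesk1", "DC": "DC2008"},        # group changed, not membership
    {"EventID": 4756, "TargetGroup": "Finance-Universal", "Member": "svc-backup",
     "Actor": "admin2", "DC": "DC2008"},
    {"EventID": 4738, "TargetGroup": "", "Member": "",
     "Actor": "admin2", "DC": "DC2008"},           # user account changed
]

if __name__ == "__main__":
    print("collect these IDs:", membership_event_ids())
    for change in membership_changes(SAMPLE_RECORDS):
        print(change)
```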

An important note on use of the Server 2008 event subcategories: To set any subcategory event behavior to differ from the main audit category settings, a command line tool called auditpol.exe must be used.

Things to consider before using auditpol.exe to set subcategory audit settings
From: http://support.microsoft.com/kb/921469

The procedure assumes that:
o You are familiar with the following technologies and tools: Group Policy startup scripts, Group Policy Management Console, the Auditpol.exe command-line tool
o You have a basic understanding of batch file processing.
o You are familiar with the scripts that the procedure uses to override legacy domain-based audit policy settings with the detailed audit policy settings that are available in Windows Vista.

Ouch! this is a lot of work

If you do not want to configure the detailed audit policy settings that are available in Windows Vista, do not use the procedure that this article discusses.

A legacy policy overwrites the auditpol settings only if the auditpol settings are defined explicitly in the legacy policy. This behavior is by design. Additionally, if the auditpol settings are specified as No auditing or as not defined, the auditpol settings have precedence and are not overwritten by the legacy policy.

NOTE: If you encounter an issue where the command line instructions you sent are no longer applied after a reboot, please refer to KB 971259 for instructions on applying the Hotfix to each of the servers that you intend to audit.

In some cases, Account Name, Account Domain, and Security ID fields are not populated in event ID 5136 for "Directory Service Changes" on a computer that is running Windows Server 2008. A hotfix is available. See: http://support.microsoft.com/kb/975696.

Please keep in mind that events will only be generated for AD objects if the object's audit policy has auditing enabled for the properties or actions involved and for the user performing the action or a group to which the user belongs. (See next section for details.)

ALERT! Windows event logs may generate numerous log events for a single real-world action.

So, event IDs, patches, audit policies, command line tools... this is getting complicated!

Step 2 Enable Auditing on Desired Objects

Once you have selected the event types that apply to your organization, you need to also ensure that the objects which you want to monitor are configured correctly for auditing. Just as selecting event IDs is complicated, understanding and configuring objects for audit is also complicated and difficult to maintain over time.

Typically, enabling audit on directory objects is as simple as enabling Audit Account Management in the appropriate GPO. Keep in mind, though, that audit settings differ slightly in various versions of Windows, so if you have a mixed environment, be sure to consult each version's documentation for appropriate audit settings. And be sure that the GPO is configured appropriately on each Active Directory Domain Controller.

NetVision's approach eliminates the need to manage audit settings across both directory and file system objects.

In situations where you're looking for a more refined solution, perhaps filtering out computer account changes, refer to the above discussion of Server 2008 subcategories. Additionally, you can utilize ADSIEdit to apply a "don't audit" flag on attributes that you'd like to have filtered out of auditing. Note that this removes ALL auditing of that attribute for ALL objects. You cannot distinguish, for example, between high-risk user accounts and other accounts.

To enable auditing of Active Directory objects in Server 2003:
From: http://support.microsoft.com/kb/814595

Configure an audit policy setting for a domain controller. When you configure an audit policy setting, you can audit objects but you cannot specify the object you want to audit.

Configure auditing for specific Active Directory objects. After you specify the events to audit for files, folders, printers, and Active Directory objects, Windows Server 2003 tracks and logs these events.

You must grant the Manage Auditing and Security Log user right to the computer where you want to either configure an audit policy setting or review an audit log. By default, Windows Server 2003 grants these rights to the Administrators group.

The size of the Security log is limited. Because of this, Microsoft recommends that you carefully select the files and the folders that you want to audit. Also consider the amount of disk space that you want to devote to the Security log. The maximum size is defined in Event Viewer.

There are many articles that discuss the intricacies of enabling auditing on Windows objects. This one helps you determine the effective audit policy in Windows 2008 based on all the various ways to apply audit settings: http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx

The author makes the point that you should not trust any of the Group Policy reporting tools when it comes to audit settings.

That doesn't make me feel good

Step 3 Configure Event Log Settings

Once you have your events selected and auditing is enabled on all in-scope objects, the next step is to configure settings on the event logs themselves to support the expected behavior. Some of the configuration options that you'll need to consider and configure include:

Log File Path
Enables you to select a location to which the event logs will be written. If you're planning to integrate with a log collecting solution, you may need or want to set the log file path for logs on each in-scope server.

NetVision requires no audit policy configuration, attribute changes, command line programming, or event log configuration. And gets more reliable event data.

Security on Event Logs
Be sure to consider event log security so that advanced users looking to cover their tracks cannot clear logs which may hold vital evidence. If the log security policy is not enabled, all authenticated users would have access to write & clear application logs. System and Security logs can, by default, be cleared by system software or system administrators.

Maximum Log Size, Retain Old Events, and Backup Log Automatically When Full
These settings enable you to control how large the log files will grow and what happens when they reach their maximum. This is critical because logs need to be efficiently handled by log collection systems. A 2TB log file will be difficult to manage. However, you also don't want logs to roll over too quickly, since you might lose some event data as a result. Be sure to consider disk space, bandwidth, scheduling of event collection, CPU performance, memory, etc. when applying these settings.

Some things to consider relevant to event log configuration
From: http://technet.microsoft.com/en-us/library/dd349798(ws.10).aspx

By default, when event logs fill to capacity, the computer overwrites the oldest entries with the most recent ones. To mitigate the risk of loss of older data, you can configure the computer to automatically back up the log when it is full.

If you significantly increase the number of objects to audit in your organization and if you enabled the Audit: Shut down system immediately if unable to log security audits setting, there is a risk that the Security log will reach its capacity and force the computer to shut down.

Retaining old events introduces a greater risk of both a DoS attack by filling up the event log and an evidence obfuscation method by preventing critical information about an attack from being logged due to lack of space.

Users, both legitimate and illegitimate, who are attempting to hide evidence of prohibited activities, could clear the event logs that could be used against them.

NetVision collects event information independently from the event logs, thereby eliminating a number of risks such as event clearing and rollover.

QUIZ? How many events are collected before your event logs roll over and begin deleting old events?

Step 4 Configure Event Management Solution

This step will differ for each solution and we're not going to attempt to identify every step for every solution. In general, here are a few of the considerations:

Register for appropriate Events
We discussed Event IDs earlier. Be sure all relevant events are configured in the event management solution. And, when possible, that unwanted events are filtered out.

Event Response
Ideally, you'll have complete control over event response based on Who, What, When, and Where, with the ability to select whether the system will generate alerts, remediation tasks, open help desk tickets, or other responses.

NetVision provides industry-leading event selection & filtering, putting you in full control over which responses will be generated for which events.

Event Correlation
Since many actions generate multiple log events, it is important in many solutions to configure correlation rules so that you don't get too many events reported or lose critical information by not correlating important events such as before and after values of a change. You must also accommodate the limited subset of object/attribute changes and actions that are written to the event log.
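To show how the paired 5136 events described under Event Correlation (one carrying the previous value, one the new value) can be folded back into a single before/after record, here is an added Python example that is not part of the whitepaper or NetVision's product. The event field names (OpCorrelationID, OperationType, AttributeLDAPDisplayName, AttributeValue, SubjectUserName) and the Value Added / Value Deleted codes are assumed from the 5136 event data and should be checked against your own logs; the sample events are constructed.

```python
"""Correlating paired 5136 "Directory Service Changes" events into one
before/after change record. Added example; events below are constructed and
the field names are an assumption about the 5136 event data layout."""
from collections import defaultdict

VALUE_ADDED = "%%14674"    # OperationType resource string for "Value Added" (assumed)
VALUE_DELETED = "%%14675"  # OperationType resource string for "Value Deleted" (assumed)


def correlate_5136(events):
    """Fold the two halves of an attribute modification (old value deleted,
    new value added) into one record, keyed by the operation correlation ID,
    object and attribute. Returns (changes, unpaired): 'changes' carry both
    values; 'unpaired' saw only one half, which is what you get when the
    attribute was previously empty or was cleared, or when the partner event
    was lost to log rollover or clearing."""
    halves = defaultdict(dict)
    for ev in events:
        if ev["EventID"] != 5136:
            continue  # 5137/5138/5139/5141 are not attribute modifications
        key = (ev["OpCorrelationID"], ev["ObjectDN"], ev["AttributeLDAPDisplayName"])
        slot = "after" if ev["OperationType"] == VALUE_ADDED else "before"
        halves[key][slot] = ev["AttributeValue"]
        halves[key]["who"] = ev["SubjectUserName"]
    changes, unpaired = [], []
    for (_corr, dn, attr), parts in halves.items():
        record = {"object": dn, "attribute": attr, "who": parts["who"],
                  "before": parts.get("before"), "after": parts.get("after")}
        (changes if "before" in parts and "after" in parts else unpaired).append(record)
    return changes, unpaired


GROUP_DN = "CN=Finance,OU=Groups,DC=example,DC=com"  # constructed

# Constructed sample: a description change (the case the whitepaper notes the
# group-management events miss), an unpaired 'info' value, and a 4738 to ignore.
SAMPLE_EVENTS = [
    {"EventID": 5136, "OpCorrelationID": "{c1}", "ObjectDN": GROUP_DN,
     "AttributeLDAPDisplayName": "description", "AttributeValue": "Finance team",
     "OperationType": VALUE_DELETED, "SubjectUserName": "jdoe"},
    {"EventID": 5136, "OpCorrelationID": "{c1}", "ObjectDN": GROUP_DN,
     "AttributeLDAPDisplayName": "description", "AttributeValue": "Printer operators",
     "OperationType": VALUE_ADDED, "SubjectUserName": "jdoe"},
    {"EventID": 5136, "OpCorrelationID": "{c2}", "ObjectDN": GROUP_DN,
     "AttributeLDAPDisplayName": "info", "AttributeValue": "approved by CAB",
     "OperationType": VALUE_ADDED, "SubjectUserName": "jdoe"},
    {"EventID": 4738},  # user account changed; skipped before any other key is read
]

if __name__ == "__main__":
    paired, single = correlate_5136(SAMPLE_EVENTS)
    for rec in paired:
        print("CHANGE", rec)
    for rec in single:
        print("UNPAIRED", rec)
```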

Final Thoughts

Do I need an Event Management solution at all?

You, of course, have the option to refrain from implementing any solution to assist with event monitoring, but logs are limited in size and manageability. If access to historical event data or even recent activity audit trails is important, you'll almost certainly need to centrally collect and manage events, making it possible to report across numerous servers and allowing for centralized control of event response.

Minimizing Event Noise

(a real problem) to say the least!

FROM:
http://blogs.msdn.com/b/ericfitz/archive/2008/09/04/minimizing-directory-service-audit-event-noise.aspx
http://blogs.msdn.com/b/ericfitz/archive/2005/01/11/350848.aspx

Object access audit is generated when the system access control list (SACL) on the object matches the access that was performed on ALL of the following conditions:

1. Object - the object that was accessed must have either an explicit or inherited SACL. The access performed is compared against the ACEs in that SACL.
2. Success or failure of activity - every audit access control entry (ACE) in a SACL will be either of type AUDIT_SUCCESS or AUDIT_FAILURE. The access performed must match the access type of the ACE for the rest of the ACE to be considered.
3. User account - the accessing user's token is compared against each ACE matching the access type. If the user, or a group the user belongs to, matches the SID in the ACE, then an audit might be generated.
4. Access - the access being performed must match the audited accesses in the access mask in an otherwise matching ACE.

Audit only the objects that you care about. User accounts and groups already are well-audited with "Account Management" auditing, so don't audit them with DS access. Perhaps audit OUs, or other DS objects. Use the Object Type and attribute type restrictions that you have in DS Access auditing. Also, in Windows Server 2008, you can affect auditing on a per-object basis by adjusting the SearchFlags attribute in the AD schema for the object. SACLs are more easily reversed so are probably a more acceptable method of controlling audit for most organizations.

Audit only the accesses that you care about. Specifically, read accesses occur much more often (in my experience, a conservative estimate is about a 100:1 ratio) than write accesses. If you restrict your auditing to "write" type accesses (including change, delete, change permissions, create, etc.) then you will end up generating far fewer events. Auditing for read access is very noisy. If you must audit for reads, consider auditing fewer objects, perhaps only auditing reads on the container object instead of the objects in the container, or on one "interesting" object in any given container as a "canary".
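The four SACL matching conditions above, modelled in Python as an added example (not code from the whitepaper or from the cited articles), together with a constructed workload at the 100:1 read-to-write ratio quoted above to show why auditing reads is noisy. SIDs, object DNs and the access-mask bit values are constructed placeholders, not the real Active Directory rights constants.

```python
"""Model of the four conditions under which an object-access audit is generated
(SACL present, ACE type matches success/failure, SID in token, access mask
overlaps), plus a noise comparison for read vs. write auditing. Added example;
SIDs, DNs and mask bits are constructed placeholders."""
from dataclasses import dataclass, field
from typing import List, Optional

AUDIT_SUCCESS, AUDIT_FAILURE = "AUDIT_SUCCESS", "AUDIT_FAILURE"
# Constructed access-mask bits standing in for the real directory rights.
READ, WRITE, DELETE, WRITE_DAC, CREATE_CHILD = 0x1, 0x2, 0x4, 0x8, 0x10
WRITE_LIKE = WRITE | DELETE | WRITE_DAC | CREATE_CHILD  # "write type" accesses


@dataclass(frozen=True)
class AuditAce:
    ace_type: str          # AUDIT_SUCCESS or AUDIT_FAILURE   (condition 2)
    sid: str               # user or group SID                (condition 3)
    access_mask: int       # accesses this ACE audits         (condition 4)
    inheritable: bool = True


@dataclass
class DsObject:
    dn: str
    explicit_sacl: List[AuditAce] = field(default_factory=list)
    parent: Optional["DsObject"] = None

    def effective_sacl(self) -> List[AuditAce]:
        """Condition 1: explicit ACEs plus inheritable ACEs from every ancestor."""
        aces = list(self.explicit_sacl)
        node = self.parent
        while node is not None:
            aces += [a for a in node.explicit_sacl if a.inheritable]
            node = node.parent
        return aces


def audit_generated(obj: DsObject, token_sids, access_mask: int, succeeded: bool) -> bool:
    """True when some ACE in the effective SACL satisfies conditions 2, 3 and 4."""
    wanted = AUDIT_SUCCESS if succeeded else AUDIT_FAILURE
    for ace in obj.effective_sacl():
        if ace.ace_type != wanted:
            continue
        if ace.sid not in token_sids:
            continue
        if ace.access_mask & access_mask:
            return True
    return False


def count_audits(obj: DsObject, accesses) -> int:
    """accesses: iterable of (token_sids, access_mask, succeeded) tuples."""
    return sum(audit_generated(obj, sids, mask, ok) for sids, mask, ok in accesses)


EVERYONE = "S-1-1-0"
USER_SID = "S-1-5-21-1-1-1-1001"  # constructed
# Constructed tree: an OU with an inheritable write-only audit ACE, and one with
# reads audited too; a user object sits under each.
OU_WRITE_ONLY = DsObject("OU=Staff,DC=example,DC=com",
                         [AuditAce(AUDIT_SUCCESS, EVERYONE, WRITE_LIKE)])
USER = DsObject("CN=jdoe,OU=Staff,DC=example,DC=com", parent=OU_WRITE_ONLY)
OU_READ_TOO = DsObject("OU=Noisy,DC=example,DC=com",
                       [AuditAce(AUDIT_SUCCESS, EVERYONE, WRITE_LIKE | READ)])
NOISY_USER = DsObject("CN=asmith,OU=Noisy,DC=example,DC=com", parent=OU_READ_TOO)

# Constructed workload at the 100:1 read-to-write ratio, all accesses successful.
WORKLOAD = ([({EVERYONE, USER_SID}, READ, True)] * 100
            + [({EVERYONE, USER_SID}, WRITE, True)])

if __name__ == "__main__":
    print("write-only SACL audits:", count_audits(USER, WORKLOAD))        # 1
    print("read+write SACL audits:", count_audits(NOISY_USER, WORKLOAD))  # 101
```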

How are Object Access Events Generated?

This article describes the complexity of how object events are generated and the differences between results from different applications: http://blogs.msdn.com/b/ericfitz/archive/2006/10/26/how-are-object-access-events-generated.aspx

Understanding the differences will be an important part of evaluating the event information you collect.

ALERT! You may see different event log event behavior for the same set of actions if a different application is being used.

Conclusion

At the end of the day, there is significant initial and on-going effort required just to start generating the right events in your Windows Event Log. You may find that multiple events for a given action cause confusion when trying to figure out what actually happened. You have limited data since not all events show up in the logs, inability to filter without extensive (typically prohibitively so) manual configuration, inability to respond based on what changed, who did it, where something happened, etc. And there is a significant on-going effort, education, and infrastructure requirements to keep the logs accurate and complete over time.

Hopefully, if you go through all of that effort and implement the right event management solution, you'll have a way to generate the reports you need without just spitting out the event log data in its raw format, which is clearly not optimized for human consumption.

Now that's an understatement!

An Alternative Approach

NetVision's approach to event management and response eliminates the need to worry about Windows event logs. NetVision event collection happens at the source, getting better information, more complete data, in a more reliable and easier to manage approach. This advanced, patented event collection, coupled with industry leading event filtering and event response, makes NetVision the obvious solution. But the best part is that the ownership effort is near zero. And NetVision integrates with SIEM/log management solutions so that you can incorporate NetVision's clean, complete event information into your existing enterprise solution.

Find out more: www.netvision.com

Finally, some good news!...music to my ears