Monitor Important Windows Security Events using EventTracker
White Paper
Publication Date: Mar 14, 2014
EventTracker
8815 Centre Park Drive
Columbia MD 21045
www.eventtracker.com
EventTracker: Monitor Important Windows Security Events

Abstract

Monitoring Windows security is critical because the operating system continuously records critical security, system and application events in the Windows Security Log. This guide helps you configure monitoring for the most important Windows security events easily and efficiently.

Scope

The configurations detailed in this guide are consistent with EventTracker Enterprise version 7.x and all flavors of the Windows operating system.

Intended Audience

EventTracker users who are assigned the task of monitoring and managing events using EventTracker.

The information contained in this document represents the current view of Prism Microsystems Inc. (Prism) on the issues discussed as of the date of publication. Because Prism Microsystems must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Prism. Prism cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. Prism MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from Prism, as long as its content is unaltered, nothing is added to the content and credit to Prism is provided.

Prism may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Prism Microsystems, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

2010 Prism Microsystems Inc. All rights reserved.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Table of Contents

Windows Security Challenges ... 3
How to monitor Windows Security? ... 3
Critical Windows Security Events ... 3
Audit integrity ... 4
System security ... 4
Admin authority ... 5
Logon/authentication failures ... 6
Certificate authority ... 6
Easy steps to quickly and efficiently monitor Windows security events using EventTracker ... 8
Import Windows security events knowledge pack into EventTracker ... 8
Configure Security Dashboard using imported category ... 8
Execute Log Search from an imported category ... 10
Schedule a report from an imported category ... 12
Benefit of SIEM Simplified Services ... 13
Sample Analysis report ... 14
Windows Security Challenges

Safeguarding Windows is absolutely necessary to defend against attackers, to detect network outages and protocol failures, to detect failed processes, services and batch jobs, to proactively troubleshoot Windows in a production environment and to prevent data from being breached. Windows security is crucial for business productivity, as security breaches can be calamitous. Windows security plays a prime role in preventing disruption by malware and in avoiding becoming a target, so that end users can breathe a sigh of relief.

In most Windows environments audit logs are underutilized. They are often examined only for investigation purposes, and usually after an incident. However, Windows logs, when properly configured and efficiently monitored, have tremendous value. System logging generates vast amounts of data from varying sources. As a result, the process of consolidating, inspecting and analyzing them may be tedious and inefficient. The challenges are compounded by inadequate configuration, resulting in logs being full, overwritten, incomplete and useless.

How to monitor Windows Security?

Auditing for security events on critical computer systems is an essential requirement of a sound security policy. A Windows audit policy defines which security events have success and/or failure actions audited and recorded in the Security log.

Critical Windows Security Events

The critical Windows security events are grouped as follows and must be monitored regularly to ensure that the operating system is intact:

- Audit integrity
- System security
- Admin authority
- Logon/authentication failures
- Certificate authority
Audit integrity

1102 Audit log was cleared - Event 1102 is logged whenever the Security log is cleared, regardless of the status of the Audit System Events audit policy. The Account Name and Domain Name fields identify the user who cleared the log.

4719 Audit policy changed - This computer's system-level audit policy was modified, either via Local Security Policy or Group Policy in Active Directory. According to Microsoft, this event is always logged when an audit policy is disabled, regardless of the "Audit Policy Change" subcategory setting. This and several other events can help identify when someone attempts to disable auditing to cover their tracks.

System security

4739 Domain policy changed - This computer's Security Settings\Account Policy or Account Lockout Policy was modified, either via Local Security Policy or Group Policy in Active Directory. A few other operations can also generate this event, including:
- Raising the domain functional level
- Changing the security option "Network security: Force logoff when logon hours expire"

4704 User right assigned - This event documents a change to user right assignments on this computer, including the right and the user or group that received the new right. Note: "user rights" and "privileges" are synonymous terms used interchangeably in Windows. Rights, like most other security settings, are defined in Group Policy objects and applied by the computer. Therefore this event will normally show the Assigned By user as the system itself. To determine who actually made the rights assignment change you must search the domain controllers' security logs for changes to groupPolicyContainer objects (logged by Directory Service auditing).

4717 Logon Right Granted - This event documents the grant of logon rights such as "Access this computer from the network" or "Logon as a service".

4697 New service installed - A new service was installed by the user indicated in the Subject. The Subject often identifies the local system (SYSTEM) for services installed as part of native Windows components, in which case you cannot determine who actually initiated the installation.

4616 System time changed - This event records the old and new system time as well as who changed it, as specified in the Subject section. Process Information shows the program that was used to change the time; changing the time manually from the taskbar uses rundll.exe, as shown in the example. It is routine to see this event where the Subject is "LOCAL SERVICE" and the process name is "svchost.exe"; such instances can be ignored.

Admin authority

Any authentication event for Administrator:

4775 An account could not be mapped for logon.
4776 The domain controller attempted to validate the credentials for an account. Member servers and workstations also log this event for logon attempts with local SAM accounts.
4777 The domain controller failed to validate the credentials for an account. Since 4776 is logged for both success and failure, there is no need to monitor this event ID separately.
4768 A Kerberos authentication ticket (TGT) was requested - This event is logged on domain controllers only, and both success and failure instances are logged.
4771 Kerberos pre-authentication failed - This event is logged on domain controllers only, and only failure instances are logged.
4772 A Kerberos authentication ticket request failed.

New admin:

4728, 4732, 4756 These events are Active Directory group membership changes logged to the Security event log, where the details include Admins or Administrators.
Caveat: nested groups.
Caveat: password reset / re-enablement on members of

Logon/authentication failures

Failed local account logon:

4625 An account failed to log on - This is a useful event because it documents each and every failed attempt to log on to the local computer, regardless of logon type, location of the user or type of account. Filter hint: Computer Name = Account Domain.

Unusual domain authentication failure:

4768, 4771 with failure code 0xC (workstation restriction) or 0x12 (account disabled, expired, locked out, or outside logon hours).

Certificate authority

4870 Certificate Services revoked a certificate - When an administrator revokes a certificate, the certificate is moved to the Revoked Certificates folder and this event is logged. The reason for revocation is noted below.

4882 The security permissions for Certificate Services changed - This event documents a change to the access control list of the Certification Authority itself.

4885 The audit filter for Certificate Services changed - Windows logs this event whenever you modify the Auditing tab of the Properties dialog of the CA in the Certification Authority MMC snap-in. The Audit tab controls which CA-related events are reported to the security log.

4888 Certificate Services denied a certificate request - This event is logged if either:
- An administrator or other certificate manager denies a pending request. In this case event 4888 is logged in addition to 4868; it may even be logged twice, with 4868 in between.
- The Certification Authority itself denies the request based on policy.
This event is only logged if "Issue and manage certificate requests" is enabled on the Audit tab of the CA's properties in the Certificate Services MMC snap-in and, of course, if the Certificate Services audit subcategory is enabled with auditpol.

4890 The certificate manager settings for Certificate Services changed - This event is logged when you modify the settings in the Certificate Managers tab of the CA Properties dialog in the Certification Authority MMC snap-in.

4891 A configuration entry changed in Certificate Services - Windows logs this event to document changes to Certificate Services registry entries, many of which correspond to properties in the CA Properties dialog of the Certification Authority MMC snap-in.

4892 A property of Certificate Services changed.

4899 A Certificate Services template was updated - Having tested for this event by making changes to certificate templates, I conclude Windows fails to log this event.

4900 Certificate Services template security was updated - Windows logs this event when you modify the ACL on a certificate template.
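As an added example (not part of this white paper or of EventTracker's knowledge pack), the Python triage routine below applies the grouping and the ignore/alert guidance from the sections above to constructed event records: it drops IDs outside the list, suppresses the routine 4616 and the redundant 4777, flags 4768/4771 with status 0xC or 0x12, flags group changes that touch Admins/Administrators, and notes 4625 failures where the account domain equals the computer name. The field names and sample records are assumptions made for this example.

```python
CATEGORIES = {  # event IDs grouped as this paper groups them (constructed lookup, not EventTracker's category file)
    "Audit integrity": {1102, 4719},
    "System security": {4739, 4704, 4717, 4697, 4616},
    "Admin authority": {4775, 4776, 4777, 4768, 4771, 4772, 4728, 4732, 4756},
    "Logon/authentication failures": {4625},
    "Certificate authority": {4870, 4882, 4885, 4888, 4890, 4891, 4892, 4899, 4900},
}
# Kerberos (4768/4771) failure codes the paper singles out as unusual domain authentication failures.
UNUSUAL_KRB_STATUS = {"0xc": "workstation restriction", "0x12": "account disabled/expired/locked out/logon hours"}
GROUP_CHANGE_IDS = {4728, 4732, 4756}

def classify(ev):
    """Return {'category', 'action', 'note'} for one event dict, or None if the ID is not monitored.
    Field names (EventID, SubjectUserName, ...) are assumed names chosen for the constructed records below."""
    eid = ev["EventID"]
    cat = next((c for c, ids in CATEGORIES.items() if eid in ids), None)
    if cat is None:
        return None
    result = {"category": cat, "action": "alert", "note": f"event {eid}"}
    if eid == 4777:  # paper: 4776 already covers success and failure, so 4777 adds nothing
        result.update(action="ignore", note="redundant with 4776")
    elif eid == 4616 and ev.get("SubjectUserName") == "LOCAL SERVICE" \
            and ev.get("ProcessName", "").lower().endswith("svchost.exe"):
        result.update(action="ignore", note="routine time change by LOCAL SERVICE via svchost.exe")
    elif eid in (4768, 4771):
        status = ev.get("Status", "").lower()
        if status in UNUSUAL_KRB_STATUS:
            result["note"] = "unusual domain authentication failure: " + UNUSUAL_KRB_STATUS[status]
        else:
            result.update(action="log", note="Kerberos ticket event without an unusual status code")
    elif eid in GROUP_CHANGE_IDS:
        group = ev.get("TargetGroup", "")
        if "admin" in group.lower():  # paper: Admins/Administrators; nested groups are a caveat
            result["note"] = f"new admin: member added to {group}"
        else:
            result.update(action="log", note=f"membership change on non-admin group {group}")
    elif eid == 4625 and ev.get("AccountDomain") == ev.get("ComputerName"):
        result["note"] = "failed logon with a local SAM account (account domain equals computer name)"
    return result

def triage(events):
    return [f for f in map(classify, events) if f and f["action"] == "alert"]

# Constructed sample records (not real log data); 4624 is outside the paper's list and is dropped.
SAMPLE = [
    {"EventID": 1102, "SubjectUserName": "jsmith"}, {"EventID": 4777}, {"EventID": 4624},
    {"EventID": 4616, "SubjectUserName": "LOCAL SERVICE", "ProcessName": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 4771, "TargetUserName": "jsmith", "Status": "0x12"},
    {"EventID": 4728, "TargetGroup": "Administrators", "MemberName": "bob"},
    {"EventID": 4625, "AccountDomain": "WS01", "ComputerName": "WS01"},
]
```

Running triage(SAMPLE) yields four findings (1102, 4771, 4728, 4625); the 4616 and 4777 records are suppressed and 4624 is not in the monitored set.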
Easy steps to quickly and efficiently monitor Windows security events using EventTracker

Download the Windows security events category file and import it into EventTracker via the EventTracker Control Panel. Use this category file to create reports and log searches and in the security dashboard. The detailed steps are given below.

Import Windows security events knowledge pack into EventTracker

1. Launch EventTracker Control Panel.
2. Double click Import Export Utility, then click the Import tab.
3. To import the category, click the Category option, and then click the browse button.
4. Locate the Windows Security.iscat file, and then click the Open button.
5. Click the Import button to import the categories.
6. To import alerts, click the Alerts option, and then click the browse button.
7. Locate the Windows Security.isalt file, and then click the Open button.
8. Click the Import button to import the alerts.

Configure Security Dashboard using imported category

1. Log on to EventTracker Enterprise.
2. Select the Dashboard menu and then select Security.
3. To configure the Security Dashboard, select the Security drop-down, and then select Configure.
Figure 1

The Configure Dashlets window displays.

4. Enter the Title of the dashlet.
5. Select the Category tab and search for the category Windows Security.
6. Select the Systems icon and search for the selected systems.
7. Click the Configure button.
8. Select the Security drop-down, and then select Customize. The Available dashlets window displays.

Figure 2

9. Select the Windows security option, and then click the Add button. The respective details display in the Security dashlet.
Figure 3

Execute Log Search from an imported category

1. Log on to EventTracker Enterprise.
2. Select the Search menu. The Log Search window displays.
3. In the right pane, expand the All categories node.
4. Scroll down and expand the Windows node.
5. Select Windows security and then select the Go button.
Figure 4

The resultant output displays.
Figure 5

Schedule a report from an imported category

1. Log on to EventTracker Enterprise.
2. Click the Reports menu and then select Dashboard.
3. In the Reports Dashboard pane, click the New button. The EventTracker :: Reports window displays.
4. Select the Operations tab, and expand the Windows group.
5. Select the imported category Windows security, and then click the Scheduled button. The Reports Wizard displays.
6. Click the Next >> button.
7. Select the Groups/Systems/All Systems for analysis, and then click the Next >> button.
8. Select the Schedule report and More options, and then click the Next >> button.
9. Enter the Refine and Filter criteria, and then click the Next >> button.
10. Enter the Title and description for the analysis, and then click the Next >> button.
11. Cross-check the Disk cost analysis details.
12. Configure the Publishing options as required, and then click the Next >> button.
13. Click the Schedule button. EventTracker displays a message box.

Benefit of SIEM Simplified Services

SIEM Simplified is our professional services engagement to enhance the value of the EventTracker Enterprise and EventTracker Security Center products. Our experienced staff assumes responsibility for all SIEM-related tasks, including daily incident reviews, daily/weekly log reviews, configuration assessments, incident investigation support and audit support. We augment your IT team, allowing you to remain focused on the unique requirements of your enterprise while actively leveraging our expertise. Our team takes responsibility for configuring the relevant reports, alerts, log searches and security dashboards, and finally notifies customers with a summary report.
Sample Analysis report
Detail Report