Windows Log Monitoring Best Practices for Security and Compliance




Table of Contents

Introduction
Overview
Major Security Events and Policy Changes
  Major Security Events and Policy Changes: Active Directory and Member Server
Active Directory and Member Server Compliance Events of Interest
  Active Directory General Object Changes
  Active Directory and Local Server Group Member Additions
  Active Directory and Local Server Group Member Deletions
  Active Directory and Local Users New or Enabled
  Active Directory and Local Users Deleted or Disabled
  Active Directory Group Policy Change
  Active Directory Permission Changes
  Active Directory and Local Account Lockouts and Password Resets
  Active Directory and Local Server Other Users, Groups and Computers Changes
Authentication and Logons Compliance Events of Interest
  Domain Account Authentication
  Domain Account Authentication Failure Analysis
  Logons by Server Type

Introduction

This document, and the accompanying document SecureWorks Audit Policy Configuration, is designed to give you greater insight into the Windows logs that need to be collected for security and compliance purposes, and into how to configure your Windows systems to log this information. It is the result of extensive research into the generally accepted best practices for Windows log monitoring, performed in conjunction with SecureWorks' team of audit experts and recognized Windows expert Randy Smith, founder of the Monterey Technology Group and author of Ultimate Windows Security. The information in this document gives you the event IDs and related details necessary for optimum Windows security and compliance.

In addition to this document, SecureWorks has tuned its filters to capture the information outlined here and has created a suite of reports so that you can easily view your Windows events. Reports designated as daily should be scheduled by your organization to run daily for your Windows servers and be reviewed by a member of your team. Reports designated as ad hoc should be run, or scheduled to run, by your organization for periodic review by your team. The Portal also allows you to store each report and digitally sign it for audit purposes.

Each event grouping below is mapped to one of the following SecureWorks reports, which can be accessed, run and scheduled via the Monitoring section of the Report tab in the SecureWorks Client Portal:

  Major Security Events and Policy Changes Daily
  Active Directory and Member Server Compliance Events Daily
  Active Directory and Member Server Compliance Events Ad Hoc
  Authentication and Logons Compliance Events of Interest Ad Hoc

Overview

Windows Event Group | Event Codes | SecureWorks Report Name | Frequency of Review
Major Security Events and Policy Changes: Active Directory and Member Server | 517, 520, 601, 608, 609, 610, 611, 612, 617, 620, 621, 622, 643 | Major Security Events and Policy Changes Daily | Daily
Active Directory and Local Server General Object Changes | 565, 566 | Active Directory and Member Server Compliance Events - Daily | Daily
Active Directory and Local Server Group Member Additions | 632, 636, 650, 655, 660, 665 | Active Directory and Member Server Compliance Events - Daily | Daily
Active Directory and Local Server Group Member Deletions | 633, 637, 651, 656, 661, 666 | Active Directory and Member Server Compliance Events - Daily | Daily
Active Directory and Local Users New or Enabled | 624, 642, 626 | Active Directory and Member Server Compliance Events - Daily | Daily
Active Directory and Local Users Deleted or Disabled | 629, 630, 642 | Active Directory and Member Server Compliance Events - Daily | Daily
Active Directory Group Policy Change | 565, 566 | Active Directory and Member Server Compliance Events - Daily | Daily
Active Directory and Local Server Permission Changes | 565, 566, 560 | Active Directory and Member Server Compliance Events - Daily | Daily
Active Directory and Local Account Lockouts and Password Resets | 642, 644, 671, 627, 628 | Active Directory and Member Server Compliance Events Ad Hoc | Ad Hoc
Active Directory and Local Server Other Users, Groups and Computers Changes | 642, 685, 635, 631, 658, 648, 653, 663, 641, 639, 659, 649, 654, 664, 638, 634, 662, 652, 657, 667, 668, 645, 646, 647 | Active Directory and Member Server Compliance Events Ad Hoc | Ad Hoc
Domain Account Authentication | 672 | Authentication and Logons Compliance Events of Interest Ad Hoc | Ad Hoc
Domain Account Authentication Failure Analysis | 672, 675, 676, 681 | Authentication and Logons Compliance Events of Interest Ad Hoc | Ad Hoc
Failed Logons by Server Type | 529, 530, 531, 532, 533, 534, 535, 536, 537, 539 | Authentication and Logons Compliance Events of Interest Ad Hoc | Ad Hoc

Major Security Events and Policy Changes

Major Security Events and Policy Changes: Active Directory and Member Server
Category: Account Management, System Events, Privilege Use, Policy Change
Role: Member Servers and Domain Controllers
o Report Name: Major Security Events and Policy Changes Daily

Report columns: Computer, Event ID, Event/Change, Performed By.

Event ID | Event/Change | Performed By
517 | Security log cleared | Client Domain\Client User Name:
520 | System time changed (Previous Time: 7:09:19 PM 8/5/2004; New Time: 7:10:18 PM 8/5/2004) | Client Domain\Client User Name:
601 | Attempt to install service (Service Name: SNMPTRAP; Success/Failure) | By: Domain\User Name:
608 | User Right Assigned (Right: SeUndockPrivilege; Assigned To: Domain\User) | Assigned By: Domain\User Name:
609 | User Right Removed (Right: SeUndockPrivilege; Removed From: Domain\User) | Assigned By: Domain\User Name:
610 | New Trusted Domain (Trust Type: see translation guidance below) | Established By: Domain\User Name:
611 | Trusted Domain Removed | Domain\User Name:
620 | Trusted Domain Information Modified | Modified By: Domain\User Name:
612 | Audit Policy Changed (New Policy: see below) | n/a
617 | Kerberos Policy Changed (Change: see below) | n/a
621 | System Security Access Granted (Account: Domain\User; Access: SeRemoteInteractiveLogonRight) | n/a
622 | System Security Access Removed (Account: Domain\User; Access: SeRemoteInteractiveLogonRight) | n/a
643 | Domain Policy Changed | Changed By: Domain\User Name:

Trust Type translation guidance (event 610):

Field value | Display
1 | 1 - Trusted (the domain where this event was logged accepts the identity of users of the new domain)
2 | 2 - Trusting (the new domain accepts the identity of users of the domain where this event was logged)
3 | 3 - Two-way (mutual trust)

See: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/microsoft_domaintruststatus.asp
And: http://msdn2.microsoft.com/en-us/library/system.directoryservices.activedirectory.trusttype.aspx

New Policy display (event 612), shown as Success/Failure per audit category:
  + + Logon/Logoff
  + + Object Access
  + + Privilege Use
  - - Account Management
  + + Policy Change
  + + System
  - - Detailed Tracking
  + + Directory Service Access
  + + Account Logon

Change display (event 617): '-' means no changes; otherwise each change is shown as <ParameterName>: <new value> (<old value>). For example: KerOpts: 0x80 (none); KerMinT: 0x53d1ac1000 (none); KerMaxT: 0x53d1ac1000 (none); KerMaxR: 0x58028e44000 (none); KerProxy: 0xb2d05e00 (none); KerLogoff: 0x9ef7800000000 (none).

Entries in this group indicate major changes to the security configuration of the indicated server, or a high-severity security event such as the security log being cleared. The Major Security Events and Policy Changes Daily report should be generated for each server administrator, filtered on the servers under his or her care. Run it daily for evidence of intrusions, misconfigurations or unauthorized changes, and review it with signoff via digital signature through the portal, email acknowledgement or physical signature. Signed reports should be archived. Verify that all entries correspond to legitimate actions by authorized administrators. This group contains Event IDs 517, 520, 601, 608, 609, 610, 611, 612, 617, 620, 621, 622 and 643.

Active Directory and Member Server Compliance Events of Interest

Active Directory General Object Changes

Category: Directory Service
Role: Domain Controllers (only DCs report 565 or 566)
o Report Name: Active Directory and Member Server Compliance Events - Daily

Type column, from Object Type:
  o domaindns = Domain
  o organizationalunit = OU
  o grouppolicycontainer = GPO

Operation column:

Object Type | If present in description | Column contents
Any | WRITE_DAC | Changed permissions
organizationalunit, domaindns or site | Delete Tree | Deleted along with all child objects
organizationalunit, domaindns or site | DELETE | Deleted
organizationalunit, domaindns or site | Write Property and gplist | GPO options or links modified
organizationalunit, domaindns or site | Write Property and gpoptions | GPO options or links modified
grouppolicycontainer | Write Property and version | modified

Changed by column: [Caller Domain]\[Caller User Name:]

This group documents changes made to AD objects. Event Codes of Interest: 565 and 566.

Recommended Report Review and Response: run the Active Directory and Member Server Compliance Events - Daily report daily, and as needed for ad hoc research and analysis. Reports should be reviewed with signoff via digital signature through the portal, email acknowledgement or physical signature. Signed reports should be archived.

Active Directory and Local Server Group Member Additions
Category: Account Management
Role: Domain Controllers
o Report Name: Active Directory and Member Server Compliance Events - Daily

Column | Contents
Group | Target Domain\Target Account Name: (group domain and group name)
Type | Security if "Security Enabled" appears in the description, or if the event ID is 636, 632 or 660; Distribution if "Security Disabled" appears in the description, or if the event ID is 650, 655 or 665
New Member | Member Name:
Added by | Caller Domain\Caller User Name:

If the group's Type is Security, the New Member now has access to any objects where Group is granted permissions and will receive email sent to Group. If the group's Type is Distribution, the New Member will receive email sent to Group.

These logs document new members added to security and distribution groups in Active Directory and on local servers. AD and local server groups are increasingly used as the basis for controlling access to privileged information and transactions in databases and applications, so AD and local group and user activity is usually significant even in the unlikely case that no significant information is stored on Windows file servers. Distribution groups are important to monitor since they are often used to deliver confidential email. The Active Directory and Member Server Compliance Events - Daily report should be reviewed daily, with signoff via digital signature through the portal, email acknowledgement or physical signature. Signed reports should be archived. Check for inappropriate or unauthorized group membership changes.

There are three scopes of groups. A group's scope limits where the group can be granted access and who the group can have as members. These events are collected from domain controllers.

Scope | Explanation | Security Event ID | Distribution Event ID
Domain Local | As a Domain Local group, Group is limited to objects in the local domain. Membership in Group cannot result in access to objects in other domains. | 636 | 650
Global | As a Global group, Group may have access to objects in the local domain and any other trusting domain inside or outside the forest. Membership in Group may result in access to objects in other domains. | 632 | 655
Universal | As a Universal group, Group may have access to objects in the local domain and any other trusting domain inside or outside the forest. Membership in Group may result in access to objects in other domains. | 660 | 665

Active Directory and Local Server Group Member Deletions
Category: Account Management
Role: Domain Controllers
o Report Name: Active Directory and Member Server Compliance Events - Daily

Column | Contents
Group | Target Domain\Target Account Name: (group domain and group name)
Type | Security if the event ID is 637, 633 or 661; Distribution if the event ID is 651, 656 or 666
Scope | Domain Local, Global or Universal (see table below)
Member | Member Name:
Deleted by | Caller Domain\Caller User Name:

If the group's Type is Security, the Member no longer has access to any objects where Group is granted permissions and will no longer receive email sent to Group. If the group's Type is Distribution, the Member will no longer receive email sent to Group.

These logs document members removed from security and distribution groups in Active Directory and on local servers. AD groups are increasingly used as the basis for controlling access to privileged information and transactions in databases and applications, so AD and local server group and user activity is usually significant even in the unlikely case that no significant information is stored on Windows file servers. Distribution groups are important to monitor since they are often used to deliver confidential email. The Active Directory and Member Server Compliance Events - Daily report should be reviewed daily, with signoff via digital signature through the portal, email acknowledgement or physical signature. Signed reports should be archived. This report provides documentation that group membership was revoked in connection with job changes, etc.

There are three scopes of groups. A group's scope limits where the group can be granted access and who the group can have as members. These events are collected from domain controllers.

Scope | Explanation | Security Event ID | Distribution Event ID
Domain Local | As a Domain Local group, Group is limited to objects in the local domain. Membership in Group cannot result in access to objects in other domains. | 637 | 651
Global | As a Global group, Group may have access to objects in the local domain and any other trusting domain inside or outside the forest. Membership in Group may result in access to objects in other domains. | 633 | 656
Universal | As a Universal group, Group may have access to objects in the local domain and any other trusting domain inside or outside the forest. Membership in Group may result in access to objects in other domains. | 661 | 666

Active Directory and Local Users New or Enabled
Category: Account Management
Role: Domain Controllers
o Report Name: Active Directory and Member Server Compliance Events - Daily

Operation | Criteria | Account | Performed by
New | event ID 624 | New Account Domain\New Account Name: | Caller Domain\Caller User Name:
Enabled | event ID 642 (Windows 2000) or event ID 626 (Windows 2003) | Target Domain\Target Account Name: | Caller Domain\Caller User Name:

This event group documents new AD and local member server user accounts, and users previously disabled that are now enabled. The Active Directory and Member Server Compliance Events - Daily report should be reviewed daily, with signoff via digital signature through the portal, email acknowledgement or physical signature. Signed reports should be archived. Verify that new user accounts correspond to new hires, and check for accounts of terminated employees that have been mistakenly enabled. Enabling of user accounts, except in connection with a return from sabbatical, should be fairly infrequent; investigate it. This group is based on event IDs 626 and 624 in Windows 2003, and 642 and 624 in Windows 2000.

Active Directory and Local Users Deleted or Disabled
Category: Account Management
Role: Domain Controllers
o Report Name: Active Directory and Member Server Compliance Events - Daily

Operation | Criteria | Account | Performed by
Deleted | event ID 630 | Target Domain\Target Account Name: | Caller Domain\Caller User Name:
Disabled | event ID 642 where "Account Disabled" appears within the description (Windows 2000), or event ID 629 (Windows 2003) | Target Domain\Target Account Name: | Caller Domain\Caller User Name:

This event group documents AD and local member server user account deletions, and accounts previously enabled that are now disabled. The Active Directory and Member Server Compliance Events - Daily report should be reviewed daily, with signoff via digital signature through the portal, email acknowledgement or physical signature. Signed reports should be archived. This report provides documentation that account access was revoked in connection with terminations, etc. This group is based on event IDs 629 and 630 in Windows 2003, and 642 and 630 in Windows 2000.

Active Directory Group Policy Change
Category: Directory Service
Role: Domain Controllers
o Report Name: Active Directory and Member Server Compliance Events - Daily

Type column, from Object Type:
  o domaindns = Domain
  o organizationalunit = OU
  o grouppolicycontainer = GPO
  o site = Site

Name column: Object Name:

Operation column:

Case | Criteria | Operation
1 | (Object Type: is organizationalunit, domaindns or site) and (Properties: includes gplist or gpoptions) and (Accesses: includes Write Property) | Group Policy links or options changed
2 | (Object Type: is grouppolicycontainer) and (Properties: includes version) and (Accesses: includes Write Property) | GPO modified
3 | (Object Type: is grouppolicycontainer) and (Accesses: includes WRITE_DAC) | GPO permissions modified
4 | (Object Type: is grouppolicycontainer) and (Accesses: includes DELETE) | GPO deleted
5 | (Object Type: is container) and (Accesses: includes Create Child) and (Properties: includes grouppolicycontainer) | GPO created

Changed by column: Caller Domain\Caller User Name:

This event group documents all group policy related changes: new, changed and deleted GPOs, and changes to the Group Policy properties tab of sites, domains and organizational units. The Active Directory and Member Server Compliance Events - Daily report should be reviewed daily, with signoff via digital signature through the portal, email acknowledgement or physical signature. Signed reports should be archived.
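The Operation rules of the Group Policy Change table above, together with the WRITE_DAC, Delete Tree and DELETE rules of the General Object Changes table and the DC= to DNS conversion of the Permission Changes section, as a small classifier for 565/566 descriptions. This is an added example, not SecureWorks' or Microsoft's code; the sample descriptions are constructed and simplified (Accesses and Properties on one comma-separated line each), and the Object Name values are made up.

```python
# Added example (not SecureWorks' or Microsoft's code): classifies Windows
# 2000/2003 Directory Service audit events (565/566) into the Operation values
# defined in the General Object Changes, Group Policy Change and Permission
# Changes tables. Sample descriptions are constructed and simplified: Accesses
# and Properties are comma-separated on one line rather than indented lists.

# Object Type translations used by the report columns
OBJECT_TYPE_NAMES = {"domaindns": "Domain", "organizationalunit": "OU",
                     "grouppolicycontainer": "GPO", "site": "Site"}

def parse_ds_event(description):
    """Return (fields, accesses, properties); the two sets are lower-cased so
    that 'versionNumber' matches 'version' and 'gPLink' matches 'gplink'."""
    fields = {}
    for line in description.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()

    def as_set(text):
        return {item.strip().lower() for item in text.split(",") if item.strip()}

    return fields, as_set(fields.get("Accesses", "")), as_set(fields.get("Properties", ""))

def dn_to_dns(object_name):
    """DC=acme,DC=com -> acme.com, the Domain column conversion."""
    return ".".join(part.strip()[3:] for part in object_name.split(",")
                    if part.strip().upper().startswith("DC="))

def operation(object_type, accesses, props):
    """Group Policy Change cases 1-5 first, then the General Object Changes rules."""
    # The table writes the link attribute as 'gplist'; AD itself names it gPLink
    link_attrs = {"gplist", "gplink", "gpoptions"}
    is_gpo = object_type == "grouppolicycontainer"
    if (object_type in ("organizationalunit", "domaindns", "site")
            and "write property" in accesses and props & link_attrs):
        return "Group Policy links or options changed"          # case 1
    if is_gpo and "write property" in accesses and any(p.startswith("version") for p in props):
        return "GPO modified"                                    # case 2
    if is_gpo and "write_dac" in accesses:
        return "GPO permissions modified"                        # case 3
    if is_gpo and "delete" in accesses:
        return "GPO deleted"                                     # case 4
    if (object_type == "container" and "create child" in accesses
            and "grouppolicycontainer" in props):
        return "GPO created"                                     # case 5
    if "write_dac" in accesses:
        return "Changed permissions"
    if "delete tree" in accesses:
        return "Deleted along with all child objects"
    if "delete" in accesses:
        return "Deleted"
    return None  # a read or other access the reports do not track

def changed_by(fields):
    """Caller Domain\\Caller User Name as the tables label it; Windows 2003
    565/566 descriptions actually use Client Domain / Client User Name."""
    for dom, usr in (("Caller Domain", "Caller User Name"),
                     ("Client Domain", "Client User Name")):
        if usr in fields:
            return f"{fields.get(dom, '')}\\{fields[usr]}"
    return "Not specified"

def summarize(description):
    """One report row (Type, Domain, Name, Operation, Changed by) or None."""
    fields, accesses, props = parse_ds_event(description)
    raw_type = fields.get("Object Type", "")
    op = operation(raw_type.lower(), accesses, props)
    if op is None:
        return None
    name = fields.get("Object Name", "")
    return {"type": OBJECT_TYPE_NAMES.get(raw_type.lower(), raw_type),
            "domain": dn_to_dns(name), "name": name,
            "operation": op, "changed_by": changed_by(fields)}

# Constructed sample descriptions (not captured events)
GPO_EDIT = """Object Type: groupPolicyContainer
Object Name: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=acme,DC=com
Client User Name: jdoe
Client Domain: ACME
Accesses: Write Property
Properties: Write Property, versionNumber"""

OU_LINK = """Object Type: organizationalUnit
Object Name: OU=Sales,DC=acme,DC=com
Client User Name: jdoe
Client Domain: ACME
Accesses: Write Property
Properties: Write Property, gPLink"""

DOMAIN_ACL = """Object Type: domainDNS
Object Name: DC=acme,DC=com
Client User Name: jdoe
Client Domain: ACME
Accesses: WRITE_DAC"""

if __name__ == "__main__":
    for sample in (GPO_EDIT, OU_LINK, DOMAIN_ACL):
        print(summarize(sample))
```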

Check for inappropriate or unauthorized group policy changes. Mistaken modifications to group policy can affect thousands of users and computers, so change control and a change audit trail are crucial to limiting group policy risk. Changes to group policy objects can also adversely reconfigure security settings or policies, opening the organization to intrusion or system abuse. This group is based on event IDs 566 and 565.

Active Directory Permission Changes
Category: Directory Service
Role: Domain Controllers
o Report Name: Active Directory and Member Server Compliance Events - Daily

Note: enable auditing at the root of the domain for Everyone, All objects, Success, Change Permissions. This is already the default on Windows 2000 DCs but not on Windows 2003 DCs.

Column | Contents
Domain | Convert the DC= components of Object Name: to their DNS equivalent; DC=acme,DC=com becomes acme.com
Type | From Object Type: domaindns = Domain; organizationalunit = OU; grouppolicycontainer = GPO; otherwise use the actual value
Name | Object Name:
Changed by | Caller Domain\Caller User Name:

This group documents changes to permissions on objects in Active Directory. Permission changes are usually the result of delegating administrative authority. Active Directory does not report the content of the changes, only that the change occurred. The Active Directory and Member Server Compliance Events - Daily report should be reviewed daily, with signoff via digital signature through the portal, email acknowledgement or physical signature. Signed reports should be archived. Check for inappropriate delegation of authority. Delegation of control is important in AD in order to follow least privilege, but it can result in inappropriate authority being granted if not executed properly. Since Active Directory does not report the content of the changes, only that a change occurred, you must review the ACLs of the affected objects. This group is based on event IDs 560, 565 and 566.

Active Directory and Local Account Lockouts and Password Resets
Category: Account Management
Role: Domain Controllers
o Report Name: Active Directory and Member Server Compliance Events Ad Hoc

Operation | OS | Criteria | Account | Performed by
Locked | 2000, 2003 | event ID 644 | Target Account ID: | n/a for 644
Unlocked | 2000 | 642 where "unlocked" appears within the description | Target Account ID: | Caller Domain\Caller User Name:
Unlocked | 2003 | 671 | Target Account ID: | Caller Domain\Caller User Name:
Password Reset | 2000 | 627 where Target is different from Caller | Target Account ID: | Caller Domain\Caller User Name:
Password Reset | 2003 | 628 | Target Account ID: | Caller Domain\Caller User Name:

This group documents AD and local member server account lockouts, subsequent unlocks, and password resets by an administrator or someone delegated that authority. Run the Active Directory and Member Server Compliance Events Ad Hoc report periodically and as needed. Verify that password resets correspond to authentic calls to the help desk by a user who has forgotten his or her password, and that account unlock and password reset requests are properly authenticated by the help desk. Having the authority to reset passwords allows the holder to impersonate other users, so periodically auditing password resets provides a deterrent control. This group is based on event IDs 642, 644, 671, 627 and 628.

Active Directory and Local Server Other Users, Groups and Computers Changes
Category: Account Management
Role: Domain controllers. Recognize DCs where Target Name: does not equal Computer.
o Report Name: Active Directory and Member Server Compliance Events Ad Hoc

Columns: Object Type, Operation, Column Definition, Selection Criteria.

For user changes it is important to distinguish whether a 642 is from a Windows 2000 or a Windows 2003 computer, since many 642s on 2003 are redundant because of other, more specific event IDs. To determine the OS version:
  o Windows 2000: Changed Attributes: will not be present in the description
  o Windows 2003: Changed Attributes: is present in the description

Users, General change (event ID 642), Column Definition:
  o On Windows 2000, display the first insertion string from the description. Some account changes generate a 642 with an empty first insertion string; in such cases display "Not specified".
  o On Windows 2003, Microsoft removed the first insertion string and replaced it with Changed Attributes:. Display the attribute name/value pairs for which there is a value. For the example event below you would display: Password Last Set: 8/1/2006 12:15:10 PM. Some account changes generate a 642 where no attributes are listed as changed; in such cases display "Not specified".

Users, General change (event ID 642), Selection Criteria: first check whether the 642 matches the criteria for one of the other operations in this table. If so, it is a specific change, not a general change. Windows sometimes logs multiple 642s in relation to one operation from the administrator's point of view. Windows logs multiple 642s in conjunction with new user accounts (624), and also logs 642s that are redundant because of event IDs that document specific actions such as password resets, enabling and disabling accounts, etc.

Example event:

  Event Type: Audit
  Event Source: Security
  Event Category: Account Management
  Event ID: 642
  Date: 8/1/2006
  Time: 12:15:10 PM
  User: S3DGROUP\radmin
  Computer: A4
  Description:
  User Account Changed:
    Target Account Name: gthomas
    Target Domain: S3DGROUP
    Target Account ID: S3DGROUP\gthomas
    Caller User Name: radmin
    Caller Domain: S3DGROUP
    Caller Logon ID: (0x0,0x34495)
    Privileges: -
    Changed Attributes:
    Sam Account Name: -
    Display Name: -
    User Principal Name: -
    Home Directory: -
    Home Drive: -
    Script Path: -
    Profile Path: -
    User Workstations: -
    Password Last Set: 8/1/2006 12:15:10 PM
    Account Expires: -
    Primary Group ID: -
    AllowedToDelegateTo: -
    Old UAC Value: -
    New UAC Value: -
    User Account Control: -
    User Parameters: -
    Sid History: -
    Logon Hours: -

Remaining rows of the table:

Object Type | Operation | Column Definition | Selection Criteria
User | Renamed | From: [Old Account Name:] To: [New Account Name:] | 685
Group | Created | Created | 635, 631, 658, 648, 653, 663
Group | Changed | Changed (Sam Account Name: -; Sid History: -) | 641, 639, 659, 649, 654, 664
Group | Deleted | Deleted | 638, 634, 662, 652, 657, 667
Group | Group Type Changed | Group Type Changed From: [Security/Distribution] To: [Local/Global/Universal]; Security if "Security Enabled" appears in the description, Distribution if "Security Disabled" appears in the description | 668
Computer | Created | Created | 645
Computer | Changed | See the General change column definition | 646

Computer | Deleted | Deleted | 647

Other information columns:
  o Domain: [Target Account Domain]
  o Object Type: use the Object Type column in the table above
  o Performed by: [Caller Domain]\[Caller User Name:]; n/a for Account Locked operations (644)

This group documents all other changes to users, groups and computers, including new and deleted objects. Sometimes Windows fails to report exactly what was changed, which is reflected by "Not specified". Run the Active Directory and Member Server Compliance Events Ad Hoc report periodically and as needed, and provide it as needed to IT Audit to demonstrate compliance with account management procedures. This group is based on event IDs 642, 685, 635, 631, 658, 648, 653, 663, 641, 639, 659, 649, 654, 664, 638, 634, 662, 652, 657, 667, 668, 645, 646 and 647.

Authentication and Logons Compliance Events of Interest

Domain Account Authentication
Category: Account Logon
Role: Domain Controllers
o Report Name: Authentication and Logons Compliance Events of Interest Ad Hoc

Column | Contents
Authentication Type | Authentication Type (success): 672 = Kerberos TGT
Account | User Domain\User Name:
Server | Event 672: Computer (from the event header)

This group documents all authentications to domain controllers by users. Note that whenever a user logs onto their own workstation or member server, this also generates a Network logon to a DC, since the user's workstation must access the domain controller under the user's credentials to apply Group Policy user configuration. Run the Active Directory and Member Server Compliance Events Ad Hoc report periodically and as needed. This group is based on event ID 672.

Domain Account Authentication Failure Analysis
Category: Account Logon
Type: Failure
Role: Domain Controllers
o Report Name: Authentication and Logons Compliance Events of Interest Ad Hoc

Column | Contents
Account | User Domain\User Name:
Reason | See http://ultimatewindowssecurity.com/kerberrors.html for Kerberos errors and http://ultimatewindowssecurity.com/ntlmerrors.html for NTLM errors
Domain Controller | Computer name from the event header
Workstation | Event 681: Workstation: or Workstation Name:; Events 672, 675, 676: Client Address:
Authentication Protocol | Event 681: NTLM; Events 672, 675, 676: Kerberos

This group documents all authentication failures to domain controllers by users. Note that whenever a user logs onto their own workstation or member server, this also generates a Network logon to a DC, since the user's workstation must access the domain controller under the user's credentials to apply Group Policy user configuration. Run the Active Directory and Member Server Compliance Events Ad Hoc report periodically and as needed. This group is based on event IDs 672, 675, 676 and 681.

Logons by Server Type
Category: Logon/Logoff
Type: Failure
Role: Servers
o Report Name: Authentication and Logons Compliance Events of Interest Ad Hoc

Column | Contents
Logon Type | Logon Type: %4; see http://ultimatewindowssecurity.com/logontypes.html for the translation
User | User Name: %1, Domain: %2
Server | Computer
Process ID (optional) | Logon Process, Logon ID
Success/Failure | Event Type from the header; if failure, fill in the failure reason based on the event ID

This group documents all logons to monitored servers. Run the Active Directory and Member Server Compliance Events Ad Hoc report periodically and as needed. This group is based on event IDs 529 through 540, excluding 538.
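The column definitions above as working code: the 642 General change rule from the Other Users, Groups and Computers table (OS detection by the presence of Changed Attributes:, attribute name/value pairs, "Not specified") and the Workstation and Authentication Protocol rules from the Domain Account Authentication Failure Analysis table. This is an added example, not SecureWorks' code; the Windows 2003 642 sample is cut down from the example event in the text, the Windows 2000 642, 675 and 681 samples are constructed, and the 681 sentence layout it parses is an assumption.

```python
# Added example (not SecureWorks' code): parses Windows 2000/2003 security
# event descriptions to fill the 'General change' column for event 642 (OS
# detection, changed attributes, 'Not specified') and the Workstation and
# Protocol columns of the authentication failure analysis (672/675/676/681).
import re

# 'Name: value' lines, split on the first ':' followed by whitespace so that
# times such as 12:15:10 PM stay intact
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 -]*?):(?:\s+(.*))?$")

def parse_description(description):
    """Ordered dict of fields; lines that are not 'Name: value' (the Windows
    2000 642 first insertion string, for instance) are kept under '_text'."""
    fields = {"_text": []}
    for line in description.splitlines():
        if not line.strip():
            continue
        match = FIELD_RE.match(line)
        if match:
            fields[match.group(1)] = (match.group(2) or "").strip()
        else:
            fields["_text"].append(line.strip())
    return fields

def os_from_642(fields):
    """Windows 2003 added the 'Changed Attributes:' block to 642; 2000 has none."""
    return "Windows 2003" if "Changed Attributes" in fields else "Windows 2000"

def general_change(fields):
    """Text for the 'General change' column."""
    if os_from_642(fields) == "Windows 2000":
        # First insertion string; empty or '-' means Windows did not say what changed
        text = [t for t in fields["_text"] if t not in ("", "-")]
        return text[0] if text else "Not specified"
    keys = list(fields)
    attrs = keys[keys.index("Changed Attributes") + 1:]
    changed = [f"{k}: {fields[k]}" for k in attrs if fields[k] not in ("", "-")]
    return "; ".join(changed) if changed else "Not specified"

def classify_642(description):
    """Specific operations first (Disabled and Unlocked from the tables, Enabled
    by the same pattern) on Windows 2000; on 2003 they have their own event IDs."""
    fields = parse_description(description)
    op = "General change"
    if os_from_642(fields) == "Windows 2000":
        text = " ".join(fields["_text"]).lower()
        for needle, name in (("account disabled", "Disabled"),
                             ("account enabled", "Enabled"), ("unlocked", "Unlocked")):
            if needle in text:
                op = name
                break
    target = f"{fields.get('Target Domain', '')}\\{fields.get('Target Account Name', '')}"
    caller = f"{fields.get('Caller Domain', '')}\\{fields.get('Caller User Name', '')}"
    return {"os": os_from_642(fields), "operation": op, "account": target,
            "performed_by": caller,
            "detail": general_change(fields) if op == "General change" else op}

def failure_row(event_id, description, computer):
    """Domain Controller, Workstation, Protocol and Reason columns: 681 is NTLM
    and names the workstation in its sentence; 672/675/676 are Kerberos and
    carry a Client Address (assumed field layouts)."""
    fields = parse_description(description)
    if event_id == 681:
        ws = re.search(r"workstation(?: name)?:\s*(\S+)", description, re.IGNORECASE)
        code = re.search(r"error code was:\s*(\S+)", description, re.IGNORECASE)
        workstation, protocol = (ws.group(1) if ws else ""), "NTLM"
        reason = code.group(1) if code else ""
    else:
        workstation, protocol = fields.get("Client Address", ""), "Kerberos"
        reason = fields.get("Failure Code") or fields.get("Result Code") or ""
    return {"dc": computer, "workstation": workstation,
            "protocol": protocol, "reason": reason}

# Constructed samples: a Windows 2003 642 cut down from the example event above,
# a Windows 2000 642 with its insertion string, a Kerberos 675 and an NTLM 681
EVENT_642_2003 = r"""User Account Changed:
    Target Account Name: gthomas
    Target Domain: S3DGROUP
    Target Account ID: S3DGROUP\gthomas
    Caller User Name: radmin
    Caller Domain: S3DGROUP
    Caller Logon ID: (0x0,0x34495)
    Privileges: -
    Changed Attributes:
    Sam Account Name: -
    Password Last Set: 8/1/2006 12:15:10 PM
    Account Expires: -"""
EVENT_642_2000 = r"""User Account Changed:
    Account Disabled.
    Target Account Name: jsmith
    Target Domain: S3DGROUP
    Caller User Name: radmin
    Caller Domain: S3DGROUP"""
EVENT_675 = r"""Pre-authentication failed:
    User Name: gthomas
    User ID: S3DGROUP\gthomas
    Failure Code: 0x18
    Client Address: 10.1.2.3"""
EVENT_681 = ("The logon to account: gthomas by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 "
             "from workstation: WS01 failed. The error code was: 3221225578")
```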