E Book Security Log
E Book Security Log
E Book Security Log
The Windows
Server 2003
Security Log
Revealed
By Security Expert
RANDY FRANKLIN SMITH
MTG Press
In loving memory of
Keo
the friend who made me a dog lover
Table of Contents
Chapter 1 Introduction ........................................................................................................ 2
Chapter 2 Audit Policies and Event Viewer ....................................................................... 4
Chapter 3 Understanding Authentication and Logon ....................................................... 16
Chapter 4 Account Logon Events ..................................................................................... 23
Chapter 5 Logon/Logoff Events ....................................................................................... 40
Chapter 6 Detailed Tracking............................................................................................. 47
Chapter 7 Object Access Events ....................................................................................... 52
Chapter 8 Account Management ...................................................................................... 63
Chapter 9 Directory Service Access Events ..................................................................... 68
Chapter 10 Privilege Use Events ...................................................................................... 80
Chapter 11 Policy Change Events..................................................................................... 85
Chapter 12 System Events ................................................................................................ 91
Chapter 13 Getting the Most from the Security Log ........................................................ 93
Chapter 1 Introduction
Chapter 1
Introduction
First, the Bad News
ou can glean a wealth of information from the Windows Security log, but
the mechanism isn't without problems. Each Windows computerincluding
domain controllers (DCs)has a discrete Security log. Each DC logs
security events according to the activity that it sees; this information doesn't
replicate to the other DCs in the domain. Windows has no native capability to
centrally collect, analyze, monitor, report, and archive the many Security logs
that exist throughout your network.
Another problem is that the log's event descriptions and codes are cryptic and
poorly documented by Microsoft. If that werent bad enough, Microsoft
eliminates, merges, and changes the meaning of event IDs from one version of
Windows to the next. In addition, the order of strings in a given events
description sometimes changes between Windows versions. (Ill go into more
detail about description strings later.) These changes can really throw a wrench
in the works when you upgrade one or more systems after having set up reports
or rules based on event ID or the position of a string. In this book (as well as in
my free Security Log Encyclopedia at
http://www.ultimatewindowssecurity.com/encyclopedia.html), I endeavor to
document such changes.
This Book
In Chapter 2, Ill introduce you to the Windows audit policy (including the
relationship between audit polices and audit categories), the Microsoft
Management Console (MMC) Event Viewer console, and the format of security
events. Even if you're an experienced Windows Server administrator, I
recommend at least scanning this chapter. Ive included a few valuable nuggets
that might well be new to you.
Chapter 3 introduces you to the concepts of Windows authentication and logon
(which serves as the foundation for subsequent chapters), then delves into the
closely related Account Logon and Logon/Logoff audit categories. Chapter 4
discusses how Windows logs authentication activity by using Account Logon
events, and Chapter 5 deals with logon events in the Logon/Logoff category.
In Chapter 6, we examine the Detailed Tracking category, and I show you how
to track programs that users execute. In Chapter 7, youll find out how to
monitor file-system activity and access attempts on other types of objects by
using the Object Access category. Chapter 8 shows you how to audit changes to
users, groups, and computer accounts by tracking Account Management events,
and Chapter 9 reveals how to use Directory Access events to track changes to
Active Directory (AD) objects such as organizational units (OUs) and Group Policy
objects (GPOs). Chapters 10, 11, and 12 deal with the Privilege Use, Policy
Change, and System Event categories, respectively.
Chapter 2
Audit Policies and Event Viewer
An event in the Windows Security log is either type Success or type Failure.
When you enable an audit policy you have the choice of enabling it for success
events, failure events, or both, depending on the policy. All nine audit policies
generate success events but only some of the policies generate failure events.
Dont fall for the recommendation to enable failure events only for each
category. A common misconception is that a failure-only audit policy will alert
you to all suspicious events. In reality, many of the most important events in the
Security log are success events such as changes to critical user accounts and
groups, account lockouts, and changes to security settings. To view a systems
audit policy settings, you can open the Local Security Policy console on the
computer and maneuver to Security Settings\Local Policies\Audit Policy, as Figure
2-1.
When you open one of the audit policies, you may or may not be able to modify
it, depending on whether the policy has been defined in a GPO that has been
applied to the local system. If the computer is a member of an AD domain, the
computer automatically applies appropriate GPOs from the domain. Any policy
defined in a GPO overrides policies defined in the systems local policy object and
becomes the effective setting.
Windows Server 2003 and Windows XP always display the effective settings
when in the Local Security Settings dialog box. (If you can modify the setting,
the policy isnt defined in any applicable GPOs defined in AD.) Windows 2000's
Local Security Policy console puts the systems local setting from effective setting
in separate columns.
I recommend that you use the Local Security Policy console only for viewing a
systems audit policynot for configuring it. As with all security settings, the best
practice is to use Group Policy to centrally manage your audit policy.
Versions earlier than Windows 2003 disable all nine audit policies by default.
Windows 2003 enables a few categories by default but the options selected
make no sense from a security standpoint. Use Group Policy to push out the
audit policy you want rather than relying on default settings.
Lets drill down just a bit into each of the audit policies.
domain user account, regardless of where the attempt originates. If you enable
logon events.
Event Viewer
The preceding 9 audit policies allow you to fire up the Windows auditing
function. Once Windows starts sending events to the Security log you need a
way to view them. The only built-in tool for accessing the Security log is the
MMC Event Viewer snap-in, which Figure 2-3shows. By default, Event Viewer
displays the local computers event logs, but you can easily use the console to
view the logs of other computers on the network. To view another computer's
logs, right-click the root in the details pane and select Connect to another
computer. You will need to have the manage auditing and security log and
access this computer from the network user rights on the target system.
Event Viewer shows only basic information about each event. You usually need
to open an events Properties, as Figure 2-4 shows, to see the whole story. Each
event has a number of standard fields (I call them header fields) and a
description field.
The header fields tell you the event ID, the date and time the event occurred,
whether the event is a Success or Failure, and the events source and category.
All events in the Security log list the source as Security, so the Source field is
pretty useless. Security events fall into nine categories, which correspond to the
nine audit policies, as Figure 2-5 shows. The Category field specifies the category
into which the event falls. The User field isn't usually of much value because so
many events simply list SYSTEM as the user. This is especially true of events in
the Logon/Logoff and Account Logon categories.
Audit Policies
Account Logon
Account Management
Logon/Logoff
Object Access
Policy Change
Privilege Use
Process Tracking
System Events
Youll find the real details about an event in the Description field. When you view
an events description you are actually seeing two types of information that have
been merged. Each event ID has a static description that contains defined
placeholders into which dynamic strings of information connected with a
particular instance of the event aremerged. The easiest way to explain the static
and dynamic elements of an event description is with an example. Figure 2-6
illustrates the merger of static and dynamic information for an instance of event
ID 529.
10
Static
Description
Dynamic Strings
Merged Description
Logon Failure
Administrator
Event Type:
Failure Audit
Reason: Unknown
user name or bad
password
STUDENT01
Event Source:
Security
Event Category:
Logon/Logoff
User Name: %1
Domain: %2
Logon Type: %3
Logon Process: %4
Authentication
Package: %5
Workstation Name:
%6
3
NtlmSsp
MICROSOFT_
AUTHENTICATION_
PACKAGE_V1_0
STUDENT01
10/31/2005
Time:
2:51:58 PM
User:
NT AUTHORITY\SYSTEM
Computer:
CALADAN
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: STUDENT01
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: MICROSOFT_AUTHENT
Workstation Name: STUDENT01
Its important that you understand how event descriptions work because this is
where the important details about the event reside. In the case of event ID 529,
you need to look at string 1 to determine the name of the user who failed to log
on. String 3 tells you the type of logon that was attempted (a network logon in
this example). These dynamic strings are also important when you have a
Security logmanagement solution or are trying to analyze the log by using a
utility such as Microsoft LogParser. Many of the typical alerts that you can define
by using Security logmanagement solutions require criteria based in part on one
or more strings from an event's description. In most cases, filtering based on
event ID alone isn't sufficient. When designing a report based on the Security
log, youll often find that you need to parse one of the report columns from a
string in the events description. If you are shopping for a Security log
management product, make sure it provides the flexibility to create alert criteria
and reports that are based on specific string numbers within the description.
Event Viewer provides basic filtering and search capabilities. To filter the
displayed events, right-click Security in the details pane, select View, then select
Filter to open the dialog box that Figure 2-7 shows. In this example, Ive selected
Security as the event source and Account Management as the category. (You
must specify the source before you can select a category.) Ive also filtered out
Success events. If your logs are very large and filter updates are taking a long
11
The only other useful analysis feature in Event Viewer is the Find option. Rightclick Security, select View, then select Find. Figure 2-8 shows a search for
instances of event ID 590 (which identifies executed programs) that contain
excel in the description. These Find criteria will locate the next occurrence of
Microsoft Excel being started. Unfortunately, you cant specify precise string
numbers in the Find criteria. You can look only for the occurrence of a sequence
of characters. Youll find the same limitation in many Security logmanagement
solutions. For instance, finding all occurrences of event ID 529 with a logon type
of 2 can be problematic unless you search for Logon Type: 2.
12
Aside from using Event Viewer to view security events, you use it to configure
the maximum size of the Security log. Right-click Security in the details pane,
then select Properties to open the log's Properties dialog box, which Figure 2-9
shows. Windows will not grow the log beyond the size you specify. I recommend
that you set the Maximum log size to no larger than 199 megabytes; 200MB
seems to be the point at which Windows gets a bit flakey in terms of stability
and performance.
No matter what maximum size you configure, the log will eventually reach it. You
can configure Windows to do one of three things at that point. I recommend that
you choose the Do not overwrite events (clear the log manually) option because
if you do, Windows will just stop logging events when the log reaches its
maximum size. (You can actually use the CrashOnAuditFail option to configure
Windows to crash if this happens, but I dont recommend it for most commercial
scenarios. See http://support.microsoft.com/kb/823659 for more details on
CrashOnAuditFail.) You run a similar risk by using the Overwrite events older
than X days option. If events pour in so fast that the log reaches maximum size
before any events expire, Windows stops logging events until some do expire.
That leaves the Overwrite events as needed option, which Iselect for nearly
every project.
13
You can use Event Viewer to dump the Security log to a file, either in the process
of clearing the log or independently. When you right-click Security and select
Save As, you have the option to choose the format in which to save the log. If
you specify event file (EVT) format, Event Viewer saves a copy of the log in the
same EVT format that the live log uses. You can also specify comma-separate
value (CSV) or tab-delimited (TXT) format. If you use the EVT format, youll need
to use a tool that supports EVT files, such as LogParser. You can also use Event
Viewer to view logs saved in EVT format.
Note that when you save the Security log, Windows requires you to save it to a
local volume of the server. You can subsequently copy the file elsewhere on the
network, but the dump API that Event Viewer uses can save the log only to a
14
15
Chapter 3
Understanding Authentication and Logon
ou might have noticed that Windows 2000 and later has two audit policies
that mention logon events: Audit logon events and Audit account logon
events. (NT has only Audit logon events.) By itself, Audit logon events has
limited value because of the way that Windows handles logon sessions. When
you log on to a computer by using a domain account, you might expect the
event to be logged on the DC. In reality, the logon occurs on the workstation or
server you are accessing, and therefore the event is logged in that computers
Security logif Audit logon events is enabled on that system.
Not having DCs logging authentication activity made it impossible to get a
complete audit trail of domain-user logon activity. You would have had to collect
the Security logs from every workstation and server on your network! Therefore,
Microsoft added the Audit account logon events policy to Windows 2000. Leave it
up to Microsoft to add an important new feature and give it a confusing name.
Audit account logon events would be better named Audit authentication events.
In Windows, authentication and logon are related but ultimately separate
activities that can, and often do, take place on separate systems. To effectively
use these two audit policies, you need to have a complete understanding of how
the authentication and the logon processes work in Windows. Another issue that
complicates things is the difference between local and domain accounts and how
they affect the audit process. In this chapter well cover both issues in detail
before looking at Audit logon events and Audit account logon events in
subsequent chapters.
16
Logon Types
Windows supports five types of logon sessions. Logon types describe the ways in
which users can log on to a system, such as through the systems local console
or through a remote desktop session. You can use local or domain accounts with
all five logon types. Each logon type has a corresponding logon right which the
user must possess to initiate a logon of that type. (To view or modify rights
assignments open Local Security Policy\Security Settings\Local Policies\User
Rights Assignment). Figure 3-2 lists the five logon types and their corresponding
logon rights. The type of user account and logon greatly affect which computer's
Security log receives a logon event and which event IDs are logged.
17
Example
Logon Right
Interactive: Used
to log on at the
local console
Logon locally
Network: Used to
access a Windows
resource (e.g.,
shared folder) from
a system on the
network
Access this
computer
from the
network
Remote
Interactive: Used
to log on to a
system via Remote
Desktop, Terminal
Services, or Remote
Assistance
Allow logon
through
Terminal
Services
Logon as a
batch job
18
Logon Type
Example
Logon Right
Service: Used to
run a service as a
specified account
Logon as a
service
Domain
Local
SAM
Figure 3-3 The Windows Logon dialog
19
20
Logon/logoff
events logged
Account Logon
events logged
Logon/logoff
events logged
Figure 3-6 shows a user logging on to the same two computers by using local
accounts. Each computer logs both categories of events; nothing is logged on
the DC.
Logon/logoff
& Account Logon
events logged
Interactive
logon
SAM
AD
Domain Controller
Logon/logoff
& Account Logon
events logged
SAM
File Server
As you can see, Audit account logon events is primarily a DC audit policy, but its
also useful on member servers, for identifying attacks against local accounts.
Logon attempts that use local SAM accounts should be fairly uncommon if you
are following best practice and using domain accounts as much as possible.
You might wonder what the benefit of Audit logon events is compared to Audit
account logon events. As I'll explain in a future chapter, you can use Audit logon
events to link process tracking and object access events to logon sessions. Audit
logon events also generates more granular information about the type of logon
as well as the reason for failed logons. And Audit logon events attempts to
21
22
Chapter 4
Account Logon Events
23
1
You can strengthen NTLM against sniff-and-crack attacks by implementing NTLMv2. See my article Access Denied:
Implementing NTLMv2 on Win2K, NT, and Win9x machines at
http://www.windowsitpro.com/Article/ArticleID/23068/23068.html for more information.
24
DC
Authentication request
Challenge
DC generates string
of random characters
as a challenge
Encrypts original
challenge with hash
from SAM
Candidate
response
SAM
Respons
e
Compare responses
User is authentic
if responses match
Figure 4-1 How NTLM works
As you can see, NTLM never sends the password or even the hash across the
network. However, attackers who can capture the challenge/response packets
might be able to crack the information back to the original password because of
weaknesses associated with NTLMs backward compatibility support with ancient
LanManager technology.2
NTLM Events
Windows 2000 logs just two event IDs680 and 681for all types of NTLM
authentication activity. A successful NTLM authentication yields event ID 680; a
failure produces event ID 681. (Windows 2003 merges these two events into
event ID 680, as Figure 4-2 shows.)
25
An NTLM event description's Logon account field lists the name of the user
account that attempted the authentication. The Workstation field provides the
name reported by the computer on which the user is present. In the case of nonWindows systems (e.g., Apple computers), the Workstation field might contain a
domain name instead of workstation name.
To determine why an authentication attempt failed, look at the description's
Error Code field. Figure 4-3 lists the NTLM error codes. As you can see, NTLM
provides very specific error codes. You might be surprised when you compare
these codes to Kerberos failure, which are far less specific because they reflect
the Request for Comments (RFC) 1510 Kerberos standard.
26
Error Code
Error Description
Comments
Decimal
Hexadecimal
3221225572
C0000064
3221225578
C000006A
3221226036
C0000234
3221225586
C0000072
Account is currently
disabled
3221225583
C000006F
3221225584
C0000070
3221225875
C0000193
Account expiration
3221225585
C0000071
Expired password
3221226020
C0000224
User is required to
change password at next
logon
27
Driv
e
LM tion
NT
t ic a
hen
aut
t
ues 0)
r e q ID 6 8
ent
(Ev
ma
ppin
g
N et
wor
k lo
gon
Server A
Interactive
logon
NTLM authentication
request
(Event ID 680)
Both occurrences
of Event 680 will
show workstation
name. No way to
identify server
AD
Domain Controller
Drive mapping
Network logon
n
tio
it ca
en
)
th st 80
au que 6
D
LM re nt I
e
NT
v
(E
Server B
28
Event
Type
Description
Success
ID
680
Failure
681
Failure
On DCs, NTLM authentication events give you a record of all logon attempts that
used domain accounts and that were serviced by the NTLM authentication
protocol. You will also see NTLM events on member servers and workstations.
When someone attempts to use a local SAM account to log on to a Windows
computer, the authentication is always handled by NTLM. Therefore, successful
event ID 680 instances on a workstation or member server is a clear indicator
that someone, some service, or some scheduled task successfully logged on by
using a local account. You can find out the type of logon from the related
Logon/Logoff event, which well consider in the next chapter. When you see a
failed instance of event ID 680 or event ID 681 on a workstation or member
server, you know that someone, some service, or some scheduled task
attempted but failed to logon by using a local account. If your environment
concentrates on using domain accounts and avoiding the use of local accounts,
enabling the Account Logon category on workstations and member servers is an
easy way to identify the improper use of local accounts.
While tracking NTLM authentication is important, dont forget about Kerberos
authentication, which will likely be the bulk of authentication activity in your DC
Security logs.
Kerberos Basics
Kerberos is the default authentication protocol for Windows 2000 and later
computers in an AD domain. To understand Kerberos events, you'll find it helpful
to understand the basic functioning of the Kerberos protocol. Kerberos uses the
concept of tickets. A ticket is a small amount of encrypted, session-specific data
issued by the DC. When a client needs to access a server on the network, the
client first obtains a ticket from the server's DC. The ticket and other data
supplied by the client vouch for the clients identity and provide a way for the
client to authenticate the server as well. This means that Kerberos provides
mutual authentication of both client and server. Using timestamps and other
techniques, Kerberos protects tickets from cracking or replay attacks by
eavesdroppers on the network. First, let me explain how the overall ticket
process works, then Ill walk you through a users actions and how they relate to
Kerberos events.
29
30
After obtaining a ticket granting ticket (TGT), the workstation obtains a service
ticket from the DC. Windows reports a successful attempt to do so as event ID
673, Service Ticket Granted. The Service Name description field displays krbtgt.
31
To recap, when Fred logs on at his workstation for the first time that day, the DC
that handles the logon will log event ID 672, closely followed by three instances
of event ID 673. One instance lists krbtgt as the service and can be ignored.
Another instance lists the DC as the service, and the third instance identifies
Freds workstation name, as illustrated in Figure 4-9.
32
Additional event ID 673 instances are logged as Fred accesses other servers, as
illustrated in Figure 4-10.3
4. Service ticket to
file server obtained
(Event ID 673)
AD
Domain Controller
File Server
I've shown you the event that Windows logs when a user enters a bad password
(event ID 675 with failure code 24), but what about all the other reasons a logon
can fail, such as an expired password or disabled account? Windows 2000
catches all of these logon failures after pre-authentication and logs event ID 676,
Authentication Ticket Request Failed. Again, you need to look at the failure code
to determine the problem. The most common Kerberos failure codes are listed in
3
Microsoft Knowledge Base article 217098, Basic Overview of Kerberos User Authentication Protocol in
Windows 2000 is a good reference for how Windows implements Kerberos.
33
Description Fields
Windows is not very consistent with the description fields you find in Kerberos
events. Kerberos events always identify the name and domain attempting
authentication, but the information is formatted several different ways,
depending on the description fields. Events with a User name field generally use
the accounts pre-Windows 2000 logon name. User domain and Supplied Realm
Name can log either the domains pre-Windows 2000 name (e.g., ACME) or its
DNS name (e.g., acme.com). User ID uses the pre-Windows 2000 format of
domain\username (e.g., ACME\JSMITH).
The Service name field found in many Kerberos event descriptions is quite
unpredictable as well. You might find service names in a variety of formats,
including computername$, krbtgt, and krbtgt/domain DNS name or event
34
HOST/IP address. Events that use the Service ID field generally use the format
domain/computername$.
The Client Address field is valuable because you can use it to determine the
source IP address for authentication requests. Ive used this field for a variety of
purposes, including tracing logon attacks back to their source on the Internet.
Other fields that dont appear to have much (if any) value are Ticket Options,
Ticket Encryption Type, and Pre-Authentication Type. These fields always seem
list the same undocumented values.
Type
Description
ID
675
Failure
Pre-authentication Failed
672
Success
676
Failure
673
Success
677
Failure
674
Success
35
Type
Description
ID
675
Failure
Pre-authentication failed
672
Success
Failure
676
Failure
673
Success
Failure
677
Failure
674
Success
As you can see, you can use Windows Kerberos events, as tracked in event ID
672 and event ID 673,to identify a users initial logon at the workstation and
then track each server the user subsequently accesses. You can use event ID
675 and event ID 676 (or event ID 676 and failed event ID 672 on a Windows
2003 DC) to track failed authentication events.
Keep in mind that authentication events logged on DCs (whether Kerberos or
NTLM) dont include logoff events. DCs perform only authentication services.
Each workstation and server keeps track of who remains logged on. To track
logoff events, you must analyze the local Security log of the desired workstation
or server, looking for Logon/Logoff events.
36
Failure code
Decimal
Hex-
Kerberos RFC
Description
Comments
adecimal
0x1
0x2
0x3
0x4
0x5
0x6
0x7
0x8
0x9
10
0xA
11
0xB
12
0xC
13
0xD
14
0xE
15
0xF
37
Hex-
Kerberos RFC
Description
Comments
adecimal
16
0x10
17
0x11
18
0x12
19
0x13
20
0x14
21
0x15
22
0x16
23
0x17
24
0x18
Pre-authentication
information was invalid
25
0x19
Additional pre-authentication
required*
31
0x1F
32
0x20
Ticket expired
33
0x21
33
0x21
34
0x22
Request is a replay
35
0x23
36
0x24
37
0x25
38
Failure code
Decimal
Hex-
Kerberos RFC
Description
Comments
adecimal
38
0x26
IP address change?
39
0x27
40
0x28
41
0x29
42
0x2A
44
0x2C
45
0x2D
46
0x2E
47
0x2F
48
0x30
Alternative authentication
method required*
49
0x31
50
0x32
Inappropriate type of
checksum in message
60
0x3C
61
0x3D
39
Chapter 5
Logon/Logoff Events
Type
Description
528
Success
Successful Logon
540
Success
530
Success
User Logoff
ID
40
Figure 5-2 demonstrates the event IDs recorded when a user initially logs on
interactively to a workstation and accesses a shared folder on a file server. The
events are the same whether the user logs on with a local account or a domain
account.
Drive mapping
Network logon
How do you link a successful logon event to its corresponding logoff event? You
use the Logon ID description field. The logon ID is a unique number (at least Ive
never seen a duplicate logon ID occur between system restarts) that identifies a
particular logon session. By looking for a subsequent instance of event ID 538
that has the same logon ID as an instance of event ID 528 or event ID 540, you
can theoretically show when a user logged on and when he or she logged off.
However, Windows doesnt log event ID 538 in the way youd expect, especially
for network logons.
Lets discuss interactive logons first. When Bob logs on to his workstation,
Windows logs event ID 528 with logon type 2 and the logon ID for the logon
session. When the Bob logs off, Windows logs event ID 538 with the same logon
ID. But what if the system crashes or is unceremoniously powered down before
Bob logs off? When Windows restarts, it might reconstruct the fact that Bob was
logged on and record an instance of event ID 538. Taken literally, the event log
wont make sense because youll see a system restart followed by a logoff.
41
42
Logon Process
Explanation
Winlogon, MSGina
KSecDD
DCOMSCM
CHAP
Used by RunAs
Schannel
RASMAN
Used by RRAS
Wdigest
IAS
43
Explanation
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
or NTLM
NT LanManager
Wdigest
Kerberos
Kerberos
Negotiate
Type
Description
529
Failure
530
Failure
ID
Failure
532
Failure
44
533
Failure
Failure
Logon Failure: The user has not been granted the requested logon type at
this machine (see Figure 3-2)
535
Failure
536
Failure
537
Failure
539
Failure
Figure 5-5
45
Type
Description
682
Success
683
Success
ID
Bottom Line
Logon/Logoff events are useful in auditing all attempts to gain entry to a system,
no matter the type of account or type of logon used. But you must monitor the
Security log of each computer on which you need to perform such auditing. In
contrast, you can use Account Logon events to track domain-account
authentication fairly centrally, monitoring only DC Security logs. However,
monitoring Account Logon events on DCs doesnt alert you to attempts to enter
computers by using local SAM accounts. To catch those attempts, you must
monitor the local Security log of workstations and member servers for either
Account Logon NTLM events (which report only attempts to logon with a local
account and don't report the source IP address) or Logon/Logoff events (which
report both local-account and domain-account logon attempts and source IP
address).
46
Chapter 6
Detailed Tracking
ith the Detailed Tracking category, Windows gives you the ability to
track programs executed on the system and to link those process
events to logon sessions reported by Logon/Logoff events (which I
discuss in Chapter 5) and to file access events generated by the Object Access
category (which I discuss in Chapter 7). For instance, you can use Detailed
Tracking events to determine that Joe opened Excel. By linking Detailed Tracking
events to Logon/Logoff events, you can further show that Joe opened Excel
during a remote desktop logon; by linking Detailed Tracking events to Object
Access events, you can document that Joe used Excel to open and modify
c:\files\payroll.xls. Detailed Tracking also provides event IDs for monitoring the
installation and removal of services and the maintenance of scheduled tasks.
Process Tracking
When a system process or a user opens an executable, Windows creates a
process in which that executable runs and logs event ID 592, which identifies the
executable and the account that started the process. When the process
terminates, Windows logs event ID 593, as Figure 6-1 and Figure 6-2 show.
Event
Type
Description
592
Success
593
Success
ID
l
ce
Ex
3)
s
59
se
lo
ID
C
nt
ve
(E
Works with
spreadsheet
O
pe
ns
(E
ve
Ex
nt
ce
ID
l
59
2)
47
Event 592
New Process ID
matches
Event 592
Creator Process ID
Event ID 593 also lists the Process ID field in the description, so you can link an
instance of that event to the corresponding instance of event ID 592 and thus
determine not just when a program started but when it stopped as well. Youll
also find process ID in many other security events, giving you the ability to
determine the program that generated the event.
To determine the logon session during which a process started, look at the
Logon ID description field in event ID 592, then find the preceding instance of
event ID 528 or event ID 540 that has the same logon ID. Check the Logon Type
and Logon Process fields to determine whether the process was started during
an interactive or remote desktop session or some other type of logon session, as
illustrated in Figure 6-4.
48
Interactive logon
Same Logon ID
ce
Ex
Ev
en
t
59
ns
O
pe
Works with
spreadsheet
l
ce
Ex
s
93
se
lo
t5
C
en
Ev
Event 528
`
Type
Description
601
Success
Failure
602
Success
ID
Windows 2003 logs event ID 601 when a new service is installed. Although this
event might be useful in finding new services that are being installed, it doesnt
inform you about other software installations (e.g., user applications). Nor does
this event help you to detect Trojan horses or backdoor programs because
malware seldom installs as a service. The Service Name description field
provides you with the short system name of the service. (You can use the sc
query command to get a cross-reference of service names and their morefamiliar display names.) The Service File Name field provides the full path name
of the executable that hosts the service. Keep in mind that one executable can
host multiple services.
49
Name
0x2
SERVICE_FILE_SYSTEM_DRIVER
0x4
SERVICE_ADAPTER
0x8
SERVICE_RECOGNIZER_DRIVER
0xB
SERVICE_DRIVER
0x10
SERVICE_WIN32_OWN_PROCESS
0x20
SERVICE_WIN32_SHARE_PROCESS
0x30
SERVICE_WIN32
0x100
SERVICE_INTERACTIVE_PROCESS
0x110
SERVICE_INTERACTIVE_OWN_PROCESS
0x120
SERVICE_INTERACTIVE_SHARE_PROCESS
Name
Display type in
Services MMC snapin
0x1
SYSTEM_START
n/a
0x2
AUTO_START
Automatic
0x3
DEMAND_START
Manual
0x4
DISABLED
Disabled
Event ID 601's Service Account field specifies the account under which the
service is configured to run. Other description fields identify the account,
domain, and logon ID of the user who installed the service.
The other new Detailed Tracking event is event ID 602, which provides
information about changes to scheduled tasks. Windows 2003 logs event ID 602
when a scheduled task is created or an existing task is changed, but the
description always includes the field Scheduled Task created. Event ID 602s
50
description fields identify the name of the task (in the File Name field) and the
command that the task executed ( in the Command field). The Triggers and
Time fields document the schedule of the service, and the Target User field
specifies the domain and user under which the task will run. Other description
fields identify the account, domain, and logon ID of the user who created or
modified the task.
The Detailed Tracking category logs three other events that possess little if any
value for typical monitoring scenarios. Figure 6-8 lists these events.
Event
Type
Description
594
Success
595
Success
600
Success
ID
As you can see, the primary importance of the Detailed Tracking category is its
logging of event ID 592 and event ID 593, which provide a complete audit trail
of all Windows programs executed on the monitored system. Detailed Tracking
also provides a way to monitor changes to scheduled tasks and installation of
services. Detailed Tracking does not report specific events for programs that are
not Windows executables. For instance, if you execute a VBScript, youve simply
executed cscript.exe or wscript.exe as far as Windows is concerned, and thats all
event ID 592 will tell you.
To track access to objcts such as files and folders, you need to use Object Access
events. You can also tie events from the Logon/Logoff, Detailed Tracking, and
Object Access categories together for more-sophisticated monitoring.
51
Chapter 7
Object Access Events
ou can use the Object Access Security log category to audit any and all
attempts to access files and other Windows objects. The only auditable
objects not covered by this category are AD objects, which you can track
by using the Directory Service category. In addition to tracking files, you can
track success and failure access attempts on folders, services, registry keys, and
printer objects. The way in which you define Object Access audit policy and the
format of information recorded in the Security log for this category are closely
related to the structure of the ACLs that all objects use to define who can access
the object and how.
When you enable the Audit object access events policy for a given computer,
Windows doesnt immediately begin auditing all access events for all objects
because the system would immediately grind to a halt. Activating object access
auditing is a two-step procedure. First, enable the Audit object access events
policy on the system that contains the objects you want to monitor. Second,
select specific objects and define the types of access you want to monitor. you
make these selections in the objects audit settings, which youll find on the
object's Advanced Security Settings dialog box. For instance, Figure 7-1 displays
the audit settings for a folder named Accounting Data.
52
As you can see in this figure, you can limit auditing according to the user or
group accessing the object (the Name column), the permissions requested (the
Access column), and whether the access attempt was successful or failed (the
Type column).
Windows evaluates an objects audit policy much as it evaluates the object's
permissions. When a user attempts to access an object (e.g., when Fred tries to
open budget.xls), Windows must determine whether to report the attempt to the
Security log. Windows analyzes all the audit entries that apply to the user who is
attempting to access the object. If the objects audit policy contains entries for
several groups, and the user attempting to access the object belongs to two or
more of those groups, Windows will log the event if any of the applicable entries
match (i.e., if the user requested one or more of the permissions flagged for
auditing and the outcome of the attempt matches the success or failure criteria
of the audit entry).
Suppose that Bob has Modify access to the Accounting Data folder and its files,
which include budget.xls. Write Data is among the permissions that comprise
Modify access. Bob uses Excel to open and write to budget.xls. Windows
matches Bob's action to the second entry in Figure 7-1. Bob is a member of the
Everyone group, his permissions to the accessed file include Write Data, and his
attempt to write to the file was successful. Windows would not match an attempt
by Bob to open the file simply to view it: Such an attempt would successfully use
Read Data permissions, which aren't specified for auditing. Now lets suppose
that Fred, who has no access to Accounting Data, is snooping around the
network and attempts to list the files in Accounting Data. This failed access
attempt will match the first entry in the folders audit policy and trigger an Object
Access event in the Security log.
Figure 7-2 provides a complete list of permissions, the corresponding names
used by Object Access events in the Security log, and an explanation the
permission as applied to folders and files.
Although you can limit auditing for a given object to specific groups or even
individual users, I recommend sticking with the Everyone group. Singling out
specific groups or users for monitoring puts you at risk of creating an incomplete
audit trail and might expose you to claims of unfairness or raise questions as to
the integrity of your information.
Be careful when specifying the type of access to monitor and when choosing
whether to audit for Success or Fail types. You can easily create too inclusive an
audit policy and deluge the Security log with useless noise. In particular, think
twice about enabling success auditing of Read Data, Read Attributes, Ready
Extended Attributes, Read Permissions, and Execute because these permissions
are used so frequently by legitimate users during the course of work.
53
Traverse
Folder /
Execute File
Execute/Traverse
Explanation
Folder
File
Folder traversed
while browsing file
system
Permits movement
through folders to
reach other files
or folders, if the
user has no other
permissions to the
folders being
traversed;has no
effect unless the
user lacks the
Bypass traverse
checking user
right, which is
assigned to
Everyone by
default
List Folder /
Read Data
Names of
subfolders and
files queried by
Explorer, dir
command, or
application
Read
Attributes
ReadAttributes
Read
Extended
Attributes
ReadEA
Create Files /
Write Data
Create
Folders /
Append Data
New subfolder
created in the
folder
Content appended to
end of file
Write
Attributes
WriteAttributes
Write
Extended
WriteEA
54
Explanation
Attributes
command, or application
Delete
Subfolders
and Files
DELETE
Delete
DELETE
Read
Permissions
READ_CONTROL
Change
Permissions
WRITE_DAC
Take
Ownership
SeTakeOwnershipPrivilege
In addition to the Type, Name, and Access columns, the Advanced Security
Settings contains an Apply To column. For container objects such folders, you
can specify values for this column to control whether and how Windows
propagates the audit entry to child objects. The Apply To value defaults to This
folder, subfolders and files but can be changed to any combination of the folder,
subfolders, and files. You can use the Apply To setting to fine tune your audit
policy so that it ignores file or folder access events that are irrelevant to your
audit needs, thus eliminating some noise from the Security log. For instance, you
might need a record of who is accessing sensitive files in a certain folder, but you
are not interested in folder-level access such as folder listings or creation of
subfolders and files. In that case, you can enable auditing for the appropriate
permissions but change the Apply To value to Files only.
If youd like to restrict the behavior of Apply To to the immediate level of child
objects and prevent an audit entry from propagating down to grandchild objects,
you can select the Apply these permissions to objects and/or containers within
this container only checkbox, as Figure 7-3 shows.
55
To properly use the Apply To setting, be sure you understand the dual meaning
of certain permissions. Note that some of the permissions listed in Figure 7-2
have a different meaning for files than for folders. For instance, Create
Folder/Append Data for a folder means that the user can create new subfolders
within the folder; for a file, the permission means that the user can append data
to the end of the file. Likewise, List Folder/Read Data for a folder lets users only
list the names of files and subfolders within the folder, but for a file, the
permission lets users read the actual data contents of the file. What if you want
to audit one of these dual meaning permissions for the folder only, not for the
files within the folder? Or what if you need to audit access to the files within the
folder but not access attempts to the folder? In such cases, use the Apply To
setting.
When viewing an object's audit policy, you can determine where each audit entry
is defined by consulting the read-only Inherited From column. In the example
that Figure 7-1 shows, both entries are explicitly defined on the immediate
folder, so this column reads <not inherited>. If at a certain level in your folder
hierarchy you need to break the flow of inherited permissions and block them
from propagating down to a particular subfolder, you can clear the Inherit from
parent the permission entries that apply to child objects checkbox.
Object auditing is basically the selective logging of access control decisions that
Windows makes. Have clear in your mind what you are trying to accomplish
before enabling an configuring an objects audit policy. Figure 7-4 provides a
number of common audit goals and the corresponding audit settings.
56
Goals
Audit Settings
Type
Access
Success
Write Data
Append Data
Failure
All permissions
Success
Change Permissions
Take Ownership
Success
Type
Description
560
Success
Failure
Object Open
562
Success
Handle Closed
ID
Its important to understand that Object Access events reflect the interaction
between Windows and an applicationnot between a user and the application.
For instance, when Bob uses Microsoft Word to open memo.doc, edits a
paragraph, and then closes the file, you might expect to find one instance of
Carefully consider the best setting for the Apply To column. If you choose This folder, subfolders and files, youll achieve
a complete audit trail, but permission changes to a parent folder that has many child objects will generate many Object
Access events as Windows propagates the permission change. If you choose This folder and subfolders, youll receive a
more reasonable amount of events but youll miss any permission changes to individual files, should such occur.
57
58
Description Field
Explanation
Object Type
Object Name
Handle ID
Operation ID
Unknown
Process ID
Primary Domain
Primary Logon ID
Client Domain
Client Logon ID
Accesses
Privileges
Not used
Unknown
59
Operation-Based Auditing
Event ID 560 logs the permissions requested by the application that's trying to
open a handle to the object, but that doesnt mean the application actually
exercised those permissions before closing the object. For instance, a user might
successfully open an object for Read and Write access but close the file without
every changing its content. In Windows 2000, theres no way to know if the
application used the permissions that are listed in successful instances of event
ID 560. Windows 2003 introduces a new feature, called operation-based
auditing, and the new event ID 567, Object Access. After a user successfully
opens a handle to an object and then exercises one or more permissions,
Windows logs event ID 567, which lists the Handle ID originally logged by event
ID 560 as well as the permissions exercised. Any subsequent uses of the same
permissions do not trigger duplicate instances of event ID 567; Windows simply
logs event ID 567 the first time the user exercises a given permission between
the opening and closing of the object. Unfortunately, event ID 567 lists only the
60
Saved
59
2
Ev
en
t
O
pe
ns
l
ce
Ex
s
93
se
lo
t5
C
en
Ev
Opened
Works with
spreadsheet
Ex
ce
l
Handle ID, not the objects name, so you cant simply monitor the log for event
ID 567 for the object name and type of permission you want to track. Instead,
you must watch for event ID 560 for the desired object name and permission,
then look for a subsequent event ID 567 with the same handle ID and
permission to affirm the actual use of the permission as shown in Figure 7-8.
Closed
Spread
sheet
Spread
sheet
Handle ID
matches
Windows handles object deletions a little different than other access events. In
addition to logging event ID 560, Windows also logs event ID 564, Object
Deleted, which lists the handle ID originated in event ID 560. When successful
delete access has been enabled for auditing on an object, Windows logs event ID
564 when that object is deleted. To determine the name of the deleted object,
look for a prior event 560 with the same Handle ID. Typically, event 560 and
event 564 will be in close proximity but it is possible for a process to open an
object for delete access and then actually delete the object much later.
Sometimes when you install new updates to Windows, the installer is unable to
replace existing files because they are in use by the operating system. In such
cases, the common approach is to instruct NTFS to delete the object the next
time the system boots but before the file is put into use. Windows logs such
deferred deletions in event ID 563, Object Open for Delete. Windows does not
log event ID 563 on typical file deletions. Microsoft documentation states that An
attempt was made to open an object with the intent to delete it. Note: This is
used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in
Createfile(). This flag is the only way to delete files opened exclusively by
another program.
The Object Access category also includes event ID 561, Handle Duplicated.
Handle duplication is an application-level event which bears little if any relevance
to security and auditing. Therefore, I recommend you ignore instances of event
ID 561. All of these objects are listed in Figure 7-9.
61
Type
Description
561
Success
Handle Duplicated
563
Success
564
Success
Object Deleted
567
Success
ID
You can use Object Access auditing to track who tried to access objects of
interest, how they tried to access those objects, and whether they were
successful. In Windows 2003, you can determine whether users who opened an
object for a specific type of access actually used that access or closed the object
without performing the operation. It would be easier if Windows logged the
objects name in instances of event ID 564 and event ID 567, but you must
connect event ID 560 and the subsequent event ID 564 or event ID 567 by using
the Handle ID field. Such multiple-event correlation or pattern recognition is
beyond the ability of most current event-log software, but I expect that to
change as interest in the Security log continues to increase.
62
Chapter 8
Account Management
Changed
Deleted
Member
Added
Removed
User
624
642
630
Computer
645
646
647
Local
635
641
638
636
637
Global
631
639
634
632
633
Universal
658
659
662
660
661
Local
648
649
652
650
651
Global
653
654
657
655
656
Universal
663
664
667
665
666
Groups
Security
Distribution
Not applicable
63
64
Scope
Potential Members
Permissions
Granted
Where
Defined
Universal
Anywhere in
the forest
AD
Global
Anywhere in
the forest
AD
Domain
local
Within the
same domain
AD
Machine
local
Within the
same system
Local SAM
For more information about the risks associated with local accounts, see the Windows IT Pro article
Limiting Risk Associated with Local Accounts at
http://www.windowsitpro.com/Article/ArticleID/42578/42578.html.
65
reset. Theres no list of the descriptions of all possible changes; if you want to
filter instances of event ID 642 for a certain type of change youll need to
execute that type of change on a sample user account, find the instance of event
ID 642, and capture the text description. Before going to that trouble, check
Figure 8-4 to see whether the category offers an event ID for that specific type
of user-account change. As you can see in Figure 8-4, Account Management
provides additional event IDs that make it easier to identify certain types of useraccount changes.
Note the difference between password changes and password resets. Password
changes occur when a user changes his or her password. Password resets
indicate that an administrator or other support person reset the password for a
user.
Event
Description
ID
Notes
Windows 2000
Windows 2003
626
Not logged
627
628
Not logged
644
671
Not logged
66
had changed a specified user account, and usually provides a brief text
explanation of the change. Windows 2003 provides much more granular
information about which user account attributes were changed, including the
options and restrictions found on the Account tab of the user account's
Properties dialog box in the MMC Active Directory Users and Computers snap-in.
Account Management logs just two other events. Event ID 643 informs you when
the domains password or lockout policy is changed. In some cases, Windows
2000 DCs log this event each time they apply Group Policy (5 minutes by
default), even when the policy settings remain unchanged. (To fix this behavior,
apply the most recent Windows 2000 service pack.) Windows 2003 DCs correctly
log event ID 643 (i.e., only when the settings have changed). Furthermore,
Windows 2003 provides new description fields that spell out the new values of
the policy settings that changed. Windows 2003 also logs event ID 668 whenever
a groups type or scope changes. Both of these events are listed in figure Figure
8-5.
Windows
2003 only
Event
ID
Description
668
643
Account Management is one of the best designed Security log categories. You
can use this category to track important maintenance to user accounts and
groups. The category's use of many distinct event IDs simplifies the filtering
process. (Dont forget about the extra events that Windows logs in connection
with user-account creations.) Account Management does a good job of auditing
changes to users, groups, and computers, but what about important AD objects
such as OUs, GPOs, and domains? The Directory Service Access category
provides granular tracking of any class of object in AD, even down to the
attribute level.
67
Chapter 9
Directory Service Access Events
68
At this point, the procedure for auditing AD objects diverges a bit from filesystem auditing. For files, you simply select auditing for the permissions that can
be performed against the file. However, AD has two types of operations:
operations performed against the object, and Read and Write operations against
individual properties of the object. These two types of operations correspond to
the Object and Properties tabs that Figure 9-2 shows.
69
Each class of object in AD has a set of applicable operations that you can
perform on that object and on its properties. Properties are individual settings
within an object. For example, a user object has many properties, including
phone number, photo, and account expiration date. Certain permissions are
common to all classes of objects:
Full control
List contents
Delete
Delete subtree
Read permissions
Modify permissions
Modify owner
70
Group objects
Users objects
Computer objects
Etc.
When the Apply these auditing entries to objects and/or containers within this
container only checkbox in the Auditing Entry is selected, recursion is limited to
the immediate OU and audit entries will not propagate below the immediate
children of the OU.
When an object is created, the system examines the parents audit policy and
copies each applicable entry to the new objects audit policy. Later, if the
parents audit policy changes, the changes are repeated on the child.
If the Inherit from parent the auditing entries that apply to child objects
checkbox is subsequently cleared, you can choose to have all inherited entries
deleted from the objects audit policy or added as non-inherited entries. All
future changes to upper-parent audit policy will not propagate to this object
71
Event
2003 only
ID
Type
Description
565
Success
Failure
Object open
566
Success
Object operation
As you can see in Figure 9-3, Windows 2003 adds event ID 566 as part of the
new operation-based auditing feature that I first introduced while discussing filesystem auditing on page 60. Event ID 565 is similar to event ID 560 but is
limited to recording access-request events on AD objects. Whereas event ID 565
logs the permissions requested by a user or program, event ID 566 logs the
permissions actually exercised by the user or program after opening the object.
An object might be accessed several times during the same open session, but
Windows logs event ID 566 only the first time a given permission is exercised.
This event is similar to event ID 567 but is limited to AD object access.
Thankfully, theres no need to correlate event ID 566 with event ID 565 to
determine the target objects name because event ID 566 itself identifies the
object by its X.500 distinguished name (DN). Therefore, if your DCs are Windows
2003 systems, you can concentrate on event ID 566 and ignore event ID 565. (If
you are auditing for failed attempts to access certain AD objects, youll need to
continue monitoring for failure type instances of event ID 565.) Both event Id
565 and event ID 566 share the description fields that Figure 9-4 lists.
Description Field
Explanation
Object Type
Object Name
Handle ID
Blank
72
Description Field
Explanation
Primary Domain
Domain of the DC
Primary Logon ID
Client Domain
Client Logon ID
Accesses
Permissions requested
Properties
Additional Info:
Additional Info2:
Access Mask:0x20
Unknown
73
74
Figure 9-6 shows a sample event ID 566 instance in which MTG\rsmith has
modified permissions on the Eastern US User Accounts OU. The WRITE_DAC
permission in the events description indicates that the OU's discretionary ACL
(DACL) of the was the focus of the change. As you can see, event ID 566 doesnt
tell us details of the change (e.g., the permissions changed) but it does alert us
to the fact the ACL was changed, tell us whichOU was affected, and who made
the change.
75
In addition to auditing permission changes on the domain root and OUs, you
should audit changes to the ACLs of GPOs. There are two reasons for modifying
GPO permissions. First, you might modify GPO permissions to give someone else
the ability to edit the GPO. Second, you might use the Apply Group Policy
permission to limit application of a GPO to a subset of users or computers that
would otherwise receive the GPOs policies.6 To enable auditing of Modify
Permission and Modify Owner for all current and future GPOs, open Active
Directory Users and Computers and then enable View\Advanced Features, which
reveals the System folder. Maneuver to the System\Policies folder, which is the
6
For more information about using a GPOs permissions to limit its application, see my Windows IT Pro
article Don't Shoot Yourself in the Foot with Group Policy Security Settings, Part 1.
76
physical location of GPOs in AD, and create the two audit entries as defined for
the domain root and OUs but select groupPolicyContainer objects as the choice
for the Apply onto setting. groupPolicyContainer is the system name of GPOs in
ADs schema. At this point, youll see an instance of event ID 565 or event ID
566 whenever someone modifies the permissions or takes ownership of the
domain root, Ous, or GPOs. If you want even more change-control auditing, you
can define similar audit policies on objects in the MMC Active Directory Sites and
Services console, thus tracking changes to your forests site topology.
Security
Event Category:
Event ID:
566
Date:
12/29/2005
Time:
4:00:37 PM
User:
MTG\rsmith
Computer:
MTG1
Description:
77
DS
Operation Type:
Object Access
MTG
rsmith
Client Domain:
MTG
(0x0,0x1015D24C)
Accesses:
Write Property
Properties:
Write Property
Default property set
versionNumber
groupPolicyContainer
Additional Info:
Additional Info2:
Access Mask: 0x20
Besides direct modification of GPOs you can also greatly alter the application of
Group Policy by linking or unlinking a GPO to an OU, domain root, or site or by
enabling the Block policy inheritance option on an OU. You manage GPO links
78
and the Block policy inheritance check box on the Group Policy tab of the
Properties dialog box of OUs, domain roots, and sites, as shown in Figure 9-8.
Internally, two properties on OUs, domain roots, and site objects correspond to
the settings you see in Figure 9-8. The gPLink property defines the GPOs listed in
Group Policy Object Links and holds the No Override and Disabled check box
columns as well. The Block Policy Inheritance check box corresponds to the the
gPOptions property. Create an audit policy at the root of the domain to monitor
Write access for these two properties for the domain root and OUs. To be
thorough, you can enable the same audit policy on site objects in Active
Directory Sites and Services. Then monitor your DC Security logs for events
similar to the one that Figure 9-6 shows, except that the Accesses field will list
Write Property and the Properties field will specify gPList or gPOptions. Again,
the event doesnt tell you the full details of the change but does alert you that
something about Group Policy was changed for the specified OU, domain, or site
as well as when the change happened and who made the change.
Directory Service Access events provide an audit trail for an important area of
your IT infrastructure. By enabling auditing of OUs, domain roots, sites, and
GPOs, you can effectively track changes in administrative authority and catch
potentially wide-sweeping effects of Group Policy modifications.
79
Chapter 10
Privilege Use Events
ou can use the Privilege Use category to track the exercise of user rights.
Microsoft uses the terms privilege, right, and permission inconsistently. In
this case, privileges refer to the user rights you find in Local Security Policy
under Security Settings\Local Policies\User Right Assignment, as Figure 10-1
shows.
80
Event
Type
Description
Success
Success
ID
576
577
578
Failure
Success
Failure
For most user rights, Windows logs a Privilege Use event when a user actually
exercises the right. However some rights are exercised so frequently during the
normal course of a users activities that the Security log would quickly fill if
Windows were to log each use. Among those high-use rights are Back up files
and directories and Restore files and directories, but you can force Windows to
log these two rights by enabling the Audit: Audit the use of Backup and Restore
privilege security option. Be aware that enabling this option will result in a
Privilege Use event being logged for every single file, folder, and other object
during system backups, which will overwhelm your log with events of
questionable value.
For normal user rights, Windows logs either event ID 577 or event ID 578 when
the event is exercised. Im not aware of any rationale that explains why Windows
logs one event ID for a given right as opposed to another. Figure 10-3 lists each
user right and specifies which event ID Windows uses to log it use. Note that
logon rights are never logged by Privilege Use events because the use of logon
rights is already documented by the Logon/Logoff category.
81
Description
Notes
SeNetworkLogonRight
Access this
computer from the
network
SeTcbPrivilege
SeMachineAccountPrivilege
Add workstations to
domain
Logged by 577
SeIncreaseQuotaPrivilege
Adjust memory
quotas for a process
Not observed
SeRemoteInteractiveLogonRight
SeBackupPrivilege
SeChangeNotifyPrivilege
Bypass traverse
checking
Never logged
SeSystemtimePrivilege
SeCreatePagefilePrivilege
Create a pagefile
Not observed
SeCreateTokenPrivilege
Create a token
object
SeCreatePermanentPrivilege
Create permanent
shared objects
SeDebugPrivilege
Debug programs
SeDenyNetworkLogonRight
SeDenyBatchLogonRight
Deny logon as a
batch job
SeDenyServiceLogonRight
Deny logon as a
service
SeDenyInteractiveLogonRight
82
System name
Description
Notes
SeDenyRemoteInteractiveLogon
Right
SeEnableDelegationPrivilege
Enable computer
and user accounts to
be trusted for
delegation
SeRemoteShutdownPrivilege
Force shutdown
from a remote
system
SeAuditPrivilege
Generate security
audits
SeIncreaseBasePriorityPrivilege
Increase scheduling
priority
Not observed
SeImpersonatePrivilege
Impersonate a client
after authentication
Not observed
SeLoadDriverPrivilege
SeLockMemoryPrivilege
Lock pages in
memory
Not observed
SeBatchLogonRight
Log on as a batch
job
SeServiceLogonRight
Log on as a service
SeInteractiveLogonRight
Log on locally
SeSecurityPrivilege
SeSystemEnvironmentPrivilege
Modify firmware
environment values
SeManageVolumePrivilege
Perform volume
maintenance tasks
Not observed
SeProfileSingleProcessPrivilege
Profile single
process
Not observed
SeSystemProfilePrivilege
Profile system
Not observed
83
Description
Notes
performance
SeUndockPrivilege
Remove computer
from docking station
Unimportant
SeAssignPrimaryTokenPrivilege
Replace a process
level token
SeRestorePrivilege
SeShutdownPrivilege
SeSyncAgentPrivilege
Synchronize
directory service
data
Unused
SeTakeOwnershipPrivilege
Take ownership of
files or other objects
As of the release of Windows 2003 Service Pack 1 (SP1), Windows uses event ID
576 at the time of logon to record the fact that the user holds some
administrator-equivalent rights. Microsoft defines administrator-equivalent rights
as those that can be used to elevate the user to administrator authority or to
compromise the audit trail. These administrator-equivalent rights are
documented in Figure 10-3 as being logged by event ID 576. Just to be clear,
event ID 576 simply lists the administrator-equivalent rights held by the user at
logon. The event does not indicate that the user exercised any of the rights.
Some administrator-equivalent rights also generate event ID 577 or event ID 578
at the time of use.
All three event IDs specify in their descriptions the user who exercised or holds
the right or rights, and list the rights in the Privileges description string.
As indicated in Figure 10-3, there are a number of rights that Ive never
observed being logged. All things considered, I dont find the Privilege Use
category particularly useful, and it generates a massive amount of useless noise
on DCs associated with computer accounts.
84
Chapter 11
Policy Change Events
Windows logs event ID 612 when it detects a change to the systems audit policy
as shown in Figure 11-1.
Event
Type
Description
ID
612
Success
This is an important event that might indicate tampering with the Security log.
Fortunately, the event tells you the new status of all nine audit policies, as Figure
11-2 shows. Unfortunately, the Changed By fields dont tell you which
administrator modified the audit policy; the user name always lists the computer
name of the local system. In Windows 2000 and later, no one directly modifies
security settings such as audit policy; instead, you edit the systems local GPO or
a GPO stored in AD. Subsequently, the system applies Group Policy and so its
the system that makes the actual configuration settings based on the resultant
set of policy derived from all applicable GPOs.
Audit Policy Change:
New Policy:
Success Failure
+
+
+
+
+
+
-
Logon/Logoff
Object Access
Privilege Use
Account Management
Policy Change
System
Detailed Tracking
Directory Service Access
Account Logon
Changed By:
User Name:
W3DC$
Domain Name: WORKGROUP
Logon ID:
(0x0,0x3E7)
Figure 11-2 Event ID 612 example
Another area of policy change that the Policy Change category logs are changes
to user right assignments. Windows logs event ID 608 when a user right is
85
Type
Description
608
Success
609
Success
ID
Dont be confused if you grant or revoke a logon right in Windows 2003, then
cant find the corresponding instance of event ID 608 or event ID 609. Window
2003 uses two other event IDsevent ID 621 and event ID 622to log
assignment and revocation of logon rights such as Access this computer from the
network or Log on locally.
Event
Type
Description
621
Success
622
Success
ID
Some rights are extremely powerful, to the point of giving the user
administrator-equivalent authority, so event ID 608 is valuable because it
provides a way to audit the assignment of user and logon rights. Event ID 621
gives you a way to track changes in how accounts are allowed to logon.
The Policy Change category uses three event IDs to log changes to domain trust
relationships, as listed in Figure 11-5. All three event IDs specify Trusted
Domain, but all three events are logged for both trusted and trusting domain
relationship changes.
86
Event
ID
610
Windows
2000
2003
Description
672
611
Windows
2000
2003
615
613
Does not
exist
614
611
Unconfirmed
Description
IPSec Services
IPSec policy agent started
IPSec policy agent disabled
IPSec policy agent encountered a
potentially serious failure
87
Type
Description
Success
ID
617
When an administrator modifies the data-recovery policy for the Encrypting File
System (EFS) as shown in Figure 11-10, Windows logs event ID 618 (Figure
11-9) and specifies the old and new values for the policy. This is an important
event because anyone who can edit a GPO can add himself or herself as a data
recovery agent to one or more computers and thereby access information
encrypted by other users. Sometimes Windows logs event ID 618 when nothing
has changed, so examine the description of the event to determine its relevance.
Event
Type
Description
Success
ID
618
88
Windows logs event ID 619 when someone modifies the computers Quality of
Service (QoS) policy, which relates to how Windows can prioritize different types
of TCP/IP traffic. Sometimes Windows logs event ID 619 (Figure 11-11) when
nothing has changed, so examine the description of the event to determine
whether the event is relevant.
Event
Type
Description
Success
ID
619
89
Type
Description
ID
806
Success
807
Success
For more information on per user selective audit policy Roger Grimes Windows IT Pro article Per-User
Auditing at http://www.windowsitpro.com/Article/ArticleID/46625/46625.html.
90
Chapter 12
System Events
Type
Description
512
Success
Windows NT is starting up
513
Success
ID
Type
Description
514
Success
515
Success
518
Success
ID
System Events also provides two events related to Security log integrity, as listed
in Figure 12-3. Event ID 517 documents that someone possessing the Manage
auditing and Security log right cleared the Security log. Event ID 516 can be
logged during periods of extreme load but is very unusual. Windows logs these
events regardless of the status the Audit system events policy.
91
Type
Description
516
Success
517
Success
ID
Another useful event in this category is event ID 520, The system time was
changed. Event ID 520 specifies the previous and new date and time as well as
the executable and user who changed the time. Event ID 519 has not been
observed in the field.
Event
Type
Description
519
Success
520
Success
ID
Windows logs the most important event in this category, event ID 517, whether
System Events is activated for auditing or not. However, its worth enabling this
category so that you have an audit trail of system restarts. Enabling Audit system
events does not create an undue amount of noise.
92
Chapter 13
Getting the Most from the Security Log
ven a handful of servers creates more Security log data than you can hope
to monitor and analyze manually. LogParser is a terrific free utility that can
help you with the task but ultimately most organizations see the need for a
full Security logmanagement solution.
If you are evaluating such solutions, make sure you select one that fits your
needs. If you have more than a dozen servers, you need to factor scalability into
your evaluation plan. Performance also becomes an issue when you need to
monitor systems across slow WANs.
Make sure the solution supports the alert methods that your staff requires, be it
pager, email, SNMP traps, or execution of a script. Check out the reporting
mechanism. Ive never seen a solution that offers all the reports you might ever
need, so how sophisticated is the user-definable report capability? What are your
archival needs?
Does the solution's architecture fit your environment? Some solutions require you
to deploy agents on each monitored system. Agents provide many advantages
but also drive up implementation costs and can create problems for server
administrators.
Is interoperability (such as support for syslog) important to you? Does the tool
need to accept syslog data streams as input? Do you need to be able to send
Windows security events to a syslog server?
Don't forget the issue of separation of duty. Do you have a large IT staff that
includes separate staff to monitor security? If so, is the solution part of a larger
operations framework under the control of the very folks you are supposed to
monitor?
Finally, ask yourself whether the solution provides integrity and confidentiality of
log data as it traverses your network. What about in the database and archive
files?
Keep Learning
As you spend time with the Security log, youll be able to interpret more and
more of its obscure codes as well as make inferences based on patterns you
begin to recognize. The best way gain this skill is to perform the actions you
want to track and then analyze the events that Windows logs in response to
those activities.
That sequence of activities might be the opposite of what you expect. But after
many years of analyzing Security logs, Ive found its better to determine what
93
94
10% Discount
On Public, in-person or multi-media eTraining from
www.UltimateWindowsSecurity.com
held on December
Use or mention coupon code TWSSLR