Advanced Windows Security: Logs and Logon Tracking
GOPAS: info@gopas.cz | www.gopas.cz | www.facebook.com/P.S.GOPAS
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory | MVP: Enterprise Security | CEH: Certified Ethical Hacker | CHFI: Computer Hacking Forensic Investigator | [email protected] | www.sevecek.com
Logon auditing
Advanced Windows Security
Auditing (2000+)
Granular auditing (2008/Vista+)
Logon auditing
Account Logon Event
• "authentication event"
• written when an account database validates credentials
Logon Event
• "session event"
• written every time an Access Token is created or closed
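Both event families depend on the granular audit subcategories (Vista/2008 and later) being switched on. The following PowerShell is an added example, not part of the original slides: it reads the effective audit policy with auditpol, reports which of the subcategories that produce Account Logon and Logon/Logoff events are missing Success or Failure auditing, and can enable them. It assumes auditpol's report format (/r) is CSV with the columns "Subcategory" and "Inclusion Setting" and that the subcategory names are the English ones; it must run from an elevated prompt.

```powershell
# Added example (not from the original slides): verify, and optionally enable,
# the granular audit subcategories behind "Account Logon" and "Logon" events.
# Assumptions: auditpol /r returns CSV with the columns "Subcategory" and
# "Inclusion Setting"; English subcategory names; elevated prompt.

# Subcategories that feed the two event families from the slides
$RequiredSubcategories = @{
    # Account Logon ("authentication events", written where credentials are validated)
    'Credential Validation'              = 'Account Logon'
    'Kerberos Authentication Service'    = 'Account Logon'
    'Kerberos Service Ticket Operations' = 'Account Logon'
    # Logon/Logoff ("session events", written where the access token is created or closed)
    'Logon'                              = 'Logon/Logoff'
    'Logoff'                             = 'Logon/Logoff'
    'Account Lockout'                    = 'Logon/Logoff'
}

function Get-LogonAuditStatus {
    # /r = report (CSV) format; drop any non-CSV lines before parsing
    $policy = auditpol /get /category:* /r |
        Where-Object { $_ -match ',' } |
        ConvertFrom-Csv

    foreach ($row in $policy) {
        if (-not $RequiredSubcategories.ContainsKey($row.Subcategory)) { continue }
        [pscustomobject]@{
            Family      = $RequiredSubcategories[$row.Subcategory]
            Subcategory = $row.Subcategory
            Setting     = $row.'Inclusion Setting'
            # Failure auditing is what password-guessing and lockout investigations rely on
            Complete    = ($row.'Inclusion Setting' -eq 'Success and Failure')
        }
    }
}

function Enable-LogonAuditing {
    # Turn on Success and Failure for every subcategory that is not fully audited
    Get-LogonAuditStatus | Where-Object { -not $_.Complete } | ForEach-Object {
        auditpol /set /subcategory:"$($_.Subcategory)" /success:enable /failure:enable | Out-Null
        "enabled Success and Failure for '$($_.Subcategory)'"
    }
}

Get-LogonAuditStatus | Format-Table -AutoSize
# Enable-LogonAuditing   # lab use only; in a domain, set this through the Advanced Audit Policy GPO
```

On a domain member the effective policy normally comes from Group Policy, so a local auditpol /set is overridden at the next refresh; use the report function to verify what the GPO actually delivered on the DC and on the session hosts, since Account Logon events only ever appear where credentials are validated.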
Auditing (Interactive Logon)
[diagram: Client, DC, WFE and SQLFS hosts; 1 = Account Logon event, 2 = Logon event]
Kerberos Failure Codes (http://technet.microsoft.com/en-us/library/bb463166.aspx)
Status  Name
0x0     KDC_ERR_NONE
0x1     KDC_ERR_NAME_EXP
0x2     KDC_ERR_SERVICE_EXP
0x3     KDC_ERR_BAD_PVNO
0x4     KDC_ERR_C_OLD_MAST_KVNO
0x5     KDC_ERR_S_OLD_MAST_KVNO
0x6     KDC_ERR_C_PRINCIPAL_UNKNOWN
0x7     KDC_ERR_S_PRINCIPAL_UNKNOWN
0x8     KDC_ERR_PRINCIPAL_NOT_UNIQUE
0x9     KDC_ERR_NULL_KEY
0xA     KDC_ERR_CANNOT_POSTDATE
0xB     KDC_ERR_NEVER_VALID
0xC     KDC_ERR_POLICY
0xD     KDC_ERR_BADOPTION (delegation not enabled)
0xE     KDC_ERR_ETYPE_NOTSUPP (etype not supported)
0xF     KDC_ERR_SUMTYPE_NOSUPP
0x10    KDC_ERR_PADATA_TYPE_NOSUPP
0x11    KDC_ERR_TRTYPE_NO_SUPP
0x12    KDC_ERR_CLIENT_REVOKED (disabled)
0x13    KDC_ERR_SERVICE_REVOKED
…
0x17    KDC_ERR_KEY_EXPIRED (password expired, even when using smart cards)
0x18    KDC_ERR_PREAUTH_FAILED (bad password or invalid certificate)
0x19    KDC_ERR_PREAUTH_REQUIRED
0x25    KRB_AP_ERR_SKEW (clock skew)
Logon types
Type                     Value
Interactive              2
Network                  3
Batch                    4
Service                  5
Unlock                   7
NetworkCleartext         8
NewCredentials           9
RemoteInteractive        10
CachedInteractive        11
CachedRemoteInteractive  12
CachedUnlock             13
Logon sessions
# List the current logon sessions with the Logon ID in the hex form used by Security log events
# ([uint64] rather than [int]: the LUID can exceed the int32 range on long-running systems)
Get-WmiObject Win32_LogonSession |
    Select-Object LogonId,
        @{ n = 'LogonIdHex'; e = { '0x{0:X}' -f ([uint64] $_.LogonId) } },
        AuthenticationPackage, LogonType, StartTime,
        @{ n = 'Login'; e = { $_.GetRelated('Win32_Account') | Select-Object -First 1 -ExpandProperty Caption } },
        @{ n = 'SID';   e = { $_.GetRelated('Win32_Account') | Select-Object -First 1 -ExpandProperty SID } }
Auditing (Network session)
[diagram: Client, DC, WFE and SQLFS hosts; 1 = Account Logon event, 2 = Logon event]
Status codes
Status                          Value
STATUS_WRONG_PASSWORD           0xC000006A
STATUS_PASSWORD_RESTRICTION     0xC000006C
STATUS_LOGON_FAILURE            0xC000006D
STATUS_ACCOUNT_RESTRICTION      0xC000006E
STATUS_INVALID_LOGON_HOURS      0xC000006F
STATUS_INVALID_WORKSTATION      0xC0000070
STATUS_PASSWORD_EXPIRED         0xC0000071
STATUS_ACCOUNT_DISABLED         0xC0000072
STATUS_LOGON_NOT_GRANTED        0xC0000155
STATUS_LOGON_TYPE_NOT_GRANTED   0xC000015B
STATUS_ACCOUNT_EXPIRED          0xC0000193
STATUS_PASSWORD_MUST_CHANGE     0xC0000224
STATUS_ACCOUNT_LOCKED_OUT       0xC0000234
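The Kerberos failure codes and the NTLM status codes above are what the DC writes into the Status field of its Account Logon events. The following PowerShell is an added example, not from the original slides, serving both tables: it decodes Kerberos pre-authentication failures (event ID 4771) and NTLM credential validation failures (event ID 4776), normalizes the hex code to the form used in the tables, and groups repeated failures per account. The field names TargetUserName, Status, IpAddress and Workstation are the ones the Security log uses for these events; the three sample events are constructed, not captured from a real system.

```powershell
# Added example (not from the original slides): decode the Status field of
# failed Account Logon events with the two code tables above.
# Assumed: event IDs 4771 (Kerberos pre-authentication failed) and 4776
# (NTLM credential validation) with EventData fields TargetUserName, Status,
# IpAddress / Workstation. Sample events below are constructed.

$KerberosFailureCodes = @{
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED (disabled)'
    '0x17' = 'KDC_ERR_KEY_EXPIRED (password expired)'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED (bad password or invalid certificate)'
    '0x25' = 'KRB_AP_ERR_SKEW (clock skew)'
}
$NtlmStatusCodes = @{
    '0xC000006A' = 'STATUS_WRONG_PASSWORD'
    '0xC000006D' = 'STATUS_LOGON_FAILURE'
    '0xC000006F' = 'STATUS_INVALID_LOGON_HOURS'
    '0xC0000070' = 'STATUS_INVALID_WORKSTATION'
    '0xC0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
}

function ConvertFrom-AuthFailureEvent {
    param([Parameter(Mandatory)][xml] $EventXml)

    # Flatten the <Data Name="..."> elements into a hashtable
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $eventId = [int] $EventXml.Event.System.EventID
    switch ($eventId) {
        4771    { $protocol = 'Kerberos'; $table = $KerberosFailureCodes; $source = $data['IpAddress'] }
        4776    { $protocol = 'NTLM';     $table = $NtlmStatusCodes;      $source = $data['Workstation'] }
        default { return }   # not an authentication failure event
    }
    # Events carry '0x18' or '0xc000006a'; normalize to the uppercase form used in the tables
    $status = '0x{0:X}' -f [Convert]::ToUInt32($data['Status'].Substring(2), 16)

    [pscustomobject]@{
        EventId  = $eventId
        Protocol = $protocol
        Account  = $data['TargetUserName']
        Source   = $source
        Status   = $status
        Reason   = $(if ($table[$status]) { $table[$status] } else { 'unknown code (decode with err.exe)' })
    }
}

# Constructed sample events in the shape of Security log XML (values are invented)
$Sample4771 = [xml] @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4771</EventID><Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name="TargetUserName">jnovak</Data>
    <Data Name="ServiceName">krbtgt/CORP</Data>
    <Data Name="Status">0x18</Data>
    <Data Name="IpAddress">::ffff:10.0.0.25</Data>
  </EventData>
</Event>
'@
$Sample4776 = [xml] @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4776</EventID><Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="TargetUserName">jnovak</Data>
    <Data Name="Workstation">WS-025</Data>
    <Data Name="Status">0xc000006a</Data>
  </EventData>
</Event>
'@
$Sample4771Disabled = [xml] @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4771</EventID><Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name="TargetUserName">svc-backup</Data>
    <Data Name="ServiceName">krbtgt/CORP</Data>
    <Data Name="Status">0x12</Data>
    <Data Name="IpAddress">::ffff:10.0.0.40</Data>
  </EventData>
</Event>
'@

$failures = foreach ($e in @($Sample4771, $Sample4776, $Sample4771Disabled)) { ConvertFrom-AuthFailureEvent $e }
$failures | Format-Table -AutoSize

# Same decoding over the live Security log of a domain controller:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4771, 4776 } -MaxEvents 500 |
#     ForEach-Object { ConvertFrom-AuthFailureEvent ([xml] $_.ToXml()) }

# Repeated failures per account and reason are the signal worth alerting on
$failures | Group-Object Account, Reason | Select-Object Count, Name
```

The same account failing over Kerberos with 0x18 and over NTLM with 0xC000006A from the same source usually means a stale cached credential (a scheduled task or mapped drive after a password change) rather than guessing, which is why the Source column is kept next to the reason; a code the tables do not cover is resolved with err.exe from the next slide.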
Download err.exe
• version 2008: http://www.microsoft.com/en-us/download/details.aspx?id=985
• most up-to-date version: SDK for Windows 8.1, http://msdn.microsoft.com/en-us/windows/desktop/bg162891.aspx
Auditing (Interactive logoff)
[diagram: Client, DC, WFE and SQLFS hosts; 1 = Logoff event]
• immediately at logoff
Auditing (Network session logoff)
[diagram: Client, DC, WFE and SQLFS hosts; 1 = Logoff event]
• when the TCP connection is closed
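Because the Logon and Logoff events share the Logon ID (the same LUID the Win32_LogonSession query on the earlier slide shows in hex), the two can be paired to reconstruct sessions. The following PowerShell is an added example, not from the original slides: it pairs Logon events (event ID 4624) with the matching Logoff events (4634, or 4647 for a user-initiated logoff) by TargetLogonId, names the logon type with the table from the slides, and reports the duration or that the session is still open. The field names TargetUserName, TargetLogonId and LogonType and the TimeCreated/SystemTime attribute are those of the Security log; the four sample events are constructed.

```powershell
# Added example (not from the original slides): pair Logon (4624) with Logoff
# (4634 / 4647) events through the Logon ID and report session duration.
# Assumed: EventData fields TargetUserName, TargetLogonId, LogonType and the
# System/TimeCreated@SystemTime attribute. All sample events are constructed.

$LogonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'
    11 = 'CachedInteractive'; 12 = 'CachedRemoteInteractive'; 13 = 'CachedUnlock'
}

function New-SampleEvent {
    # Builds a constructed, Security-log-shaped event for the demo (test data only)
    param([int] $Id, [string] $Time, [string] $User, [string] $LogonId, [int] $LogonType = 0)
    # 4624 and 4634 carry LogonType; 4647 (user-initiated logoff) does not
    $typeLine = if ($LogonType) { "<Data Name=`"LogonType`">$LogonType</Data>" } else { '' }
    [xml] @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>$Id</EventID><TimeCreated SystemTime="$Time"/></System>
  <EventData>
    <Data Name="TargetUserName">$User</Data>
    <Data Name="TargetLogonId">$LogonId</Data>
    $typeLine
  </EventData>
</Event>
"@
}

function Get-LogonSessionReport {
    param([xml[]] $Events)
    $logons  = @{}   # LogonId -> logon record
    $logoffs = @{}   # LogonId -> logoff time
    foreach ($e in $Events) {
        $data = @{}
        foreach ($d in $e.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $id   = [int] $e.Event.System.EventID
        $time = [datetime] $e.Event.System.TimeCreated.SystemTime
        $key  = $data['TargetLogonId'].ToLower()
        switch ($id) {
            4624 { $logons[$key] = @{ User = $data['TargetUserName']; Type = [int] $data['LogonType']; Start = $time } }
            { $_ -in 4634, 4647 } { $logoffs[$key] = $time }
        }
    }
    foreach ($key in $logons.Keys) {
        $s   = $logons[$key]
        $end = $logoffs[$key]
        [pscustomobject]@{
            LogonId   = $key
            User      = $s.User
            LogonType = $LogonTypeNames[$s.Type]
            Start     = $s.Start
            End       = $end
            Duration  = $(if ($end) { $end - $s.Start } else { $null })
            State     = $(if ($end) { 'closed' } else { 'open (no logoff event yet)' })
        }
    }
}

# Constructed sample: an RDP session, a short network session, and a console session still open
$events = @(
    (New-SampleEvent 4624 '2024-03-04T07:58:12.000Z' 'jnovak'     '0x3e7a1' 10),
    (New-SampleEvent 4624 '2024-03-04T08:01:40.000Z' 'svc-backup' '0x41b22' 3),
    (New-SampleEvent 4634 '2024-03-04T08:01:41.000Z' 'svc-backup' '0x41b22' 3),
    (New-SampleEvent 4624 '2024-03-04T08:15:03.000Z' 'admin'      '0x5c001' 2),
    (New-SampleEvent 4647 '2024-03-04T09:12:05.000Z' 'jnovak'     '0x3e7a1')
)
Get-LogonSessionReport -Events $events | Format-Table -AutoSize

# Live use on a session host (Logon and Logoff subcategories enabled):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4634, 4647 } -MaxEvents 2000 |
#             ForEach-Object { [xml] $_.ToXml() }
# Get-LogonSessionReport -Events $live
```

Network sessions (type 3) close as soon as the TCP connection does, so durations of a second or two are normal there; for interactive and RemoteInteractive sessions the Logoff event arrives at logoff itself, so an old session with no End is either still in use or was lost to a crash or log rollover, and the Logon ID is the key for pulling the matching Win32_LogonSession or object-access events from the same host.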
Thank you for your attention