windows log monitoring

Upload: cezara

Post on 06-Jan-2016


  • Windows Log Monitoring

    Best Practices for Security and Compliance

  • Table of Contents

    Introduction
    Overview
    Major Security Events and Policy Changes
      Major Security Events and Policy Changes: Active Directory and Member Server
    Active Directory and Member Server Compliance Events of Interest
      Active Directory General Object Changes
      Active Directory and Local Server Group Member Additions
      Active Directory and Local Server Group Member Deletions
      Active Directory and Local Users New or Enabled
      Active Directory and Local Users Deleted or Disabled
      Active Directory Group Policy Change
      Active Directory Permission Changes
      Active Directory and Local User Account Lockouts and Password Resets
      Active Directory and Local Server Other Users, Groups and Computers Changes
    Authentication and Logons Compliance Events of Interest
      Domain Account Authentication
      Domain Account Authentication Failure Analysis
      User Logons by Server Type

  • Introduction

    This document and its companion, SecureWorks Audit Policy Configuration, are designed to give you greater insight into the Windows logs that need to be collected for security and compliance purposes, and into how to configure your Windows systems to log this information. This document is the result of extensive research into the generally accepted best practices for Windows log monitoring, performed in conjunction with SecureWorks' team of audit experts and recognized Windows expert Randy Smith, founder of the Monterey Technology Group and author of Ultimate Windows Security.

    The information contained throughout this document provides the event IDs and related information necessary for optimum Windows security and compliance. In addition, SecureWorks has tuned its filters to capture the information outlined here and has created a suite of reports that let you easily review your Windows events. Reports designated as daily should be scheduled by your organization to run daily for your Windows servers and be reviewed by a member of your team. Reports designated as ad hoc should be run, or scheduled to run, by your organization for periodic review by your team. The Portal also allows you to store a report and digitally sign it for audit purposes. Each event grouping below is mapped to one of the following SecureWorks reports, which can be accessed, run and scheduled via the Monitoring section of the Report tab in the SecureWorks Client Portal:

      Major Security Events and Policy Changes Daily
      Active Directory and Member Server Compliance Events Daily
      Active Directory and Member Server Compliance Events Ad Hoc
      Authentication and Logons Compliance Events of Interest Ad Hoc

  • Overview

    Each Windows event group below lists its event codes, the SecureWorks report that presents it, and the frequency of review.

    Major Security Events and Policy Changes: Active Directory and Member Server
      Event codes: 517, 520, 601, 608, 609, 610, 611, 612, 617, 620, 621, 622, 643
      Report: Major Security Events and Policy Changes Daily
      Frequency of review: Daily

    Active Directory and Local Server General Object Changes
      Event codes: 565, 566
      Report: Active Directory and Member Server Compliance Events - Daily
      Frequency of review: Daily

    Active Directory and Local Server Group Member Additions
      Event codes: 632, 636, 650, 655, 660, 665
      Report: Active Directory and Member Server Compliance Events - Daily
      Frequency of review: Daily

    Active Directory and Local Server Group Member Deletions
      Event codes: 633, 637, 651, 656, 661, 666
      Report: Active Directory and Member Server Compliance Events - Daily
      Frequency of review: Daily

    Active Directory and Local Users New or Enabled
      Event codes: 624, 642, 626
      Report: Active Directory and Member Server Compliance Events - Daily
      Frequency of review: Daily

    Active Directory and Local Users Deleted or Disabled
      Event codes: 629, 630, 642
      Report: Active Directory and Member Server Compliance Events - Daily
      Frequency of review: Daily

    Active Directory Group Policy Change
      Event codes: 565, 566
      Report: Active Directory and Member Server Compliance Events - Daily
      Frequency of review: Daily

    Active Directory and Local Server Permission Changes
      Event codes: 565, 566, 560
      Report: Active Directory and Member Server Compliance Events - Daily
      Frequency of review: Daily

    Active Directory and Local User Account Lockouts and Password Resets
      Event codes: 642, 644, 671, 627, 628
      Report: Active Directory and Member Server Compliance Events Ad Hoc
      Frequency of review: Ad Hoc

    Active Directory and Local Server Other Users, Groups and Computers Changes
      Event codes: 642, 685, 635, 631, 658, 648, 653, 663, 641, 639, 659, 649, 654, 664, 638, 634, 662, 652, 657, 667, 668, 645, 646, 647
      Report: Active Directory and Member Server Compliance Events Ad Hoc
      Frequency of review: Ad Hoc

    Domain Account Authentication
      Event codes: 672
      Report: Authentication and Logons Compliance Events of Interest Ad Hoc
      Frequency of review: Ad Hoc

    Domain Account Authentication Failure Analysis
      Event codes: 672, 675, 676, 681
      Report: Authentication and Logons Compliance Events of Interest Ad Hoc
      Frequency of review: Ad Hoc

    User Failed Logons by Server Type
      Event codes: 529, 530, 531, 532, 533, 534, 535, 536, 537, 539
      Report: Authentication and Logons Compliance Events of Interest Ad Hoc
      Frequency of review: Ad Hoc

  • Major Security Events and Policy Changes

    Major Security Events and Policy Changes: Active Directory and Member Server

    Audit Policy Requirements
      Category: Account Management, System Events, Privilege Use, Policy Change
      Type: Success
      Role: Member Servers and Domain Controllers
      SecureWorks Report:
        o Pre-Built Report Section: Monitoring
        o Report Name: Major Security Events and Policy Changes Daily

    Log Information to Aggregate
      Computer: Computer (from the event header)

      Event ID  Event\Change                          Event\Change Performed By
      517       Security log cleared                  Client User Name:\Client User Domain:
      520       System time changed                   Client User Name:\Client User Domain:
                  Previous Time: 7:09:19 PM 8/5/2004
                  New Time: 7:10:18 PM 8/5/2004
      601       Attempt to install service            By: User Name:\Domain:
                  Name: SNMPTRAP
                  Success/Failure (from the event header)
      608       User Right Assigned                   Assigned By: User Name:\Domain:
                  User Right: SeUndockPrivilege
                  Assigned To: Domain\User
      609       User Right Removed                    Assigned By: User Name:\Domain:
                  User Right: SeUndockPrivilege
                  Removed From: Domain\User
      610       New Trusted Domain                    Established By: User Name:\Domain:
                  Domain:
                  Trust Type: (see the translation guidance below)
      611       Trusted Domain Removed                Established By: User Name:\Domain:
                  Domain:
      620       Trusted Domain Information Modified   Modified By: User Name:\Domain:
                  Domain:
      612       Audit Policy Changed                  n/a
                  Server: Name\Domain
                  New Policy: one row per category, with a Success flag and a Failure flag (+ on, - off), for example:
                    + + Logon/Logoff
                    + + Object Access
                    + + Privilege Use
                    - - Account Management
                    + + Policy Change
                    + + System
                    - - Detailed Tracking
                    + + Directory Service Access
                    + + Account Logon
      617       Kerberos Policy Changed               n/a
                  Domain:
                  Change: '--' means no changes; otherwise each change is shown as parameter name: new value (old value), for example:
                    KerOpts: 0x80 (none); KerMinT: 0x53d1ac1000 (none); KerMaxT: 0x53d1ac1000 (none); KerMaxR: 0x58028e44000 (none); KerProxy: 0xb2d05e00 (none); KerLogoff: 0x9ef7800000000 (none)
      621       System Security Access Granted        n/a
                  Account: Domain\User
                  Access: SeRemoteInteractiveLogonRight
      622       System Security Access Removed        n/a
                  Account: Domain\User
                  Access: SeRemoteInteractiveLogonRight
      643       Domain Policy Changed                 Changed By: User Name:\Domain:
                  Domain:

    Trust Type translation guidance (event 610)
      Field value  Display
      1            1 - Trusted (the domain where this event was logged accepts the identity of users of the new domain)
      2            2 - Trusting (the new domain accepts the identity of users of the domain where this event was logged)
      3            3 - 2-way (mutual trust)
      For the type field see: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/microsoft_domaintruststatus.asp
      and: http://msdn2.microsoft.com/en-us/library/system.directoryservices.activedirectory.trusttype.aspx

    Interpretation Entries in this group indicate major changes to the security configuration of the indicated server, or a high-severity security event such as the security log being cleared.

    Recommended Usage and Response The Major Security Events and Policy Changes Daily report should be generated for each server administrator, filtered on the servers under his or her care. Run it daily for evidence of intrusions, misconfigurations or unauthorized changes, and review it with signoff via digital signature through the portal, email acknowledgement or physical signature. Signed reports should be archived. Verify that all entries correspond to legitimate actions by authorized administrators.

    Documentation This group contains event IDs 517, 520, 601, 608, 609, 610, 611, 612, 617, 620, 621, 622 and 643.
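    Event 612 deserves more than a signoff: if the new policy turns off a category that the groups in this document depend on, every report built on that category silently goes blank. The following is an added example, not code from the document or from SecureWorks. It parses the New Policy rows of a 612 description (the tab-separated layout shown above) and compares them with a baseline assembled from the Audit Policy Requirements sections of this document; the baseline dictionary and the sample event text are the editor's constructions.

```python
import re

# Baseline assembled from this document's "Audit Policy Requirements" headings:
# the audit categories that must stay on, and for Success and/or Failure.
# (Editor's reading of the page, not a SecureWorks-supplied setting.)
REQUIRED_AUDIT = {
    "Account Management":       {"success"},
    "System":                   {"success"},
    "Privilege Use":            {"success"},
    "Policy Change":            {"success"},
    "Directory Service Access": {"success"},
    "Account Logon":            {"success", "failure"},
    "Logon/Logoff":             {"failure"},
}

# One "New Policy" row of a 612 description: "<success flag> <failure flag> <category>"
_POLICY_ROW = re.compile(r"^\s*([+-])\s+([+-])\s+(\S.*?)\s*$")


def parse_612_policy(description):
    """Return {category: {"success": bool, "failure": bool}} from the New Policy
    rows of a Windows 2000/2003 event 612 (Audit Policy Changed) description."""
    policy = {}
    for line in description.splitlines():
        m = _POLICY_ROW.match(line)
        if m:
            success, failure, category = m.groups()
            policy[category] = {"success": success == "+", "failure": failure == "+"}
    return policy


def audit_policy_gaps(policy, required=REQUIRED_AUDIT):
    """List (category, kind) pairs the baseline requires but the new policy no
    longer audits. A non-empty result means the reports that depend on that
    category have gone blind and the 612 needs investigating, not just signoff."""
    gaps = []
    for category, kinds in required.items():
        state = policy.get(category)
        for kind in sorted(kinds):
            if state is None or not state[kind]:
                gaps.append((category, kind))
    return gaps


# Constructed sample event text, laid out like the 612 example in the document
# (note that Account Management has been switched off).
SAMPLE_612 = """Audit Policy Change:
 New Policy:
 \tSuccess\tFailure
 \t+\t+\tLogon/Logoff
 \t+\t+\tObject Access
 \t+\t+\tPrivilege Use
 \t-\t-\tAccount Management
 \t+\t+\tPolicy Change
 \t+\t+\tSystem
 \t-\t-\tDetailed Tracking
 \t+\t+\tDirectory Service Access
 \t+\t+\tAccount Logon
 Changed By:
 \tUser Name:\tradmin
 \tDomain:\tACME
"""

if __name__ == "__main__":
    for category, kind in audit_policy_gaps(parse_612_policy(SAMPLE_612)):
        print("612: %s %s auditing turned off; report coverage lost" % (category, kind))
```

    Run against the sample it reports the one gap, Account Management success auditing. Adjust REQUIRED_AUDIT to whatever the companion Audit Policy Configuration document prescribes for your environment; the parser itself does not change.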

    Active Directory and Member Server Compliance Events of Interest

    Active Directory General Object Changes

    Audit Policy Requirements
      Category: Directory Service
      Type: Success
      Role: Domain Controllers (only DCs report 565 or 566)
      SecureWorks Report:
        o Pre-Built Report Section: Monitoring
        o Report Name: Active Directory and Member Server Compliance Events - Daily

    Log Information to Aggregate
      Type: from Object Type:
        o domainDNS = Domain
        o organizationalUnit = OU
        o groupPolicyContainer = GPO
      Operation: derived from Object Type:, Accesses: and Properties: in the description
        Object Type                          If present in description        Column contents
        Any                                  WRITE_DAC                        Changed permissions
        Any                                  Delete Tree                      Deleted along with all child objects
        Any                                  DELETE                           Deleted
        organizationalUnit, domainDNS, site  Write Property and gPLink        GPO options or links modified
        organizationalUnit, domainDNS, site  Write Property and gPOptions     GPO options or links modified
        groupPolicyContainer                 Write Property and version       Modified
      Changed by: [Caller Domain:]\[Caller User Name:]

    Interpretation This group documents changes made to AD objects.

    Event Codes of Interest 565 and 566.

    Recommended Report Review and Response Run the Active Directory and Member Server Compliance Events - Daily report daily, and as needed for ad hoc research and analysis. Reports should be reviewed with signoff via digital signature through the portal, email acknowledgement or physical signature. Signed reports should be archived.

    Active Directory and Local Server Group Member Additions

    Audit Policy Requirements
      Category: Account Management
      Type: Success
      Role: Domain Controllers
      SecureWorks Report:
        o Pre-Built Report Section: Monitoring
        o Report Name: Active Directory and Member Server Compliance Events - Daily

    Log Information to Aggregate
      Group domain: Target Domain:
      Group name: Target Account Name:
      Type: Security if "Security Enabled" appears in the description, or if the event ID is 636, 632 or 660
            Distribution if "Security Disabled" appears in the description, or if the event ID is 650, 655 or 665
      New Member: Member Name:
      Added by: Caller Domain:\Caller User Name:

    Interpretation If the group's Type is Security, the new member now has access to any object where the group is granted permissions and will receive email sent to the group. If the group's Type is Distribution, the new member will receive email sent to the group.

    These logs document new members added to security and distribution groups in Active Directory and on local servers. AD and local server groups are increasingly used as the basis for controlling access to privileged information and transactions in databases and applications, so group and user activity is usually significant even in the unlikely scenario that no significant information is stored on Windows file servers. Distribution groups are important to monitor since they are often used to deliver confidential email.

    Recommended Usage and Response The Active Directory and Member Server Compliance Events - Daily report should be reviewed daily, with signoff via digital signature through the portal, email acknowledgement or physical signature. Signed reports should be archived. Check for inappropriate or unauthorized group membership changes.

    Documentation There are three group scopes. A group's scope limits where the group can be granted access and who the group can have as members. These events are collected from domain controllers.

      Scope         Explanation                                                                                        Security  Distribution
      Domain Local  The group is limited to objects in the local domain. Membership cannot result in access to         636       650
                    objects in other domains.
      Global        The group may have access to objects in the local domain and any other trusting domain inside      632       655
                    or outside the forest. Membership may result in access to objects in other domains.
      Universal     The group may have access to objects in the local domain and any other trusting domain inside      660       665
                    or outside the forest. Membership may result in access to objects in other domains.

  • Active Directory and Local Server Group Member Deletions

    Audit Policy Requirements
      Category: Account Management
      Type: Success
      Role: Domain Controllers
      SecureWorks Report:
        o Pre-Built Report Section: Monitoring
        o Report Name: Active Directory and Member Server Compliance Events - Daily

    Log Information to Aggregate
      Group domain: Target Domain:
      Group name: Target Account Name:
      Type: Security if the event ID is 637, 633 or 661
            Distribution if the event ID is 651, 656 or 666
      Scope: Domain Local, Global or Universal (by event ID, see the table below)
      Member: Member Name:
      Deleted by: Caller Domain:\Caller User Name:

    Interpretation If the group's Type is Security, the member no longer has access to any object where the group is granted permissions and will no longer receive email sent to the group. If the group's Type is Distribution, the member will no longer receive email sent to the group.

    These logs document members removed from security and distribution groups in Active Directory and on local servers. AD groups are increasingly used as the basis for controlling access to privileged information and transactions in databases and applications, so AD and local server group and user activity is usually significant even in the unlikely scenario that no significant information is stored on Windows file servers. Distribution groups are important to monitor since they are often used to deliver confidential email.

    Recommended Usage and Response The Active Directory and Member Server Compliance Events - Daily report should be reviewed daily, with signoff via digital signature through the portal, email acknowledgement or physical signature. Signed reports should be archived. This provides documentation that group membership was revoked in connection with job changes, etc.

    Documentation There are three group scopes. A group's scope limits where the group can be granted access and who the group can have as members. These events are collected from domain controllers.

      Scope         Explanation                                                                                        Security  Distribution
      Domain Local  The group is limited to objects in the local domain. Membership cannot result in access to         637       651
                    objects in other domains.
      Global        The group may have access to objects in the local domain and any other trusting domain inside      633       656
                    or outside the forest. Membership may result in access to objects in other domains.
      Universal     The group may have access to objects in the local domain and any other trusting domain inside      661       666
                    or outside the forest. Membership may result in access to objects in other domains.
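    The two scope tables above (Group Member Additions and Group Member Deletions) together define a twelve-entry mapping from event ID to operation, group type and scope. The following is an added example, not code from the document or from SecureWorks, that turns one group membership event into the report row the document describes and adds two derived flags a reviewer wants: whether the scope can reach trusting domains, and whether the group is on a privileged-group watch list. The watch list, the field regex and the 632 sample text are the editor's constructions; the field labels are the ones the document lists.

```python
import re

# Event ID -> (operation, group type, scope); the two scope tables in the
# Group Member Additions / Deletions sections, merged.
GROUP_MEMBER_EVENTS = {
    636: ("added",   "Security",     "Domain Local"),
    632: ("added",   "Security",     "Global"),
    660: ("added",   "Security",     "Universal"),
    650: ("added",   "Distribution", "Domain Local"),
    655: ("added",   "Distribution", "Global"),
    665: ("added",   "Distribution", "Universal"),
    637: ("removed", "Security",     "Domain Local"),
    633: ("removed", "Security",     "Global"),
    661: ("removed", "Security",     "Universal"),
    651: ("removed", "Distribution", "Domain Local"),
    656: ("removed", "Distribution", "Global"),
    666: ("removed", "Distribution", "Universal"),
}

# Groups whose membership changes deserve same-day attention. Hypothetical
# watch list; adapt to the environment.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins",
                     "administrators", "account operators", "backup operators"}


def field(description, label):
    """Value of one 'Label:<tab>value' line in a Windows 2000/2003 event description."""
    m = re.search(r"^\s*%s:[ \t]*(.*?)[ \t]*$" % re.escape(label), description, re.MULTILINE)
    return m.group(1) if m else ""


def classify_group_event(event_id, description):
    """Build the report row the document describes (group, type, scope, member,
    who did it) plus two derived flags. Returns None for IDs outside the set."""
    if event_id not in GROUP_MEMBER_EVENTS:
        return None
    operation, group_type, scope = GROUP_MEMBER_EVENTS[event_id]
    # Cross-check the ID against the description text, as the document suggests.
    if "Security Enabled" in description:
        group_type = "Security"
    elif "Security Disabled" in description:
        group_type = "Distribution"
    group = field(description, "Target Account Name")
    return {
        "operation": operation,
        "type": group_type,
        "scope": scope,
        "group": "%s\\%s" % (field(description, "Target Domain"), group),
        "member": field(description, "Member Name"),
        "performed_by": "%s\\%s" % (field(description, "Caller Domain"),
                                    field(description, "Caller User Name")),
        # Global and Universal membership can reach trusting domains; Domain Local cannot.
        "cross_domain_reach": scope != "Domain Local",
        "privileged": group_type == "Security" and group.lower() in PRIVILEGED_GROUPS,
    }


# Constructed 632 (Security Enabled Global Group Member Added) description,
# using the field names the document lists.
SAMPLE_632 = """Security Enabled Global Group Member Added:
 \tMember Name:\tCN=Jane Doe,OU=Staff,DC=acme,DC=com
 \tMember ID:\tACME\\jdoe
 \tTarget Account Name:\tDomain Admins
 \tTarget Domain:\tACME
 \tTarget Account ID:\tACME\\Domain Admins
 \tCaller User Name:\tradmin
 \tCaller Domain:\tACME
 \tCaller Logon ID:\t(0x0,0x34495)
 \tPrivileges:\t-
"""

if __name__ == "__main__":
    row = classify_group_event(632, SAMPLE_632)
    flag = "PRIVILEGED " if row["privileged"] else ""
    print("%s%s %s group %s: %s %s by %s" % (flag, row["scope"], row["type"], row["group"],
                                             row["member"], row["operation"], row["performed_by"]))
```

    On the sample the row comes back flagged privileged with cross-domain reach, which is exactly the entry a daily reviewer must trace to a change ticket before signing off.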

    Active Directory and Local Users New or Enabled

    Audit Policy Requirements
      Category: Account Management
      Type: Success
      Role: Domain Controllers
      SecureWorks Report:
        o Pre-Built Report Section: Monitoring
        o Report Name: Active Directory and Member Server Compliance Events - Daily

    Log Information to Aggregate
      Operation  Criteria                                                                                          User Account
      New        event ID 624                                                                                      New Account Domain:\New Account Name:
      Enabled    event ID 626 (Windows 2003); event ID 642 where "Account Enabled" appears in the description      Target Domain:\Target Account Name:
                 (Windows 2000)
      Performed by: Caller Domain:\Caller User Name:

    Interpretation This event group documents new AD and local member server user accounts, and previously disabled users that are now enabled.

    Recommended Usage and Response The Active Directory and Member Server Compliance Events - Daily report should be reviewed daily, with signoff via digital signature through the portal, email acknowledgement or physical signature. Signed reports should be archived. Verify that new user accounts correspond to new hires, and check for accounts of terminated employees that have been mistakenly enabled. Enabling a user account, except in connection with a return from sabbatical, should be fairly infrequent; investigate.

    Documentation This group is based on event IDs 626 and 624 in Windows 2003; 642 and 624 in Windows 2000.

  • Active Directory and Local Users Deleted or Disabled

    Audit Policy Requirements
      Category: Account Management
      Type: Success
      Role: Domain Controllers
      SecureWorks Report:
        o Pre-Built Report Section: Monitoring
        o Report Name: Active Directory and Member Server Compliance Events - Daily

    Log Information to Aggregate
      Operation  Criteria
      Deleted    event ID 630
      Disabled   event ID 629 (Windows 2003); event ID 642 where "Account Disabled" appears in the description (Windows 2000)
      User Account: Target Account Name:\Target Domain:
      Performed by: Caller Domain:\Caller User Name:

    Interpretation This event group documents AD and local member server user account deletions, and previously enabled accounts that are now disabled.

    Recommended Usage and Response The Active Directory and Member Server Compliance Events - Daily report should be reviewed daily, with signoff via digital signature through the portal, email acknowledgement or physical signature. Signed reports should be archived. This report provides documentation that account access was revoked in connection with terminations, etc.

    Documentation This group is based on event IDs 629 and 630 in Windows 2003; 642 and 630 in Windows 2000.

    Active Directory Group Policy Change

    Audit Policy Requirements
      Category: Directory Service
      Type: Success
      Role: Domain Controllers
      SecureWorks Report:
        o Pre-Built Report Section: Monitoring
        o Report Name: Active Directory and Member Server Compliance Events - Daily

    Log Information to Aggregate
      Type: from Object Type:
        o domainDNS = Domain
        o organizationalUnit = OU
        o groupPolicyContainer = GPO
        o site = Site
      Name: Object Name:
      Operation: the first matching case below
        Case  Criteria                                                   Operation
        1     Object Type: is organizationalUnit, domainDNS or site      Group Policy links or options changed
              and Properties: includes gPLink or gPOptions
              and Accesses: includes Write Property
        2     Object Type: is groupPolicyContainer                       GPO modified
              and Properties: includes version
              and Accesses: includes Write Property
        3     Object Type: is groupPolicyContainer                       GPO permissions modified
              and Accesses: includes WRITE_DAC
        4     Object Type: is groupPolicyContainer                       GPO deleted
              and Accesses: includes DELETE
        5     Object Type: is container                                  GPO created
              and Accesses: includes Create Child
              and Properties: includes groupPolicyContainer
      Changed by: Caller Domain:\Caller User Name:

    Interpretation This event group documents all group policy related changes:
      New, changed and deleted GPOs
      Changes to the Group Policy properties tab of sites, domains and organizational units

    Recommended Usage and Response The Active Directory and Member Server Compliance Events - Daily report should be reviewed daily, with signoff via digital signature through the portal, email acknowledgement or physical signature. Signed reports should be archived.

    Check for inappropriate or unauthorized group policy changes. Mistaken modifications to group policy can impact thousands of users and computers. Change control and a change audit trail are crucial to limiting group policy risk. Changes to group policy objects can also adversely reconfigure security settings or policies, opening the organization to intrusion or system abuse.

    Documentation This group is based on event IDs 566 and 565.

    Active Directory Permission Changes

    Audit Policy Requirements
      Category: Directory Service
      Type: Success
      Role: Domain Controllers
      SecureWorks Report:
        o Pre-Built Report Section: Monitoring
        o Report Name: Active Directory and Member Server Compliance Events - Daily

    Log Information to Aggregate
      Note: enable auditing at the root of the domain for Everyone, all objects, Success, Change Permissions. This is already the default on Windows 2000 DCs but not on Windows 2003 DCs.
      Domain: convert the DC= components of Object Name: to the DNS equivalent; DC=acme,DC=com becomes acme.com
      Type: from Object Type:
        domainDNS = Domain
        organizationalUnit = OU
        groupPolicyContainer = GPO
        otherwise use the actual value
      Operation: Changed permissions (Accesses: includes WRITE_DAC, as in the General Object Changes table above)
      Name: Object Name:
      Changed by: Caller Domain:\Caller User Name:

    Interpretation This group documents changes to permissions on objects in Active Directory. Permission changes are usually the result of delegating administrative authority. Active Directory does not report the content of the change, only that a change occurred.

    Recommended Usage and Response The Active Directory and Member Server Compliance Events - Daily report should be reviewed daily, with signoff via digital signature through the portal, email acknowledgement or physical signature. Signed reports should be archived.

    Check for inappropriate delegation of authority. Delegation of control is important in AD in order to follow least privilege, but it can result in inappropriate authority being granted if not executed properly. Since Active Directory does not report the content of the change, only that a change occurred, you must review the ACLs of the affected objects.

    Documentation This group is based on event IDs 560, 565 and 566.
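    The three Directory Service groups above (General Object Changes, Group Policy Change cases 1 to 5, and Permission Changes) are all rules over the same three fields of a 565/566 description: Object Type:, Accesses: and Properties:. The following is an added example, not code from the document or from SecureWorks, that parses such a description (Accesses and Properties span several lines, so label-less lines are folded into the previous label), applies the document's rules in one pass, and derives the Domain column from the DC= components of Object Name: as the Permission Changes section instructs. The line parser, the attribute name gPLink (the attribute that holds GPO links on OUs, domains and sites) and the two sample descriptions are the editor's constructions; the field labels follow the document.

```python
import re

# Object Type -> display name, from the document; other types display as-is.
TYPE_NAMES = {"domainDNS": "Domain", "organizationalUnit": "OU",
              "groupPolicyContainer": "GPO", "site": "Site"}

_LABEL = re.compile(r"^([A-Za-z][\w ]*):[ \t]*(.*)$")


def parse_description(description):
    """Collect 'Label:<tab>value' lines of a 565/566 description. Indented lines
    without a label (the Accesses and Properties lists span several lines) are
    appended to the previous label's value."""
    fields, last = {}, None
    for raw in description.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LABEL.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2)
        elif last:
            fields[last] += " " + line
    return fields


def dn_to_dns(dn):
    """DC= components of an Object Name to a DNS name: 'DC=acme,DC=com' -> 'acme.com'."""
    return ".".join(part.split("=", 1)[1] for part in dn.split(",")
                    if part.strip().upper().startswith("DC="))


def classify_ds_change(fields):
    """Apply the document's rules to one parsed 565/566 event. Returns a report
    row, or None when the event is not one the reports care about."""
    otype = fields.get("Object Type", "")
    accesses = fields.get("Accesses", "")
    props = fields.get("Properties", "")
    gpo = otype == "groupPolicyContainer"
    if "WRITE_DAC" in accesses:                       # Permission Changes / GPO case 3
        operation = "GPO permissions modified" if gpo else "Changed permissions"
    elif "Delete Tree" in accesses:
        operation = "Deleted along with all child objects"
    elif "DELETE" in accesses:                        # GPO case 4 or plain delete
        operation = "GPO deleted" if gpo else "Deleted"
    elif ("Write Property" in accesses and otype in ("organizationalUnit", "domainDNS", "site")
          and ("gPLink" in props or "gPOptions" in props)):   # GPO case 1
        operation = "Group Policy links or options changed"
    elif "Write Property" in accesses and gpo and "version" in props:   # GPO case 2
        operation = "GPO modified"
    elif "Create Child" in accesses and otype == "container" and "groupPolicyContainer" in props:
        operation = "GPO created"                     # GPO case 5
    else:
        return None
    name = fields.get("Object Name", "")
    return {
        "type": TYPE_NAMES.get(otype, otype),
        "domain": dn_to_dns(name),
        "name": name,
        "operation": operation,
        "changed_by": "%s\\%s" % (fields.get("Caller Domain", ""), fields.get("Caller User Name", "")),
    }


# Constructed 566 descriptions using the document's field names: a GPO version
# bump (case 2) and a gPLink write on an OU (case 1).
SAMPLE_566_GPO = """Object Operation:
 \tObject Server:\tDS
 \tOperation Type:\tObject Access
 \tObject Type:\tgroupPolicyContainer
 \tObject Name:\tCN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=acme,DC=com
 \tCaller User Name:\tradmin
 \tCaller Domain:\tACME
 \tAccesses:\tWrite Property
 \tProperties:\t---
 \t\tWrite Property
 \t\t\tversionNumber
"""
SAMPLE_566_OU = """Object Operation:
 \tObject Type:\torganizationalUnit
 \tObject Name:\tOU=Workstations,DC=acme,DC=com
 \tCaller User Name:\tradmin
 \tCaller Domain:\tACME
 \tAccesses:\tWrite Property
 \tProperties:\t---
 \t\tWrite Property
 \t\t\tgPLink
"""

if __name__ == "__main__":
    for sample in (SAMPLE_566_GPO, SAMPLE_566_OU):
        row = classify_ds_change(parse_description(sample))
        print("%(domain)s %(type)s %(operation)s: %(name)s by %(changed_by)s" % row)
```

    Rule order matters: WRITE_DAC and DELETE are tested before the Write Property cases so that a permission change or deletion on a GPO is never reported as a mere modification. A 565/566 that matches none of the rules (a read, for example) is dropped rather than reported as "Not specified".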

    Active Directory and Local User Account Lockouts and Password Resets

    Audit Policy Requirements
      Category: Account Management
      Type: Success
      Role: Domain Controllers
      SecureWorks Report:
        o Pre-Built Report Section: Monitoring
        o Report Name: Active Directory and Member Server Compliance Events Ad Hoc

    Log Information to Aggregate
      Operation       OS    Criteria
      Locked          2000  event ID 644
                      2003  event ID 644
      Unlocked        2000  event ID 642 where "unlocked" appears in the description
                      2003  event ID 671
      Password Reset  2000  event ID 627 where Target is different from Caller
                      2003  event ID 628
      User Account: Target Account ID:
      Performed by: Caller Domain:\Caller User Name: (n/a for 644)

    Interpretation This group documents AD and local member server account lockouts, subsequent unlocks, and password resets by an administrator or someone delegated that authority.

    Recommended Usage and Response Run the Active Directory and Member Server Compliance Events Ad Hoc report periodically and as needed. Verify that password resets correspond to authentic calls to the help desk by users who have forgotten their passwords. Verify that account unlock and password reset requests are properly authenticated by the help desk.

    Having the authority to reset passwords allows the holder to impersonate other users. Periodically auditing password resets provides a deterrent control.

    Documentation This group is based on event IDs 642, 644, 671, 627 and 628.

  • Active Directory and Local Server Other Users, Groups and Computers Changes

    Audit Policy Requirements
      Category: Account Management
      Type: Success
      Role: Domain controllers. Recognize DCs where Target Name: does not equal Computer
      SecureWorks Report:
        o Pre-Built Report Section: Monitoring
        o Report Name: Active Directory and Member Server Compliance Events Ad Hoc

    Log Information to Aggregate (Object Type, Operation, Column definition, Selection criteria)

    User

      For user changes it is important to distinguish whether a 642 is from a Windows 2000 or a Windows 2003 computer, since many 642s on Windows 2003 are redundant because of other, more specific event IDs. To determine the OS version:
        Windows 2000: Changed Attributes will not be present in the description
        Windows 2003: Changed Attributes is present in the description

      General change (event ID 642)
        On Windows 2000: display the first insertion string from the description. Some account changes generate a 642 with the first insertion string empty; in such cases display "Not specified".
        On Windows 2003: Microsoft removed the first insertion string and replaced it with Changed Attributes. Display the attribute name/value pairs for which there is a value. For the example event below you would display:
          Password Last Set: 8/1/2006 12:15:10 PM
        Some account changes generate a 642 where no attributes are listed as changed; in such cases display "Not specified".

        First check whether the 642 matches the criteria for one of the other operations in this table. If so, it is a specific change, not a general change.
        Windows sometimes logs multiple 642s in relation to what is one operation from the administrator's point of view.
        Windows logs multiple 642s in conjunction with new user accounts (624).
        Windows also logs 642s that are redundant because of event IDs that document specific actions such as password resets, enabling and disabling accounts, etc.

        Example event:
          Event Type: Success Audit
          Event Source: Security
          Event Category: Account Management
          Event ID: 642
          Date: 8/1/2006
          Time: 12:15:10 PM
          User: S3DGROUP\radmin
          Computer: A4
          Description:
          User Account Changed:
            Target Account Name: gthomas
            Target Domain: S3DGROUP
            Target Account ID: S3DGROUP\gthomas
            Caller User Name: radmin
            Caller Domain: S3DGROUP
            Caller Logon ID: (0x0,0x34495)
            Privileges: -
            Changed Attributes:
            Sam Account Name: -
            Display Name: -
            User Principal Name: -
            Home Directory: -
            Home Drive: -
            Script Path: -
            Profile Path: -
            User Workstations: -
            Password Last Set: 8/1/2006 12:15:10 PM
            Account Expires: -
            Primary Group ID: -
            AllowedToDelegateTo: -
            Old UAC Value: -
            New UAC Value: -
            User Account Control: -
            User Parameters: -
            Sid History: -
            Logon Hours: -

      Renamed (event ID 685): Renamed From: [Old Account Name:] To: [New Account Name:]

    Group

      Created (event IDs 635, 631, 658, 648, 653, 663): Created
      Changed (event IDs 641, 639, 659, 649, 654, 664): Changed; attributes reported are Sam Account Name: and Sid History:
      Deleted (event IDs 638, 634, 662, 652, 657, 667): Deleted
      Group Type Changed (event ID 668): Group Type Changed From: [Security/Distribution] To: [Local/Global/Universal]
        Security if "Security Enabled" appears in the description
        Distribution if "Security Disabled" appears in the description

    Computer

      Created (event ID 645): Created
      Changed (event ID 646): see the General change column definition for User
      Deleted (event ID 647): Deleted

    Other Information
      Domain: [Target Account Domain:]
      Object: [Target Account Domain:]\[Target Account Name:]
      Type: use the Object Type column in the table above
      Performed by: [Caller Domain:]\[Caller User Name:] (n/a for Account Locked operations, event 644)

    Interpretation
    This group documents all other changes to users, groups and computers, including new and deleted objects. Sometimes Windows fails to report exactly what was changed, which is reflected by "Not specified".

    Recommended Usage and Response
    Run the Active Directory and Member Server Compliance Events Ad Hoc report periodically and as needed. Provide it as needed to IT Audit to demonstrate compliance with account management procedures.

    Documentation
    This group is based on event IDs 642, 685, 635, 631, 658, 648, 653, 663, 641, 639, 659, 649, 654, 664, 638, 634, 662, 652, 657, 667, 668, 645, 646 and 647.
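    The 642 handling spread across the New or Enabled, Deleted or Disabled, Lockouts and Password Resets, and Other Changes sections amounts to one procedure: detect the OS from the presence of Changed Attributes, keep only attributes with a value, classify the specific operation when the description reveals it, and suppress the 642s that are noise (redundant with a specific 2003 event ID, or trailing a 624 while Windows populates a new account). The following is an added example, not code from the document or from SecureWorks, that implements that procedure. The five-second window after a 624, the SPECIFIC_2003 mapping and the sample descriptions (the first is the document's own example, shortened) are the editor's constructions.

```python
import re
from datetime import datetime, timedelta

_PAIR = re.compile(r"^[ \t]*([A-Za-z][\w ]*?):[ \t]*(.*?)[ \t]*$", re.MULTILINE)

# Windows 2003 event IDs that already document the specific change a 642 also
# reports (the document's tables); on 2003 such 642s are redundant.
SPECIFIC_2003 = {"Disabled": 629, "Enabled": 626, "Unlocked": 671, "Password reset": 628}


def parse_642(description):
    """Return (os_guess, header, changed). Windows 2003 appends a Changed
    Attributes list and Windows 2000 does not (the document's OS test);
    'changed' keeps only attributes whose value is not '-'."""
    header, changed, in_attrs = {}, {}, False
    for label, value in _PAIR.findall(description):
        if label == "Changed Attributes":
            in_attrs = True
        elif in_attrs:
            if value and value != "-":
                changed[label] = value
        elif value:
            header[label] = value
    return ("Windows 2003" if in_attrs else "Windows 2000"), header, changed


def classify_642(description):
    """One report row: the specific operation when the description reveals it,
    otherwise 'General change' with the valued attributes (or 'Not specified')."""
    os_guess, header, changed = parse_642(description)
    if "Account Disabled" in description:
        operation = "Disabled"
    elif "Account Enabled" in description:
        operation = "Enabled"
    elif "Unlocked" in description:
        operation = "Unlocked"
    elif "Password Last Set" in changed:
        operation = "Password reset"
    else:
        operation = "General change"
    return {
        "os": os_guess,
        "operation": operation,
        "detail": "; ".join("%s: %s" % kv for kv in changed.items()) or "Not specified",
        "account": "%s\\%s" % (header.get("Target Domain", ""), header.get("Target Account Name", "")),
        "performed_by": "%s\\%s" % (header.get("Caller Domain", ""), header.get("Caller User Name", "")),
        "redundant_with": SPECIFIC_2003.get(operation) if os_guess == "Windows 2003" else None,
    }


def account_changes(events, window=timedelta(seconds=5)):
    """events: (timestamp, event_id, description) in time order. Keeps 624s and
    the 642s worth showing: drops 642s a 2003 DC also reported under a specific
    ID, and 642s trailing a 624 for the same account within `window`."""
    kept, created_at = [], {}
    for ts, event_id, description in events:
        if event_id == 624:
            account = "%s\\%s" % (re.search(r"New Domain:[ \t]*(\S+)", description).group(1),
                                  re.search(r"New Account Name:[ \t]*(\S+)", description).group(1))
            created_at[account] = ts
            kept.append((event_id, account, "New account"))
        elif event_id == 642:
            row = classify_642(description)
            if row["redundant_with"] is not None:
                continue
            born = created_at.get(row["account"])
            if born is not None and ts - born <= window:
                continue
            kept.append((event_id, row["account"], "%s (%s)" % (row["operation"], row["detail"])))
    return kept


# Constructed descriptions. SAMPLE_642_2003 is the document's example, shortened.
SAMPLE_642_2003 = """User Account Changed:
 \tTarget Account Name:\tgthomas
 \tTarget Domain:\tS3DGROUP
 \tTarget Account ID:\tS3DGROUP\\gthomas
 \tCaller User Name:\tradmin
 \tCaller Domain:\tS3DGROUP
 \tPrivileges:\t-
 \tChanged Attributes:
 \tSam Account Name:\t-
 \tPassword Last Set:\t8/1/2006 12:15:10 PM
 \tUser Account Control:\t-
"""
SAMPLE_642_2000 = """User Account Changed:
 \tAccount Disabled.
 \tTarget Account Name:\tjsmith
 \tTarget Domain:\tS3DGROUP
 \tCaller User Name:\tradmin
 \tCaller Domain:\tS3DGROUP
"""
SAMPLE_624 = "User Account Created:\n \tNew Account Name:\tjdoe\n \tNew Domain:\tS3DGROUP\n \tCaller User Name:\tradmin\n"
SAMPLE_642_NEW = SAMPLE_642_2003.replace("gthomas", "jdoe").replace("8/1/2006 12:15:10 PM", "-")
T0 = datetime(2006, 8, 1, 12, 15, 10)
SAMPLE_EVENTS = [(T0, 624, SAMPLE_624), (T0 + timedelta(seconds=1), 642, SAMPLE_642_NEW),
                 (T0 + timedelta(hours=1), 642, SAMPLE_642_2000),
                 (T0 + timedelta(hours=1, seconds=1), 642, SAMPLE_642_2003)]
```

    Of the four sample events only the 624 and the Windows 2000 disable survive: the 642 one second after the 624 is account-creation noise, and the 2003 password-reset 642 is already on the report as a 628. Widen the window if your DCs are slow to populate new accounts; a missed suppression only adds a line, a too-wide window could hide a real change.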

    Authentication and Logons Compliance Events of Interest

    Domain Account Authentication

    Audit Policy Requirements
      Category: Account Logon
      Type: Success
      Role: Domain Controllers
      SecureWorks Report:
        o Pre-Built Report Section: Monitoring
        o Report Name: Authentication and Logons Compliance Events of Interest Ad Hoc

    Log Information to Aggregate
      Authentication Type: from the event ID (success): 672 = Kerberos TGT
      Account: Domain:\User Name:
      Server: for event 672, the Computer from the event header

    Interpretation
    This group documents all authentications to domain controllers by users. Note that whenever a user logs on to their own workstation or a member server, a Network logon to a DC is generated as well, since the user's workstation must access the domain controller under the user's credentials to apply Group Policy\User Configuration.

    Recommended Usage and Response Run the Authentication and Logons Compliance Events of Interest Ad Hoc report periodically and as needed.

    Documentation This group is based on event ID 672.

    Domain Account Authentication Failure Analysis

    Audit Policy Requirements
      Category: Account Logon
      Type: Failure
      Role: Domain Controllers
      SecureWorks Report:
        o Pre-Built Report Section: Monitoring
        o Report Name: Authentication and Logons Compliance Events of Interest Ad Hoc

    Log Information to Aggregate
      Account: Domain:\User Name:
      Reason: see http://ultimatewindowssecurity.com/kerberrors.html for Kerberos errors and http://ultimatewindowssecurity.com/ntlmerrors.html for NTLM errors
      Domain Controller: computer name from the event header
      Workstation: event 681: Workstation: or Workstation Name:; events 672, 675, 676: Client Address:
      Authentication Protocol: event 681: NTLM; events 672, 675, 676: Kerberos

    Interpretation This group documents all authentication failures to domain controllers by users. Note that whenever a user logs on to their own workstation or a member server, a Network logon to a DC is generated as well, since the user's workstation must access the domain controller under the user's credentials to apply Group Policy\User Configuration. Event 672 appears in this failure group because Windows 2000 records a failed ticket request as a failure audit of 672; Windows 2003 records it as 676 (or 675 when pre-authentication fails).

    Recommended Usage and Response Run the Authentication and Logons Compliance Events of Interest Ad Hoc report periodically and as needed.

    Documentation This group is based on event IDs 672, 675, 676 and 681.

    User Logons by Server Type

    Audit Policy Requirements
      Category: Logon/Logoff
      Type: Failure
      Role: Servers
      SecureWorks Report:
        o Pre-Built Report Section: Monitoring
        o Report Name: Authentication and Logons Compliance Events of Interest Ad Hoc

    Log Information to Aggregate
      Logon Type: Logon Type: (insertion string %4); see http://ultimatewindowssecurity.com/logontypes.html for the translation
      Domain:\User Name: User Name: (%1) and Domain: (%2)
      Server: Computer from the event header
      Process: Logon Process:
      ID: Logon ID: (optional)
      Success/Failure: Event Type from the event header; if failure, fill in the failure reason based on the event ID

    Interpretation This group documents all logons to monitored servers.

    Recommended Usage and Response Run the Authentication and Logons Compliance Events of Interest Ad Hoc report periodically and as needed.

    Documentation This group is based on event IDs 529 through 540, excluding 538. With only Failure auditing enabled for Logon/Logoff, as required above, the report contains the failure events 529 through 537 and 539; the success events 528 and 540 appear only if Success auditing is enabled as well.
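    The two failure groups above (Domain Account Authentication Failure Analysis and User Logons by Server Type) both need the same two steps: translate a raw event into an account, a source and a readable reason, then look at the failures in aggregate, because a single 529 is routine while thirty against one account, or one workstation cycling through many accounts, is not. The following is an added example, not code from the document or from SecureWorks, that does both over constructed sample events. The reason tables cover the logon failure IDs named in this document and the common Kerberos failure codes (675/676) and NTLM status codes (681); the thresholds and the sample events are the editor's constructions.

```python
import re
from collections import Counter, defaultdict

# Logon Type values in 528-540 descriptions (the document points at
# ultimatewindowssecurity.com/logontypes.html for the same table).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}

# Failure reason implied by each Logon/Logoff failure event ID.
LOGON_FAILURE_REASON = {
    529: "Unknown user name or bad password", 530: "Logon outside permitted hours",
    531: "Account disabled", 532: "Account expired", 533: "Workstation restriction",
    534: "Logon type not granted", 535: "Password expired",
    536: "NetLogon component not active", 537: "Unexpected error", 539: "Account locked out",
}
# Common Failure Code values in 675/676 (Kerberos) and error codes in 681 (NTLM).
KERBEROS_CODES = {"0x6": "Client not found (bad user name)",
                  "0x12": "Client revoked (disabled, expired or locked out)",
                  "0x17": "Password expired", "0x18": "Pre-authentication failed (bad password)",
                  "0x25": "Clock skew too great"}
NTLM_CODES = {"3221225572": "User name does not exist", "3221225578": "Wrong password",
              "3221225583": "Logon hours violation", "3221225585": "Password expired",
              "3221225586": "Account disabled", "3221226036": "Account locked out"}
# 681 is prose, not label/value pairs: "The logon to account: X by: Y from workstation: Z failed. The error code was: N"
_NTLM_681 = re.compile(r"account:\s*(\S+)\s+by:.*?from workstation:\s*(\S+)\s+failed\.\s*The error code was:\s*(\d+)", re.S)


def field(description, label):
    m = re.search(r"^\s*%s:[ \t]*(.*?)[ \t]*$" % re.escape(label), description, re.MULTILINE)
    return m.group(1) if m else ""


def explain_failure(event):
    """Normalise one failed logon (529-539), Kerberos failure (675/676) or NTLM
    failure (681) into a row with a readable reason. None for other IDs."""
    eid, d = event["id"], event["description"]
    row = {"server": event["computer"], "event_id": eid}
    if eid in LOGON_FAILURE_REASON:
        row.update(account=field(d, "User Name").lower(), source=field(d, "Workstation Name"),
                   protocol="Logon", reason=LOGON_FAILURE_REASON[eid],
                   logon_type=LOGON_TYPES.get(int(field(d, "Logon Type") or 0), "Unknown"))
    elif eid in (675, 676):
        code = field(d, "Failure Code")
        row.update(account=field(d, "User Name").lower(), source=field(d, "Client Address"),
                   protocol="Kerberos", reason=KERBEROS_CODES.get(code, "Kerberos error " + code),
                   logon_type="n/a")
    elif eid == 681:
        m = _NTLM_681.search(d)
        if not m:
            return None
        row.update(account=m.group(1).lower(), source=m.group(2), protocol="NTLM",
                   reason=NTLM_CODES.get(m.group(3), "NTLM status " + m.group(3)), logon_type="n/a")
    else:
        return None
    return row


def failure_analysis(events, threshold=3):
    """Rows plus alerts: many failures against one account (guessing, or a stale
    credential in a scheduled task) and one source trying many accounts (spraying)."""
    rows = [r for r in map(explain_failure, events) if r]
    per_account, per_source = Counter(), defaultdict(set)
    for r in rows:
        per_account[r["account"]] += 1
        per_source[r["source"]].add(r["account"])
    alerts = ["%d failures for %s" % (n, a) for a, n in per_account.items() if n >= threshold]
    alerts += ["%s tried %d accounts" % (s, len(a)) for s, a in per_source.items() if len(a) >= threshold]
    return rows, alerts


def _ev(eid, computer, description):
    return {"id": eid, "computer": computer, "description": description}

# Constructed sample events; the descriptions use the Windows 2003 field labels.
_529 = ("Logon Failure:\n\tReason:\t\tUnknown user name or bad password\n\tUser Name:\tjdoe\n"
        "\tDomain:\t\tACME\n\tLogon Type:\t3\n\tLogon Process:\tNtLmSsp\n"
        "\tAuthentication Package:\tNTLM\n\tWorkstation Name:\tWS01\n")
SAMPLE_EVENTS = [
    _ev(529, "FS1", _529),
    _ev(529, "FS1", _529),
    _ev(539, "FS1", _529.replace("Unknown user name or bad password", "Account locked out")),
    _ev(675, "DC1", "Pre-authentication failed:\n\tUser Name:\tjdoe\n\tUser ID:\tACME\\jdoe\n"
                    "\tService Name:\tkrbtgt/ACME\n\tPre-Authentication Type:\t0x2\n"
                    "\tFailure Code:\t0x18\n\tClient Address:\t10.0.0.5\n"),
    _ev(681, "DC1", "The logon to account: admin by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 "
                    "from workstation: WS01 failed. The error code was: 3221225578"),
    _ev(676, "DC1", "Authentication Ticket Request Failed:\n\tUser Name:\tnosuchuser\n"
                    "\tSupplied Realm Name:\tACME\n\tFailure Code:\t0x6\n\tClient Address:\t10.0.0.9\n"),
    _ev(528, "FS1", "Successful Logon:\n\tUser Name:\tjdoe\n\tDomain:\t\tACME\n\tLogon Type:\t2\n"),
]
```

    Note the two views of one incident in the sample: the member server FS1 sees 529s and then a 539 for jdoe, while the DC sees the same bad password as a Kerberos 675 with failure code 0x18 from the client address. Correlating on account name across both groups is what turns the per-server report into an answer about what actually happened.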