Last modified: 3 October 2004
Windows operating systems, in their default configurations, provide minimal logging. This page represents the things I found useful when implementing enterprise log monitoring on Windows NT and Windows 2000 (domain controllers and domain members; others to follow), during my tenure at Counterpane.
The auditing and logging capabilities within Windows are evolving rapidly as Microsoft incorporates suggestions from the log analysis community (and others, one presumes). I'm not maintaining this page regularly, so be sure to verify all information by testing in your own environment. Microsoft's documentation is the best place to start.
Please send comments and contributions to tbird@precision-guesswork.com.
General

References on Windows Security and Auditing

- Guide to Securing Microsoft Windows 2000 Group Policy: Security Configuration Tool Set. Chapter 4.1, Modifying Local Policy Settings with Security Templates: Auditing Policy, and Chapter 5, Modifying Event Log Settings with Security Templates, are particularly relevant.
- How to Determine Audit Policies from the Registry. This explains how to determine a Windows system's audit policy by examining the Registry directly, rather than by using the GUI.
Note: Microsoft uses the words logging and auditing somewhat interchangeably. If you want to configure the logging that your Windows box performs, you do it by modifying the audit policy. This is a bit different than the terminology most UNIX administrators are familiar with, in which you modify the logging by editing a file named syslog.conf.
Configuring Auditing on Win2000 Domain Controllers

- Open the Control Panel, and double-click on Administrative Tools.
- Open Active Directory Users and Computers.
- Select Domain Controllers. Go to the Actions toolbar item, and select Properties.
- Go to the Group Policy tab, and select Default Domain Controllers Policy (or whichever Domain Controllers Policy is used within your environment).
- Click on the Edit button.
- Then select Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy.
- Put a checkmark in whichever audit policies you want to enable (see below for some recommendations), and close the window.
According to Eric Fitzgerald, Product Manager for Windows Auditing at Microsoft: policy change propagates every 5 minutes on Win2k domain controllers; every 16 hours on Win2k domain member clients (Server and Professional versions).

You can force policy propagation immediately on a Windows machine with the following command from a command prompt (you must be an Administrator):

- Windows 2000: SECEDIT /REFRESHPOLICY MACHINE_POLICY
- Windows XP: GPUPDATE

Windows 2000 Domain Member Clients
To configure audit policy for Windows 2000 domain members, open the Administrative Tools.

- Select Active Directory Users and Computers.
- Highlight your domain name and right-click. Select Properties.
- On the Group Policy tab, select Default Domain Policy (or whatever policy is appropriate in your environment). Changes to the policy are saved immediately when they're made.
Again, changes to domain member policies are propagated to domain members every 16 hours.
Windows Audit Categories and EventIDs

Happily, although the names of audit categories have changed between WinNT and Win2000, the Event IDs appear to be the same. This simplifies rolling your log monitoring tools between the two operating systems.

The following includes a description of the Windows audit categories that are particularly relevant for security monitoring. I'm skipping descriptions of directory service auditing, object access, and process tracking, mostly for the sake of space, not because they're not valuable. For most of us, getting these bits right will put us way ahead of the game.

I've also included the sorts of Event Log messages that are created within each of the categories. This information is mostly derived from Microsoft documentation. I'm also throwing in my personal recommendations for audit configurations -- please take those with a grain of salt, and modify them to fit your own network environment and security profile.

If you use swatch or some other log monitoring package, you'll want to be particularly alert to messages with EventIDs followed by a *. The asterisk means that the message is frequently (although not always) a sign of malicious behavior.
Audit Category: Logon and Logoff (NT); Audit logon events (2000)

Description: Records user authentication activity and IPsec Security Associations (for reasons that are clear only to Microsoft). This category controls auditing for local authentication and authentication of a local user to a local machine, or to a remote domain controller. If you're looking for the ability to centrally record successful and failed domain authentications, you must use Windows 2000 and you want the category Audit account logons below.

Recommended Configuration: Enable success and failure auditing.

Enabling successes and failures in this category enables you to record the following events:

| Event ID | Event Descriptor |
|---|---|
| 528 | Successful Logon |
| 529* | Logon Failure: Reason: Unknown user name or bad password |
| 530* | Logon Failure: Reason: Account logon time restriction violation |
| 531* | Logon Failure: Reason: Account currently disabled |
| 532* | Logon Failure: Reason: The specified user account has expired |
| 533* | Logon Failure: Reason: User not allowed to logon at this computer |
| 534* | Logon Failure: Reason: The user has not been granted the requested logon type at this machine |
| 535* | Logon Failure: Reason: The specified account's password has expired |
| 536 | Logon Failure: Reason: The NetLogon component is not active |
| 537* | Logon Failure: Reason: An unexpected error occurred during logon |
| 538 | User Logoff |
| 539 | Logon Failure: Reason: Account locked out |
| 540 | Successful Network Logon |

The following Event IDs in this category are Windows 2000 only. They are recorded only when the IPsec Security Protocols are in use.

| Event ID | Event Descriptor |
|---|---|
| 541 | IPSec security association established. |
| 542 | IPSec security association ended. Mode: Data Protection (Quick mode) |
| 543 | IPSec security association ended. Mode: Key Exchange (Main mode) |
| 544 | IPSec security association establishment failed because peer could not authenticate. |
| 545 | IPSec peer authentication failed. |
| 546 | IPSec security association establishment failed because peer sent invalid proposal. |
| 547 | IPSec security association negotiation failed. |
Audit Category: Audit account logon events (Win2000 only)

Description: Provides a domain controller with the ability to record successful and failed account logons centrally. Specifically, records the response given by a domain controller when asked to authenticate a network user.

Recommended Configuration: Enable success and failure auditing.

| Event ID | Event Descriptor |
|---|---|
| 672 | Authentication Ticket Granted |
| 673 | Service Ticket Granted |
| 674 | Ticket Granted Renewed |
| 675 | Pre-authentication failed |
| 676 | Authentication Ticket Request Failed |
| 677 | Service Ticket Request Failed |
| 678 | Account Mapped for Logon |
| 679 | Account could not be mapped for logon |
| 680 | Account Used for Logon |
| 681 | The logon to account: <client name> by: <source> from workstation: <workstation> failed. The error code was: <error> |
| 682 | Session reconnected to winstation |
| 683 | Session disconnected from winstation |
Audit Category: User and Group Management (NT); Audit account management (Win2000)

Description: Records the actions of an administrator in creating, changing, or deleting a user account or a group. This also captures information on renaming, enabling, and disabling user accounts, as well as changing passwords.

Recommended Configuration: Enable success and failure auditing.

| Event ID | Event Descriptor |
|---|---|
| 624* | User Account Created |
| 625 | User Account Type Change |
| 626 | User Account Enabled |
| 627* | Change Password Attempt |
| 628 | User Account password set |
| 629 | User Account Disabled |
| 630* | User Account Deleted |
| 631 | Security Enabled Global Group Created |
| 632* | Security Enabled Global Group Member Added |
| 633 | Security Enabled Global Group Member Removed |
| 634 | Security Enabled Global Group Deleted |
| 635 | Security Enabled Local Group Created |
| 636* | Security Enabled Local Group Member Added |
| 637 | Security Enabled Local Group Member Removed |
| 638 | Security Enabled Local Group Deleted |
| 639 | Security Enabled Local Group Changed |
| 640 | General Account Database Change |
| 641 | Security Enabled Global Group Changed |
| 642* | User Account Changed |
| 643* | Domain Policy Changed |
| 644 | User Account Locked Out |
| 645 | Computer Account Created |
| 646 | Computer Account Changed |
| 647 | Computer Account Deleted |
| 648 | Security Disabled Local Group Created |
| 649 | Security Disabled Local Group Changed |
| 650 | Security Disabled Local Group Member Added |
| 651 | Security Disabled Local Group Member Removed |
| 652 | Security Disabled Local Group Deleted |
| 653 | Security Disabled Global Group Created |
| 654 | Security Disabled Global Group Changed |
| 655 | Security Disabled Global Group Member Added |
| 656 | Security Disabled Global Group Member Removed |
| 657 | Security Disabled Global Group Deleted |
| 658 | Security Enabled Universal Group Created |
| 659 | Security Enabled Universal Group Changed |
| 660 | Security Enabled Universal Group Member Added |
| 661 | Security Enabled Universal Group Member Removed |
| 662 | Security Enabled Universal Group Deleted |
| 663 | Security Disabled Universal Group Created |
| 664 | Security Disabled Universal Group Changed |
| 665 | Security Disabled Universal Group Member Added |
| 666 | Security Disabled Universal Group Member Removed |
| 667 | Security Disabled Universal Group Deleted |
| 668 | Group Type Changed |
| 669 | Add SID History (Success) |
| 670 | Add SID History (Failure) |
Audit Category: Security Policy Changes (NT); Audit policy change (Win2000)

Description: Records actions taken by an administrator who adds, modifies or deletes system security options, user rights, or local or domain audit policies.

Recommended Configuration: Enable success and failure auditing.

| Event ID | Event Descriptor |
|---|---|
| 608* | User Right Assigned |
| 609* | User Right Removed |
| 610* | New Trusted Domain |
| 611* | Removing Trusted Domain |
| 612* | Audit Policy Changed |

The following Event IDs in this category are Windows 2000 only. They are recorded only when the IPsec Security Protocols are in use.

| Event ID | Event Descriptor |
|---|---|
| 613 | IPSec policy agent started |
| 614* | IPSec policy agent disabled |
| 615* | IPSEC Policy Changed |
| 616* | IPSec policy agent encountered a potentially serious failure. |
| 617* | Kerberos Policy Changed |
| 618* | Encrypted Data Recovery Policy Changed |
| 619 | Quality of Service Policy Changed |
| 620* | Trusted Domain Information Modified |
Audit Category: Restart, Shutdown and System (NT); Audit system events (Win2000)

Description: This category includes events that affect the availability and security of the entire computer system. This category also captures information on restarts and system shutdowns.

Recommended Configuration: Enable failure auditing.

| Event ID | Event Descriptor |
|---|---|
| 512* | Windows NT is starting up. |
| 513* | Windows NT is shutting down. |
| 514 | An authentication package has been loaded by the Local Security Authority. |
| 515 | A trusted logon process has registered with the Local Security Authority. |
| 516* | Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. |
| 517* | The audit log was cleared. |
| 518 | A notification package has been loaded by the Security Account Manager. |
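As an added example (not part of the original page), here is the kind of filter the swatch note under Windows Audit Categories calls for: it reads Security-log lines, raises an alert for every Event ID the tables above mark with an asterisk, and counts repeated logon failures per host. The EVENTS table is a subset copied from this page; the log lines are constructed in the layout of an Event Viewer tab-delimited export, and the failure threshold is an assumption.

```python
"""Flag Security-log entries whose Event IDs this page marks with an asterisk.
Added example: EVENTS is a subset copied from the page's tables; the log lines
are constructed in the layout of an Event Viewer tab-delimited export."""
from collections import Counter, namedtuple
# Event ID -> (descriptor, suspicious); True mirrors the page's '*' marking.
EVENTS = {
    517: ("The audit log was cleared", True),
    528: ("Successful Logon", False),
    529: ("Logon Failure: Unknown user name or bad password", True),
    531: ("Logon Failure: Account currently disabled", True),
    539: ("Logon Failure: Account locked out", False),
    612: ("Audit Policy Changed", True),
    624: ("User Account Created", True),
    632: ("Security Enabled Global Group Member Added", True),
}
# Export columns: Date, Time, Source, Type, Category, Event, User, Computer
Record = namedtuple("Record", "date time source kind category event_id user computer")

def parse_line(line):
    """Split one export line; None for malformed lines so they cannot stop the monitor."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 8 or not fields[5].isdigit():
        return None
    fields[5] = int(fields[5])
    return Record(*fields)

def alerts(lines):
    """(event_id, descriptor, computer, user) for every asterisked Event ID."""
    return [(r.event_id, EVENTS[r.event_id][0], r.computer, r.user)
            for r in filter(None, map(parse_line, lines))
            if r.event_id in EVENTS and EVENTS[r.event_id][1]]

def failures_per_host(lines, threshold=3):
    """Hosts with >= threshold failure audits in the 529-539 range (threshold is assumed)."""
    counts = Counter(r.computer for r in filter(None, map(parse_line, lines))
                     if r.kind == "Failure Audit" and 529 <= r.event_id <= 539)
    return {host: n for host, n in counts.items() if n >= threshold}

SAMPLE_LOG = [  # constructed sample lines, not real data
    "10/03/2004\t09:00:01\tSecurity\tSuccess Audit\tLogon/Logoff\t528\tDOM\\alice\tWS01",
    "10/03/2004\t09:00:05\tSecurity\tFailure Audit\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tWS02",
    "10/03/2004\t09:00:06\tSecurity\tFailure Audit\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tWS02",
    "10/03/2004\t09:00:08\tSecurity\tFailure Audit\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tWS02",
    "10/03/2004\t09:01:10\tSecurity\tSuccess Audit\tAccount Management\t624\tDOM\\bob\tDC01",
    "10/03/2004\t09:02:00\tSecurity\tSuccess Audit\tSystem Event\t517\tDOM\\bob\tDC01",
    "garbage line without tabs",
]
if __name__ == "__main__":  # usage on the constructed sample
    print(alerts(SAMPLE_LOG), failures_per_host(SAMPLE_LOG))
```

Feed it a real export with `alerts(open("security.txt").readlines())`; the unknown and non-asterisked IDs fall through silently, so extend EVENTS from the tables above as your monitoring needs grow.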