Windows Security Monitoring E-Book

Table of Contents

Cover

Title Page

Introduction

Who This Book Is For

What This Book Covers

How This Book Is Structured

What You Need to Use This Book

Conventions

What's on the Website

Part I: Introduction to Windows Security Monitoring

CHAPTER 1: Windows Security Logging and Monitoring Policy

Security Logging

Security Monitoring

Part II: Windows Auditing Subsystem

CHAPTER 2: Auditing Subsystem Architecture

Legacy Auditing Settings

Advanced Auditing Settings

Windows Auditing Group Policy Settings

Windows Auditing Architecture

Security Event Structure

CHAPTER 3: Auditing Subcategories and Recommendations

Account Logon

Account Management

Detailed Tracking

DS Access

Logon and Logoff

Object Access

Policy Change

Privilege Use

System

Part III: Security Monitoring Scenarios

CHAPTER 4: Account Logon

Interactive Logon

RemoteInteractive Logon

Network Logon

Batch and Service Logon

NetworkCleartext Logon

NewCredentials Logon

Account Logoff and Session Disconnect

Special Groups

Anonymous Logon

CHAPTER 5: Local User Accounts

Built-in Local User Accounts

Built-in Local User Accounts Monitoring Scenarios

Local User Account Password Modification

Local User Account Enabled/Disabled

Local User Account Lockout Events

Local User Account Change Events

CHAPTER 6: Local Security Groups

Built-in Local Security Groups

Built-in Local Security Groups Monitoring Scenarios

CHAPTER 7: Microsoft Active Directory

Active Directory Built-in Security Groups

Built-in Active Directory Accounts

Active Directory Accounts Operations

Active Directory Group Operations

Active Directory Trust Operations

Domain Policy Changes

Account Password Migration

CHAPTER 8: Active Directory Objects

Active Directory Object SACL

Active Directory Object Change Auditing

Active Directory Object Operation Attempts

Active Directory Objects Auditing Examples

CHAPTER 9: Authentication Protocols

NTLM-family Protocols

Kerberos

CHAPTER 10: Operating System Events

System Startup/Shutdown

System Time Changes

System Services Operations

Security Event Log Operations

Changes in Auditing Subsystem Settings

Per-User Auditing Operations

Scheduled Tasks

Boot Configuration Data Changes

CHAPTER 11: Logon Rights and User Privileges

Logon Rights

User Privileges

User Privileges Policy Modification

Special User Privileges Assigned at Logon Time

Logon Session User Privileges Operations

Backup and Restore Privilege Use Auditing

CHAPTER 12: Windows Applications

New Application Installation

Application Execution and Termination

Application Crash Monitoring

Windows AppLocker Auditing

Process Permissions and LSASS.exe Access Auditing

CHAPTER 13: Filesystem and Removable Storage

Windows Filesystem

File and Folder Operations

Removable Storage

Global Object Access Auditing: Filesystem

File System Object Integrity Levels

Monitoring Recommendations

CHAPTER 14: Windows Registry

Windows Registry Basics

Registry Operations Auditing

Global Object Access Auditing: Registry

Registry Key Integrity Levels

Monitoring Recommendations

CHAPTER 15: Network File Shares and Named Pipes

Network File Shares

Named Pipes

APPENDIX A: Kerberos AS_REQ, TGS_REQ, and AP_REQ Messages Ticket Options

APPENDIX B: Kerberos AS_REQ, TGS_REQ, and AP_REQ Messages Result Codes

APPENDIX C: SDDL Access Rights

Object-Specific Access Rights

End User License Agreement

List of Tables

Chapter 2

Table 2-1: Legacy Auditing Categories

Table 2-2: Dependency between Legacy Audit and Advanced Audit Categories

Table 2-3: Security Event Log Access Control Policies

Table 2-4: Event Log Access Rights

Table 2-5: Security Events with Version 1 and Version 2

Table 2-6: Event Priority Level Codes

Table 2-7: Advanced Auditing Subcategories Task Category Numbers

Table 2-8: Global System Opcodes

Chapter 3

Table 3-1: Subcategories with Events That Are Dependent on the Audit Handle Manipulation Subcategory

Chapter 4

Table 4-1: Windows Logon Types

Table 4-2: Logon Session Default Integrity Level SIDs

Table 4-3: Integrity Level Labels Associated with Security Groups and Accounts

Table 4-4: Default Windows 10 (Build 1703) Security Packages (SSP/AP)

Table 4-5: Failure Reason, Status, and Sub Status Fields Values for the 4625 Event

Chapter 5

Table 5-1: SAM_DOMAIN Object Access Rights

Table 5-2: User Account UAC Flags

Table 5-3: SAM_USER Object Access Right Constants

Table 5-4: Standard Access Rights

Table 5-5: SAM_ALIAS Object Access Permissions

Table 5-6: Events to Monitor for Local User Account Creation

Table 5-7: Events to Monitor for Local User Account Deletion

Table 5-8: Events to Monitor for Local User Account Password Resets

Table 5-9: Events to Monitor for Local User Account Password Change

Table 5-10: Events to Monitor for Account Status Changes

Table 5-11: Events to Monitor for Account Lockout and Unlock Operations

Table 5-12: Event Field Default Values

Table 5-13: UAC Property Hexadecimal Values

Table 5-14: Events to Monitor for Account Change Operations

Chapter 6

Table 6-1: Built-in Local Security Groups by Microsoft Windows OS Version

Chapter 7

Table 7-1: Mappings between 4720 Event Fields and User Account Properties

Table 7-2: Active Directory Group Scope Types

Table 7-3: Active Directory Group Creation Events

Table 7-4: Active Directory Group Deletion Events

Table 7-5: Active Directory Group Modification Events

Table 7-6: Active Directory Group New Member Added Events

Table 7-7: Active Directory Group Member Removed Events

Table 7-8: Active Directory Trust Types

Table 7-9: Active Directory Trust Direction Types

Table 7-10: Active Directory Trust Attributes

Table 7-11: msDS-TrustForestTrustInfo Record Types

Table 7-12: msDS-TrustForestTrustInfo Record Flags

Chapter 8

Table 8-1: Active Directory Class SACL Editor Permissions with Associated Access Permissions

Table 8-2: Active Directory Object Auditing Permissions

Table 8-3: Validated Writes Access Rights and Corresponding Attributes

Table 8-4: CN=Schema,CN=Configuration,DC=ForestRootDomain Object SACL

Table 8-5: CN=Configuration,DC=ForestRootDomain Object SACL

Table 8-6: CN=Sites,CN=Configuration,DC=ForestRootDomain Object SACL

Table 8-7: CN=Partitions,CN=Configuration,DC=ForestRootDomain Object SACL

Table 8-8: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ForestRootDomain Object SACL

Table 8-9: DC=domain,DC=ForestRootDomain object SACL

Table 8-10: OU=Domain Controllers,DC=domain,DC=ForestRootDomain object SACL

Table 8-11: CN=Infrastructure,DC=domain,DC=ForestRootDomain object SACL

Table 8-12: CN=Policies,CN=System,DC=domain,DC=ForestRootDomain Object SACL

Table 8-13: User Accounts and Security Groups to Which the SDPROP Mechanism Is Applicable

Table 8-14: CN=AdminSDHolder,CN=System,DC=domain, DC=ForestRootDomain Object SACL

Table 8-15: CN=RID Manager$,CN=System,DC=domain,DC=ForestRootDomain Object SACL

Table 8-16: Active Directory Value Syntax OIDs

Table 8-17: Active Directory Successful Operations Auditing Methods

Table 8-18: Active Directory Property Sets

Chapter 9

Table 9-1: 4776 Event Error Codes

Table 9-2: Secure Channel Types

Table 9-3: Kerberos TGT and TGS Tickets Encryption Types

Table 9-4: Kerberos TGT Tickets Pre-Authentication Types

Table 9-5: Event 4771 Failure Codes

Chapter 10

Table 10-1: Event 1074 Parameters.

Table 10-2: Events to Monitor for System Startup/Shutdown

Table 10-3: Security Principals with the SeTimeZonePrivilege User Right

Table 10-4: Events to Monitor to Detect System Time Changes

Table 10-5: Service Control Manager Access Permissions.

Table 10-6: Parameters for the 7036 Event

Table 10-7: System Services Operations Events

Table 10-8: Security Event Log Operations Events

Table 10-9: Pre-defined Values for [O:owner] SDDL Parameter.

Table 10-10: Auditing Categories and Subcategories IDs and GUIDs.

Table 10-11: Security Events for Changes in Auditing Subsystem Settings

Table 10-12: Security Events for Per-User Auditing Operations

Table 10-13: Security Events for Scheduled Tasks

Table 10-14: Security Events for Boot Configuration Data

Table 10-15: Changes to BCD Settings That Should Be Monitored

Chapter 11

Table 11-1: Logon Rights and Related Logon Types

Table 11-2: Special User Privileges

Chapter 12

Table 12-1: Most Common Application Uninstall Items

Table 12-2: Standard Windows 10 and Windows Server 2016 Processes

Table 12-3: Windows Process Integrity Labels

Table 12-4: Sensitive Privileges Verified by UAC

Table 12-5: Windows Process Token Types

Table 12-6: The Most Common Exit Status Field Values for the 4689 Event

Table 12-7: Status Codes for WEF Reports

Table 12-8: AppLocker Events Generated by Different Rule Types

Table 12-9: AppLocker System Path Variables

Table 12-10: Process Access Rights

Chapter 13

Table 13-1: FAT16 Compared to FAT32

Table 13-2: DACL ACE Scope

Table 13-3: File/Folder Permissions

Table 13-4: Filesystem Object Access Permissions

Table 13-5: Filesystem Object Access Reasons

Table 13-6: Recommended File-System Events to Monitor

Chapter 14

Table 14-1: Default Registry Keys and Hives

Table 14-2: Registry Key Permissions

Table 14-3: Registry Key Value Types

Table 14-4: Registry Key Value Operations

Table 14-5: Recommended Registry Events to Monitor

Chapter 15

Table 15-1: Network Share Parameters

Table 15-2: File Share Types

Table 15-3: Default Network Shares

Table 15-4: Additional File Share Parameters

Table 15-5: File Share Permissions

Appendix A

Table A-1: Kerberos Ticket Flags

Appendix B

Table B-1: Kerberos Error Codes

Appendix C

Table C-1: Generic Access Rights

Table C-2: Standard Access Rights

Table C-3: Directory Service Object Access Rights

Table C-4: Filesystem Object Access Rights

Table C-5: Registry Object Access Rights

Table C-6: Access Rights for a Process

Table C-7: Access Rights for the Service Control Manager (SCM)

Table C-8: Access Rights for a Service

Table C-9: Access Rights for Job Object

List of Illustrations

Chapter 2

Figure 2-1: Legacy auditing group policy settings

Figure 2-2: Advanced audit group policy settings

Figure 2-3: Listing auditing categories and subcategories GUIDs using the auditpol command-line tool

Figure 2-4: Audit.csv file content example

Figure 2-5: Windows Server 2016 CrashOnAuditFail blue screen

Figure 2-6: Event Viewer security event log settings

Figure 2-7: View current security event log access rights using the wevtutil tool

Figure 2-8: Auditing subsystem policy flow

Figure 2-9: Auditing subsystem event flow

Figure 2-10: Windows Server 2016 event Providers list example

Chapter 3

Figure 3-1: NTLM credential validation for a domain user account

Figure 3-2: NTLM credential validation for a local user account

Figure 3-3: Kerberos AS_REQ request

Chapter 4

Figure 4-1: Windows interactive logon flow for local user account

Figure 4-2: Windows 10 Credential Providers

Figure 4-3: LogonSessions tool output example

Figure 4-4: Windows interactive logon flow for domain user accounts

Figure 4-5: Internet Explorer basic authentication logon dialog window

Figure 4-6: IIS basic authentication request traffic capture example

Figure 4-7: Default ANONYMOUS LOGON logon session

Figure 4-8: “Network security: Allow Local System to use computer identity for NTLM” group policy setting

Chapter 5

Figure 5-1: User account creation using the Computer Management snap-in

Figure 5-2: Local user account properties

Figure 5-3: Security Account Manager database registry view.

Figure 5-4: Local user account SID extraction using PowerShell

Figure 5-5: Account lockout group policy settings

Figure 5-6: Empty 4738 event

Chapter 6

Figure 6-1: Local security groups in Security Account Manager database

Figure 6-2: The Computer Management snap-in showing local security groups

Figure 6-3: Component services security settings

Figure 6-4: Group membership enumeration event and group properties window in the Computer Manager console.

Chapter 7

Figure 7-1: Active Directory TDOs location

Figure 7-2: Active Directory trust directions

Figure 7-3: Active Directory TDO Kerberos AES encryption supportability option

Figure 7-4: Password migration option in ADMT

Chapter 8

Figure 8-1: Active Directory schema partition view in adsiedit.msc

Figure 8-2: Active Directory user account SACL example

Figure 8-3: Active Directory SACL ACE example

Figure 8-4: Child object creation and deletion permissions example for a user account

Figure 8-5: Active Directory Extended-Rights container

Figure 8-6: User's account extended rights

Figure 8-7: Dssec.dat file configuration items for the

user

class

Figure 8-8: CN=Deleted Objects content view using ldp.exe tool

Figure 8-9: Search for Active Directory object by schemaIDGUID attribute value

Figure 8-10: Search for Active Directory property set associated properties

Chapter 9

Figure 9-1: Challenge-response for authentication using a local account on the destination host

Figure 9-2: SAM registry key for user accounts

Figure 9-3: LM hash generation process

Figure 9-4: LM challenge-response string generation process

Figure 9-5: NTLM hash-generation process

Figure 9-6: NTLMv2 OWF generation process

Figure 9-7: NTv2 Response string generation process

Figure 9-8: LMv2 response string generation process

Figure 9-9: NTLMv2 Session Response generation process

Figure 9-10: Challenge-response for authentication using a local account on the destination host

Figure 9-11: Challenge-response for domain accounts

Figure 9-12: Cross-domain NTLM-family challenge-response

Figure 9-13: Kerberos TGT issuing process

Figure 9-14: Klist tgt command output example

Figure 9-15: Kerberos TGS ticket issuing process

Chapter 10

Figure 10-1: System service properties.

Chapter 12

Figure 12-1: Windows Server 2016 software manager

Figure 12-2: Windows software manager application uninstall item

Figure 12-3: Registry auditing settings for new program installation monitoring

Figure 12-4: Registry auditing settings for application removal monitoring

Figure 12-5: NTFS auditing settings for application removal monitoring in Program Files folders

Figure 12-6: NTFS auditing settings for unsuccessful

Execute

access attempts

Figure 12-7: Win32 FileTime object conversion using the FromFileTime() function

Figure 12-8: Problem Reports page in the Control Panel

Figure 12-9: AppLocker enforcement mode configuration interface

Figure 12-10: Process Explorer DACL modification interface

Chapter 13

Figure 13-1: Windows filesystem object security descriptor editor

Figure 13-2: Filesystem object's DACL ACE

Figure 13-3: Block inheritance dialog window

Figure 13-4: Directory's auditing settings (SACL)

Figure 13-5: Disk volume label translation using the WinObj tool

Figure 13-6: View Global Object Access Auditing settings for files and folders using the

auditpol.exe

command

Figure 13-7: Example of

icacls

tool

Chapter 14

Figure 14-1: Viewing Windows registry using Windows Registry Editor

Figure 14-2: Registry key DACL ACE

Figure 14-3: View Global Object Access Auditing settings for registry keys using auditpol.exe command

Figure 14-4: Regil output for registry key integrity level

Chapter 15

Figure 15-1: Network shares list

Figure 15-2: Shared Folders management snap-in

Figure 15-3: File share session negotiation steps

Figure 15-4: List of currently active named pipes by pipelist64.exe tool

Figure 15-5: Pipesec.exe tool output for the lsass named pipe

Guide

Cover

Table of Contents

Begin Reading

Pages

C1

iii

iv

v

vii

ix

xi

xxix

xxx

xxxi

xxxii

xxxiii

1

3

4

5

6

7

8

9

11

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

81

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

419

420

421

422

423

424

425

426

427

428

429

430

431

432

433

434

435

436

437

438

439

440

441

442

443

444

445

446

447

448

449

450

451

452

453

454

455

456

457

458

459

460

461

462

463

464

465

466

467

468

469

470

471

472

473

474

475

476

477

478

479

480

481

482

483

484

485

486

487

488

489

490

491

492

493

494

495

496

497

498

499

500

501

502

503

504

505

506

507

508

509

510

511

512

513

514

515

516

517

518

519

520

521

523

524

525

526

527

528

529

530

531

532

533

534

535

536

537

538

539

540

541

542

543

544

545

546

547

548

549

550

551

552

553

554

555

556

557

558

559

560

561

562

563

564

565

566

567

568

569

570

571

572

573

574

575

576

577

578

579

580

581

582

583

584

585

586

587

589

590

591

592

593

594

595

596

597

598

599

600

601

E1

Windows® Security Monitoring

Scenarios and Patterns

Introduction

In this book I share my experience and the results of my research about the Microsoft Windows security auditing subsystem and event patterns. This book covers the Windows Security auditing subsystem and event logs for Windows systems starting from Windows 7 through the most recent Windows 10 and Windows Server 2016 versions.

Many IT Security/Infrastructure professionals understand that they should know what is going on in their company's infrastructure—for example, is someone using privileged accounts during nonworking hours or trying to get access to resources he or she shouldn't have access to? Looking for activities like these is critical to all organizations. To help with this, this book provides technical details about the most common event patterns for Microsoft Windows operating systems. It is a great source of information for building new detection methods and improving a company's Security Logging and Monitoring policy.

The primary goal of this book is to explain Windows security monitoring scenarios and patterns in as much detail as possible. A basic understanding of Microsoft Active Directory Services and Microsoft Windows operational systems will be helpful as you read through the book.

The following areas are covered:

Implementation of the Security Logging and Monitoring policy

Technical details about the Windows security event log subsystem

Information about most common monitoring event patterns related to operations and changes in Microsoft Windows operating systems

The following software and technologies are covered:

Microsoft Windows security event logs

Microsoft Windows security auditing subsystem

Microsoft Windows Active Directory Services

Microsoft AppLocker

Microsoft Windows event logs (Application, System, NTLM, and others)

Microsoft Windows 7, 8, 8.1, 10

Microsoft Windows Server 2008 R2, 2012, 2012 R2, 2016

Microsoft PowerShell

Microsoft Windows Sysinternals tools

Third-party tools

You will find detailed explanations for many event patterns, scenarios, technologies, and methods, and it is my hope that you will find that you've learned a lot, and will start using this book every day. This book is intended as a reference that you will return to many times in your career.

Who This Book Is For

This book is best suited for IT security professionals and IT system administrators. It will be most valuable for IT security monitoring teams, incident response teams, data analytics teams, and threat intelligence experts.

The best way to use this book is as a reference and source of detailed information for specific Windows auditing scenarios.

What This Book Covers

One of the main goals of this book is to help you create a Security Logging and Monitoring (SL&M) standard for your company. At the beginning of the book I cover what this standard is about, which sections it has, and discuss best practices for creating this document.

Before jumping into the world of event logs, you need to understand how the Windows Auditing Subsystem works and which components and settings belong to this system. I cover security best practices for the Windows security auditing subsystem, its components, and internal data flows.

There are multiple event logs in Windows systems besides the Security log, and many of these logs contain very useful information. It's important to know which subsystems have which event logs, the purpose of these event logs, and the type of information collected in these logs. This information is also present in this book.

I think the most interesting part of the book deals with security monitoring scenarios and patterns. Based on these scenarios, security managers, analysts, engineers, and administrators will be able to improve security monitoring policies and build new or improve existing detection methods.

How This Book Is Structured

This book consists of 15 chapters and three appendixes. The first three chapters cover general information about the Windows auditing subsystem and security monitoring policy. The remaining chapters go deeper in to different monitoring scenarios and event patterns.

Chapter by chapter, this book covers:

Windows Security Logging and Monitoring Policy (

Chapter 1

)

—This chapter guides you through the sections of the Security Logging and Monitoring (SL&M) standard and provides the basic information you need to create your own version of it.

Auditing Subsystem Architecture (

Chapter 2

)

—In this chapter you will find information about Legacy Auditing and Advanced Auditing settings, Windows auditing group policy settings, auditing subsystem architecture, and security event structure.

Auditing Subcategories and Recommendations (

Chapter 3

)

—In this chapter you will find descriptions for each Advanced Auditing subcategory and recommended settings for domain controllers, member servers, and workstations.

Account Logon (

Chapter 4

)

—This chapter contains information about Windows logon types and the events generated during each of them.

Local User Accounts (

Chapter 5

)

—In this chapter you will find information about different built-in local user accounts on Microsoft Windows operating systems and specific monitoring scenarios for the most important operations/changes done to local user accounts.

Local Security Groups (

Chapter 6

)

—In this chapter you will learn about different scenarios related to local security groups, such as security group creation, deletion, and modification, and so on.

Microsoft Active Directory (

Chapter 7

)

—In this chapter you will find information about the most common monitoring scenarios for Active Directory, such as user or computer account creation, operations with groups, operations with trusts, and so on.

Active Directory Objects (

Chapter 8

)

—This chapter contains detailed information about monitoring Active Directory changes and operations with objects, such as group policy creation, organization unit modification, and so on.

Authentication Protocols (

Chapter 9

)

—In this chapter you will find information about how the LM, NTLM, NTLMv2, and Kerberos protocols work and how to monitor the most common scenarios involving these protocols.

Operating System Events (

Chapter 10

)

—This chapter contains information about the different system events that might indicate malicious activity performed on the system.

Logon Rights and User Privileges (

Chapter 11

)

—In this chapter you will find detailed information about how to monitor logon rights and user privileges policy changes, user privileges use, and use of backup and restore privileges.

Windows Applications (

Chapter 12

)

—It is important to monitor the use of applications on the host, activities such as application installation, removal, execution, application crushes, application block events by the AppLocker component, and so on. In this chapter you will find detailed information about monitoring these scenarios and more.

Filesystem and Removable Storage (

Chapter 13

)

—This chapter is probably one of the most interesting chapters in the book, because it covers some of the most common questions you'll have or hear during incident investigation procedures: Who deleted the file? Who created the file? How this file was accessed? Using which tool/application?

Some of these questions are easy to answer, but some of them are not. In this chapter you will find information about monitoring recommendations for the most common scenarios related to Windows filesystem and removable storage objects.

Windows Registry (

Chapter 14

)

—This chapter contains information about Windows registry operations and monitoring scenarios.

Network File Shares and Named Pipes (

Chapter 15

)

—In this chapter you will find information about monitoring scenarios for actions related to network file shares and named pipes.

What You Need to Use This Book

This book requires that you have Windows 10 (build 1511 or higher) installed to open the .evtx files included in this book's download materials.

Conventions

To help you get the most from the text and keep track of what's happening, we've used a number of conventions throughout the book.

NOTE

Notes, tips, hints, tricks, and asides to the current discussion look like this.

As for styles in the text:

We

italicize

new terms and important words when we introduce them.

We show keyboard strokes like this: Ctrl+A.

We show filenames, URLs, and code within the text like so:

persistence.properties

.

We present code and event listings in two different ways:

We use a monofont type with no highlighting for most code and event examples.

We use bold type to emphasize code or events of particularly importance in the present context.

What's on the Website

All of the event examples used in this book are available for download at www.wiley.com/go/winsecuritymonitoring as .evtx files. These files can be opened by the built-in Windows 10 or Windows Server 2016 Event Viewer application. You will find references to these event log files in each section of every chapter that has event samples in it.

Part IIntroduction to Windows Security Monitoring

In This Part

Chapter 1: Windows Security Logging and Monitoring Policy

CHAPTER 1Windows Security Logging and Monitoring Policy

The purpose of the Security Logging and Monitoring (SL&M) policy is to ensure the confidentiality, integrity, and availability of information by specifying the minimum requirements for security logging and monitoring of company systems.

It is recommended to have such a policy defined and published in order to standardize security logging and monitoring requirements.

This chapter guides you through the sections of the SL&M policy and provides basic information for creating your own version.

Security Logging

This section outlines the requirements for what needs to be logged and how logs need to be managed.

Security logs provide vital information about system events that may, when correlated with other events or used independently, indicate a breach or misuse of resources. When configured and managed properly, logs are key in establishing accountability and attribution for any event. They provide answers to the critical questions about security events: who is involved, what happened, when and where it happened, and how it happened.

Companies should ensure that information passing through their systems, including user activities such as web sites visited and servers accessed, is logged, reviewed, and otherwise utilized.

Implementing the recommendations in this section can mitigate the risk of an attacker's activities going unnoticed and enhance a company's ability to conclude whether an attack led to a breach.

Security Logs

Information systems should enable and implement logging, also referred to as audit logging. Activities that should be logged may include the following:

All successful and unsuccessful logon attempts

Additions, deletions, and modifications of local and domain accounts/privileges

Users switching accounts during an active session

Attempts to clear audit logs

Activity performed by privileged accounts, including modifications to system settings

Access to restricted data additions, deletions, and modifications to security/audit log parameters

User account management activities

System shutdown/reboot

System errors

New system service creation

Application shutdown/restart

Application errors/crashes

Process creation/termination

Registry modification(s)

Local security policy modifications

GPO-based security policy modifications

Use of administrator privileges

File access

Critical process manipulation (

LSASS.exe

)

System corruption (for example, audit pipeline failure, LPC impersonation, and so on)

All of these items are discussed in more detail in this book.

You should also think about where and how to store system events that are used to detect system attack attempts. These events also represent evidence for incident follow-up.

System Requirements

Here are the basic requirements for monitoring an information system. An information system should:

Initiate session audits at system start-up. It should provide the capability to log all events related to an account's sessions, and the capability to remotely access these events.

Utilize methods to ensure auditing services continue to run or restart in the event of a system failure or unexpected stop.

Provide an alternate audit capability in the event of a failure in primary audit capability.

Employ methods for coordinating audit information among external organizations when audit information is transmitted across organizational boundaries.

Preserve the identity of individuals in case of cross-organizational audit trails.

PII and PHI

Information systems handling Personally Identifiable Information (PII) and Protected Health Information (PHI) should also log the following information about the data:

Information type

Date

Date when operation with the data has been performed

Time

Time when operation with the data has been performed

Identities of the receiving party

Identities of the releasing party

Availability and Protection

Logging should be active at all times and protected from unauthorized access, modification, and accidental or deliberate destruction on all company information resources.

Configuration Changes

Company employees should not disable audit logs or make system configuration changes that conflict with approved baselines or services without prior authorization from the internal information security team. All changes must create auditable events themselves for tracking purposes.

Secure Storage

Logs should be stored in such a way that they cannot be tampered with, or that tampering can be detected and corrected. You cannot trust the log if you do not control the log's integrity.

Access to view the logs should be limited to only those staff members with a job responsibility to analyze the log data. This requirement applies to local logs as well as centralized storage.

Security log storage should have adequate capacity and mechanisms to recycle logs, ensuring that logs will not exhaust the available storage space in an unreasonable amount of time.

Centralized Collection

The company's information security team should provide for the central collection of security logs from systems throughout the environment.

The centralized log collection and analysis tool should meet the following requirements:

The log management infrastructure (central log collection system) should have built-in resilience to ensure high availability.

Monitoring controls should be implemented to ensure that the log management infrastructure (central log collection system and agent or agentless host/devices) is available at all times, and any issues that impact the logging infrastructure must generate an alert for the operational security team to review and respond.

Security logs should be protected both in transit and at rest with approved secure transmission protocol and encryption technologies.

Centralized logging servers should be considered critical assets and be protected in accordance with corporate standards for confidential information. Systems that cannot be configured to log to a centralized or consolidated log system should have appropriate access controls for access to log data.

These requirements can be achieved using the built-in Windows Event Forwarding (WEF) feature, which is included in all Windows operating systems starting from Windows XP SP2 and Windows Server 2003 SP1. WEF is out of scope for this book, but there is a lot of information about this feature on the Internet.

Backup and Retention

An event log retention policy should be defined for both local and centralized collection storage. For example, the company should retain security logs for at least 30 days short term in the Security Information and Event Manager (SIEM) and 90 days long term in the long-term storage. Company policy, and legal and regulatory requirements, should be taken into consideration when defining the policy.

Chapter 2 contains detailed information about the Microsoft Windows auditing subsystem's group policy settings, which allow you to specify security event log maximum size, retention policy, event log file location, and so on.

Periodic Review

Security analysts should regularly review and analyze the collected logs according to a documented and approved schedule to ensure relevancy and adequacy of collected information. Out of date, deprecated, redundant, or superfluous logs should be removed from the central collection system to ensure positive system performance and to reduce the occurrence of false positives.

Security Monitoring

This section describes what needs to be monitored. It includes requirements for monitoring of logs, intrusion detection systems, and internal communications, as well as mandates for performance review of monitoring systems.

Implementing the recommendations in this section reduces the risk of failure to monitor for security events. Such failure can result in unsuccessful detection or slowed reaction to potential intrusions or misuse of corporate systems.

Companies should implement security monitoring processes and technologies to ensure timely detection and response to security events.

Security logs collected from disparate information systems must be aggregated and analyzed in a timely manner to quickly detect possible unauthorized user activities, misuse, compromise, or attack.

Standard operating procedures should be established and followed by the Security Operations staff to perform analysis and detection activities including, but not limited to, the following:

Perform monitoring of company's systems for incidents

Identify and document incidents as they occur

Classify incidents into common incident categories, accounting for the fact that some incidents may fit into more than one category

Analyze and prioritize incidents based on criticality and severity

Notify appropriate parties (internal or external)

Communications

Electronic communication and all content, voicemail, and any other data of any kind stored or transmitted by company-owned or leased equipment, is the property of the company, and the company may access, monitor, intercept, and/or retain this data at any time without further notice.

Internal communications monitoring should include e-mail, tracking the websites that personnel visit, monitoring internal chat groups, social networks and newsgroups, reviewing material downloaded or uploaded, and voice communications.

Audit Tool and Technologies

Security monitoring and auditing tools and technologies (for example, intrusion detection systems, network scanning tools, and so on) should be deployed and used to monitor company assets. Without proper automation, security monitoring may be a really hard task.

Network Intrusion Detection Systems

Network-based Intrusion Detection Systems (NIDS) are designed to provide monitoring and support of network intrusion detection across a variety of platforms and technologies and should not be used for any other purpose.

The department charged with ensuring information security should be responsible for approving all Network Intrusion Detection Systems for use on managed networks and systems.

Host-based Intrusion Detection Systems

Host-based Intrusion Detection System (HIDS) should be capable of performing file integrity monitoring for critical content files, system files, and configurations, and alerting when attempts to modify the system are detected.

Host-based intrusion detection capabilities should be deployed on all the information resources where sensitive data is stored and potential for damage is high.

HIDS should be configured to perform file integrity comparisons to known good versions on a regular schedule.

Data fields logged by host-based IDS may include the following:

Timestamp (date and time)

Event or alert type

Rating (priority, severity, impact, confidence, and so on)

Event details specific to the type of event (IP address, port information, application information, filenames and paths, and user accounts)

System Reviews

The department charged with ensuring for information security should perform periodic reviews to ensure the company's monitoring systems are successful in detecting unauthorized attempts to access information resources.

Reporting

Any computer security event deemed suspicious or malicious and critical or high priority should be reported immediately with all relevant details and logs.

Part IIWindows Auditing Subsystem

In This Part

Chapter 2: Auditing Subsystem Architecture

Chapter 3: Auditing Subcategories and Recommendations

CHAPTER 2Auditing Subsystem Architecture

The Windows auditing subsystem was introduced in the earliest Microsoft Windows versions. It provides the ability to report auditing events for kernel- and user-mode applications and components.

In this chapter you will find information about legacy and advanced auditing settings, Windows auditing group policy settings related to auditing, auditing subsystem architecture, and security event structure.

Legacy Auditing Settings

Legacy auditing was the only available security auditing mechanism on pre-Vista Windows systems. It was not as agile as the new advanced auditing introduced in Windows Vista, but still was able to perform its function.

Legacy auditing settings can be configured using Windows group policy settings. No built-in command-line tools, such as auditpol, were available in the pre-Vista systems for configuring local auditing settings. But the auditpol tool was a part of the Windows 2000, XP, and 2003 resource kits. The auditusr command-line tool was included in pre-Vista operating systems, but it was a tool for configuring per-user auditing settings only. See Chapter 10 for more information about per-user auditing.

Group policy settings for legacy auditing categories are located under the Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\ node. You can view and edit local group policy settings using the gpedit.msc management console. Figure 2-1 shows an example of legacy auditing group policy settings.

Figure 2-1: Legacy auditing group policy settings

Table 2-1 shows available legacy auditing categories and their descriptions.

Table 2-1: Legacy Auditing Categories

CATEGORY NAME

DESCRIPTION

Audit account logon events

Audit NTLM-family and Kerberos protocols credential validation operations. On domain controllers this category enables Kerberos AS_REQ, TGS_REQ, and AP_REQ requests auditing.

Audit account management

Audit user, computer, security group, distribution group, and Authorization Manager (AzMan) application group management operations. This category also provides monitoring of password hash import operations during Active Directory account migration and Password Policy Check API calls.

Audit directory services access

Audit Active Directory object modifications, object access attempts, and replication operations.

Audit logon events

Audit account logon, logoff, and lockout events. Provides detailed auditing for IPsec modes. Audit logon events for members of special groups (see

Chapter 4

for more details) and special privileges owners (

Chapter 11

). Audit workstation lockouts, terminal session connections, and screensaver operations. Also enables auditing on Network Policy Servers (NPS).

Audit object access

Audit filesystem, registry, kernel objects, handles, file shares, and filtering platform operations. Also enables auditing for Active Directory Certificate Services role operations.

Audit policy change

Audit authorization, authentication, filtering platform, audit and Windows firewall policy changes.

Audit privilege use

Audit use of sensitive and nonsensitive privileges.

Audit process tracking

Audit process creation, termination, and Data Protection API (DPAPI) operations.

Audit system events

Audit security-related changes and operations, IPsec driver events, Windows firewall service and driver events, Windows startups, and system time changes.

Auditing settings are stored in the Local Security Authority (LSA) policy database. The LSA policy database is located in the HKLM\SECURITY\Policy registry key. Auditing settings are stored in the Default value of the HKLM\SECURITY\Policy\PolAdtEv registry key. These settings can be configured locally or through Active Directory group policy, if the machine is joined to the domain.

Events generated in the Windows security event log by legacy auditing categories have ID numbers that are between 500 and 900. Legacy auditing events are available only in pre-Vista Windows operating systems. In more recent Windows versions, legacy events are replaced by new events with event ID numbers between 4000 and 7000.

Legacy auditing policies can be set to one of the following states:

Success:

Only

Audit Success

events are generated.

Failure:

Only

Audit Failure

events are generated.

Success, Failure:

Both

Audit Success

and

Audit Failure

events are generated.

No auditing:

In legacy audit policy settings, “No auditing” is not the same as “No Auditing” in advanced audit policy settings. In the legacy audit settings, No auditing means “Not Configured.” That means that you have not set a value for that audit setting. For example, if you set a setting to Success and later switch to “No auditing,” the value will still be the same as before switching to “No auditing” (that is, it will be Success).

Legacy auditing settings “tattoo” the registry, which means that they are applied directly to auditing subsystem registry keys, not to temporal group policy keys.

This book does not go any deeper into legacy auditing settings and events because modern Windows systems have advanced auditing settings available, which allows for configuring more granular auditing settings using subcategories. There is no real value in using legacy audit settings on modern Windows versions. Later in this book you will find information about relationships between legacy and advanced auditing settings on modern Windows systems and how they affect each other.

Advanced Auditing Settings

Prior to Windows Server 2008 and Windows Vista it was difficult to exclude unneeded events from auditing. This was because auditing included nine categories and, for example, if you enabled Object Access auditing it would start to collect data for registry, file system, file share, and other object operations. However, in most cases you don't need to audit all of those.

Advanced audit introduced subcategories for each of the nine legacy categories, and you can configure them to include or exclude security events. The general category names were also changed in comparison with legacy auditing.

Advanced audit settings can be configured using group policy settings for operating system versions starting from Windows 7 or Windows Server 2008 R2. Auditing settings can also be configured using the built-in auditpol application, which was included in all operating systems by default starting from Windows Vista and Windows Server 2008. The auditpol tool is the only available option to configure advanced audit settings on the Windows Vista and Windows Server 2008 operating systems. The auditpol tool is the only method to directly read audit settings from the Local Security Authority database.

Group policy settings for advanced audit categories were first introduced for Windows 7 and Windows Server 2008 R2 systems. They are located under the Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\ node. Figure 2-2 shows an example of advanced audit group policy settings.

Figure 2-2: Advanced audit group policy settings

You will find detailed explanations of each advanced audit subcategory and recommendations for workstations, servers, and domain controllers in Chapter 3.

Advanced audit subcategories can be set to one of the following states:

Success:

Only

Audit Success

events are generated.

Failure:

Only

Audit Failure

events are generated.

Success, Failure:

Both

Audit Success

and

Audit Failure

events are generated.

No Auditing:

Auditing for the subcategory is disabled. No events will be generated.

Not Configured:

No changes are made to the advanced audit policy. The host will use previously applied settings.

Each advanced audit category and subcategory has its own global unique identifier (GUID). These GUIDs are consistent among all Microsoft Windows versions. All GUIDs have the following format:

Category:

XXXXXXXX

-797A-11D9-BED3-505054503030

, where

XXXXXXXX

is different for each category.

Subcategory:

XXXXXXXX

-69AE-11D9-BED3-505054503030

, where

XXXXXXXX

is different for each subcategory.

To view all GUIDs for categories and subcategories use the following command in the Administrator ➪ Command Prompt window: auditpol /list /subcategory:* /v. Figure 2-3 shows an example of the auditpol /list command output.

Figure 2-3: Listing auditing categories and subcategories GUIDs using the auditpol command-line tool

The Windows group policy editor (gpedit.msc) has the ability to import and export advanced audit policy settings. Import and export menu items are available in the context menu of the Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\ node.

The following sections cover different methods for configuring advanced audit settings on a machine.

Set Advanced Audit Settings via Local Group Policy

If advanced audit settings are changed in the local group policy, the following file is modified:

%WINDIR%\system32\grouppolicy\machine\microsoft\windows nt\audit\audit.csv

If no advanced audit settings were applied to the system before, the audit.csv file will be created. The \grouppolicy folder is hidden. To view it in the Windows File Explorer, enable the “Show hidden files, folders, and drives” option in the Folder Options.

Figure 2-4 shows an example of the audit.csv file content.

Figure 2-4: Audit.csv file content example

The Machine Name column should always be empty.

The Inclusion Settings column shows which auditing settings are set for a specific subcategory.

The Exclusion column was designed for use with per-user auditing policies, but because per-user policies don't have group policy settings to configure them, this column is always empty.

The Setting Value column shows a numeric value associated with the Inclusion Setting column value:

0:

No Auditing

1:

Success

2:

Failure

3:

Success and Failure

After the audit.csv file is created/modified, it is merged with the local advanced audit settings in the Local Security Authority (LSA) policy database. LSA policy database is located in the HKLM\SECURITY\Policy registry key. Auditing settings are stored in the Default value of the HKLM\SECURITY\Policy\PolAdtEv registry key. The existing setting for the subcategory will be replaced by the settings from the local group policy, except those set to “Not Configured” in group policy.

Set Advanced Audit Settings via Domain Group Policy

Advanced audit settings modification using domain group policy is similar to the process for local group policy that was explained in the previous section. After domain policy is applied, group policy settings are copied locally to the %WINDIR%\GroupPolicy\DataStore\0\sysvol\DOMAIN_NAME\Policies\ folder. Each group policy has its own folder in this directory, named by its group policy GUID. The group policy folder, if any advanced audit settings were enabled, has a group_policy_folder\machine\microsoft\windows nt\audit\audit.csv file in it. Here is an example of the audit.csv path for one of the group policies applied to the machine in the lab domain:

C:\Windows\System32\GroupPolicy\DataStore\0\sysvol\hqcorp.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Machine\Microsoft\Windows NT\Audit\audit.csv

The audit.csv file has the same structure as discussed in the “Set Advanced Audit Settings via Local Group Policy” section.

After the audit.csv file is created/modified, it is also merged with the local advanced audit settings in the Local Security Authority (LSA) policy database. The process is the same as for local group policy.

Set Advanced Audit Settings in the Local Security Authority (LSA) Policy Database

The only way to modify advanced audit settings in the LSA Policy Database using built-in Windows tools is to use auditpol, which directly communicates with it.

To modify auditing settings for a subcategory, you need to execute the following command:

auditpol /set /subcategory:SUBCATEGORY_GUID_OR_NAME {options}

This command should be executed in an elevated command-line processor, not PowerShell. You already know how to find a GUID for a subcategory. The {options} section can have two parameters:

/success:

Enable success auditing setting

/failure:

Enable failure auditing setting

These two parameters may have one of the following two values assigned:

enable:

Enable setting

disable:

Disable setting

For example, if you need to enable Success auditing and disable Failure auditing (assuming it was enabled) for the Logoff subcategory, you may use one of the following commands:

auditpol /set /subcategory:{0CCE9216-69AE-11D9-BED3-505054503030} /success:enable /failure:disable

auditpol /set /subcategory:"Logoff" /success:enable /failure:disable

It is also possible to change settings for multiple subcategories by listing them one after another, separated by a comma: /subcategory:{0CCE9216-69AE-11D9-BED3-505054503030},{0CCE9240-69AE-11D9-BED3-505054503030}. This works only for GUIDs, not for subcategory names.

Read Current LSA Policy Database Advanced Audit Policy Settings

The only way to get current advanced audit settings directly from a local LSA Policy Database using built-in Windows tools is to use the auditpol tool, which directly queries information from it.

You can use the following command to get current settings:

auditpol /get /category:*

Advanced Audit Policies Enforcement and Legacy Policies Rollback

The new “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” group policy setting was introduced for the Windows Vista and Windows Server 2008 operating systems, which enforce the use of new advanced audit subcategories instead of legacy categories.

This group policy setting is located under the ComputerConfiguration\Windows Settings\Security Settings\Local Policies\Security Options\ group policy path. If it is enabled, legacy audit settings do not affect advanced audit subcategories settings. This group policy setting is enabled by default. It modifies the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry key's scenoapplylegacyauditpolicy value.

Possible values:

0:

Disabled

1:

Enabled

Table 2-2 contains a dependency scheme between legacy and advanced audit categories for operating systems starting from Windows Vista and Windows Server 2008.

Table 2-2: Dependency between Legacy Audit and Advanced Audit Categories

LEGACY CATEGORY

ADVANCED CATEGORY

Audit account logon events

Account Logon

Audit account management

Account Management

Audit directory services access

DS Access

Audit logon events

Logon/Logoff

Audit object access

Object Access

Audit policy change

Policy Change

Audit privilege use

Privilege Use

Audit process tracking

Detailed Tracking

Audit system events

System

For example, if the “Audit policy change” category is enabled for Success in legacy audit settings and some additional requirements (discussed in the following section) are met to permit the use of legacy settings, then all subcategories under the Policy Change advanced category will be enabled for Success auditing.

Switch from Advanced Audit Settings to Legacy Settings

Two main requirements must be satisfied to switch from advanced audit back to legacy audit:

Disable the “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” group policy setting.

Delete the

Audit.csv

file in the local group policy folder (

%WINDIR%\system32\grouppolicy\machine\microsoft\windows nt\audit\

).

THE “NO AUDITING” SETTING IN LEGACY AND ADVANCED AUDIT

Keep in mind that the “No auditing” setting in the legacy audit group policy settings is equal to the “Not Configured” setting in advanced audit—it does not change any policy. That is why after you switch back to the legacy audit settings and set any legacy audit category to “No auditing,” your computer will still have the previous settings applied. Using the legacy audit group policy setting it is not possible to set any category and nested subcategories to the state when auditing is completely disabled.

If you need to set a subcategory to the “disabled state”, you can use one of the following options:

Use the advanced audit “No Auditing” group policy setting value.

Use the

auditpol /set /subcategory:SUBCATEGORY_GUID_OR_NAME /failure:disable /success:disable

command to disable success and failure auditing for a specific subcategory.

Use the

auditpol /clear

command to set all subcategories to the “disabled” state.

Switch from Legacy Audit Settings to Advanced Settings

To switch from legacy audit back to advanced audit, perform the following steps:

Enable the “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” group policy setting.

The

Audit.csv

file in the local group policy folder (

%WINDIR%\system32\grouppolicy\machine\microsoft\windows nt\audit\

) must exist. It can even be an empty file.

Windows Auditing Group Policy Settings

Multiple additional group policy settings are related to the Windows auditing subsystem. In this section you will find detailed information about them.

Manage Auditing and Security Log

The “Manage auditing and security log” group policy setting controls the SeSecurityPrivilege user privilege assignment . If an account or group is added to this group policy setting, the account or group members will have SeSecurityPrivilege user privilege on the host.

SeSecurityPrivilege allows managing the security event log, which allows viewing the log, changing the size of the log, clearing the log, and so on. It also allows viewing or setting an object's System Access Control List (SACL). SACL is used to store auditing settings for an object. The object in this case is any auditable object, such as registry keys, files or folders, processes, threads, and so on.

This group policy setting is located at the following path: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\.

See Chapter 11 for more information about user rights and privileges.

Generate Security Audits

The “Generate security audits” group policy setting controls the SeAuditPrivilege user privilege assignment to the accounts on the machine.

SeAuditPrivilege allows adding records to the security event logs. This privilege is required to use the ReportEvent() function from AdvApi32.dll. Event reporting functions are discussed in the “Windows Auditing Event Flow” section later in this chapter.

This group policy setting is located at the following path: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\.

Security Auditing Policy Security Descriptor

Security auditing policy has its own security descriptor that controls access to it. To view it, use the auditpol /get /sd command. The security descriptor is stored as a Security Descriptor Definition Language (SDDL) string. It contains only Discretionary Access Control List (DACL) Access Control Entries (ACEs) (D: section). DACL contains information about access permissions set on an object. See Chapter 10 for more information about SDDL. Here is an example of an audit policy security descriptor for Windows 10:

D:(A;;DCSWRPDTRC;;;BA)(A;;DCSWRPDTRC;;;SY)

A:

Allow access ACE type

DCSWRPDTRC:

DC:

Delete All Child Objects

SW:

All Validated Writes

RP:

Read All Properties

DT:

Delete Subtree

RC:

Read Permissions

BA:

BUILTIN\Administrators group

SY:

Local System account

By default, the preceding security descriptor is set for the local security auditing policy on all Windows versions starting with Windows Vista.

You can set the security descriptor for the local auditing policy using the auditpol /set /sd:DESCRIPTOR_SDDL_STRING command.

To view or set the security descriptor for the local auditing policy using the auditpol tool, the account must have the SeSecurityPrivilege.

There is no group policy setting you can use to set the local auditing policy security descriptor. It is stored in the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\AuditPolicy, with a value of AuditPolicySD.

Group Policy: “Audit: Shut Down System Immediately If Unable to Log Security Audits”

If this group policy setting is enabled, it causes the system to stop if a security audit event cannot be logged for any reason. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them.

This policy modifies the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, with a value of crashonauditfail. Possible values are:

0:

Disabled

1:

Enabled

It is also possible to modify the crashonauditfail value using the auditpol command:

Disable:

auditpol /set /option:CrashOnAuditFail /value:disable

Enable:

auditpol /set /option:CrashOnAuditFail /value:enable

If the crashonauditfail registry key value is modified, the event shown in Listing 2-1 is generated in the security event log.

Listing 2-1: ID 4906: The CrashOnAuditFail value has changed.

Log Name: Security

Source: Security-Auditing

Level: Information

New Value of CrashOnAuditFail: 1

NOTE

The event described in Listing 2-1 is available on the book's website, in theCrashOnAuditFail.evtxfile.

The 4906 event shows the new value for the crashonauditfail registry key value.

If, for example, crashonauditfail is set to 1 and the security event log retention method is set to “Do not overwrite events ( Clear logs manually ),” and the event log reaches its maximum size, then the system will stop and the screen shown in Figure 2-5 will appear (Windows Server 2016).

Figure 2-5: Windows Server 2016 CrashOnAuditFail blue screen

Stop code 0xc0000244 has the following meaning: {Audit Failed} An attempt to generate a security audit failed.

The group policy setting path is Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options.

Group Policy: Protected Event Logging

Protected Event Logging is a new feature that allows Windows components and applications to encrypt their event logs using the Cryptographic Message Syntax (CMS) standard and asymmetric cryptography. For now the only application that supports protected event logging in Windows is PowerShell v5 and higher. Using this feature, PowerShell can write encrypted events in the PowerShell event log.

To enable this feature, you need to provide a certificate with a public key that will be used for encryption. Then you can use the Unprotect-CmsMessage PowerShell cmdlet to decrypt the event log.