Documentation for Server & Application Monitor

Windows Server 2003 Domain Controller Security

Use this SAM application monitor template to check for locked out and/or disabled users, and to count Windows security events related to Windows Server 2003 Domain Controller security.

Prerequisites

Credentials

Administrator on target server.

Component monitors

All monitors, except Locked out users and Disabled users, should return zero values. Returned values other than zero may indicate an abnormality. If you believe an abnormality exists, you should examine the Windows security log for details.

Locked out users

The number of currently locked out users. Set the threshold value according to your requirements.

Disabled users

The number of currently disabled users. Set the threshold value according to your requirements.

User Account: Creating a user account

The number of events generated from creating new user accounts.

Event ID: 624.

Only authorized people and processes should create network accounts. Examine the Primary User Name field to detect whether an authorized person or process created an account. This event also detects if administrators create accounts outside organizational policy guidelines.

User Account: Deleting a user account

The number of events generated from deleting user accounts.

Event ID: 630.

Only authorized people and processes should delete network accounts. Search for these events and examine the Primary Account Name field to detect if unauthorized people have deleted accounts.

User Account: Changing a user account

The number of events generated from changes that were made to security-related properties of user accounts.

Event ID: 642.

User Account: Change password attempt

The number of account password change attempts.

Event ID: 627.

This event results from a password change request in which the user supplies the original password to the account. Compare Primary Account Name to Target Account Name to determine whether the account owner or someone else attempted to change the password. If Primary Account Name does not equal Target Account Name, someone other than the account owner tried to change the password.

User Account: Password set or reset

The number of times a user or process resets an account password through an administrative interface, such as Active Directory Users and Computers, rather than through a password change process.

Event ID: 628.

Only authorized people or processes, such as the help desk or a user self-service password reset system, should perform this action.

Logon Failure: Unknown user name or password

The number of failed login attempts with an incorrect username and/or password.

Event ID: 529.

Check for attempts where Target Account Name equals Administrator or the renamed default administrator account. Check multiple logon failures that are below the account lockout threshold.

Logon Failure: Disabled account

The number of failed login attempts using a disabled account.

Event ID: 531.

Always investigate this event. Check the Target Account Name and Workstation Name values. This event can signal attempted abuse by former internal users.

Logon Failure: Expired account

The number of failed login attempts using an expired account.

Event ID: 532.

Always investigate this event. This event can signal attempted abuse by contractors or temporary internal users.

Logon Failure: Logon type not allowed

The number of failed attempts to log on interactively with service account credentials when Group Policy settings prevent that account from logging on interactively.

Event ID: 534.

Logon Failure: Account locked out

The number of failed login attempts using an account that has been locked out.

Event ID: 539.

Correlate with Event 529 to detect a pattern of continued lockouts.
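The checks described for Events 624, 627, 529 and 539 above, applied to a small set of constructed security event records (added example, not part of the SAM template or its scripts; the field names, the lockout threshold of 5, the renamed administrator name "da-root" and the authorized creator "svc_provision" are assumptions):

```python
from collections import Counter

# Constructed sample events in the shape of Windows Server 2003 security
# events (field names follow the descriptions above). Not real log data.
EVENTS = [
    {"id": 627, "primary": "jsmith", "target": "jsmith", "workstation": "WS01"},
    {"id": 627, "primary": "hdesk1", "target": "mjones", "workstation": "WS07"},
    {"id": 624, "primary": "svc_provision", "target": "newuser1", "workstation": "DC01"},
    {"id": 624, "primary": "bob", "target": "backdoor1", "workstation": "WS03"},
    {"id": 529, "primary": "-", "target": "Administrator", "workstation": "WS09"},
    {"id": 529, "primary": "-", "target": "mjones", "workstation": "WS07"},
    {"id": 529, "primary": "-", "target": "mjones", "workstation": "WS07"},
    {"id": 529, "primary": "-", "target": "mjones", "workstation": "WS07"},
    {"id": 539, "primary": "-", "target": "mjones", "workstation": "WS07"},
]

LOCKOUT_THRESHOLD = 5                        # assumed domain account lockout threshold
ADMIN_NAMES = {"administrator", "da-root"}   # built-in plus an assumed renamed default admin
AUTHORIZED_CREATORS = {"svc_provision"}      # assumed set of accounts allowed to create users

def review(events, lockout_threshold=LOCKOUT_THRESHOLD,
           admin_names=ADMIN_NAMES, authorized_creators=AUTHORIZED_CREATORS):
    """Apply the per-event checks described above; return (tag, account, detail) findings."""
    findings = []
    failures = Counter()  # 529 failures seen so far, keyed by lower-cased target account
    for ev in events:
        tgt, pri = ev["target"].lower(), ev["primary"].lower()
        if ev["id"] == 624 and pri not in authorized_creators:
            # 624: Primary User Name is not an authorized person or process
            findings.append(("624-unauthorized-creator", ev["target"], ev["primary"]))
        elif ev["id"] == 627 and pri != tgt:
            # 627: Primary Account Name differs from Target Account Name
            findings.append(("627-changed-by-other", ev["target"], ev["primary"]))
        elif ev["id"] == 529:
            failures[tgt] += 1
            if tgt in admin_names:  # 529 aimed at the default (or renamed) administrator
                findings.append(("529-admin-target", ev["target"], ev["workstation"]))
        elif ev["id"] == 539 and failures[tgt]:
            # 539 following 529s on the same account: continued lockout pattern
            findings.append(("539-after-529", ev["target"], failures[tgt]))
    # Repeated 529s that stayed below the lockout threshold (no 644 would fire)
    for tgt, n in failures.items():
        if 2 <= n < lockout_threshold:
            findings.append(("529-below-threshold", tgt, n))
    return findings

if __name__ == "__main__":
    for finding in review(EVENTS):
        print(finding)
```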

Logon Failure: User account automatically locked

The number of accounts that have been automatically locked out.

Event ID: 644.

A user account has been locked out because the number of sequential failed logon attempts is greater than the account lockout limit.

Logon Failure: Time restrictions

The number of attempts to log on outside the permitted times.

Event ID: 530.

Check User Account Name and Workstation Name.

Logon Failure: Replay attack detected

The number of detected attempts by the authentication package to log on by replaying a user's credentials.

Event ID: 553.

Investigate immediately. This event can also be a sign of improper network configuration.

System: Change directory services restore mode password

The number of attempts to change the Directory Services Restore Mode password on a domain controller.

Event ID: 698.

Check Workstation IP and Account Name and investigate immediately.

System: Windows is shutting down

The number of times Windows begins shutting down.

Event ID: 513.

Usually appears before Event 512. On high-value computers, authorized personnel should restart computers in accordance with established policies. Investigate immediately when this event occurs on any server.

System: Clearing the security event logs

The number of times security logs have been cleared.

Event ID: 517.

Administrators should not clear security event logs without authorization. Check Client User Name and Client Domain, then cross-correlate with authorized personnel.

System: Changing system time

The number of times the system time has been changed.

Event ID: 520.

This action can mislead forensic investigation or provide an attacker with a false alibi. The process name is %windir%\system32\svchost.exe. Check Client User Name and Client Domain, then cross-correlate with authorized personnel.

System: Changing audit policy

The number of times audit policies have been changed.

Event ID: 612.

This event does not necessarily indicate a problem. However, an attacker can change audit policy as part of an attack on a computer system. You should monitor for this event on high-value computers and domain controllers.

System: Changing the domain security policy

The number of attempts to modify a password policy or other domain security policy settings.

Event ID: 643.

Check the subject's user name and correlate it with authorization.