Windows Server 2008 - 2016 Domain Controller Security
You can use this SAM application monitor template to check for locked and/or disabled users and events from the Windows security log related to Windows 2008 - 2016 Domain Controller Security.
Prerequisites:
- WinRM is installed and properly configured on the target server. See Configure WinRM polling in your SAM environment.
- WMI access to the target server.
- Auditing on the domain controller (success and failure) must be enabled for the following items: Account Management, Logon Events, Policy Changes and System Events.
To learn how to enable auditing, see Upgrade Domain Controllers (© Microsoft Corp., available at http://technet.microsoft.com, obtained on December 31, 2018).
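The following PowerShell is an added example (it is not part of the SAM template or of Microsoft's documentation) that enables the four audit categories listed above with auditpol on a domain controller and then verifies the result. auditpol names the categories Account Management, Logon/Logoff, Policy Change and System. In a domain, set the same values in the GPO linked to the Domain Controllers OU instead, otherwise the next policy refresh reverts the local change.

```powershell
# Added example: enable and verify the audit categories the template depends on.
# Run elevated on the domain controller (or apply the same settings through the
# Domain Controllers GPO so that a policy refresh does not revert them).
$categories = @('Account Management', 'Logon/Logoff', 'Policy Change', 'System')

foreach ($category in $categories) {
    # Success and failure for every subcategory in the category
    auditpol /set /category:"$category" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for category '$category'" }
}

# /r prints CSV, which makes the effective policy easy to inspect programmatically
$policy = auditpol /get /category:"$($categories -join ',')" /r |
    Where-Object { $_ -ne '' } | ConvertFrom-Csv
$policy | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

# Any subcategory not set to both success and failure leaves a gap in the counters
$gaps = $policy | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' }
if ($gaps) {
    Write-Warning ('Not fully audited: ' + ($gaps.Subcategory -join ', '))
}
```

If the domain already manages auditing by subcategory (the "Audit: Force audit policy subcategory settings" option), configure the matching subcategories in the GPO rather than the legacy categories, or the two sets of settings will fight each other.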
Credentials
Administrator on target server
Component monitors
All monitors, except Locked out users and Disabled users, should return zero values. Returned values other than zero may indicate an abnormality. If you believe an abnormality exists, you should examine the Windows security log for details.
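The template's counters correspond to the query below, an added example rather than the SAM template's own implementation. It counts each event ID in the Security log over one polling interval with Get-WinEvent and reads the two state counters (locked out and disabled users) from Active Directory with Search-ADAccount, so it assumes the RSAT ActiveDirectory module on the host it runs from and an account allowed to read the remote Security log.

```powershell
# Added example: reproduce the template's counters for one polling interval.
Import-Module ActiveDirectory

# Event IDs the template counts, with the monitor name used on this page
$eventIds = @{
    4720 = 'User account created';     4723 = 'Password change attempt'
    4724 = 'Password reset attempt';   4725 = 'Account disabled'
    4726 = 'Account deleted';          4738 = 'Account changed'
    4740 = 'Account locked out';       4781 = 'Account name changed'
    4625 = 'Logon failure';            4649 = 'Replay attack detected'
    4648 = 'Logon with explicit credentials'
    4739 = 'Domain policy changed';    4713 = 'Kerberos policy changed'
    4719 = 'Audit policy changed';     4714 = 'EFS recovery policy changed'
    4950 = 'Firewall setting changed'; 4609 = 'Windows shutting down'
    4616 = 'System time changed';      4697 = 'Service installed'
}

function Get-DcSecurityCounters {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Minutes = 5)
    $since = (Get-Date).AddMinutes(-$Minutes)
    # One filtered read of the Security log for all IDs; no events is not an error here
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = [int[]]$eventIds.Keys; StartTime = $since
    } -ErrorAction SilentlyContinue
    $byId = $events | Group-Object Id -AsHashTable -AsString
    $rows = foreach ($id in $eventIds.Keys | Sort-Object) {
        $n = if ($byId -and $byId["$id"]) { $byId["$id"].Count } else { 0 }
        [pscustomobject]@{ EventId = $id; Monitor = $eventIds[$id]; Count = $n }
    }
    # State counters: these are expected to be non-zero, so alert on a threshold instead
    $rows += [pscustomobject]@{ EventId = $null; Monitor = 'Locked out users'
        Count = @(Search-ADAccount -LockedOut -UsersOnly).Count }
    $rows += [pscustomobject]@{ EventId = $null; Monitor = 'Disabled users'
        Count = @(Search-ADAccount -AccountDisabled -UsersOnly).Count }
    $rows
}

# Everything that is expected to be zero but is not
Get-DcSecurityCounters | Where-Object { $_.EventId -and $_.Count -gt 0 }
```

Keep the StartTime window equal to the polling interval; a window longer than the interval double-counts events across polls, a shorter one drops them.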
Locked out users
Returns the number of currently locked out users. Set the threshold value according to your requirements.
Disabled users
Returns the number of currently disabled users. Set the threshold value according to your requirements.
User Account: User account was created
Returns the number of new user accounts created.
Event ID: 4720.
Only authorized people and processes should create domain accounts. Examine the Subject fields (Account Name and Account Domain) to determine which account created the new one, and the New Account fields for what was created. This event also reveals administrators creating accounts outside organizational policy guidelines.
User Account: Attempt to change password
Returns the number of account password change attempts.
Event ID: 4723.
This event is logged as a failure if the new password fails to meet the password policy.
This event results from a password change request in which the user supplies the account's current password. Compare Subject\Account Name with Target Account\Account Name to determine whether the account owner or someone else attempted the change; if the two differ, someone other than the account owner tried to change the password.
User Account: Attempt to reset password
Returns the number of times a user or process resets an account password through an administrative interface, such as Active Directory Users and Computers, rather than through a password change process.
Event ID: 4724.
This event is logged as a failure if the new password fails to meet the password policy.
Only authorized people or processes should carry out this process, such as help desk or user self-service password reset.
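As an added example (not the template's code), the script below applies the two checks described for 4723 and 4724: it pulls the Subject and Target account fields out of the event XML, flags password change attempts where the subject is not the owner, and flags resets by any account outside an allow-list. The allow-list names are hypothetical; replace them with the help desk and self-service accounts that are authorized to reset passwords in your domain.

```powershell
# Added example: subject-versus-target review of 4723/4724 on a domain controller.
# Hypothetical allow-list of accounts permitted to reset other users' passwords.
$authorizedResetters = @('helpdesk-svc', 'sspr-svc')

function Get-EventField {
    # Read one named EventData value from a Security event's XML rendering
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-PasswordEventFindings {
    param([int]$Hours = 24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4723, 4724; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $subject = Get-EventField $e 'SubjectUserName'
        $target  = Get-EventField $e 'TargetUserName'
        # Success/failure is carried in the event keywords, not in a data field
        $outcome = if ($e.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
        $finding = switch ($e.Id) {
            # 4723: the owner changes their own password, so subject and target should match
            4723 { if ($subject -ne $target) { 'Change attempted by an account other than the owner' } }
            # 4724: administrative reset; skip machine accounts (names ending in $)
            4724 { if ($subject -notin $authorizedResetters -and $subject -notlike '*$') {
                       'Reset by an account outside the authorized list' } }
        }
        if ($finding) {
            [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Outcome = $outcome
                Subject = $subject; Target = $target; Finding = $finding }
        }
    }
}

Get-PasswordEventFindings | Format-Table -AutoSize
```

Run it against each domain controller, because a reset is logged only on the DC that processed it.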
User Account: Account was disabled
Returns the number of times an account becomes disabled.
Event ID: 4725.
Always investigate this event.
User Account: Account was deleted
Returns the number of deleted user accounts.
Event ID: 4726.
Only authorized people and processes should delete domain accounts. Search for these events and examine the Subject fields to detect deletions by unauthorized people.
User Account: Account was changed
Returns the number of times when changes were made to security-related properties of user accounts.
Event ID: 4738.
User Account: Account was locked out
Returns the number of accounts that were locked out automatically.
Event ID: 4740.
A user account was locked out because the number of consecutive failed logon attempts reached the account lockout threshold. The Subject of this event is always the domain controller itself; the Caller Computer Name field identifies the computer from which the failed attempts came.
User Account: Account name was changed
Returns the number of changes to the logon name of a user or computer account.
Event ID: 4781.
When an account is renamed its SID does not change. The event records the Target Account's Security ID together with the Old Account Name and New Account Name, so correlate the account with other events by SID rather than by name.
A rogue administrator might rename an account or a computer in an attempt to cover their tracks.
Logon: Account failed to log on
Returns the number of failed logon attempts, for example with an unknown user name, a wrong password, or a disabled or locked-out account; the Status and Sub Status fields give the reason.
Event ID: 4625.
Check for attempts where the Account Name under "Account For Which Logon Failed" equals Administrator or the renamed built-in administrator account. Also check for repeated failures that stay below the account lockout threshold, which is how password spraying avoids triggering event 4740. Note that 4625 is recorded on the computer where the logon was attempted; failed domain authentications performed on behalf of other hosts appear on the domain controller as 4771 (Kerberos pre-authentication failed) and 4776 (NTLM credential validation failed), which this template does not count.
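The two checks above, as an added example that is not part of the template: the script decodes the Sub Status of each 4625 event, warns on any failure against the built-in administrator (found by its RID 500 so that a renamed account is still caught), and warns on sources that spread failures across many accounts while staying under the lockout threshold read from the domain password policy. It assumes the RSAT ActiveDirectory module; the "5 distinct accounts" cutoff is an assumed value.

```powershell
# Added example: failed-logon review on a domain controller.
Import-Module ActiveDirectory

# Lockout threshold and the real name of the built-in administrator (RID 500)
$lockoutThreshold = (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold
$domainSid = (Get-ADDomain).DomainSID.Value
$adminName = (Get-ADUser -Identity "$domainSid-500").SamAccountName

# Common NTSTATUS sub-status values seen in 4625; hashtable lookups are case-insensitive
$subStatus = @{
    '0xC000006A' = 'wrong password';        '0xC0000064' = 'user name does not exist'
    '0xC0000072' = 'account disabled';      '0xC0000234' = 'account locked out'
    '0xC0000071' = 'password expired';      '0xC0000193' = 'account expired'
    '0xC000006F' = 'outside logon hours';   '0xC0000070' = 'workstation restriction'
}

function Get-FailedLogonReport {
    param([int]$Hours = 1, [int]$SprayAccountCutoff = 5)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $d = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time = $e.TimeCreated; Account = $d.TargetUserName; Source = $d.IpAddress
            LogonType = $d.LogonType
            Reason = if ($subStatus[$d.SubStatus]) { $subStatus[$d.SubStatus] } else { $d.SubStatus }
        }
    }
    # 1. Anything aimed at the built-in administrator, whatever it is called now
    $rows | Where-Object { $_.Account -eq $adminName } | ForEach-Object {
        Write-Warning "Administrator logon failure from $($_.Source): $($_.Reason)"
    }
    # 2. Per source: many distinct accounts, each below the lockout threshold
    $rows | Group-Object Source | ForEach-Object {
        $perAccount = @($_.Group | Group-Object Account)
        $maxPerAccount = ($perAccount | Measure-Object Count -Maximum).Maximum
        $underThreshold = ($lockoutThreshold -eq 0) -or ($maxPerAccount -lt $lockoutThreshold)
        if ($perAccount.Count -ge $SprayAccountCutoff -and $underThreshold) {
            Write-Warning ('Possible password spray from {0}: {1} accounts, at most {2} failures each' -f
                $_.Name, $perAccount.Count, $maxPerAccount)
        }
    }
    $rows
}

Get-FailedLogonReport | Group-Object Reason | Select-Object Name, Count
```

A LockoutThreshold of 0 means lockout is disabled, in which case every spray stays "below threshold" and the account-count cutoff is the only signal.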
Logon: Replay attack detected
Returns the number of detected attempts by the authentication package to log on by replaying a user's credentials.
Event ID: 4649.
Investigate immediately; it can also be a symptom of network misconfiguration rather than an attack.
Logon: Attempted logon using explicit credentials
Returns a number for the following events:
- A user connects to a server or runs a program locally using alternate credentials (run as);
- A process logs on as a different account; such as when the Scheduled Tasks service starts a task as the specified user;
- With User Account Control (UAC) enabled, an end user runs a program requiring administrative authority.
Event ID: 4648.
Policy: Domain policy was changed
Returns the number of events when the computer's Security Settings\Account Policy or Account Lockout Policy was modified, either via Local Security Policy or Group Policy in the Active Directory.
Event ID: 4739.
Unfortunately, the Subject fields don't identify who actually changed the policy because this policy is not directly configured by administrators. Instead, it is edited in a group policy object which then gets applied to the computer. Therefore, this event always shows the local computer as the one who changed the policy since the computer is the security principal under which gpupdate runs.
Policy: Kerberos policy was changed
Returns the number of times Windows detects a change to the domain's Kerberos policy. Kerberos policy is defined in GPOs linked to the root of the domain under Computer Configuration\Windows Settings\Security Settings\Account Policy\Kerberos Policy.
Event ID: 4713.
Unfortunately, the Subject fields do not identify who actually changed the policy because this policy is not directly configured by administrators. Instead, it is edited in a group policy object which then gets applied to the computer. Therefore, this event always shows the local computer as the one who changed the policy since the computer is the security principal under which gpupdate runs.
Policy: System audit policy was changed
Returns the number of times audit policies have been changed, either via Local Security Policy, Group Policy in Active Directory, or the auditpol command.
Event ID: 4719.
According to Microsoft, this event is always logged when an audit policy is disabled, regardless of the "Audit Policy Change" sub-category setting.
If group policy was used to configure audit policy, the Subject fields do not identify who actually changed the policy. In such cases, this event always shows the local computer as the one who changed the policy since the computer is the security principal under which gpupdate runs.
This event does not necessarily indicate a problem; however, an attacker can change audit policy as part of a computer system attack. You should monitor this event on high value computers and domain controllers.
Policy: Encrypted data recovery policy was changed
Returns the number of times a computer's Security Settings\Public Key Policies\Encrypting File System data recovery agent policy was modified either via Local Security Policy or Group Policy in an Active Directory.
Event ID: 4714.
Unfortunately, the Subject fields do not identify who actually changed the policy because this policy is not directly configured by administrators. Instead, it is edited in a group policy object which then gets applied to the computer. Therefore, this event always shows the local computer as the one who changed the policy since the computer is the security principal under which gpupdate runs.
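Because the Subject of 4713, 4714, 4719 and 4739 is the computer applying the policy, the account that edited the GPO has to come from elsewhere. One way, shown here as an added example that is not part of the template, is to correlate each policy-change event with 5136 (a directory service object was modified) events on groupPolicyContainer objects logged shortly before it: those carry the editing account, the GPO's distinguished name and the attribute touched. This needs the Directory Service Changes audit subcategory enabled on the domain controllers and a SACL on the GPO objects, neither of which is among the categories the template requires; the 120-minute lookback is an assumed value.

```powershell
# Added example: attribute policy-change events to the GPO editor via 5136.
function Get-PolicyChangeEditor {
    param([int]$Hours = 24, [int]$LookbackMinutes = 120)
    $policyEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4713, 4714, 4719, 4739
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    foreach ($p in $policyEvents) {
        # GPO edits in the window before the policy was applied on this DC
        $gpoEdits = Get-WinEvent -FilterHashtable @{
            LogName = 'Security'; Id = 5136
            StartTime = $p.TimeCreated.AddMinutes(-$LookbackMinutes); EndTime = $p.TimeCreated
        } -ErrorAction SilentlyContinue | ForEach-Object {
            $ev = $_
            $d = @{}
            ([xml]$ev.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            # Only changes to Group Policy containers are relevant here
            if ($d.ObjectClass -eq 'groupPolicyContainer') {
                [pscustomobject]@{
                    Time = $ev.TimeCreated
                    Editor = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                    Gpo = $d.ObjectDN            # CN={GPO GUID},CN=Policies,CN=System,...
                    Attribute = $d.AttributeLDAPDisplayName
                    Value = $d.AttributeValue
                }
            }
        }
        [pscustomobject]@{
            PolicyEvent   = $p.Id
            AppliedAt     = $p.TimeCreated
            LikelyEditors = (@($gpoEdits.Editor) | Sort-Object -Unique) -join ', '
            GposEdited    = (@($gpoEdits.Gpo) | Sort-Object -Unique) -join '; '
            Attributes    = (@($gpoEdits.Attribute) | Sort-Object -Unique) -join ', '
        }
    }
}

Get-PolicyChangeEditor | Format-List
```

Every GPO edit increments the container's versionNumber attribute, so that attribute appears in the 5136 events even when the setting itself lives in the SYSVOL files; map the GUID in the distinguished name to a display name with Get-GPO -Guid.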
System: Windows Firewall setting has changed
Returns the number of changes made to Windows Firewall settings, for example through the Windows Firewall with Advanced Security MMC console.
Event ID: 4950.
System: Windows is shutting down
Returns the number of times Windows was shut down.
Event ID: 4609.
On high-value computers, authorized personnel should restart computers in accordance with established policies. Investigate immediately when this event occurs on any server.
System: The system time was changed
Returns the number of times the system time has changed.
Event ID: 4616 (the template lists 520, which is the legacy Windows 2000/2003 event ID; on Windows Server 2008 and later the system time change is recorded as event 4616 in the Security log).
This event shows the old and new system times, and the Subject section identifies who changed the time. It is routine to see this event with "LOCAL SERVICE" as the subject, which is the Windows Time service adjusting the clock, and those occurrences can usually be ignored. You may see this event logged twice in a row.
System: Service installed in the system
Returns the number of new services installed; the Subject identifies the installing account.
Event ID: 4697.
Subject often identifies the local system (SYSTEM) for services installed as part of native Windows components and therefore you cannot determine who actually initiated the installation.
This is a key change control event as new services are significant extensions of the software running on a server and the roles it performs.
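Since 4697 carries the service binary path, start type and installing account, a first triage pass can be automated. The script below is an added example, not part of the template: it reads those fields from the event XML and flags service images outside the Windows and Program Files trees, images that are script interpreters or command shells (the pattern remote-execution tools leave behind), and images in temporary or user-writable paths. The trusted roots and the interpreter list are assumptions to adjust for your environment.

```powershell
# Added example: triage of 4697 "A service was installed in the system".
function Get-SuspiciousServiceInstalls {
    param([int]$Days = 7)
    # Assumed trusted locations for service binaries
    $trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4697; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $ev = $_
        $d = @{}
        ([xml]$ev.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        # ServiceFileName may be a quoted path followed by arguments; keep the executable
        $image = if ($d.ServiceFileName -match '^"([^"]+)"') { $Matches[1] } else { $d.ServiceFileName }
        $flags = @()
        if (-not ($trustedRoots | Where-Object { $image -like "$_*" })) {
            $flags += 'binary outside trusted roots'
        }
        if ($image -match '(?i)\b(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32)\.exe') {
            $flags += 'interpreter used as service image'
        }
        if ($image -match '(?i)\\(temp|tmp|users\\[^\\]+\\(downloads|appdata))\\') {
            $flags += 'temporary or user-writable path'
        }
        if ($flags) {
            [pscustomobject]@{
                Time      = $ev.TimeCreated
                Installer = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Service   = $d.ServiceName
                Image     = $image
                StartType = $d.ServiceStartType    # 2 = automatic, 3 = on demand
                Flags     = $flags -join '; '
            }
        }
    }
}

Get-SuspiciousServiceInstalls | Format-Table -AutoSize
```

Installs that pass these checks still deserve a change-control ticket; the filter only orders the queue.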