Table of Contents
Introduction
Overview
Major Security Events and Policy Changes
    Major Security Events and Policy Changes: Active Directory and Member Server
Active Directory and Member Server Compliance Events of Interest
    Active Directory General Object Changes
    Active Directory and Local Server Group Member Additions
    Active Directory and Local Server Group Member Deletions
    Active Directory and Local Users New or Enabled
    Active Directory and Local Users Deleted or Disabled
    Active Directory Group Policy Change
    Active Directory Permission Changes
    Active Directory and Local User Account Lockouts and Password Resets
    Active Directory and Local Server Other Users, Groups and Computers Changes
Authentication and Logons Compliance Events of Interest
    Domain Account Authentication
    Domain Account Authentication Failure Analysis
    User Logons by Server Type
Introduction
This document and its companion, SecureWorks Audit Policy Configuration, are designed to give you greater insight into the Windows logs that need to be collected for security and compliance purposes, and into how to configure your Windows systems to log this information. It is the result of extensive research into the generally accepted best practices for Windows log monitoring, performed in conjunction with SecureWorks' team of audit experts and recognized Windows expert Randy Smith, founder of the Monterey Technology Group and author of Ultimate Windows Security.
The information throughout this document provides the event IDs and details necessary for optimum Windows security and compliance. SecureWorks has also tuned its filters to capture the information outlined here and has created a suite of reports that let you view your Windows events easily. Reports designated as daily should be scheduled by your organization to run daily against your Windows servers and be reviewed by a member of your team. Reports designated as ad hoc should be run, or scheduled to run, for periodic review by your team. The Portal also allows you to store a report and digitally sign it for audit purposes. Each event grouping below is mapped to one of the following SecureWorks reports, which can be accessed, run and scheduled via the Monitoring section of the Report tab in the SecureWorks Client Portal:
Overview
Each entry below gives the Windows event group, the event codes that make it up, the SecureWorks report in which it appears and how often that report should be reviewed.

Major Security Events and Policy Changes
Windows Event Group: Major Security Events and Policy Changes: Active Directory and Member Server
    Event Codes: 517, 520, 601, 608, 609, 610, 611, 612, 617, 620, 621, 622, 643
    SecureWorks Report Name: Active Directory and Member Server Compliance Events - Daily
    Frequency of Review: Daily

Active Directory and Member Server Compliance Events of Interest
Windows Event Group: Active Directory General Object Changes
    Event Codes: 565, 566
    SecureWorks Report Name: Active Directory and Member Server Compliance Events - Daily
    Frequency of Review: Daily
Windows Event Group: Active Directory and Local Server Group Member Additions
    Event Codes: 632, 636, 650, 655, 660, 665
    SecureWorks Report Name: Active Directory and Member Server Compliance Events - Daily
    Frequency of Review: Daily
Windows Event Group: Active Directory and Local Server Group Member Deletions
    Event Codes: 633, 637, 651, 656, 661, 666
    SecureWorks Report Name: Active Directory and Member Server Compliance Events - Daily
    Frequency of Review: Daily
Windows Event Group: Active Directory and Local Users New or Enabled
    Event Codes: 624, 642, 626
    SecureWorks Report Name: Active Directory and Member Server Compliance Events - Daily
    Frequency of Review: Daily
Windows Event Group: Active Directory and Local Users Deleted or Disabled
    Event Codes: 629, 630, 642
    SecureWorks Report Name: Active Directory and Member Server Compliance Events - Daily
    Frequency of Review: Daily
Windows Event Group: Active Directory Group Policy Change
    Event Codes: 565, 566
    SecureWorks Report Name: Active Directory and Member Server Compliance Events - Daily
    Frequency of Review: Daily
Windows Event Group: Active Directory Permission Changes
    Event Codes: 565, 566, 560
    SecureWorks Report Name: Active Directory and Member Server Compliance Events - Daily
    Frequency of Review: Daily
Windows Event Group: Active Directory and Local User Account Lockouts and Password Resets
    Event Codes: 642, 644, 671, 627, 628
    SecureWorks Report Name: Active Directory and Member Server Compliance Events - Daily
    Frequency of Review: Daily
Windows Event Group: Active Directory and Local Server Other Users, Groups and Computers Changes
    Event Codes: 642, 685, 635, 631, 658, 648, 653, 663, 641, 639, 659, 649, 654, 664, 638, 634, 662, 652, 657, 667, 668, 645, 646, 647
    SecureWorks Report Name: Active Directory and Member Server Compliance Events Ad Hoc
    Frequency of Review: Ad Hoc

Authentication and Logons Compliance Events of Interest
Windows Event Group: Domain Account Authentication
    Event Codes: 672
    SecureWorks Report Name: Authentication and Logons Compliance Events of Interest Ad Hoc
    Frequency of Review: Ad Hoc
Windows Event Group: Domain Account Authentication Failure Analysis
    Event Codes: 672, 675, 676, 681
    SecureWorks Report Name: Authentication and Logons Compliance Events of Interest Ad Hoc
    Frequency of Review: Ad Hoc
Windows Event Group: User Logons by Server Type
    Event Codes: 529 through 540, excluding 538
    SecureWorks Report Name: Authentication and Logons Compliance Events of Interest Ad Hoc
    Frequency of Review: Ad Hoc
Major Security Events and Policy Changes: Active Directory and Member Server
Log Information to Aggregate
Columns: Computer, Event ID, Event/Change, Performed By, Success/Failure. The Performed By column is filled from the description fields named for each event; n/a means the event carries no caller fields.

Event ID 517 - The audit log was cleared
    Performed By: Client User Name:\Client User Domain:
Event ID 520 - The system time was changed
    Performed By: Client User Name:\Client User Domain:
Event ID 601 - Attempt to install a service
    Event/Change: Service Name: (for example, SNMPTRAP)
    Performed By: User Name: \ Domain:
    Success/Failure: as audited
Event ID 608 - User right assigned
    Performed By (Assigned By): User Name: \ Domain:
Event ID 609 - User right removed
    Performed By (Assigned By): User Name: \ Domain:
Event ID 610 - New trusted domain
    Event/Change: Trust Type: (translation guidance: the numeric Field value is displayed using the Value/Display translation of the trust direction and trust type; see
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/microsoft_domaintruststatus.asp
    and http://msdn2.microsoft.com/enus/library/system.directoryservices.activedirectory.trusttype.aspx)
    Performed By (Established By): User Name: \ Domain:
Event ID 611 - Trusted domain removed
    Performed By (Established By): User Name: \ Domain:
Event ID 620 - Trusted domain information modified
    Performed By (Modified By): User Name: \ Domain:
Event ID 612 - Audit policy changed
    Performed By: n/a
    Event/Change: Server:Name\Domain followed by the New Policy, one line per audit category with a + (on) or - (off) for Success and Failure auditing, for example:
        Success  Failure
        +        +        Logon/Logoff
        +        +        Object Access
        +        +        Privilege Use
        -        -        Account Management
        +        +        Policy Change
        +        +        System
        -        -        Detailed Tracking
        +        +        Directory Service Access
        +        +        Account Logon
Event ID 617 - Kerberos policy changed
    Performed By: n/a
    Event/Change: Domain: and Change:, where '--' means no changes; otherwise each change is shown as <ParameterName>: <new value> (<old value>), for example:
        KerOpts: 0x80 (none); KerMinT: 0x53d1ac1000 (none); KerMaxT: 0x53d1ac1000 (none); KerMaxR: 0x58028e44000 (none); KerProxy: 0xb2d05e00 (none); KerLogoff: 0x9ef7800000000 (none);
Event ID 621 - System security access granted to an account
    Performed By: n/a
    Event/Change: Account: Domain\User; Access: (for example, SeRemoteInteractiveLogonRight)
Event ID 622 - System security access removed from an account
    Performed By: n/a
    Event/Change: Account: Domain\User; Access: (for example, SeRemoteInteractiveLogonRight)
Event ID 643 - Domain policy changed
    Performed By (Changed By): User Name: \ Domain:
Interpretation
Entries in this group indicate major changes to the security configuration of the indicated server, or a high-severity security event such as the security log being cleared. Pay particular attention to a 612 whose New Policy turns a category off: in the example above Account Management auditing is disabled, which would silence every Account Management event group in this document.
Documentation
This group contains Event IDs: 517, 520, 601, 608, 609, 610, 611, 612, 617, 620, 621, 622 and 643.
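The 612 and 617 descriptions above are the ones a monitoring pipeline has to parse. The following added example (not SecureWorks code; the description layouts and the required-category list are assumptions drawn from the table, and the sample events are constructed) turns a 612 New Policy block into a per-category map and flags any category this document relies on that has been switched off, and splits a 617 Change: field into parameter/new/old triples, converting the Kerberos lifetimes from 100-nanosecond ticks to seconds.

```python
"""Parse 612 (Audit Policy Change) and 617 (Kerberos Policy Change) text.
Added example, not SecureWorks code. Layouts and the required-category
list are assumptions based on the table above; samples are constructed."""
import re

# Success auditing this document's event groups depend on (assumption drawn
# from the audit policy requirements listed for each group on this page).
REQUIRED_SUCCESS_AUDIT = {
    "Account Management", "Directory Service Access", "Policy Change",
    "Logon/Logoff", "Account Logon", "System",
}

# One 612 'New Policy' line: <success +/-> <failure +/-> <category>
POLICY_LINE_RE = re.compile(r"^[ \t]*([+-])[ \t]*([+-])[ \t]*([A-Za-z/ ]+?)[ \t]*$", re.MULTILINE)
# One 617 change entry: <ParameterName>: <new value> (<old value>)
KERB_CHANGE_RE = re.compile(r"(\w+):\s*([^\s(]+)\s*\(([^)]*)\)")


def parse_612_policy(description):
    """Map each audit category to (success_on, failure_on)."""
    return {cat: (s == "+", f == "+") for s, f, cat in POLICY_LINE_RE.findall(description)}


def weakened_categories(description):
    """Required categories whose Success auditing the new policy turns off."""
    policy = parse_612_policy(description)
    return sorted(c for c in REQUIRED_SUCCESS_AUDIT if c in policy and not policy[c][0])


def parse_617_changes(change_field):
    """'--' means no changes; otherwise a list of (parameter, new, old)."""
    if change_field.strip() in ("", "--"):
        return []
    return KERB_CHANGE_RE.findall(change_field)


def ticks_to_seconds(hex_value):
    """Kerberos lifetimes in 617 are 100-nanosecond ticks (assumption)."""
    return int(hex_value, 16) / 10_000_000


SAMPLE_612 = (  # constructed; mirrors the New Policy example in the table
    "Audit Policy Change:\nNew Policy:\n\tSuccess\tFailure\n"
    "\t+\t+\tLogon/Logoff\n\t+\t+\tObject Access\n\t+\t+\tPrivilege Use\n"
    "\t-\t-\tAccount Management\n\t+\t+\tPolicy Change\n\t+\t+\tSystem\n"
    "\t-\t-\tDetailed Tracking\n\t+\t+\tDirectory Service Access\n\t+\t+\tAccount Logon\n"
)
SAMPLE_617_CHANGE = (  # the Change: text shown for 617 above
    "KerOpts: 0x80 (none); KerMinT: 0x53d1ac1000 (none); KerMaxT: 0x53d1ac1000 (none); "
    "KerMaxR: 0x58028e44000 (none); KerProxy: 0xb2d05e00 (none); KerLogoff: 0x9ef7800000000 (none);"
)

if __name__ == "__main__":
    print("required audit categories now off:", weakened_categories(SAMPLE_612))
    for name, new, old in parse_617_changes(SAMPLE_617_CHANGE):
        seconds = f"= {ticks_to_seconds(new):.0f} s" if name != "KerOpts" else ""
        print(f"{name}: {new} (was {old}) {seconds}")
```

With the table's own values, KerMaxT decodes to 36000 seconds (10 hours) and KerMaxR to 604800 seconds (7 days), which are the Windows default maximum ticket and renewal lifetimes; a 617 that shortens or lengthens these is worth a second look.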
Active Directory General Object Changes
Audit Policy Requirements
Category: Directory Service Access
Type: Success
Role: Domain Controllers (only DCs report 565 or 566)
SecureWorks Report:
o Pre-Built Report Section: Monitoring
o Report Name: Active Directory and Member Server Compliance Events - Daily
Log Information to Aggregate
Object Type, translated as follows:
o domainDNS = Domain
o organizationalUnit = OU
o groupPolicyContainer = GPO
Object Name
Operation, derived from the accesses listed in the event description:
    Object Type                                         If present in description    Column contents
    Any                                                 WRITE_DAC                    Changed permissions
    Any                                                 Delete Tree or DELETE        Deleted
    organizationalUnit, domainDNS, site or              any other access             modified
    groupPolicyContainer
Changed by
Interpretation
This group documents changes made to AD objects.
Documentation
This group is based on event IDs 565 and 566.
Active Directory and Local Server Group Member Additions
Audit Policy Requirements
Category: Account Management
Type: Success
Role: Domain Controllers
SecureWorks Report:
o Pre-Built Report Section: Monitoring
o Report Name: Active Directory and Member Server Compliance Events - Daily
Log Information to Aggregate
Group domain (Target Domain:)
Group name
Type
New Member (Member Name:)
Added by
Interpretation
If the group's Type is Security, the New Member now has access to any objects where the group is granted permissions and, if the group is mail-enabled, will receive email sent to the group. If the group's Type is Distribution, the New Member will receive email sent to the group.
These logs document new members added to security and distribution groups in Active Directory and on local servers. AD and local server groups are increasingly used as the basis for controlling access to privileged information and transactions in databases and applications, so AD and local group and user activity is usually significant even in the unlikely scenario that no significant information is stored on Windows file servers. Distribution groups are important to monitor because they are often used to deliver confidential email.
Documentation
There are three scopes of groups. A group's scope limits where the group can be granted access and who the group can have as members. These events are collected from domain controllers.
    Scope          Explanation                                                                                Event ID (Security)   Event ID (Distribution)
    Domain Local   Can be granted access only to objects in its own domain; members from any trusted domain   636                   650
    Global         Members only from its own domain; can be granted access to objects in other domains         632                   655
    Universal      Members from any domain in the forest; can be granted access to objects in any domain       660                   665
Active Directory and Local Server Group Member Deletions
Audit Policy Requirements
Category: Account Management
Type: Success
Role: Domain Controllers
SecureWorks Report:
o Pre-Built Report Section: Monitoring
o Report Name: Active Directory and Member Server Compliance Events - Daily
Log Information to Aggregate
Group domain (Target Domain:)
Group name
Type
Scope
Member (Member Name:)
Deleted by
Interpretation
If the group's Type is Security, the Member no longer has access to any objects where the group is granted permissions and no longer receives email sent to the group. If the group's Type is Distribution, the Member no longer receives email sent to the group.
These logs document members removed from security and distribution groups in Active Directory and on local servers. AD groups are increasingly used as the basis for controlling access to privileged information and transactions in databases and applications, so AD and local server group and user activity is usually significant even in the unlikely scenario that no significant information is stored on Windows file servers. Distribution groups are important to monitor because they are often used to deliver confidential email.
Documentation
There are three scopes of groups. A group's scope limits where the group can be granted access and who the group can have as members. These events are collected from domain controllers.
    Scope          Explanation                                                                                Event ID (Security)   Event ID (Distribution)
    Domain Local   Can be granted access only to objects in its own domain; members from any trusted domain   637                   651
    Global         Members only from its own domain; can be granted access to objects in other domains         633                   656
    Universal      Members from any domain in the forest; can be granted access to objects in any domain       661                   666
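The two scope tables above (additions and deletions) are really one lookup keyed by event ID, and the columns the reports aggregate all come from the event description. The following added example (not SecureWorks code; the Windows 2003 'Label: value' description layout is assumed, and the sample events and the watch list are constructed) performs that lookup, extracts group domain, group name, member and caller, and flags changes to a security group an organisation considers privileged.

```python
"""Parse Windows 2000/2003 group membership audit events (632-666) into the
columns the group additions/deletions reports aggregate.
Added example, not SecureWorks code. The 'Label:<TAB>value' description
layout is assumed; the sample events and the watch list are constructed."""
import re
from dataclasses import dataclass

# Event ID -> (operation, scope, group type); the two scope tables above.
GROUP_MEMBER_EVENTS = {
    632: ("added", "Global", "Security"),           633: ("removed", "Global", "Security"),
    636: ("added", "Domain Local", "Security"),     637: ("removed", "Domain Local", "Security"),
    650: ("added", "Domain Local", "Distribution"), 651: ("removed", "Domain Local", "Distribution"),
    655: ("added", "Global", "Distribution"),       656: ("removed", "Global", "Distribution"),
    660: ("added", "Universal", "Security"),        661: ("removed", "Universal", "Security"),
    665: ("added", "Universal", "Distribution"),    666: ("removed", "Universal", "Distribution"),
}

# Hypothetical watch list; an organisation would supply its own.
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

FIELD_RE = re.compile(r"^[ \t]*([^:\r\n]+?):[ \t]*(.*?)[ \t]*$", re.MULTILINE)


@dataclass
class GroupMembershipChange:
    event_id: int
    operation: str
    scope: str
    group_type: str
    group_domain: str
    group_name: str
    member: str
    performed_by: str


def parse_fields(description):
    """Turn the 'Label: value' lines of an event description into a dict."""
    return dict(FIELD_RE.findall(description))


def parse_group_membership_event(event_id, description):
    """Return the report row for a 632-666 event, or None for other IDs."""
    if event_id not in GROUP_MEMBER_EVENTS:
        return None
    operation, scope, group_type = GROUP_MEMBER_EVENTS[event_id]
    f = parse_fields(description)
    return GroupMembershipChange(
        event_id=event_id, operation=operation, scope=scope, group_type=group_type,
        group_domain=f.get("Target Domain", ""),
        group_name=f.get("Target Account Name", ""),
        # Member ID is the resolved DOMAIN\account; Member Name is the DN.
        member=f.get("Member ID") or f.get("Member Name", ""),
        performed_by=f"{f.get('Caller Domain', '')}\\{f.get('Caller User Name', '')}",
    )


def is_privileged_change(change):
    """Security-group changes on the watch list deserve same-day follow-up."""
    return change.group_type == "Security" and change.group_name in SENSITIVE_GROUPS


SAMPLE_632 = (  # constructed, Windows 2003 layout
    "Security Enabled Global Group Member Added:\n"
    "\tMember Name:\tCN=Jane Doe,CN=Users,DC=example,DC=com\n"
    "\tMember ID:\tEXAMPLE\\jdoe\n"
    "\tTarget Account Name:\tDomain Admins\n"
    "\tTarget Domain:\tEXAMPLE\n"
    "\tTarget Account ID:\tEXAMPLE\\Domain Admins\n"
    "\tCaller User Name:\tradmin\n"
    "\tCaller Domain:\tEXAMPLE\n"
    "\tCaller Logon ID:\t(0x0,0x34495)\n"
    "\tPrivileges:\t-\n"
)
SAMPLE_651 = (  # constructed: removal from a domain local distribution group
    "Security Disabled Local Group Member Removed:\n"
    "\tMember Name:\tCN=Jane Doe,CN=Users,DC=example,DC=com\n"
    "\tMember ID:\tEXAMPLE\\jdoe\n"
    "\tTarget Account Name:\tFinance Announcements\n"
    "\tTarget Domain:\tEXAMPLE\n"
    "\tTarget Account ID:\tEXAMPLE\\Finance Announcements\n"
    "\tCaller User Name:\tradmin\n"
    "\tCaller Domain:\tEXAMPLE\n"
    "\tCaller Logon ID:\t(0x0,0x34495)\n"
    "\tPrivileges:\t-\n"
)

if __name__ == "__main__":
    for eid, desc in ((632, SAMPLE_632), (651, SAMPLE_651)):
        row = parse_group_membership_event(eid, desc)
        flag = " <-- privileged group" if is_privileged_change(row) else ""
        print(f"{row.event_id} {row.operation:7} {row.scope}/{row.group_type}: "
              f"{row.member} -> {row.group_domain}\\{row.group_name} by {row.performed_by}{flag}")
```

Member ID rather than Member Name is used for the member column because the DN form changes when an object is moved between OUs, while DOMAIN\account stays stable for correlation with the user events in the other groups.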
Active Directory and Local Users New or Enabled
Log Information to Aggregate
    Operation   Criteria
    New         event ID 624
    Enabled     event ID 626 (Windows 2003) or event ID 642 (Windows 2000)
User Account
Performed by
Operation (New or Enabled)
Interpretation
This event group documents new AD and local member server user accounts, or users previously disabled that are now enabled.
Documentation
This group is based on event IDs 626 and 624 in Windows 2003, and on 642 and 624 in Windows 2000.
Active Directory and Local Users Deleted or Disabled
Log Information to Aggregate
    Operation   Criteria
    Deleted     event ID 630
    Disabled    event ID 629 (Windows 2003) or event ID 642 (Windows 2000)
User Account
Performed by
Interpretation
This event group documents AD and local member server user account deletions, or accounts previously enabled that are now disabled.
Documentation
This group is based on event IDs 629 and 630 in Windows 2003, and on 642 and 630 in Windows 2000.
Active Directory Group Policy Change
Log Information to Aggregate
Type (Object Type, translated as follows):
o domainDNS = Domain
o organizationalUnit = OU
o groupPolicyContainer = GPO
o site = Site
Name (Object Name)
Operation: one of GPO modified, GPO permissions modified, GPO deleted or GPO created, determined from the Object Name: and the accesses listed in the description
Changed by
Interpretation
This event group documents all group policy related changes:
o New, changed and deleted GPOs
o Changes to the Group Policy properties tab of sites, domains and organizational units
Check for inappropriate or unauthorized group policy changes. A mistaken modification to group policy can affect thousands of users and computers, so change control and a change audit trail are crucial to limiting group policy risk. Changes to group policy objects can also adversely reconfigure security settings or policies, opening the organization to intrusion or system abuse.
Documentation
This group is based on event IDs 566 and 565.
Active Directory Permission Changes
Log Information to Aggregate
Domain
Type (Object Type, translated as follows; otherwise use the actual value):
o domainDNS = Domain
o organizationalUnit = OU
o groupPolicyContainer = GPO
Operation
Object Name
Changed by
Interpretation
This group documents changes to permissions on objects in Active Directory. Permission changes are usually the result of delegating administrative authority. Active Directory does not report the content of the change, only that it occurred; to see what was granted or removed you must review the ACLs of the affected objects.
Documentation
This group is based on event IDs 560, 565 and 566.
Active Directory and Local User Account Lockouts and Password Resets
Log Information to Aggregate
    Operation        OS     Criteria
    Locked           2000   event ID 644
                     2003   event ID 644
    Unlocked         2000   event ID 642
                     2003   event ID 671
    Password Reset   2000   event ID 628
                     2003   event ID 628
User Account
Performed by
Interpretation
This group documents AD and local member server account lockouts, subsequent unlocks and password resets by an administrator or someone delegated that authority.
Documentation
This group is based on event IDs 642, 644, 671, 627 and 628.
Active Directory and Local Server Other Users, Groups and Computers Changes
Log Information to Aggregate
Operation: General change (event ID 642, User Account Changed)
Column definition
    For user changes it is important to distinguish whether a 642 comes from a Windows 2000 or a Windows 2003 computer, because many 642s on Windows 2003 are redundant with the more specific event IDs. To determine the OS version: on Windows 2000, Changed Attributes will not be present in the description; on Windows 2003, Changed Attributes is present in the description.
    On Windows 2000: display the first insertion string from the description. Some account changes generate a 642 with the first insertion string empty; in such cases display "Not specified".
    On Windows 2003: Microsoft removed the first insertion string and replaced it with Changed Attributes. Display the attribute name/value pairs for which there is a value. For the example event below you would display:
        Password Last Set: 8/1/2006 12:15:10 PM
    Some account changes generate a 642 where no attributes are listed as changed; in such cases display "Not specified".
Selection criteria
    First check whether the 642 matches the criteria for one of the other operations in this table. If so, it is a specific change, not a general change.
    Windows sometimes logs multiple 642s for what is a single operation from the administrator's point of view.
    Windows logs multiple 642s in conjunction with new user accounts (624).
    Windows also logs 642s that are redundant with the event IDs that document specific actions such as password resets, enabling/disabling accounts, etc.
Example event:
    Event Type: Success Audit
    Event Source: Security
    Event Category: Account Management
    Event ID: 642
    Date: 8/1/2006
    Time: 12:15:10 PM
    User: S3DGROUP\radmin
    Computer: A4
    Description:
    User Account Changed:
        Target Account Name: gthomas
        Target Domain: S3DGROUP
        Target Account ID: S3DGROUP\gthomas
        Caller User Name: radmin
        Caller Domain: S3DGROUP
        Caller Logon ID: (0x0,0x34495)
        Privileges:
        Changed Attributes:
        Sam Account Name:
        Display Name:
        User Principal Name:
        Home Directory:
        Home Drive:
        Script Path:
        Profile Path:
        User Workstations:
        Password Last Set: 8/1/2006 12:15:10 PM
        Account Expires:
        Primary Group ID:
        AllowedToDelegateTo:
        Old UAC Value:
        New UAC Value:
        User Account Control:
        User Parameters:
        Sid History:
        Logon Hours: -
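The column definition above is an algorithm: decide the OS version from the presence of Changed Attributes, then either show the Windows 2000 insertion string or the Windows 2003 attributes that carry a value, falling back to "Not specified". The following added example (not SecureWorks code) implements it against the example event above and two constructed Windows 2000 descriptions; the exact "Account Disabled." wording of the Windows 2000 insertion string, and the use of that wording in the 2003 User Account Control attribute, are assumptions.

```python
"""Interpret a 642 'User Account Changed' event the way the column
definition above describes: detect Windows 2000 vs 2003 from the presence
of 'Changed Attributes', then display only attributes that carry a value,
or 'Not specified' when nothing is listed.
Added example, not SecureWorks code. The Windows 2000 insertion-string
wording is an assumption and the Windows 2000 samples are constructed."""
import re

ATTR_RE = re.compile(r"^[ \t]*([^:\r\n]+?):[ \t]*(.*?)[ \t]*$", re.MULTILINE)


def os_version_from_642(description):
    """Windows 2003 lists 'Changed Attributes:'; Windows 2000 does not."""
    return "2003" if "Changed Attributes:" in description else "2000"


def changed_attributes(description):
    """Windows 2003: attribute/value pairs after 'Changed Attributes:' that have a value."""
    _, _, tail = description.partition("Changed Attributes:")
    return {name: value for name, value in ATTR_RE.findall(tail) if value not in ("", "-")}


def first_insertion_string(description):
    """Windows 2000: the free text between the title line and 'Target Account Name:'."""
    _, _, rest = description.partition("User Account Changed:")
    text, _, _ = rest.partition("Target Account Name:")
    return text.strip()


def describe_642(description):
    """Lines for the report's change column; 'Not specified' when Windows says nothing."""
    if os_version_from_642(description) == "2003":
        attrs = changed_attributes(description)
        return [f"{k}: {v}" for k, v in attrs.items()] or ["Not specified"]
    text = first_insertion_string(description)
    return [text] if text and text != "-" else ["Not specified"]


def classify_642(description):
    """Apply the 'first check for a more specific operation' rule.
    Assumption: 'Account Disabled.' / 'Account Enabled.' appears in the
    Windows 2000 insertion string (and in the Windows 2003 'User Account
    Control:' attribute); anything else is a general change."""
    text = description.lower()
    if "account disabled" in text:
        return "Disabled"
    if "account enabled" in text:
        return "Enabled"
    return "General change"


SAMPLE_2003 = """User Account Changed:
\tTarget Account Name:\tgthomas
\tTarget Domain:\tS3DGROUP
\tTarget Account ID:\tS3DGROUP\\gthomas
\tCaller User Name:\tradmin
\tCaller Domain:\tS3DGROUP
\tCaller Logon ID:\t(0x0,0x34495)
\tPrivileges:\t-
\tChanged Attributes:
\tSam Account Name:\t-
\tDisplay Name:\t-
\tUser Principal Name:\t-
\tHome Directory:\t-
\tHome Drive:\t-
\tScript Path:\t-
\tProfile Path:\t-
\tUser Workstations:\t-
\tPassword Last Set:\t8/1/2006 12:15:10 PM
\tAccount Expires:\t-
\tPrimary Group ID:\t-
\tAllowedToDelegateTo:\t-
\tOld UAC Value:\t-
\tNew UAC Value:\t-
\tUser Account Control:\t-
\tUser Parameters:\t-
\tSid History:\t-
\tLogon Hours:\t-
"""  # the example event above, with '-' for unchanged attributes

SAMPLE_2000_DISABLED = (  # constructed Windows 2000 layout: insertion string first
    "User Account Changed:\n\tAccount Disabled.\n\tTarget Account Name:\tgthomas\n"
    "\tTarget Domain:\tS3DGROUP\n\tTarget Account ID:\tS3DGROUP\\gthomas\n"
    "\tCaller User Name:\tradmin\n\tCaller Domain:\tS3DGROUP\n"
    "\tCaller Logon ID:\t(0x0,0x34495)\n\tPrivileges:\t-\n"
)
SAMPLE_2000_EMPTY = SAMPLE_2000_DISABLED.replace("\tAccount Disabled.\n", "\t-\n")

if __name__ == "__main__":
    for sample in (SAMPLE_2003, SAMPLE_2000_DISABLED, SAMPLE_2000_EMPTY):
        print(os_version_from_642(sample), classify_642(sample), describe_642(sample))
```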
Other operations in this group, by event ID:
    Operation            Object     Event IDs
    Renamed              Group      685 (displayed as the old name, To: the new name)
    Created              Group      631, 635, 648, 653, 658, 663
    Changed              Group      639, 641, 649, 654, 659, 664
    Deleted              Group      634, 638, 652, 657, 662, 667
    Group Type Changed   Group      668
    Created              Computer   645
    Changed              Computer   646
    Deleted              Computer   647
Other Information
Domain
Object Type:
Performed by
Interpretation
This group documents all other changes to users, groups and computers, including new and deleted objects. Sometimes Windows fails to report exactly what was changed, which is reflected as "Not specified".
Recommended Usage and Response
Run the Active Directory and Member Server Compliance Events Ad Hoc report periodically and as needed. Provide it as needed to IT Audit to demonstrate compliance with account management procedures.
Documentation
This group is based on event IDs 642, 685, 635, 631, 658, 648, 653, 663, 641, 639, 659, 649, 654, 664, 638, 634, 662, 652, 657, 667, 668, 645, 646 and 647.
Domain Account Authentication
Log Information to Aggregate
Account (Domain:\User Name:)
Server
Interpretation
This group documents all authentications to domain controllers by users. Note that whenever a user logs onto their own workstation or a member server, a Network logon to a DC is also generated, because the user's workstation must access the domain controller under the user's credentials to apply Group Policy\User Configuration.
Documentation
This group is based on event ID 672.
Domain Account Authentication Failure Analysis
Log Information to Aggregate
Domain:\User Name:
Reason
Domain Controller
Workstation
Authentication Protocol
Interpretation
This group documents all authentication failures to domain controllers by users. Note that whenever a user logs onto their own workstation or a member server, a Network logon to a DC is also generated, because the user's workstation must access the domain controller under the user's credentials to apply Group Policy\User Configuration.
Documentation
This group is based on event IDs 672, 675, 676 and 681.
User Logons by Server Type
Log Information to Aggregate
Logon Type: %4 (see http://ultimatewindowssecurity.com/logontypes.html for translation)
Domain:\User Name
Server (Computer)
Process (Logon Process)
Logon ID (optional)
Success/Failure
Interpretation
This group documents all logons to monitored servers.
Documentation
This group is based on event IDs 529 through 540, excluding 538 (user logoff).
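The report above aggregates logons by server, logon type and outcome, and the logon type arrives as a raw number (%4) that needs translating. The following added example (not SecureWorks code) does that aggregation over constructed sample events and adds the check a practitioner usually wants on top of it, repeated bad-password failures per account. It goes slightly beyond the page's 529-540 range by also accepting 528, the successful non-network logon; event meanings and logon type names are the standard Microsoft ones.

```python
"""Classify Windows 2000/2003 logon events by outcome and logon type and
summarise them per server, as the 'User Logons by Server Type' report does.
Added example, not SecureWorks code. Also accepts 528 (successful logon);
event meanings and logon type names are the standard Microsoft ones, and
the sample events are constructed."""
import re
from collections import Counter

LOGON_EVENTS = {  # event ID -> (outcome, meaning); 538 (logoff) deliberately absent
    528: ("Success", "Successful logon"),
    529: ("Failure", "Unknown user name or bad password"),
    530: ("Failure", "Logon time restriction violation"),
    531: ("Failure", "Account currently disabled"),
    532: ("Failure", "Account has expired"),
    533: ("Failure", "User not allowed to log on at this computer"),
    534: ("Failure", "Logon type not granted"),
    535: ("Failure", "Password has expired"),
    536: ("Failure", "NetLogon component not active"),
    537: ("Failure", "Unexpected error during logon"),
    539: ("Failure", "Account locked out"),
    540: ("Success", "Successful network logon"),
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}
FIELD_RE = re.compile(r"^[ \t]*([^:\r\n]+?):[ \t]*(.*?)[ \t]*$", re.MULTILINE)


def classify_logon(event):
    """event = {'computer', 'event_id', 'description'}; returns a report row or None."""
    if event["event_id"] not in LOGON_EVENTS:
        return None
    outcome, meaning = LOGON_EVENTS[event["event_id"]]
    f = dict(FIELD_RE.findall(event["description"]))
    logon_type = int(f.get("Logon Type") or 0)
    return {
        "server": event["computer"],
        "user": f"{f.get('Domain', '')}\\{f.get('User Name', '')}",
        "logon_type": LOGON_TYPES.get(logon_type, f"Unknown ({logon_type})"),
        "logon_process": f.get("Logon Process", ""),
        "workstation": f.get("Workstation Name", ""),
        "outcome": outcome,
        "reason": meaning,
    }


def summarize(events):
    """Count rows per (server, logon type, outcome)."""
    counts = Counter()
    for event in events:
        row = classify_logon(event)
        if row:
            counts[(row["server"], row["logon_type"], row["outcome"])] += 1
    return counts


def repeated_bad_passwords(events, threshold=3):
    """Accounts with at least `threshold` 529s: password guessing or a stale credential."""
    per_user = Counter(classify_logon(e)["user"] for e in events if e["event_id"] == 529)
    return {user: n for user, n in per_user.items() if n >= threshold}


def _event(computer, event_id, title, **fields):
    """Build a constructed event in the 'Label:<TAB>value' description layout."""
    body = "".join(f"\t{k}:\t{v}\n" for k, v in fields.items())
    return {"computer": computer, "event_id": event_id, "description": f"{title}:\n{body}"}


SAMPLE_EVENTS = [  # constructed
    _event("SRV01", 528, "Successful Logon", **{"User Name": "jdoe", "Domain": "EXAMPLE",
           "Logon ID": "(0x0,0x1A2B3C)", "Logon Type": 10, "Logon Process": "User32",
           "Authentication Package": "Negotiate", "Workstation Name": "SRV01"}),
    _event("DC01", 540, "Successful Network Logon", **{"User Name": "jdoe", "Domain": "EXAMPLE",
           "Logon ID": "(0x0,0x4D2E1)", "Logon Type": 3, "Logon Process": "Kerberos",
           "Authentication Package": "Kerberos", "Workstation Name": "WS17"}),
    _event("SRV01", 538, "User Logoff", **{"User Name": "jdoe", "Domain": "EXAMPLE",
           "Logon ID": "(0x0,0x1A2B3C)", "Logon Type": 10}),
] + [
    _event("SRV01", 529, "Logon Failure", **{"Reason": "Unknown user name or bad password",
           "User Name": "administrator", "Domain": "EXAMPLE", "Logon Type": 3,
           "Logon Process": "NtLmSsp", "Authentication Package": "NTLM",
           "Workstation Name": "WS99"})
    for _ in range(3)
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_EVENTS).items()):
        print(key, n)
    print("repeated bad passwords:", repeated_bad_passwords(SAMPLE_EVENTS))
```

A RemoteInteractive (type 10) success on a server that is not normally administered over Terminal Services, or a run of type 3 NtLmSsp failures from one workstation against the built-in administrator, are the rows worth reviewing first when the Ad Hoc report is run.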