Event Filtering and Searching with XPath and PowerShell

Post on 23-Feb-2016


Ing. Ondřej Ševeček
MCSM:Directory | MVP:Enterprise Security | Certified Ethical Hacker | MCSE:SharePoint
ondrej@sevecek.com | www.sevecek.com

Event Filtering and Searching with XPath and PowerShell
Unfortunately there will be no SCOM ACS, but there will be more of everything else.

Auditing (2000+)

Granular auditing (2008/Vista+)

Event viewer

Event viewer and XML

XPath

XML "searching" language. Quick examples:

//State[@code='CZ']
//State[population>20]
/States/State[starts-with(display, 'C') and @continent='NAM']
//State[position()=3]
/States/*[starts-with(display, 'C')]
//display[starts-with(., 'C')]
//display[starts-with(text(), 'C')]

XPath

Event viewer:
- must replace < with &lt; and > with &gt;
- must replace <= with &lt;=
- can use only position(), Band() and timediff()
- today (last 24 hours, timediff() works in milliseconds): TimeCreated[timediff(@SystemTime) &lt;= 86400000]

WEVTUTIL:
- normal operators >, >=, <=, != …

Logon auditing

Account Logon Event – "authentication event": when an account database validates credentials

Logon Event – "session event": every time an Access Token is created or closed

NTLM and Schannel network logon

[Diagram: Client (2000+) -> App Traffic, NTLM hash in-band -> Server (2000+) -> pass-through NTLM hash over SMB or D/COM (dynamic TCP) -> DC (2000+)]

Kerberos network logon (basic principle)

[Diagram: Client (2000+) <- Kerberos: TGT: User, TGS: Server -> DC (2000+); Client -> App Traffic with TGS: Server in-band -> Server (2000+)]

Auditing (Interactive Logon)

[Diagram: SQL/FS, WFE, DC, Client; 1. Account Logon event on the DC, 2. Logon event on the Client]

Logon types

Type                       Value
Interactive                2
Network                    3
Batch                      4
Service                    5
Unlock                     7
NetworkCleartext           8
NewCredentials             9
RemoteInteractive          10
CachedInteractive          11
CachedRemoteInteractive    12
CachedUnlock               13

Status codes

Status                            Value
STATUS_WRONG_PASSWORD             0xC000006A
STATUS_PASSWORD_RESTRICTION       0xC000006C
STATUS_LOGON_FAILURE              0xC000006D
STATUS_ACCOUNT_RESTRICTION        0xC000006E
STATUS_INVALID_LOGON_HOURS        0xC000006F
STATUS_INVALID_WORKSTATION        0xC0000070
STATUS_PASSWORD_EXPIRED           0xC0000071
STATUS_ACCOUNT_DISABLED           0xC0000072
STATUS_LOGON_NOT_GRANTED          0xC0000155
STATUS_LOGON_TYPE_NOT_GRANTED     0xC000015B
STATUS_ACCOUNT_EXPIRED            0xC0000193
STATUS_PASSWORD_MUST_CHANGE       0xC0000224
STATUS_ACCOUNT_LOCKED_OUT         0xC0000234

Download err.exe

- version 2008: http://www.microsoft.com/en-us/download/details.aspx?id=985
- most up-to-date version: SDK for Windows 8.1, http://msdn.microsoft.com/en-us/windows/desktop/bg162891.aspx
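As an added example that is not part of the presentation: a PowerShell query that ties the Event Viewer XPath dialect (timediff(), the escaping difference) to the logon type and status code tables, listing network logon failures from the last 24 hours and naming their NTSTATUS code. Event ID 4625 and its EventData field names are standard Security log fields; the -MaxEvents value and running on the local machine are assumptions.

```powershell
# Added example, not from the presentation. Reads the local Security log
# (needs an elevated or Event Log Readers session).

# Status code names from the table above; the event XML writes them in lowercase.
$statusNames = @{
    '0xc000006a' = 'STATUS_WRONG_PASSWORD'
    '0xc000006c' = 'STATUS_PASSWORD_RESTRICTION'
    '0xc000006d' = 'STATUS_LOGON_FAILURE'
    '0xc000006e' = 'STATUS_ACCOUNT_RESTRICTION'
    '0xc000006f' = 'STATUS_INVALID_LOGON_HOURS'
    '0xc0000070' = 'STATUS_INVALID_WORKSTATION'
    '0xc0000071' = 'STATUS_PASSWORD_EXPIRED'
    '0xc0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xc0000155' = 'STATUS_LOGON_NOT_GRANTED'
    '0xc000015b' = 'STATUS_LOGON_TYPE_NOT_GRANTED'
    '0xc0000193' = 'STATUS_ACCOUNT_EXPIRED'
    '0xc0000224' = 'STATUS_PASSWORD_MUST_CHANGE'
    '0xc0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
}

# Event Viewer XPath dialect: only position(), band() and timediff() exist,
# and timediff() works in milliseconds (86400000 ms = 24 h).
# Get-WinEvent takes the raw string, so '<=' is written as-is here; in the
# Event Viewer XML filter dialog the same expression needs &lt;=.
$xpath = "*[System[EventID=4625 and TimeCreated[timediff(@SystemTime) <= 86400000]]" +
         " and EventData[Data[@Name='LogonType']='3']]"   # LogonType 3 = Network

Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 200 -ErrorAction SilentlyContinue |
  ForEach-Object {
    # EventData/Data elements are keyed by their Name attribute
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
    # 4625 carries both Status and the more specific SubStatus; use SubStatus
    $sub = "$($d['SubStatus'])".ToLower()
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Source    = $d['IpAddress']
        LogonType = $d['LogonType']
        Reason    = if ($statusNames.ContainsKey($sub)) { $statusNames[$sub] } else { $sub }
    }
  } | Sort-Object Time -Descending | Format-Table -AutoSize
```

Add -ComputerName to Get-WinEvent to run the same XPath against a remote DC or server.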

Auditing (Network session)

[Diagram: SQL/FS, WFE, DC, Client; 1. Account Logon event on the DC, 2. Logon event on the accessed server]

Auditing (Interactive logoff)

[Diagram: SQL/FS, WFE, DC, Client; 1. Logoff event on the Client, immediately at logoff]

Auditing (Network session)

[Diagram: SQL/FS, WFE, DC, Client; 1. Logoff event on the accessed server, when the TCP connection is closed]

PowerShell notes

- Get-WmiObject -Computer -Query
- EventCode, InsertionStrings

Timestamps in LDAP

- pwdLastSet
- lastLogon – non-replicated
- lastLogonTimestamp
- lockoutTime
- badPasswordTime – non-replicated
- accountExpires

Logon timestamps

[Diagram: Client and three DCs; each DC holds its own lastLogon: 11:38, 9:00 and none]

Logon timestamps (2003 DFL)

[Diagram: Client and three DCs; lastLogon per DC is still 11:38, 9:00 and none, while lastLogonTimestamp is 11:00 on all three DCs]

lastLogonTimestamp

- Requires 2003 domain functional level
- Updated only once per 14 - random(5) days
- DC=idtt,DC=local – msDS-LogonTimeSyncInterval:
  - 1+ – minimum without randomization
  - 5+ – randomization starts
  - 14 – the default
  - ...

Authentication failures

[Diagram: Client (pwd2), PDC (pwd2), DC (pwd2), DC (pwd1)]

Authentication failures

[Diagram: Client; DC badPasswordCount 3; DC badPasswordCount 2; PDC badPasswordCount 7, lockoutTime; DC badPasswordCount 2]

Searching in LDAP

(name=m*)
(&(name=m*)(c=cz))
(|(c=cz)(c=de))
(!c=cz)
(whenCreated>=20080323205258.0+1200)
(whenCreated>=20080323205258.0Z)
(pwdLastSet>=128962296000000000)
(userAccountControl:1.2.840.113556.1.4.803:=2)

PowerShell and DateTime

get-date
[DateTime]::Parse("2011-05-28")
(get-date).AddDays(-50)
# ticks since 1601-01-01, i.e. the FILETIME value LDAP stores in pwdLastSet and similar attributes
((get-date) - [DateTime]::Parse("1601-01-01")).Ticks
([DateTime]::Parse("2010-11-28") - [DateTime]::Parse("1601-01-01")).Ticks
((get-date).AddDays(-50) - [DateTime]::Parse("1601-01-01")).Ticks

Courses of the Gopas Computer School at www.gopas.cz

- GOC170 - AD Monitoring with SCOM and ACS
- GOC171 - Active Directory Troubleshooting
- GOC172 - Kerberos Troubleshooting
- GOC173 - Enterprise PKI
- GOC174 - SharePoint Architecture and Troubleshooting
- GOC175 - Advanced Security
- GOC169 - Auditing ISO/IEC 2700x

Get a TechEd 2014 T-shirt for a completed evaluation questionnaire.

Gopas Computer School – your IT school of life