Merge pull request #32 from JanKeller1/secaudit

Various fixes for format, typos, tables
This commit is contained in:
Brian Lich 2016-06-01 16:27:37 -07:00
commit e8e546db63
6 changed files with 66 additions and 50 deletions

View File

@ -274,32 +274,16 @@ For 4625(F): An account failed to log on.
- Monitor for all events with the fields and values in the following table:
| **Field** | Value to monitor for |
|-------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000005E “There are currently no logon servers available to service the logon request.”
This is typically not a security issue but it can be an infrastructure or availability issue. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000064 “User logon with misspelled or bad user account”.
Especially if you get a number of these in a row, it can be a sign of user enumeration attack. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC000006A “User logon with misspelled or bad password” for critical accounts or service accounts.
Especially watch for a number of such events in a row. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000006D “This is either due to a bad username or authentication information” for critical accounts or service accounts.
Especially watch for a number of such events in a row. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC000006F “User logon outside authorized hours”. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000070 “User logon from unauthorized workstation”. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000072 “User logon to account disabled by administrator”. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000015B “The user has not been granted the requested logon type (aka logon right) at this machine”. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000192 “An attempt was made to logon, but the Netlogon service was not started”.
This is typically not a security issue but it can be an infrastructure or availability issue. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000193 “User logon with expired account”. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000413 “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. |
|----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000005E “There are currently no logon servers available to service the logon request.” <br>This is typically not a security issue but it can be an infrastructure or availability issue. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000064 “User logon with misspelled or bad user account”. <br>Especially if you get a number of these in a row, it can be a sign of user enumeration attack. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC000006A “User logon with misspelled or bad password” for critical accounts or service accounts. <br>Especially watch for a number of such events in a row. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000006D “This is either due to a bad username or authentication information” for critical accounts or service accounts. <br>Especially watch for a number of such events in a row. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC000006F “User logon outside authorized hours”. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000070 “User logon from unauthorized workstation”. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000072 “User logon to account disabled by administrator”. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000015B “The user has not been granted the requested logon type (aka logon right) at this machine”. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC0000192 “An attempt was made to logon, but the Netlogon service was not started”. <br>This is typically not a security issue but it can be an infrastructure or availability issue. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000193 “User logon with expired account”. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC0000413 “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. |
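Review bot: hex prefix casing is inconsistent across the retyped rows: `0XC000005E`, `0XC000006D`, `0XC000015B`, `0XC0000192` and `0XC0000413` use an upper-case X, while `0xC0000064`, `0xC000006A`, `0xC000006F`, `0xC0000070`, `0xC0000072` and `0xC0000193` use lower-case. Since this PR is a formatting pass and every row was rewritten anyway, normalize all of them to `0x` so the values match the form in which Status and Sub Status appear in the event and can be matched consistently by log searches. The new separator row is also far wider than the header row `|-----|-----|` it sits under; harmless for rendering, but worth aligning while the table is being touched.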

View File

@ -285,11 +285,11 @@ The most common values:
**Certificate Information:**
> **Certificate Issuer Name** \[Type = UnicodeString\]**:** the name of the Certification Authority that issued the smart card certificate. Populated in **Issued by** field in certificate.
>
> **Certificate Serial Number** \[Type = UnicodeString\]**:** smart card certificates serial number. Can be found in **Serial number** field in the certificate.
>
> **Certificate Thumbprint** \[Type = UnicodeString\]**:** smart card certificates thumbprint. Can be found in **Thumbprint** field in the certificate.
- **Certificate Issuer Name** \[Type = UnicodeString\]**:** the name of the Certification Authority that issued the smart card certificate. Populated in **Issued by** field in certificate.
- **Certificate Serial Number** \[Type = UnicodeString\]**:** smart card certificates serial number. Can be found in **Serial number** field in the certificate.
- **Certificate Thumbprint** \[Type = UnicodeString\]**:** smart card certificates thumbprint. Can be found in **Thumbprint** field in the certificate.
## Security Monitoring Recommendations
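Review bot: the three items moved from a `>` blockquote to a `-` list still carry the possessive typo "smart card certificates serial number" / "smart card certificates thumbprint" (should be "smart card certificate's"), and "Populated in **Issued by** field in certificate" is missing its articles ("in the **Issued by** field of the certificate"). Since the PR is a typo pass, fix these in the rewritten lines rather than leaving them for a second pass.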

View File

@ -35,8 +35,37 @@ You will typically see many Failure events with **Failure Code** “**0x20**”,
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">- <System> <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> <EventID>4769</EventID> <Version>0</Version> <Level>0</Level> <Task>14337</Task> <Opcode>0</Opcode> <Keywords>0x8020000000000000</Keywords> <TimeCreated SystemTime="2015-08-07T18:13:46.043256100Z" /> <EventRecordID>166746</EventRecordID> <Correlation /> <Execution ProcessID="520" ThreadID="1496" /> <Channel>Security</Channel> <Computer>DC01.contoso.local</Computer> <Security /> </System>- <EventData> <Data Name="TargetUserName">dadmin@CONTOSO.LOCAL</Data> <Data Name="TargetDomainName">CONTOSO.LOCAL</Data> <Data Name="ServiceName">WIN2008R2$</Data> <Data Name="ServiceSid">S-1-5-21-3457937927-2839227994-823803824-2102</Data> <Data Name="TicketOptions">0x40810000</Data> <Data Name="TicketEncryptionType">0x12</Data> <Data Name="IpAddress">::ffff:10.0.0.12</Data> <Data Name="IpPort">49272</Data> <Data Name="Status">0x0</Data> <Data Name="LogonGuid">{F85C455E-C66E-205C-6B39-F6C60A7FE453}</Data> <Data Name="TransmittedServices">-</Data> </EventData> </Event>
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4769</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14337</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-07T18:13:46.043256100Z" />
<EventRecordID>166746</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1496" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">dadmin@CONTOSO.LOCAL</Data>
<Data Name="TargetDomainName">CONTOSO.LOCAL</Data>
<Data Name="ServiceName">WIN2008R2$</Data>
<Data Name="ServiceSid">S-1-5-21-3457937927-2839227994-823803824-2102</Data>
<Data Name="TicketOptions">0x40810000</Data>
<Data Name="TicketEncryptionType">0x12</Data>
<Data Name="IpAddress">::ffff:10.0.0.12</Data>
<Data Name="IpPort">49272</Data>
<Data Name="Status">0x0</Data>
<Data Name="LogonGuid">{F85C455E-C66E-205C-6B39-F6C60A7FE453}</Data>
<Data Name="TransmittedServices">-</Data>
</EventData>
</Event>
```
***Required Server Roles:*** Active Directory domain controller.
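Review bot: the leading `- ` on `- <Event xmlns=...>`, `- <System>` and `- <EventData>` are Event Viewer tree-collapse markers that were copied along with the XML; they are not part of the event. Now that the block is split one element per line, drop those three prefixes so the sample is well-formed XML that a reader can paste straight into a parser or a test fixture. Also consider tagging the fence as ```xml for syntax highlighting.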

View File

@ -188,11 +188,11 @@ The most common values:
**Certificate Information:**
> **Certificate Issuer Name** \[Type = UnicodeString\]**:** the name of Certification Authority which issued smart card certificate. Populated in **Issued by** field in certificate. Always empty for [4771](event-4771.md) events.
>
> **Certificate Serial Number** \[Type = UnicodeString\]**:** smart card certificates serial number. Can be found in **Serial number** field in the certificate. Always empty for [4771](event-4771.md) events.
>
> **Certificate Thumbprint** \[Type = UnicodeString\]**:** smart card certificates thumbprint. Can be found in **Thumbprint** field in the certificate. Always empty for [4771](event-4771.md) events.
- **Certificate Issuer Name** \[Type = UnicodeString\]**:** the name of Certification Authority which issued smart card certificate. Populated in **Issued by** field in certificate. Always empty for [4771](event-4771.md) events.
- **Certificate Serial Number** \[Type = UnicodeString\]**:** smart card certificates serial number. Can be found in **Serial number** field in the certificate. Always empty for [4771](event-4771.md) events.
- **Certificate Thumbprint** \[Type = UnicodeString\]**:** smart card certificates thumbprint. Can be found in **Thumbprint** field in the certificate. Always empty for [4771](event-4771.md) events.
## Security Monitoring Recommendations
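Review bot: the wording of the moved items differs from the otherwise identical block in the 4768 topic earlier in this PR: here it reads "the name of Certification Authority which issued smart card certificate" (missing articles), there "the name of the Certification Authority that issued the smart card certificate". Align this file to the latter wording, and fix the same "smart card certificates serial number" / "thumbprint" possessive here as well.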

View File

@ -130,11 +130,12 @@ This event generates when Dynamic Access Control Proposed [Central Access Policy
**Current Central Access Policy results:**
- **Access Reasons** \[Type = UnicodeString\]: the list of access check results for Current Access Policy. The format of the result is:
- **Access Reasons** \[Type = UnicodeString\]: the list of access check results for Current Access Policy. The format of the result is:<br><br>
REQUESTED\_ACCESS: RESULT ACE\_WHICH\_PROVEDED\_OR\_DENIED\_ACCESS.
> REQUSTED\_ACCESS: RESULT ACE\_WHICH\_PROVEDED\_OR\_DENIED\_ACCESS.
The possible REQUESTED\_ACCESS values are listed in the table below.
- REQUSTED\_ACCESS the name of requested access. See the possible REQUSTED\_ACCESS values in the table below:
## Table of file access codes
| Access | Hexadecimal Value | Description |
|-------------------------------------------------------|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
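Review bot: the typo "PROVEDED" survives in the rewritten format line `REQUESTED\_ACCESS: RESULT ACE\_WHICH\_PROVEDED\_OR\_DENIED\_ACCESS.`; since this change already corrects "REQUSTED" to "REQUESTED" on the same line, change "PROVEDED" to "PROVIDED" too (the 5145 topic in this PR uses "ACE\_WHICH\_ALLOWED\_OR\_DENIED\_ACCESS" for the equivalent placeholder, so decide on one name and use it in both topics).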
@ -176,11 +177,11 @@ This event generates when Dynamic Access Control Proposed [Central Access Policy
**Proposed Central Access Policy results that differ from the current Central Access Policy results:**
- **Access Reasons** \[Type = UnicodeString\]: the list of access check results for Proposed Central Access Policy. Here you will see only ***denied*** requests. The format of the result is:
- **Access Reasons** \[Type = UnicodeString\]: the list of access check results for Proposed Central Access Policy. Here you will see only ***denied*** requests. The format of the result is:<br><br>
> REQUSTED\_ACCESS: NOT Granted by RULE\_NAME Rule.
REQUESTED\_ACCESS: NOT Granted by RULE\_NAME Rule.
- REQUSTED\_ACCESS the name of requested access. See the possible REQUSTED\_ACCESS values in the table below:
The possible REQUESTED\_ACCESS values are listed in the table below:
| Access | Hexadecimal Value | Description |
|-------------------------------------------------------|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
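Review bot: the new line "The possible REQUESTED\_ACCESS values are listed in the table below:" introduces a second copy of the access-code table with the same header row as the one under the "## Table of file access codes" heading in the previous hunk, but this second table has no heading of its own. If the two tables are identical, replace this one with a link to the first, as the 5145 change later in this PR does with `[Table of file access codes](#table-of-file-access-codes)`; if they differ, give this one a heading so the two can be told apart.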

View File

@ -137,6 +137,8 @@ This event generates every time network share object (file or folder) was access
- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**.
## Table of file access codes
| <span id="File_access_codes" class="anchor"></span>Access | Hexadecimal Value | Description |
|-----------------------------------------------------------|-------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| ReadData (or ListDirectory) | 0x1 | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.<br>**ListDirectory -** For a directory, the right to list the contents of the directory. |
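Review bot: the header cell still carries the old `<span id="File_access_codes" class="anchor"></span>` anchor while the newly added "## Table of file access codes" heading produces its own `#table-of-file-access-codes` anchor, which the later hunk in this file now links to. Two anchors for one table is confusing; drop the span unless other topics still link to `#File_access_codes`, in which case note that in the PR description.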
@ -157,11 +159,11 @@ This event generates every time network share object (file or folder) was access
> <span id="_Ref433878809" class="anchor"></span>Table 13. File access codes.
**Access Check Results** \[Type = UnicodeString\]: the list of access check results. The format of the result is:
**Access Check Results** \[Type = UnicodeString\]: the list of access check results. The format of the result is:<br><br>
REQUSTED\_ACCESS: RESULT ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS.
REQUESTED\_ACCESS: RESULT ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS.
- REQUSTED\_ACCESS the name of requested access (see “Table 13. File access codes.”).
- REQUESTED\_ACCESS the name of requested access. See [Table of file access codes](#table-of-file-access-codes), earlier in this topic.
- RESULT:
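Review bot: the rewritten format line keeps the stray space in `ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS` (should be `ACE\_WHICH\_ALLOWED\_OR\_DENIED\_ACCESS`); fix it while the line is being retyped. The new "See [Table of file access codes](#table-of-file-access-codes), earlier in this topic." is a good replacement for the "Table 13" reference, but the unchanged context line `> Table 13. File access codes.` above still carries that caption, so either keep both consistent or remove the numbered caption too.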