
Windows Server 2003 Domain Controller Security

This template allows you to check locked and/or disabled users as well as events from the Windows security log that relate to Windows 2003 Domain Controller security.

Prerequisites:

  • WinRM must be installed and properly configured on the target server.
  • WMI access to the target server.
  • Auditing on the domain controller (success and failure) must be enabled for the following items: Account Management, Logon Events, Policy Changes and System Events. To learn how to enable auditing, refer to this article: http://support.microsoft.com/kb/814595.

Credentials: Administrator on target server.

Configuring Windows Remote Management (WinRM)

Take the following steps to properly configure Windows Remote Management:

  1. If not already done so, install PowerShell 2.0 and WinRM on the SAM and target servers. PowerShell 2.0 can be found here: http://support.microsoft.com/kb/968930.
  2. On the SAM server, open a command prompt as an Administrator. To do this, go to the Start menu, right-click cmd.exe and then select Run as Administrator.
  3. Enter the following in the command prompt:
    winrm quickconfig
    winrm set winrm/config/client @{TrustedHosts="*"}
  4. On the target server, open a command prompt as an Administrator and enter the following, where IP_ADDRESS is the IP address of your SAM server:
    winrm quickconfig
    winrm set winrm/config/client @{TrustedHosts="IP_ADDRESS"}

Monitored Components:

Note: All monitors, except Locked out users and Disabled users, should return zero values. Returned values other than zero may indicate an abnormality. If you believe an abnormality exists, you should examine the Windows security log for details.

Locked out users

This monitor returns the number of currently locked out users. Set the threshold value according to your requirements.

Disabled users

This monitor returns the number of currently disabled users. Set the threshold value according to your requirements.

User Account: Creating a user account

This monitor returns the number of events generated from creating new user accounts.

Event ID: 624.

Only authorized people and processes should create network accounts. Examine the Primary User Name field to detect whether an authorized person or process created an account. This event also detects if administrators create accounts outside organizational policy guidelines.

User Account: Deleting a user account

This monitor returns the number of events generated from deleting user accounts.

Event ID: 630.

Only authorized people and processes should delete network accounts. Search for these events and examine the Primary Account Name field to detect if unauthorized people have deleted accounts.

User Account: Changing a user account

This monitor returns the number of events generated from changes that were made to security-related properties of user accounts.

Event ID: 642.

User Account: Change password attempt

This monitor returns the number of account password change attempts.

Event ID: 627.

This event results from a password change request in which the user supplies the original password to the account. Compare Primary Account Name to Target Account Name to determine whether the account owner or someone else attempted to change the password. If Primary Account Name does not equal Target Account Name, someone other than the account owner tried to change the password.

User Account: Password set or reset

This monitor returns the number of times a user or process resets an account password through an administrative interface, such as Active Directory Users and Computers, rather than through a password change process.

Event ID: 628.

Only authorized people or processes, such as help desk staff or a user self-service password reset system, should perform this operation.

Logon Failure: Unknown user name or password

This monitor returns the number of failed login attempts with an incorrect username and/or password.

Event ID: 529.

Check for attempts where Target Account Name equals Administrator or the renamed default administrator account. Check multiple logon failures that are below the account lockout threshold.

Logon Failure: Disabled account

This monitor returns the number of failed login attempts using a disabled account.

Event ID: 531.

Always investigate this event. Check the Target Account Name and Workstation Name values. This event can signal attempted abuse by former internal users.

Logon Failure: Expired account

This monitor returns the number of failed login attempts using an expired account.

Event ID: 532.

Always investigate this event. This event can signal attempted abuse by contractors or temporary internal users.

Logon Failure: Logon type not allowed

This monitor returns the number of failed attempts to log on interactively with service account credentials when Group Policy settings prevent that account from interactive logon.

Event ID: 534.

Logon Failure: Account locked out

This monitor returns the number of failed login attempts using an account that has been locked out.

Event ID: 539.

Correlate with Event 529 to detect a pattern of continued lockouts.

Logon Failure: User account automatically locked

This monitor returns the number of accounts that have been automatically locked out.

Event ID: 644.

A user account has been locked out because the number of sequential failed logon attempts is greater than the account lockout limit.

Logon Failure: Time restrictions

This monitor returns the number of attempts to log on outside the permitted times.

Event ID: 530.

Check User Account Name and Workstation Name.

Logon Failure: Replay attack detected

This monitor returns the number of times the authentication package detected an attempt to log on by replaying a user's credentials.

Event ID: 553.

Investigate immediately. Alternatively, this could be a sign of improper network configuration.

System: Change directory services restore mode password

This monitor returns the number of attempts to change the Directory Services Restore Mode password on a domain controller.

Event ID: 698.

Check Workstation IP and Account Name and investigate immediately.

System: Windows is shutting down

This monitor returns the number of times Windows begins shutting down.

Event ID: 513.

Usually appears before Event 512. On high-value computers, authorized personnel should restart computers in accordance with established policies. Investigate immediately when this event occurs on any server.

System: Clearing the security event logs

This monitor returns the number of times security logs have been cleared.

Event ID: 517.

Administrators should not clear security event logs without authorization. Check Client User Name and Client Domain, then cross-correlate with authorized personnel.

System: Changing system time

This monitor returns the number of times the system time has been changed.

Event ID: 520.

This action can mislead a forensic investigation or provide an attacker with a false alibi. The process name is %windir%\system32\svchost.exe. Check Client User Name and Client Domain, then cross-correlate with authorized personnel.

System: Changing audit policy

This monitor returns the number of times audit policies have been changed.

Event ID: 612.

This event does not necessarily indicate a problem. However, an attacker can change audit policy as part of a computer system attack. You should monitor for this event on high-value computers and domain controllers.

System: Changing the domain security policy

This monitor returns the number of attempts to modify a password policy or other domain security policy settings.

Event ID: 643.

Check the subject's user name and correlate it with authorized changes.
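Putting the per-event checks above together (624 creator authorization, 627 Primary versus Target Account Name, 529 against Administrator, 539 correlated with 529, and 517 log clearing), the following Python is an added example that runs those checks over constructed sample records; it is not part of the template, and the record field names, the authorized-creator list and the sample events are assumptions.

```python
from collections import Counter

# Monitors the template expects to read zero; "locked out users" and
# "disabled users" are threshold counts instead, so they are not listed.
SHOULD_BE_ZERO = {624, 630, 642, 627, 628, 529, 531, 532, 534, 539, 644,
                  530, 553, 698, 513, 517, 520, 612, 643}
ADMIN_NAMES = {"Administrator"}            # add the renamed default admin here
AUTHORIZED_CREATORS = {"svc-provisioning"}  # assumed authorized provisioning process

# Constructed sample records; field names mirror the fields the page says to examine.
SAMPLE_EVENTS = [
    {"id": 624, "primary": "svc-provisioning", "target": "jdoe", "workstation": "DC01"},
    {"id": 624, "primary": "msmith", "target": "tmp-user", "workstation": "WS-33"},
    {"id": 627, "primary": "jdoe", "target": "jdoe", "workstation": "WS-12"},
    {"id": 627, "primary": "msmith", "target": "jdoe", "workstation": "WS-33"},
    {"id": 529, "primary": "-", "target": "Administrator", "workstation": "WS-77"},
    {"id": 529, "primary": "-", "target": "Administrator", "workstation": "WS-77"},
    {"id": 539, "primary": "-", "target": "Administrator", "workstation": "WS-77"},
    {"id": 517, "primary": "backupadmin", "target": "-", "workstation": "DC01"},
]

def count_by_id(events):
    """Per-event-ID counts, i.e. what each template monitor would return."""
    return Counter(e["id"] for e in events)

def nonzero_monitors(events):
    """Event IDs whose monitor is non-zero although the template expects zero."""
    return sorted(eid for eid, n in count_by_id(events).items()
                  if eid in SHOULD_BE_ZERO and n > 0)

def review(events, admin_names=ADMIN_NAMES, creators=AUTHORIZED_CREATORS):
    """Apply the per-event checks the page describes; returns (event id, finding) pairs."""
    findings = []
    # (target, workstation) pairs that produced 529 failures, for the 539 correlation.
    failed_from = {(e["target"], e["workstation"]) for e in events if e["id"] == 529}
    for e in events:
        eid, who, tgt, ws = e["id"], e["primary"], e["target"], e["workstation"]
        if eid == 624 and who not in creators:
            findings.append((624, f"{tgt} created by unauthorized {who}"))
        elif eid == 627 and who != tgt:
            findings.append((627, f"{who} attempted password change for {tgt}"))
        elif eid == 529 and tgt in admin_names:
            findings.append((529, f"failed logon as {tgt} from {ws}"))
        elif eid == 539 and (tgt, ws) in failed_from:
            findings.append((539, f"{tgt} locked out, still attempted from {ws}"))
        elif eid == 517:
            findings.append((517, f"security log cleared by {who}"))
    return findings

if __name__ == "__main__":
    for eid, msg in review(SAMPLE_EVENTS):
        print(eid, msg)
```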