This post describes a method of account management event log auditing to extract relevant events from a domain for auditing and analysis. It's a simple batch file running on a server to export daily logs and collate them based on month.
Note that this is not a replacement for - or even an attempt at - a security event log management tool, it's really just a quick method of gathering events occurring in a Windows Active Directory domain.
Installation and use
- Create ADExportEvents.bat using the batch commands below
- Create AccountManagementEvents.txt as below or modify to suit your needs
- Create directories to store the batch file, dumpel, and the daily and monthly logs. Get dumpel.exe from the Windows Resource Kit if you don't already have it
- Test that the batch file works from the command prompt.
- Create a scheduled task on the DC you are running this on to run the batch file every day
This should allow:
- Administrators to interrogate the logs, giving a holistic view of changes made throughout the domain without having to look at each DC
- Easy tracking of one-off problems (e.g. somebody accidentally deletes a user, group or group membership, with or without realising it)
- Inter-related events to show up in a single log file (e.g. a user being created, their account being automatically locked, and then the password change that fixes the problem)
- Log files to be separated by group, simplifying the search for a particular event (e.g. when a group was deleted)
How it works:
- Dynamically queries the directory for a list of DCs to operate against
- Works from a simple batch file that calls a Microsoft Resource Kit utility to export the events
- Uses an input file describing the events to be collected in CSV format, enabling new events to be added to an existing group and new groups to be added simply by editing the control file.
Assumptions:
- Account Management Auditing is turned on for the domain
- Each DC has a large enough security log to store n hours of security events, where n is the interval between scheduled task runs
To provide logs collated by month, the following command is executed as part of the batch file. Because the source is a wildcard (all daily files for the group and month, named yyyymmdd) and the destination is a single file, copy concatenates the daily files into one monthly file. Adjust %MonthlyLogDir% to whatever directory you choose.
For /f %%p in (%UniqueGroups%) do for /f "tokens=3,4 delims=/ " %%i in ('echo %date%') do if exist %LogDir%\AcctMgmt_%%p_%%j%%i??.txt copy %LogDir%\AcctMgmt_%%p_%%j%%i??.txt %MonthlyLogDir%\AcctMgmt_%%p_%%j%%i.txt /y 1>nul
Security
The batch file runs from one DC in the domain, querying all other DCs. This was achieved by modifying the Domain Controllers Group Policy to grant the 'Domain Controllers' security group the 'Manage Auditing and Security Log' right, allowing any DC to read the security log of any other DC.
Advantages of this approach:
- Caters dynamically for the scenario when the DC performing the query changes, without having to modify scripts
- Caters dynamically for new DCs: when one is added, the DC running the script already has access to it
- There is no need to create/maintain a new security group
Disadvantages:
- Potential security risk - anyone with unauthorised access to a domain controller's computer context can make changes to security logs and configure object access auditing on DCs. This is mitigated somewhat by the fact that if someone can run something in the context of a DC computer account, then by default they have the rights to make any change in the domain anyway...
Possible Improvements
- Have each Domain Controller export its local events and pass the information to a central server. If a large number of remote DCs across slow links were used (for example, more than 50 or 100), the current process would be unmanageable.
This is the CSV file used to define the group, the event ID and a description of the event, used by the batch file to determine which events to dump:
AccountManagementEvents.txt
--
Computer,645,A computer account was created.
Computer,647,A computer account was deleted.
Policy,643,A domain policy was modified.
Account,624,A user account was created.
Account,630,A user account was deleted.
Account,685,Name of an account was changed.
Account,684,Set the security descriptor of members of administrative groups, Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged.
AccountPwd,627,A user password was changed.
AccountPwd,628,A user password was set.
AccountPwd,644,A user account was auto locked.
Group,631,A global group was created.
Group,634,A global group was deleted.
Group,635,A new local group was created.
Group,668,A group type was changed.
Group,639,A local group account was changed.
Group,638,A local group was deleted.
Group,649,A local security group with security disabled was changed.
Group,648,A local security group with security disabled was created, SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks.
GroupMembership,632,A member was added to a global group.
GroupMembership,636,A member was added to a local group.
GroupMembership,633,A member was removed from a global group.
GroupMembership,637,A member was removed from a local group.
SecDisGroupMem,656,A member was removed from a security-disabled global group.
SecDisGroupMem,651,A member was removed from a security-disabled local security group.
SecDisGroupMem,666,A member was removed from a security-disabled universal group.
SecDisGroupMem,661,A member was removed from a security-enabled universal group.
SecDisGroupMem,655,A member was added to a security-disabled global group.
SecDisGroupMem,650,A member was added to a security-disabled local security group.
SecDisGroupMem,665,A member was added to a security-disabled universal group.
SecDisGroupMem,660,A member was added to a security-enabled universal group.
SecDisGroup,654,A security-disabled global group was changed.
SecDisGroup,653,A security-disabled global group was created.
SecDisGroup,657,A security-disabled global group was deleted.
SecDisGroup,652,A security-disabled local group was deleted.
SecDisUniGroup,664,A security-disabled universal group was changed.
SecDisUniGroup,663,A security-disabled universal group was created.
SecDisUniGroup,667,A security-disabled universal group was deleted.
SecDisUniGroup,659,A security-enabled universal group was changed.
SecDisUniGroup,658,A security-enabled universal group was created.
SecDisUniGroup,662,A security-enabled universal group was deleted.
--
ADExportEvents.bat
--
@echo off
:: Build LOGDATE as yyyymmdd. This parse assumes 'date /t' prints a day name followed by a dd/mm/yyyy date (the author's locale)
for /f "tokens=1,2" %%i in ('date /t') do @for /f "tokens=1,2,3 delims=/" %%m in ('echo %%j') do @set LOGDATE=%%o%%n%%m
Set Log=%temp%\%~n0_%logdate%.log
Set LogDir=c:\Logs\Daily
Set MonthlyLogDir=c:\Logs\Monthly
Set Events=AccountManagementEvents.txt
Set UniqueGroups=%Temp%\AccManUnique.txt
Set DCList=%Temp%\DCList.txt
Set NoOfDays=1
:Start
Echo Started %Date% %Time%
Echo Started %Date% %Time% > %log%
If Not Exist %Events% (
Echo Error: %Events% could not be found
Echo Error: %Events% could not be found >> %log%
Goto End
)
If Exist %UniqueGroups% Del %UniqueGroups%
If Exist %DCList% Del %DCList%
:: Find the domain controllers for the local domain
dsquery.exe server -o rdn > %DCList%
:: Find the unique groups from the events we are going to process
:: findstr /x matches whole lines only, so a group whose name is a prefix of another (SecDisGroup vs SecDisGroupMem) is still added
for /f "tokens=1-3 delims=," %%i in (%Events%) do @findstr /i /x /c:"%%i" %UniqueGroups% 1>nul 2>nul & If errorlevel 1 >>%UniqueGroups% echo %%i
:: For each group of events, call the sub
For /f %%i in (%UniqueGroups%) do Call :ProcessEventGroup %%i
Echo Collating monthly logs
For /f %%p in (%UniqueGroups%) do for /f "tokens=3,4 delims=/ " %%i in ('echo %date%') do if exist %LogDir%\AcctMgmt_%%p_%%j%%i??.txt copy %LogDir%\AcctMgmt_%%p_%%j%%i??.txt %MonthlyLogDir%\AcctMgmt_%%p_%%j%%i.txt /y 1>nul
Echo Finished %Date% %Time%
Echo Finished %Date% %Time% >> %log%
Goto End
:ProcessEventGroup
Set EventList=
:: For each event in the event file, add the ID if it belongs to this group (calling a sub because for /f doesn't work with repeated inline references to variables)
For /f "tokens=1-3 delims=," %%m in (%Events%) do if /i _%1==_%%m Call :AddEvent %%n
Set OutputFile=%logdir%\AcctMgmt_%1_%LogDate%.txt
Echo Dumping %1 events IDs: %EventList% to %OutputFile%
:: For each DC in the domain, dump the events
For /f %%p in (%DCList%) do Echo Processing %%p & dumpel.exe -d %NoOfDays% -e %EventList% -l Security -m Security -s %%p -c >> %OutputFile%
Goto End
:AddEvent
:: Concatenate the latest ID
Set EventList=%EventList% %1
Goto End
:End
--
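The batch file's three moving parts, as an added example that is not the post's own code: a portable Python re-implementation of the control-file parsing (group names are compared as whole names, so a group whose name is a prefix of another, such as SecDisGroup and SecDisGroupMem in the file above, is still picked up), the per-group, per-DC dumpel.exe command lines the :ProcessEventGroup loop would issue, and the month-by-month collation of the daily files described earlier. The control-file excerpt, DC names, dates and daily log contents are constructed sample data; dumpel.exe itself is not run, so the block executes offline on any platform.

```python
"""Portable re-implementation of the control-file, command-building and
monthly collation logic of ADExportEvents.bat. Added example, not the
post's own code. All input data below is constructed; dumpel.exe is never
executed, only the command lines it would be given are built."""
import os
import tempfile
from collections import OrderedDict

# Constructed excerpt of AccountManagementEvents.txt (group,id,description).
# It deliberately contains a group name that is a prefix of another
# ("SecDisGroup" vs "SecDisGroupMem") to show why exact matching matters.
CONTROL_FILE = """\
Account,624,A user account was created.
Account,630,A user account was deleted.
Group,631,A global group was created.
GroupMembership,632,A member was added to a global group.
SecDisGroupMem,656,A member was removed from a security-disabled global group.
SecDisGroup,654,A security-disabled global group was changed.
"""


def parse_control_file(text):
    """Return an ordered mapping group -> list of event IDs (ints).

    Groups keep their first-seen order, like the batch file's unique-group
    list, but are compared as whole names, so 'SecDisGroup' is not swallowed
    by the earlier 'SecDisGroupMem' entry."""
    groups = OrderedDict()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Only the first two fields matter; the description may contain commas.
        group, event_id = line.split(",", 2)[:2]
        groups.setdefault(group.strip(), []).append(int(event_id))
    return groups


def dumpel_commands(groups, dcs, days=1, log_dir=r"c:\Logs\Daily", logdate="20080410"):
    """Build one dumpel.exe command line per (group, DC), mirroring the
    batch file's :ProcessEventGroup loop. dumpel's -e switch accepts at most
    ten event IDs, so a larger group is rejected instead of silently truncated."""
    commands = []
    for group, ids in groups.items():
        if len(ids) > 10:
            raise ValueError(f"group {group} has {len(ids)} IDs; dumpel -e takes at most 10")
        out = rf"{log_dir}\AcctMgmt_{group}_{logdate}.txt"
        for dc in dcs:
            commands.append(
                f"dumpel.exe -d {days} -e {' '.join(map(str, ids))} "
                f"-l Security -m Security -s {dc} -c >> {out}")
    return commands


def collate_month(daily_dir, monthly_dir, group, yyyymm):
    """Concatenate every AcctMgmt_<group>_<yyyymm>??.txt daily file into
    AcctMgmt_<group>_<yyyymm>.txt, the same effect as the batch file's
    wildcard 'copy' into a single destination. Returns the number of daily
    files merged (0 if none, in which case nothing is written)."""
    prefix = f"AcctMgmt_{group}_{yyyymm}"
    daily = sorted(
        f for f in os.listdir(daily_dir)
        if f.startswith(prefix) and f.endswith(".txt") and len(f) == len(prefix) + 6)
    if not daily:
        return 0
    os.makedirs(monthly_dir, exist_ok=True)
    with open(os.path.join(monthly_dir, prefix + ".txt"), "w", encoding="utf-8") as out:
        for name in daily:
            with open(os.path.join(daily_dir, name), encoding="utf-8") as f:
                out.write(f.read())
    return len(daily)


def demo():
    """Exercise the three pieces on the constructed data in a temp directory."""
    groups = parse_control_file(CONTROL_FILE)
    dcs = ["DC1", "DC2"]  # constructed stand-in for 'dsquery server -o rdn'
    cmds = dumpel_commands(groups, dcs)
    root = tempfile.mkdtemp()
    daily, monthly = os.path.join(root, "Daily"), os.path.join(root, "Monthly")
    os.makedirs(daily)
    # Two constructed daily exports for April 2008 and one for May.
    for name, body in [("AcctMgmt_Account_20080409.txt", "624,DC1\n"),
                       ("AcctMgmt_Account_20080410.txt", "630,DC2\n"),
                       ("AcctMgmt_Account_20080501.txt", "624,DC1\n")]:
        with open(os.path.join(daily, name), "w", encoding="utf-8") as f:
            f.write(body)
    merged = collate_month(daily, monthly, "Account", "200804")
    with open(os.path.join(monthly, "AcctMgmt_Account_200804.txt"), encoding="utf-8") as f:
        content = f.read()
    return list(groups), len(cmds), merged, content


if __name__ == "__main__":
    print(demo())
```

Running the block prints the five group names in file order (all five, including SecDisGroup), the ten command lines that would be issued for two DCs, the count of April daily files merged (two) and the merged April file; the May file is left alone because its name does not carry the 200804 prefix.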
References:
Information on the 'Manage Auditing and Security Log' Right:
http://technet2.microsoft.com/WindowsServer/en/Library/4e1fa44d-d283-4709-a8ef-460b3611f4031033.mspx?mfr=true
http://www.microsoft.com/technet/security/prodtech/windows2000/w2kccscg/w2kscgcb.mspx
http://www.microsoft.com/technet/prodtechnol/winxppro/reskit/z02b621675.mspx
Wayne's World of IT (WWoIT), Copyright 2008 Wayne Martin.