Microsoft Active Directory: Adding the Source and Authorizing Access via WMI

Introduction

This article describes the process of sending the system logs of your Active Directory server to the Logsign Unified SecOps Platform.

You can integrate your log server using either the syslog or the WMI protocol; in this document the process is carried out with the WMI protocol.

Recommendations for Audit Settings

You can review the Advanced Audit Policy Configuration to check the current audit settings.

The recommendations are for enterprise computers that have average security requirements and high functionality. Organizations with higher security requirements should consider and apply more aggressive audit policies.


Audit setting recommendations for Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008

Audit Policy Category and Subcategory             Windows Default   Baseline Recommendation   Stronger Recommendation
                                                  Success/Failure   Success/Failure           Success/Failure

Account Logon
  Audit Credential Validation                     No/No             Yes/Yes                   Yes/Yes
  Audit Kerberos Authentication Service                                                       Yes/Yes
  Audit Kerberos Service Ticket Operations                                                    Yes/Yes
  Audit Other Account Logon Events                                                            Yes/Yes

Account Management
  Audit Application Group Management                                Yes/Yes                   Yes/Yes
  Audit Computer Account Management                                 Yes/DC                    Yes/DC
  Audit Distribution Group Management                               Yes/Yes                   Yes/Yes
  Audit Other Account Management Events                             Yes/Yes                   Yes/Yes
  Audit Security Group Management                                   Yes/Yes                   Yes/Yes
  Audit User Account Management                   Yes/No            Yes/Yes                   Yes/Yes

Detailed Tracking
  Audit DPAPI Activity                                                                        Yes/Yes
  Audit Process Creation                                            Yes/No                    Yes/Yes
  Audit Process Termination                                         Yes/No                    Yes/Yes
  Audit RPC Events

DS Access
  Audit Detailed Directory Service Replication
  Audit Directory Service Access                                    DC/DC                     DC/DC
  Audit Directory Service Changes                                   DC/DC                     DC/DC
  Audit Directory Service Replication

Logon and Logoff
  Audit Account Lockout                           Yes/No                                      Yes/No
  Audit User/Device Claims
  Audit IPsec Extended Mode
  Audit IPsec Main Mode                                                                       If needed
  Audit IPsec Quick Mode
  Audit Logoff                                    Yes/No            Yes/No                    Yes/No
  Audit Logon                                     Yes/No            Yes/Yes                   Yes/Yes
  Audit Network Policy Server                     Yes/Yes
  Audit Other Logon/Logoff Events                                                             Yes/Yes
  Audit Special Logon                             Yes/No            Yes/No                    Yes/Yes

Object Access
  Audit Application Generated
  Audit Certification Services
  Audit Detailed File Share
  Audit File Share
  Audit File System
  Audit Filtering Platform Connection
  Audit Filtering Platform Packet Drop
  Audit Handle Manipulation
  Audit Kernel Object
  Audit Other Object Access Events
  Audit Registry
  Audit Removable Storage
  Audit SAM
  Audit Central Access Policy Staging

Policy Change
  Audit Audit Policy Change                       Yes/No            Yes/Yes                   Yes/Yes
  Audit Authentication Policy Change              Yes/No            Yes/No                    Yes/Yes
  Audit Authorization Policy Change
  Audit Filtering Platform Policy Change
  Audit MPSSVC Rule-Level Policy Change                                                       Yes/-
  Audit Other Policy Change Events

Privilege Use
  Audit Non Sensitive Privilege Use
  Audit Other Privilege Use Events
  Audit Sensitive Privilege Use

System
  Audit IPsec Driver                                                Yes/Yes                   Yes/Yes
  Audit Other System Events                       Yes/Yes
  Audit Security State Change                     Yes/No            Yes/Yes                   Yes/Yes
  Audit Security System Extension                                   Yes/Yes                   Yes/Yes
  Audit System Integrity                          Yes/Yes           Yes/Yes                   Yes/Yes

Global Object Access Auditing
  Audit IPsec Driver
  Audit Other System Events
  Audit Security State Change
  Audit Security System Extension
  Audit System Integrity


Windows PowerShell Auditing

Windows PowerShell can keep a detailed log of both script execution and interactive commands. If large PowerShell scripts are run frequently, this logging can generate an excessive volume of events and noise. We recommend validating this configuration in a test environment before deploying it organization-wide.


Group Policy                                    Recommended Value
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows PowerShell
  Turn on Module Logging                        Enabled (Module Names: *)
  Turn on PowerShell Script Block Logging       Enabled


Windows Command-Line Auditing

Group Policy                                    Recommended Value
Computer Configuration\Policies\Administrative Templates\System\Audit Process Creation
  Include command line in process creation events   Enabled

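As an added check (example code, not from the article or from Logsign), the following PowerShell compares a host's effective audit policy and the three Group Policy settings above with the recommended values; it assumes an English-language Windows installation, since auditpol prints localized subcategory names.

```powershell
# Added example, not part of the original article: compare this host's effective
# audit policy and logging settings with the recommendations in the tables above.
# Run from an elevated PowerShell prompt on the domain controller.

# Subset of the "Stronger Recommendation" column (Success/Failure) from the audit table.
$recommended = [ordered]@{
    'Credential Validation'           = 'Success and Failure'
    'Kerberos Authentication Service' = 'Success and Failure'
    'User Account Management'         = 'Success and Failure'
    'Process Creation'                = 'Success and Failure'
    'Logon'                           = 'Success and Failure'
    'Logoff'                          = 'Success'
    'Special Logon'                   = 'Success and Failure'
    'Audit Policy Change'             = 'Success and Failure'
    'Security State Change'           = 'Success and Failure'
}

# auditpol /r prints CSV; the "Inclusion Setting" column is one of
# "No Auditing", "Success", "Failure" or "Success and Failure".
$current = auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
foreach ($sub in $recommended.Keys) {
    $row    = $current | Where-Object { $_.Subcategory -eq $sub }
    $actual = if ($row) { $row.'Inclusion Setting' } else { 'not found' }
    $state  = if ($actual -eq $recommended[$sub]) { 'OK  ' } else { 'FIX ' }
    '{0} {1,-34} current: {2,-19} recommended: {3}' -f $state, $sub, $actual, $recommended[$sub]
}

# Group Policy values from the PowerShell and command-line tables, as stored in the registry.
$policies = @(
    @{ Name  = 'Turn on Module Logging'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
       Value = 'EnableModuleLogging' }
    @{ Name  = 'Turn on PowerShell Script Block Logging'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
       Value = 'EnableScriptBlockLogging' }
    @{ Name  = 'Include command line in process creation events'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
       Value = 'ProcessCreationIncludeCmdLine_Enabled' }
)
foreach ($p in $policies) {
    $data  = (Get-ItemProperty -Path $p.Path -Name $p.Value -ErrorAction SilentlyContinue).($p.Value)
    $state = if ($data -eq 1) { 'OK  ' } else { 'FIX ' }
    $shown = if ($null -eq $data) { 'not set' } else { $data }
    '{0} {1,-48} value: {2}' -f $state, $p.Name, $shown
}
```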

Authorization Operations for Domain Controller (ADS Server)

To connect to the log source with the WMI protocol and collect logs with WMI queries, we need to create a dedicated user.

Creating a User:

To create the user, we go to Active Directory Users and Computers and add a new user.

To prevent the created user's password from expiring and to avoid interruptions in log collection, we check the Password never expires checkbox. You can adjust this option to comply with your organization's security policies.

Group Memberships:

To enable the Logsign user to access the channels under Event Viewer, it must be a member of the following groups:

  • Distributed COM Users
  • Performance Log Monitor
  • Performance Log Users
  • Event Log Readers

The Logsign user should be made a member of each of the above groups.

WMIMGMT Configuration:

To allow the Logsign user to connect to the source over WMI, the required namespace permissions must be granted to the user through wmimgmt.msc.

DCOMCNFG Configuration:

To allow the Logsign user to connect to the source over WMI, the required DCOM permissions must be granted to the user through dcomcnfg.

Logsign Integration:

The following steps describe the process of adding a WMI-authorized source to Logsign.
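As an added example (not part of the article), this PowerShell function checks from another domain-joined Windows host that the collector account can read the Security log of the domain controller over WMI before the source is added in Logsign; the host name and account name are placeholders.

```powershell
# Added example, not from the article: verify WMI read access to the Security log.
# Run from a domain-joined host other than the DC; dc01.example.local and
# EXAMPLE\svc-logsign are placeholders for your domain controller and collector account.
function Test-WmiEventLogAccess {
    param(
        [string]$ComputerName = 'dc01.example.local',
        [pscredential]$Credential = (Get-Credential -UserName 'EXAMPLE\svc-logsign' -Message 'Collector account'),
        [int]$Newest = 5
    )
    # Get-WmiObject talks DCOM, the same transport a WMI collector uses. Get-CimInstance
    # would default to WinRM and therefore not exercise the dcomcnfg/wmimgmt permissions.
    $query = "SELECT EventCode, TimeGenerated, SourceName FROM Win32_NTLogEvent WHERE Logfile = 'Security'"
    try {
        $events = Get-WmiObject -Query $query -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop |
                  Select-Object -First $Newest
        return $events | Select-Object EventCode, TimeGenerated, SourceName
    } catch {
        # "Access denied" here points at DCOM permissions, the root\cimv2 namespace
        # permissions, or missing Event Log Readers membership on the DC.
        Write-Warning "WMI query against $ComputerName failed: $($_.Exception.Message)"
        return $null
    }
}

$result = Test-WmiEventLogAccess
if ($result) { $result | Format-Table -AutoSize } else { Write-Warning 'No events returned; fix permissions before adding the source.' }
```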

Automation Script (Performing Operations with a Script)

You can use a script to perform all of the authorization steps for the Windows Domain Controller source, for other servers joined to the domain, and for workgroup sources.

Performing Operations with a Script on the Domain Controller Server:

The script is executed with administrator privileges. You enter the username, password, and domain information for the user to be created, and the process is completed.

There are two scripts in the folder. The script whose name starts with "user create" creates a new user, while the other script performs the operations with an existing user.

The script file is attached.
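As an added example, not the attached script, the following PowerShell performs on the domain controller the user creation, group membership and WMI namespace steps described in the sections above; the account name svc-logsign is a placeholder, and the article's "Performance Log Monitor" group is assumed to be the built-in Performance Monitor Users group.

```powershell
# Added example, not the article's attached script: create the collector account,
# add it to the four groups, and grant it Enable Account + Remote Enable on root\cimv2
# so it can read event logs over WMI. Run elevated on the domain controller.
Import-Module ActiveDirectory

$sam    = 'svc-logsign'                                  # placeholder account name
$secret = Read-Host -Prompt "Password for $sam" -AsSecureString
New-ADUser -Name $sam -SamAccountName $sam -AccountPassword $secret -Enabled $true `
    -PasswordNeverExpires $true -Description 'Logsign WMI log collection (read-only)'

# Built-in groups from the "Group Memberships" section. The article's "Performance Log
# Monitor" is taken to mean the built-in "Performance Monitor Users" group (assumption).
foreach ($g in 'Distributed COM Users', 'Performance Monitor Users',
               'Performance Log Users', 'Event Log Readers') {
    Add-ADGroupMember -Identity $g -Members $sam
}

# WMI namespace security (what wmimgmt.msc edits): append an allow ACE for the account.
$sid   = (Get-ADUser -Identity $sam).SID
$bytes = New-Object byte[] $sid.BinaryLength
$sid.GetBinaryForm($bytes, 0)

$trustee     = ([wmiclass]'Win32_Trustee').CreateInstance()
$trustee.SID = $bytes
$ace            = ([wmiclass]'Win32_ACE').CreateInstance()
$ace.AccessMask = 0x1 -bor 0x20   # WBEM_ENABLE | WBEM_REMOTE_ACCESS: read-only, no method execute
$ace.AceFlags   = 0x2             # CONTAINER_INHERIT_ACE: sub-namespaces inherit the ACE
$ace.AceType    = 0               # ACCESS_ALLOWED_ACE_TYPE
$ace.Trustee    = $trustee

$wmi = @{ Namespace = 'root\cimv2'; Path = '__SystemSecurity=@' }
$sd  = (Invoke-WmiMethod @wmi -Name GetSecurityDescriptor).Descriptor
$sd.DACL += $ace.PSObject.ImmediateBaseObject
$rc = (Invoke-WmiMethod @wmi -Name SetSecurityDescriptor `
        -ArgumentList $sd.PSObject.ImmediateBaseObject).ReturnValue
if ($rc -ne 0) { throw "SetSecurityDescriptor on root\cimv2 failed with code $rc" }

# The DCOM permissions (dcomcnfg) remain the manual step described in the article.
```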
