Introduction
This article describes how to send the system logs of your Active Directory domain controller to the Logsign Unified SecOps Platform.
A Windows log source can be integrated over Syslog or WMI; this document covers the WMI method.
Recommendations for Audit Settings
Review the Advanced Audit Policy Configuration settings before starting collection: what is enabled there decides which events exist to be collected.
The recommendations below are for enterprise computers with average security requirements and high functionality. Organizations with higher security requirements should consider and apply more aggressive audit policies (the Stronger column), accepting the higher event volume that comes with them.
Audit setting recommendations for Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 and Windows Server 2008 (each cell is Success/Failure):

| Audit Policy Category and Subcategory | Windows Default | Baseline Recommendation | Stronger Recommendation |
|---|---|---|---|
| Account Logon | | | |
| Audit Credential Validation | No/No | Yes/Yes | Yes/Yes |
| Audit Kerberos Authentication Service | Yes/Yes | | |
| Audit Kerberos Service Ticket Operations | Yes/Yes | | |
| Audit Other Account Logon Events | Yes/Yes | | |
| Account Management | | | |
| Audit Application Group Management | Yes/Yes | Yes/Yes | |
| Audit Computer Account Management | Yes/DC | Yes/DC | |
| Audit Distribution Group Management | Yes/Yes | Yes/Yes | |
| Audit Other Account Management Events | Yes/Yes | Yes/Yes | |
| Audit Security Group Management | Yes/Yes | Yes/Yes | |
| Audit User Account Management | Yes/No | Yes/Yes | Yes/Yes |
| Detailed Tracking | | | |
| Audit DPAPI Activity | Yes/Yes | | |
| Audit Process Creation | Yes/No | Yes/Yes | |
| Audit Process Termination | Yes/No | Yes/Yes | |
| Audit RPC Events | | | |
| DS Access | | | |
| Audit Detailed Directory Service Replication | | | |
| Audit Directory Service Access | DC/DC | DC/DC | |
| Audit Directory Service Changes | DC/DC | DC/DC | |
| Audit Directory Service Replication | | | |
| Logon and Logoff | | | |
| Audit Account Lockout | Yes/No | Yes/No | |
| Audit User/Device Claims | | | |
| Audit IPsec Extended Mode | | | |
| Audit IPsec Main Mode | If needed | | |
| Audit IPsec Quick Mode | | | |
| Audit Logoff | Yes/No | Yes/No | Yes/No |
| Audit Logon | Yes/No | Yes/Yes | Yes/Yes |
| Audit Network Policy Server | Yes/Yes | | |
| Audit Other Logon/Logoff Events | Yes/Yes | | |
| Audit Special Logon | Yes/No | Yes/No | Yes/Yes |
| Object Access | | | |
| Audit Application Generated | | | |
| Audit Certification Services | | | |
| Audit Detailed File Share | | | |
| Audit File Share | | | |
| Audit File System | | | |
| Audit Filtering Platform Connection | | | |
| Audit Filtering Platform Packet Drop | | | |
| Audit Handle Manipulation | | | |
| Audit Kernel Object | | | |
| Audit Other Object Access Events | | | |
| Audit Registry | | | |
| Audit Removable Storage | | | |
| Audit SAM | | | |
| Audit Central Access Policy Staging | | | |
| Policy Change | | | |
| Audit Audit Policy Change | Yes/No | Yes/Yes | Yes/Yes |
| Audit Authentication Policy Change | Yes/No | Yes/No | Yes/Yes |
| Audit Authorization Policy Change | | | |
| Audit Filtering Platform Policy Change | | | |
| Audit MPSSVC Rule-Level Policy Change | Yes/- | | |
| Audit Other Policy Change Events | | | |
| Privilege Use | | | |
| Audit Non-Sensitive Privilege Use | | | |
| Audit Other Privilege Use Events | | | |
| Audit Sensitive Privilege Use | | | |
| System | | | |
| Audit IPsec Driver | Yes/Yes | Yes/Yes | |
| Audit Other System Events | Yes/Yes | | |
| Audit Security State Change | Yes/No | Yes/Yes | Yes/Yes |
| Audit Security System Extension | Yes/Yes | Yes/Yes | |
| Audit System Integrity | Yes/Yes | Yes/Yes | Yes/Yes |
| Global Object Access Auditing | | | |
| File System | | | |
| Registry | | | |

"DC" means the setting is recommended on domain controllers only. Blank cells are subcategories for which no value is recommended here.
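The table above is normally applied through a GPO, but on a single server, or when checking why a host is not producing the expected events, it is useful to set and read the subcategories directly. The following PowerShell script is an added example and is not part of the original article or of Logsign's attached scripts. It applies either the Baseline or the Stronger column for the subcategories where the table fills in all three columns (the others are left out so nothing is guessed), and then reads the effective policy back with `auditpol /get` and flags any subcategory that does not match. The auditpol subcategory names are the table names without the leading "Audit ", in the English locale; on a non-English system the names differ.

```powershell
# Added example (not part of the original article): apply one column of the audit table
# with auditpol.exe and read the result back. Run from an elevated PowerShell on the server.
# Only subcategories for which the table gives all three columns are included.
# In a domain, put these settings in a GPO (Advanced Audit Policy Configuration) instead;
# a GPO overrides whatever auditpol sets locally.
param(
    [ValidateSet('Baseline', 'Stronger')]
    [string]$Level = 'Baseline'
)

$recommendations = @{
    'Credential Validation'        = @{ Baseline = 'Yes/Yes'; Stronger = 'Yes/Yes' }
    'User Account Management'      = @{ Baseline = 'Yes/Yes'; Stronger = 'Yes/Yes' }
    'Logoff'                       = @{ Baseline = 'Yes/No';  Stronger = 'Yes/No'  }
    'Logon'                        = @{ Baseline = 'Yes/Yes'; Stronger = 'Yes/Yes' }
    'Special Logon'                = @{ Baseline = 'Yes/No';  Stronger = 'Yes/Yes' }
    'Audit Policy Change'          = @{ Baseline = 'Yes/Yes'; Stronger = 'Yes/Yes' }
    'Authentication Policy Change' = @{ Baseline = 'Yes/No';  Stronger = 'Yes/Yes' }
    'Security State Change'        = @{ Baseline = 'Yes/Yes'; Stronger = 'Yes/Yes' }
    'System Integrity'             = @{ Baseline = 'Yes/Yes'; Stronger = 'Yes/Yes' }
}

# "Yes/No" -> @('enable', 'disable'), the words auditpol expects.
function ConvertTo-AuditpolSwitch([string]$SuccessFailure) {
    $parts = $SuccessFailure -split '/'
    $map = @{ 'Yes' = 'enable'; 'No' = 'disable' }
    return @($map[$parts[0].Trim()], $map[$parts[1].Trim()])
}

# Subcategory settings only take effect when this value is set (the "Force audit policy
# subcategory settings ... to override audit policy category settings" option). Without it
# a legacy nine-category policy can silently undo everything below.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

foreach ($subcategory in $recommendations.Keys) {
    $success, $failure = ConvertTo-AuditpolSwitch $recommendations[$subcategory][$Level]
    & auditpol.exe /set /subcategory:"$subcategory" /success:$success /failure:$failure | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$subcategory'" }
}

# Read the effective policy back. /r emits CSV; the "Inclusion Setting" column holds
# "Success", "Failure", "Success and Failure" or "No Auditing".
$expected = @{
    'enable/enable'   = 'Success and Failure'
    'enable/disable'  = 'Success'
    'disable/enable'  = 'Failure'
    'disable/disable' = 'No Auditing'
}
$effective = & auditpol.exe /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
foreach ($subcategory in $recommendations.Keys) {
    $success, $failure = ConvertTo-AuditpolSwitch $recommendations[$subcategory][$Level]
    $row = $effective | Where-Object { $_.Subcategory -eq $subcategory }
    $ok  = $row.'Inclusion Setting' -eq $expected["$success/$failure"]
    '{0,-5} {1,-30} {2}' -f $(if ($ok) { 'OK' } else { 'DIFF' }), $subcategory, $row.'Inclusion Setting'
}
```

Run it as `.\Set-AuditBaseline.ps1 -Level Stronger` (file name is your choice) and keep the DIFF lines: a subcategory that stays different after a `gpupdate /force` is being set by a GPO with a different value, which is the usual reason a collector sees fewer event IDs than the table promises.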
Windows PowerShell Auditing
Windows PowerShell can log both scripts and interactive commands in detail. Where large PowerShell scripts run frequently, module and script block logging can produce a large volume of events and noise, so test the settings in a lab environment before deploying them organization-wide.

| Group Policy | Recommended Value |
|---|---|
| Computer Configuration\Policies\Administrative Templates\Windows Components\Windows PowerShell | |
| Turn on Module Logging | Enabled, with Module Names set to * |
| Turn on PowerShell Script Block Logging | Enabled |
Windows Command Line Auditing

| Group Policy | Recommended Value |
|---|---|
| Computer Configuration\Policies\Administrative Templates\System\Audit Process Creation | |
| Include command line in process creation events | Enabled |
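The three Group Policy settings above all land in well-known registry values, and the quickest way to confirm they are in effect on a host is to write them locally, generate one event of each kind, and read the events back. The following PowerShell script is an added example, not code from the original article or from Logsign. It sets the module logging, script block logging and command-line-in-4688 values, enables the Process Creation subcategory (without it there is no 4688 to attach a command line to), then starts a throw-away PowerShell process carrying a random marker and searches for that marker in events 4104, 4103 and 4688. The log name and event IDs are the standard ones; the marker string and function name are this example's own.

```powershell
# Added example (not part of the original article): set the three logging policies from the
# tables above as local policy registry values, then prove they work by producing one event
# of each kind. Run elevated. In a domain these values arrive via GPO; the registry paths
# below are where GPO writes them, so they are also what to check when a host is silent.
$ErrorActionPreference = 'Stop'

function Set-PolicyValue([string]$Path, [string]$Name, $Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Turn on Module Logging with Module Names "*": pipeline execution of every module -> event 4103.
$modulePath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
Set-PolicyValue $modulePath 'EnableModuleLogging' 1
if (-not (Test-Path "$modulePath\ModuleNames")) { New-Item "$modulePath\ModuleNames" -Force | Out-Null }
New-ItemProperty -Path "$modulePath\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# Turn on PowerShell Script Block Logging: script text as parsed (de-obfuscated) -> event 4104.
Set-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
    'EnableScriptBlockLogging' 1

# Include command line in process creation events: adds the command line to Security 4688.
# 4688 only exists when the Process Creation subcategory (Detailed Tracking) is audited.
Set-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
    'ProcessCreationIncludeCmdLine_Enabled' 1
& auditpol.exe /set /subcategory:"Process Creation" /success:enable | Out-Null

# --- verification: produce one event of each type and read it back -----------------------
$marker = "logsign-test-$(Get-Random)"   # constructed marker so we can find our own events

# A fresh PowerShell process picks up the new policy: its -Command text is logged as a script
# block (4104), Write-Output is logged by module logging (4103), and launching it yields a
# 4688 whose "Process Command Line" field contains the marker.
Start-Process -FilePath 'powershell.exe' `
    -ArgumentList "-NoProfile -Command Write-Output $marker" -Wait -WindowStyle Hidden
Start-Sleep -Seconds 2

$psLog = 'Microsoft-Windows-PowerShell/Operational'
$scriptBlock = Get-WinEvent -FilterHashtable @{ LogName = $psLog; Id = 4104 } -MaxEvents 50 |
    Where-Object { $_.Message -like "*$marker*" } | Select-Object -First 1
$module = Get-WinEvent -FilterHashtable @{ LogName = $psLog; Id = 4103 } -MaxEvents 50 |
    Where-Object { $_.Message -like "*$marker*" } | Select-Object -First 1
$processCreate = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 50 |
    Where-Object { $_.Message -like "*$marker*" } | Select-Object -First 1

# Each property is $true when the corresponding event was found.
[pscustomobject]@{
    ScriptBlockLogging_4104 = [bool]$scriptBlock
    ModuleLogging_4103      = [bool]$module
    CommandLine_4688        = [bool]$processCreate
}
```

A $false in the result usually means one of three things: a GPO is overriding the local value (compare with `gpresult /h`), the Security log is rotating faster than 50 events per two seconds on a busy DC (raise -MaxEvents), or the Process Creation subcategory is still off. Note that the command line of every process on the host now goes into the Security log; any script that passes secrets as arguments will leak them into the events that Logsign collects.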
Authorization Operations for the Domain Controller (AD DS Server)
To connect to the log source over WMI and collect logs with WMI queries, a dedicated user account is needed.
Creating a User:
Create the user in Active Directory Users and Computers.
To prevent the user's password from expiring and interrupting log collection, check Password never expires. If your organization's password policy does not allow this, leave it unchecked and schedule the password change in both Active Directory and the Logsign source configuration. Do not make this account a member of Domain Admins; the group memberships below are sufficient for reading the event logs.
Group Memberships:
For the Logsign user to read the channels under Event Viewer over WMI, it must be a member of the following built-in groups:
- Distributed COM Users
- Performance Monitor Users
- Performance Log Users
- Event Log Readers
Add the Logsign user to each of these groups.
WMIMGMT Configuration:
To allow the Logsign user to connect to the source over WMI, the following permissions must be granted on the WMI namespace through wmimgmt.msc (WMI Control > Properties > Security).
DCOMCNFG Configuration:
To allow the Logsign user to connect over DCOM, the following permissions must be granted through dcomcnfg (Component Services > Computers > My Computer > Properties > COM Security).
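The account creation, group memberships and WMI namespace permissions above can be done from one elevated PowerShell session on the domain controller, which also makes the result reviewable. The following script is an added example; it is not the article's own procedure and not one of Logsign's attached scripts. The user name svc-logsign, the domain CORP and the computer name dc01 are placeholders. Because the wmimgmt.msc and dcomcnfg screenshots are not reproduced on this page, the namespace rights the script grants (Enable Account and Remote Enable on root\cimv2, inherited by child namespaces) are this example's assumption of the minimum needed for remote WMI reads, and the DCOM side is left to the Distributed COM Users membership, which the default machine-wide COM security limits honour for remote launch, activation and access.

```powershell
# Added example (not from the article or Logsign's attached scripts). Run elevated on the
# domain controller. Placeholders: svc-logsign, CORP, dc01. The namespace rights below are an
# assumption (standard minimum for remote WMI reads), not the page's own list.
param(
    [string]$UserName  = 'svc-logsign',
    [string]$Domain    = 'CORP',
    [string]$Namespace = 'root\cimv2'
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

# 1. Service account: no Domain Admins, password never expires so collection does not stop
#    silently (see the note on organisational password policy above).
$password = Read-Host -Prompt "Password for $Domain\$UserName" -AsSecureString
if (-not (Get-ADUser -Filter "SamAccountName -eq '$UserName'")) {
    New-ADUser -Name $UserName -SamAccountName $UserName -AccountPassword $password `
        -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description 'Logsign WMI log collection (read-only)'
}

# 2. The four built-in groups from the article. Distributed COM Users also covers the DCOM
#    remote launch/activation/access rights that dcomcnfg is otherwise used for.
foreach ($group in 'Distributed COM Users', 'Performance Monitor Users',
                   'Performance Log Users', 'Event Log Readers') {
    Add-ADGroupMember -Identity $group -Members $UserName
}

# 3. WMI namespace DACL: one ACCESS_ALLOWED ACE (AceType 0) with WBEM_ENABLE (0x1) and
#    WBEM_REMOTE_ACCESS (0x20), inherited by child namespaces (CONTAINER_INHERIT_ACE 0x2).
$sid = (New-Object System.Security.Principal.NTAccount($Domain, $UserName)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$sidBytes = New-Object byte[] $sid.BinaryLength
$sid.GetBinaryForm($sidBytes, 0)

$security = Get-WmiObject -Namespace $Namespace -Class __SystemSecurity
$result   = $security.GetSecurityDescriptor()
if ($result.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($result.ReturnValue)" }
$sd = $result.Descriptor

$trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
$trustee.SID    = $sidBytes
$trustee.Domain = $Domain
$trustee.Name   = $UserName

$ace = ([wmiclass]'Win32_ACE').CreateInstance()
$ace.AccessMask = 0x1 -bor 0x20
$ace.AceFlags   = 0x2
$ace.AceType    = 0
$ace.Trustee    = $trustee

$sd.DACL += $ace.PSObject.ImmediateBaseObject
$result = $security.SetSecurityDescriptor($sd.PSObject.ImmediateBaseObject)
if ($result.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($result.ReturnValue)" }
"Granted Enable Account + Remote Enable on $Namespace to $Domain\$UserName"

# 4. Verification, run from the collector side or any other domain member (not on the DC),
#    so that DCOM, the firewall and the new account are all exercised together:
#    $cred = Get-Credential "$Domain\$UserName"
#    Get-WmiObject -ComputerName dc01 -Credential $cred -Namespace root\cimv2 `
#        -Query "SELECT TimeGenerated, EventCode FROM Win32_NTLogEvent WHERE Logfile='Security' AND EventCode=4624" |
#        Select-Object -First 3
```

If the remote query in step 4 fails with "RPC server is unavailable", the Windows Firewall on the DC is blocking the WMI-In rules (`Enable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)'` opens them); if it fails with "Access denied" after the groups and namespace rights are in place, the machine-wide COM security limits in dcomcnfg have been tightened from the defaults and need the user or Distributed COM Users added back. Grant only root\cimv2 (or root with inheritance if Logsign queries other namespaces); a full-access grant on root gives the account far more than log reading.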
Logsign Integration:
The following steps describe how to add a WMI-authorized source to Logsign.
Automation Script (Performing the Operations with a Script)
A script can perform all of the authorizations above for a Windows domain controller source, for other servers joined to the domain, and for workgroup sources.
Performing the Operations with the Script on the Domain Controller:
Run the script with administrator privileges, enter the user name, password and domain for the account to be created, and the process completes.
The folder contains two scripts: the one whose name starts with user create creates a new user, while the other performs the operations with an existing user.
The script file is attached.