The Windows event logs hold a wealth of information, and in the last couple of Ask the Admin articles on the Petri IT Knowledgebase, How to Create Custom Views in Windows Server 2012 R2 Event Viewer and Query XML Event Log Data Using XPath in Windows Server 2012 R2, I demonstrated how to create custom views in Event Viewer to filter out unwanted noise.
The ability to create custom views is only useful if you know what events might indicate an attempt to compromise your systems or an unsanctioned configuration change. In this Ask the Admin, I’ll outline some of the most important events that might indicate a security breach.
Before data in the event logs can become truly useful, it’s essential to exercise some governance over your server estate and establish who is allowed to change what, where, and when through tested business processes. When change control is implemented alongside privilege management, not only can you be more confident in maintaining stable and reliable systems, but it will be easier to identify malicious activity in the event logs.
The information in this article assumes that auditing has been configured according to Microsoft’s recommended settings in the Windows Server 2012 R2 baseline security templates that are part of Security Compliance Manager (SCM). For more information on SCM, see Using the Microsoft Security Compliance Manager Tool on the Petri IT Knowledgebase.
Under normal operating circumstances, critical system settings can’t be modified unless users hold certain privileges, so monitoring for privilege use and changes to user accounts and groups can give an indication that an attack is underway. For example, the addition of users to privileged groups, such as Domain Admins, should correspond to a request for change (RFC). If you notice that a user has been added to a privileged group, you can check this against approved RFCs.
Event Viewer groups these events under the User Account Management and Security Group Management task categories. When auditing is enabled on a member server, changes to local users and groups are logged; on a domain controller, changes to Active Directory users and groups are logged (on the domain controller that processed the change, so check every DC or use a central collector). To enable auditing for user and group management, enable the Audit Security Group Management and Audit User Account Management settings under Advanced Audit Policy Configuration. For more information on configuring audit policy, see Enable Advanced Auditing in Windows Server on Petri.
Additionally, you should check for the events listed in the table below:
Event Log | Level | ID | Event Description | Source |
Security | Informational | 4740 | Account Locked Out | Microsoft-Windows-Security-Auditing |
Security | Informational | 4728, 4732, 4756 | Member Added to Security-Enabled Group (global, local, universal) | Microsoft-Windows-Security-Auditing |
Security | Informational | 4735 | Security-Enabled Local Group Changed | Microsoft-Windows-Security-Auditing |
Security | Informational | 4624 | Successful User Account Logon | Microsoft-Windows-Security-Auditing |
Security | Informational | 4724 | Attempt to Reset an Account’s Password | Microsoft-Windows-Security-Auditing |
Security | Informational | 4625 | Failed User Account Logon | Microsoft-Windows-Security-Auditing |
Security | Informational | 4648 | Logon Attempted Using Explicit Credentials | Microsoft-Windows-Security-Auditing |
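The RFC cross-check described above can be automated rather than done by eye in Event Viewer. The following PowerShell is an added example and not code from the original article: it reads the group-membership additions from the table (4728, 4732 and 4756) out of the Security log, resolves who was added to which group and by whom, and flags any addition to a privileged group that has no matching approved request for change. The $ApprovedChanges list and the $PrivilegedGroups list are constructed samples; in practice the first would be an export from your change-control system and the second your own list of sensitive groups.

```powershell
# Added example (not from the original Petri article). Flags privileged-group
# additions in the Security log that do not correspond to an approved RFC.
# $ApprovedChanges is a constructed sample standing in for a change-control export.
$ApprovedChanges = @(
    [pscustomobject]@{ Rfc = 'RFC-1042'; Member = 'CONTOSO\jsmith'; Group = 'Domain Admins' }
)
# Assumed list of groups worth alerting on; extend to suit your estate.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'

function Resolve-MemberSid {
    # MemberSid is populated for all three event IDs, whereas MemberName is a
    # distinguished name for domain groups and "-" for local groups, so the SID
    # is the reliable key for identifying the account that was added.
    param([string]$Sid)
    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $Sid   # unresolvable SID (deleted account, untrusted domain): keep the raw value
    }
}

# 4728 = global group, 4732 = local group, 4756 = universal group (security-enabled).
$Filter = @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = (Get-Date).AddDays(-7) }

$Findings = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Read EventData from the event XML; the rendered Message text is locale dependent.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $group  = $data['TargetUserName']                     # the group that was modified
    $member = Resolve-MemberSid $data['MemberSid']        # the account that was added
    $actor  = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"  # who did it

    if ($PrivilegedGroups -contains $group) {
        $rfc = $ApprovedChanges | Where-Object { $_.Member -eq $member -and $_.Group -eq $group }
        $rfcName = if ($rfc) { ($rfc | Select-Object -First 1).Rfc } else { 'NONE - investigate' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Group   = $group
            Member  = $member
            AddedBy = $actor
            Rfc     = $rfcName
        }
    }
}

$Findings | Sort-Object Time | Format-Table -AutoSize
```

Run this in an elevated session: reading the Security log requires administrative rights (or membership of Event Log Readers). Run it on each domain controller, or against a collector, to see Active Directory group changes; on a member server it will only surface changes to local groups (4732). Anything reported with Rfc of "NONE - investigate" is exactly the unsanctioned change the article describes.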
Frequent application hangs or crashes can indicate an attempt to disrupt service, or the side effects of other kinds of attack such as exploitation attempts that fail to land cleanly. As such, it’s prudent to monitor line-of-business applications for disruptions. Check the Application log (and the System log for bug checks) for the following event IDs:
Event Log | Level | ID | Event Description | Source |
Application | Error | 1000 | App Error | Application Error |
Application | Error | 1002 | App Hang | Application Hang |
Application | Informational | 1001 | WER | Windows Error Reporting |
System | Error | 1001 | BSOD | Microsoft-Windows-WER-SystemErrorReporting |
If someone has cleared the event logs or changed audit policy, there’s a good chance that they’ve been trying to cover their tracks. As such, any such behaviour should ring alarm bells. Note that clearing the Security log is recorded as event 1102 in the Security log itself, while clearing any other log is recorded as event 104 in the System log, and that audit policy changes (4719) are a Security-Auditing event rather than an Eventlog one:
Event Log | Level | ID | Event Description | Source |
System | Informational | 104 | Event Log was Cleared | Microsoft-Windows-Eventlog |
Security | Informational | 1102 | Audit Log was Cleared | Microsoft-Windows-Eventlog |
Security | Informational | 4719 | System Audit Policy was Changed | Microsoft-Windows-Security-Auditing |
Configuration settings are usually managed on workstations and servers using Active Directory Group Policy, so any failure to apply policy, or unsanctioned changes to policy objects in AD, could indicate a security issue. Additionally, Windows Firewall provides an important line of defence, and any changes to firewall rules could signal an attempt to gain additional access to systems. The firewall events live in their own operational log rather than in the System log:
Event Log | Level | ID | Event Description | Source |
System | Error | 1125 | Internal Error | Microsoft-Windows-GroupPolicy |
System | Error | 1127 | Generic Internal Error | Microsoft-Windows-GroupPolicy |
System | Error | 1129 | Group Policy Processing Failed Because of Lack of Network Connectivity | Microsoft-Windows-GroupPolicy |
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | Informational | 2004 | Firewall Rule Added | Microsoft-Windows-Windows Firewall With Advanced Security |
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | Informational | 2005 | Firewall Rule Modified | Microsoft-Windows-Windows Firewall With Advanced Security |
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | Informational | 2006, 2033 | Firewall Rule Deleted, All Firewall Rules Deleted | Microsoft-Windows-Windows Firewall With Advanced Security |
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | Error | 2009 | Firewall Failed to Load Group Policy | Microsoft-Windows-Windows Firewall With Advanced Security |
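The tables in this article span four different logs, so a single custom view is the practical way to watch them together. The following is an added example, not code from the original article: one XPath QueryList that covers every event ID listed above, in the same form the Custom View dialog’s XML tab accepts, run here through Get-WinEvent so the results can be reviewed or scheduled from PowerShell. Two choices in it are mine rather than the article’s: successful logons (4624) are restricted to interactive and remote-interactive logon types (2 and 10), because an unfiltered 4624 view is all noise on a busy server, and -MaxEvents 200 is an arbitrary cap for interactive use.

```powershell
# Added example (not from the original Petri article). One QueryList covering
# the account, application, log-tampering, Group Policy and firewall events
# listed in the article, queried with Get-WinEvent. The same XML can be pasted
# into Event Viewer > Create Custom View > XML tab to create a persistent view.
$Query = @'
<QueryList>
  <Query Id="0" Path="Security">
    <!-- account lockouts, privileged group changes, failed and explicit-credential logons, audit policy changes -->
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4740 or EventID=4728 or EventID=4732 or EventID=4756 or EventID=4735 or EventID=4724 or EventID=4625 or EventID=4648 or EventID=4719)]]</Select>
    <!-- successful logons, but only interactive (2) and RDP (10); assumption made here to cut noise -->
    <Select Path="Security">*[System[EventID=4624] and EventData[Data[@Name='LogonType']='2' or Data[@Name='LogonType']='10']]</Select>
    <!-- Security log cleared -->
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Eventlog'] and EventID=1102]]</Select>
  </Query>
  <Query Id="1" Path="Application">
    <!-- application crashes, hangs and WER reports -->
    <Select Path="Application">*[System[Provider[@Name='Application Error'] and EventID=1000]]</Select>
    <Select Path="Application">*[System[Provider[@Name='Application Hang'] and EventID=1002]]</Select>
    <Select Path="Application">*[System[Provider[@Name='Windows Error Reporting'] and EventID=1001]]</Select>
  </Query>
  <Query Id="2" Path="System">
    <!-- bug checks, any other log cleared, Group Policy processing failures -->
    <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-WER-SystemErrorReporting'] and EventID=1001]]</Select>
    <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Eventlog'] and EventID=104]]</Select>
    <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-GroupPolicy'] and (EventID=1125 or EventID=1127 or EventID=1129)]]</Select>
  </Query>
  <Query Id="3" Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">
    <!-- firewall rule added / modified / deleted / all deleted, and policy load failure -->
    <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">*[System[(EventID=2004 or EventID=2005 or EventID=2006 or EventID=2033 or EventID=2009)]]</Select>
  </Query>
</QueryList>
'@

# -FilterXml takes the QueryList as an XmlDocument. -MaxEvents 200 is an arbitrary
# cap for interactive review; drop it when feeding a scheduled report.
Get-WinEvent -FilterXml ([xml]$Query) -MaxEvents 200 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, Id, ProviderName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize -Wrap
```

Run this elevated, since both the Security log and the firewall operational log require administrative rights to read, and add -ComputerName to Get-WinEvent to query a remote server. If the firewall log does not exist on the target (for example a system where the Windows Firewall service is disabled) Get-WinEvent reports that log as not found; with -ErrorAction SilentlyContinue the other three queries still return their results. Keep an eye on the number of EventID terms in any one Select: the event log XPath engine rejects queries it considers too complex, so when you extend the list, split it across additional Select elements rather than growing a single expression.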