Auditing Active Directory with PowerShell. Part 1


This begins a series of posts on monitoring Active Directory.
In these articles I will cover the most basic problems and ways to solve them. Starting from this material, the functionality can easily be extended to whatever your requirements are.
Since PowerShell is now available for every Windows version from Windows Server 2003 R2 and Windows XP SP3 onward, I think this article is useful because it requires no additional spending from the administrator, i.e. monitoring with built-in tools only.



So let's begin.

Active Directory Monitoring



On any IT blog or community you can find many articles on monitoring AD, but... more than 90% of them are devoted to third-party applications, most of which cost a certain amount of money that not every company is willing to pay, even if it isn't large. The record for the number of articles probably belongs to a product from NetWrix Corporation. Here and there IT professionals paint the wonderful possibilities of this program. And, no point hiding it, I used this program in demo mode myself. To be honest, I liked it: simple and accessible. But the money was not provided, so at the end of the trial period AD was again left without a "watchful" eye. That fundamentally does not suit me.

A bit of theory


As is well known, Windows security policy lets you audit events of various kinds. Auditing automatically writes entries to the Security log in the Event Log. Several categories of events can be audited, such as logon, object access, account management, policy change and so on; there are 9 categories in total. This is basic audit policy. Starting with Windows 7 and Windows Server 2008 R2, the advanced audit policy can be managed through Group Policy and splits these into 53 subcategories, so you can audit only the events you actually need. Microsoft's documentation on Advanced Audit Policy Configuration describes each subcategory.
But, as anyone who has ever looked into the Security log knows, finding something there is, if not impossible, then at least very difficult.

Idea...

And then the idea was born: since Windows can write an entry about an event to the Event Log, in theory that information can be read back out. There is one "but": searching such a log for the right event manually is painful, and over time, if the log size is not limited, it can grow to tens of gigabytes, which is not good in itself. So the problem of finding the right information in the Event Log has to be solved automatically. Fortunately, each type of event (such as creating a user account) has its own ID by which it can be found.
So to solve the search problem we only need to find the event in the log by its ID.
PowerShell 2.0 has a cmdlet for working with the Event Log: Get-WinEvent.
We will use this cmdlet to retrieve specific entries from the Event Log.

Implementation

Let's say the Group Policy applied to domain controllers audits account management events.
Then any action on an account in AD generates an event, which creates an entry in the Event Log with a specific ID. For example, when a computer is joined to the domain, the domain controller that processed the operation records an entry with ID 4741 in the Security log, showing when, by whom and which computer was added to the domain.
To get the events with this ID, we use the following PowerShell query:

Get-WinEvent -FilterHashtable @{LogName="Security";ID=4741}

But the output format leaves much to be desired, because it contains a lot of extra information: SIDs, a long list of attributes, and so on.

TimeCreated  : 12.07.2012 14:02:19
ProviderName : Microsoft-Windows-Security-Auditing
Id           : 4741
Message      : A computer account was created.

               Subject:
                   Security ID:        S-1-5-21-451469775-2953165952-2320738315-500
                   Account Name:       administrator
                   Account Domain:     DOMAIN
                   Logon ID:           0xb3acf

               New Computer Account:
                   Security ID:        S-1-5-21-451469775-2953165952-2320738315-2979
                   Account Name:       TEST$
                   Account Domain:     DOMAIN

               Attributes:
                   SAM Account Name:   TEST$
                   Display Name:       -
                   User Principal Name: -
                   Home Directory:     -
                   Home Drive:         -
                   Script Path:        -
                   Profile Path:       -
                   User Workstations:  -
                   Password Last Set:  <never>
                   Account Expires:    <never>
                   Primary Group ID:   515
                   AllowedToDelegateTo: -
                   Old UAC Value:      0x0
                   New UAC Value:      0x85
                   User Account Control:
                       Account Disabled
                       'Password Not Required' - Enabled
                       'Workstation Trust Account' - Enabled
                   User Parameters:    -
                   SID History:        -
                   Logon Hours:        <value not set>
                   DNS Host Name:      -
                   Service Principal Names: -

               Additional Information:
                   Privileges:         -

We are interested only in the essentials: the time, who created the account, and the computer name. For this we "slightly" modify the query:

Get-WinEvent -FilterHashtable @{LogName="Security";ID=4741} |
    Select TimeCreated,
        @{n="Operator";e={([xml]$_.ToXml()).Event.EventData.Data | ? {$_.Name -eq "SubjectUserName"} | %{$_.'#text'}}},
        @{n="ComputerName";e={([xml]$_.ToXml()).Event.EventData.Data | ? {$_.Name -eq "SamAccountName"} | %{$_.'#text'}}}

As a result the query returns information that is easy on the eyes:

TimeCreated  : 12.07.2012 14:02:19
Operator     : administrator
ComputerName : TEST$

This query treats the Event Log entry as an XML object and picks out the required values: the time (TimeCreated), the operator and the computer name.

As you can see, the code is not very readable. For working with the classic Event Log there is also the .NET class System.Diagnostics.EventLogEntry, which exposes the event's data fields as an array of strings (ReplacementStrings); since PowerShell is essentially .NET, Get-EventLog hands you these objects directly.

Here, for example, is code that reads the event's fields by index (event 4768, a Kerberos TGT request, where field 0 is the account name and field 9 the client IP address):

Get-EventLog Security -InstanceId 4768 |
    Select TimeGenerated, ReplacementStrings |
    % {
        New-Object PSObject -Property @{
            UserName  = $_.ReplacementStrings[0]   # TargetUserName
            IPAddress = $_.ReplacementStrings[9]   # IpAddress (on 2008+ IPv4 clients show as ::ffff:a.b.c.d)
            Date      = $_.TimeGenerated
        }
    }


As a result we get something like this:

Date      : 12.07.2012 14:02:19
UserName  : administrator
IPAddress : 10.10.10.1


This code is much easier to read.

Let's look at both queries in detail.


Option 1 (treating the event as XML):

If you open any entry in the Event Log, you will see two tabs: General and Details.
Switch to the Details tab and choose "XML View": this shows the structure of the very same event as XML.
We parse the event as XML and pick the values we need from the Event.EventData.Data section: the element named SubjectUserName holds the name of the user who created the computer, and the element named SamAccountName holds the name of the created computer.

Option 2 (parsing into substrings):

Open the event as XML in the same way, find the Event.EventData.Data section and count the Data elements starting from 0; that position is the index into ReplacementStrings. Find the element with the value you need and note which number it is. The caveat is that the index is tied to the field order of that particular event ID, so a query written for one event does not carry over to another, whereas the XML field names are self-describing.

Now this information needs to go somewhere other than the console.
Better still if it is sent to the administrator, for example by e-mail.
PowerShell 2.0 has the Send-MailMessage cmdlet, which opens an SMTP session from the console and sends mail.
To send a message you need to specify the SMTP server, sender address, recipient address, message body, subject, user name and password.
In the end we get the following script, which finds the latest event with ID 4741 and mails the information to the administrator.

#Define all the variables for sending
$Theme = "A new computer has been added to the domain" # First line of the body, so it is clear what this is about
$Subject = "Computer account created" # Message subject

$Server = "mail.domain.ru" # SMTP server
$From = "audit@domain.ru" # Sender address
$To = "admin@domain.ru" # Recipient
$pass = ConvertTo-SecureString "PASSWORD" -AsPlainText -Force # Password of the sending account (in clear text, see the note below)
$cred = New-Object System.Management.Automation.PSCredential("AUDIT", $pass) # User name and password
$encoding = [System.Text.Encoding]::UTF8 # UTF-8 encoding so the message body displays correctly

#The actual event query. Get-WinEvent returns newest first, so -MaxEvents 1 takes only the latest event with this ID. The result goes into $Body.

$Body = Get-WinEvent -FilterHashtable @{LogName="Security";ID=4741} -MaxEvents 1 |
    Select TimeCreated,
        @{n="Operator";e={([xml]$_.ToXml()).Event.EventData.Data | ? {$_.Name -eq "SubjectUserName"} | %{$_.'#text'}}},
        @{n="ComputerName";e={([xml]$_.ToXml()).Event.EventData.Data | ? {$_.Name -eq "SamAccountName"} | %{$_.'#text'}}} |
    Format-List | Out-String   # render as text; interpolating the object directly would give "@{TimeCreated=...}"

#Send the message.
Send-MailMessage -From $From -To $To -SmtpServer $Server -Body "$Theme `n$Body" -Subject $Subject -Credential $cred -Encoding $encoding


Result


Save this script to a file with the .ps1 extension, for example D:\Scripts\ADCompAdd.ps1.
Open the PowerShell console.
Type the command: Set-ExecutionPolicy Unrestricted

Press "Y" and Enter. This allows PowerShell scripts to run on the server. (RemoteSigned is enough for scripts written locally and still blocks unsigned scripts downloaded from the Internet, so it is the safer setting.)
Drag the script into the console (drag and drop) and press Enter. Check that the script ran without errors (i.e. no red text appeared in the console). Check the mailbox for a new message containing everything we need.

It remains to make this script run at the moment the event occurs.
Here "Task Scheduler" comes to our aid.
The scheduler can react to a specific event in the Event Log.
Create a task whose trigger fires on event ID 4741 appearing in the Security log.
Then specify that this script should run: in the "Action" section choose to start a program, in "Program/script" write powershell, and in "Add arguments (optional)" write: -nologo -noprofile -File "D:\Scripts\ADCompAdd.ps1"

Now let's test how the resulting construction works. Create a test computer in any OU in AD and check the mailbox for the message.
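The task set up above re-reads "the newest 4741" when it fires. If two computer accounts are created within a second of each other, two task instances start and both report the same, later, event, so one creation is never mailed (and with the scheduler's default instance policy the second instance is not even started). Task Scheduler can instead hand the script the record number of the exact event that triggered it. The following is an added example, not part of the original article: it writes a task definition whose event trigger carries a ValueQueries element (not exposed in the GUI), registers it with schtasks.exe, and writes a version of the script that fetches that one record. The task name AD-ComputerAdded, the run-as account DOMAIN\AUDIT and the D:\Scripts paths are assumptions; the mail settings are those of the article's script.

```powershell
# Added example (not from the original article). Needs Task Scheduler 2.0 (Vista / Server 2008
# or later) and PowerShell 2.0. Run once, elevated, on the domain controller.
# Assumed names: task 'AD-ComputerAdded', account DOMAIN\AUDIT, folder D:\Scripts.

$scriptPath = 'D:\Scripts\ADCompAdd.ps1'
$xmlPath    = 'D:\Scripts\ADCompAdd.task.xml'

# 1. The script, now taking the record number of the event that fired the task.
#    Single-quoted here-string: nothing inside is expanded while installing.
$script = @'
param([Parameter(Mandatory=$true)][long]$RecordId)

# Mail settings as in the article's script (the article itself notes the clear-text password).
$Server = "mail.domain.ru"; $From = "audit@domain.ru"; $To = "admin@domain.ru"
$pass = ConvertTo-SecureString "PASSWORD" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("AUDIT", $pass)

# Fetch exactly the triggering event by record number instead of "the newest 4741".
$e = Get-WinEvent -LogName Security -FilterXPath "*[System[EventRecordID=$RecordId]]"
if (-not $e) { throw "Security record $RecordId not found" }

$data = ([xml]$e.ToXml()).Event.EventData.Data
$operator = ($data | Where-Object { $_.Name -eq 'SubjectUserName' }).'#text'
$computer = ($data | Where-Object { $_.Name -eq 'SamAccountName' }).'#text'

$Body = "A new computer has been added to the domain`n" +
        "TimeCreated  : $($e.TimeCreated)`n" +
        "Operator     : $operator`n" +
        "ComputerName : $computer`n" +
        "RecordId     : $RecordId"
Send-MailMessage -From $From -To $To -SmtpServer $Server -Subject "Computer account created" `
    -Body $Body -Credential $cred -Encoding ([System.Text.Encoding]::UTF8)
'@
Set-Content -Path $scriptPath -Value $script -Encoding UTF8

# 2. Task definition. Subscription is the same XPath the GUI builds for "On an event".
#    ValueQueries exports Event/System/EventRecordID as the token $(eventRecordID), which
#    Task Scheduler substitutes into the action's arguments at run time.
#    MultipleInstancesPolicy=Parallel lets two near-simultaneous events each get an instance
#    (the default, IgnoreNew, would silently drop the second one).
$taskXml = @'
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Description>Mail the administrator when a computer account is created (Security 4741)</Description>
  </RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[(EventID=4741)]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
      <ValueQueries>
        <Value name="eventRecordID">Event/System/EventRecordID</Value>
      </ValueQueries>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>DOMAIN\AUDIT</UserId>
      <LogonType>Password</LogonType>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <ExecutionTimeLimit>PT5M</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoLogo -NoProfile -File "D:\Scripts\ADCompAdd.ps1" -RecordId $(eventRecordID)</Arguments>
    </Exec>
  </Actions>
</Task>
'@
Set-Content -Path $xmlPath -Value $taskXml -Encoding Unicode   # UTF-16, matching the XML declaration

# 3. Register it. /RP * prompts for the account's password; /F replaces an existing task.
schtasks.exe /Create /TN 'AD-ComputerAdded' /XML $xmlPath /RU 'DOMAIN\AUDIT' /RP '*' /F
```

The run-as account needs the "Log on as a batch job" right and read access to the Security log (membership in the Builtin Event Log Readers group is enough on a domain controller); it does not need to be a Domain Admin.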

The script is not very safe because it has the user name and password in clear text, so if you decide to use it, I strongly recommend using an account with the minimum set of rights to send the messages.
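One way to take the password out of the script altogether, as an added example that is not part of the original article: export the credential once, logged on as the account the scheduled task runs under, with Export-Clixml. PowerShell protects the SecureString with DPAPI, so the file decrypts only for that user on that machine and is useless to anyone who copies the script folder. The credential file path and the SMTP submission port 587 are assumptions; -UseSsl is added because Send-MailMessage otherwise sends the credentials over a plaintext SMTP session.

```powershell
# Added example (not from the original article). PowerShell 2.0 compatible.
# Assumed path: D:\Scripts\smtp.cred.xml; assumed SMTP submission port 587 with STARTTLS.

$credPath = 'D:\Scripts\smtp.cred.xml'

# Step 1: run ONCE, interactively, logged on as the account the scheduled task uses
# (DOMAIN\AUDIT in the article). Export-Clixml stores the SecureString encrypted with the
# caller's DPAPI user key; no key material ends up in the script.
function Save-SmtpCredential {
    param([string]$Path = $credPath, [string]$UserName = 'AUDIT')
    $c = Get-Credential $UserName            # prompts for the password
    $c | Export-Clixml -Path $Path
    # Restrict the file to its owner and SYSTEM as a second layer; DPAPI is the first.
    icacls.exe $Path /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):R" 'SYSTEM:F' | Out-Null
}

# Step 2: in the scheduled script, load it back. Import-Clixml fails with
# "Key not valid for use in specified state" if a different account (SYSTEM, another
# administrator) tries to read it, which is exactly the behaviour we want.
function Get-SmtpCredential {
    param([string]$Path = $credPath)
    if (-not (Test-Path $Path)) {
        throw "No stored credential at $Path. Run Save-SmtpCredential as the task's account first."
    }
    try {
        $c = Import-Clixml -Path $Path
    } catch {
        throw "Cannot decrypt $Path as $env:USERDOMAIN\$env:USERNAME (created by a different account?): $_"
    }
    if ($c -isnot [System.Management.Automation.PSCredential]) { throw "$Path does not contain a PSCredential" }
    return $c
}

# Step 3: send the notification. This replaces the ConvertTo-SecureString / PSCredential lines
# of the article's script; -UseSsl keeps the login off the wire in clear text.
function Send-AuditMail {
    param([Parameter(Mandatory=$true)][string]$Subject,
          [Parameter(Mandatory=$true)][string]$Body,
          [string]$Server = 'mail.domain.ru', [int]$Port = 587,
          [string]$From = 'audit@domain.ru', [string]$To = 'admin@domain.ru')
    Send-MailMessage -From $From -To $To -SmtpServer $Server -Port $Port -UseSsl `
        -Subject $Subject -Body $Body -Credential (Get-SmtpCredential) `
        -Encoding ([System.Text.Encoding]::UTF8)
}

# Usage: Save-SmtpCredential                                   (once, interactively, as DOMAIN\AUDIT)
#        Send-AuditMail -Subject 'Computer account created' -Body $Body   (from the scheduled script)
```

Because the key is per user and per machine, the scheduled task must run as the same account that ran Save-SmtpCredential, and the export has to be repeated on every domain controller that runs the task.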

By my measurements the reaction time to an event is 1 second, i.e. from the moment of creation to receipt of the letter is 1 second. Of course, that assumes you are using a local mail server and not one somewhere on the Internet; there the delay may be longer. But in general it is not high.

In the end, by taking this script and changing the event IDs and the fields extracted from the event, you can monitor all account activity in AD: creation, deletion, enabling and disabling, locking and unlocking, adding to and removing from groups, and so on; in general, any event that Windows auditing can record. You only need to change the filter in the query: view the required event in XML mode, pick the appropriate values and put them into the query. Keep in mind that the event is written only on the domain controller that processed the change, so in a domain with several DCs either run the task on each of them or forward the Security logs to one collector.
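To show how this generalises from event 4741 to the whole family of account-management events (the substring option counts field indices, which change from one event ID to another; the XML field names do not), here is an added example that is not part of the original article. It turns any event's XML into a name/value table and uses that to report every ID in the list below with one Get-WinEvent call. The event IDs and field names are the standard Security-Auditing ones; the sample 4741 record is constructed by hand from the article's own output so the parser can be tried without a domain controller, and the function names are my own.

```powershell
# Added example (not from the original article). PowerShell 2.0 compatible.

# Event IDs from the article's list, plus the EventData field that names the object acted on.
# SubjectUserName (the operator) is common to all of them. 4740 is special: its subject is the
# DC's own computer account and the machine the bad passwords came from is in TargetDomainName.
$AccountEvents = @{
    4720 = @{ Action = 'User account created';    Target = 'TargetUserName' }
    4722 = @{ Action = 'User account enabled';    Target = 'TargetUserName' }
    4725 = @{ Action = 'User account disabled';   Target = 'TargetUserName' }
    4726 = @{ Action = 'User account deleted';    Target = 'TargetUserName' }
    4740 = @{ Action = 'User account locked out (caller in TargetDomainName)'; Target = 'TargetUserName' }
    4767 = @{ Action = 'User account unlocked';   Target = 'TargetUserName' }
    4741 = @{ Action = 'Computer account created'; Target = 'SamAccountName' }
    4743 = @{ Action = 'Computer account deleted'; Target = 'TargetUserName' }
    4728 = @{ Action = 'Member added to global security group';     Target = 'TargetUserName'; Member = 'MemberName' }
    4729 = @{ Action = 'Member removed from global security group'; Target = 'TargetUserName'; Member = 'MemberName' }
}

# Parse one event's XML (as returned by EventLogRecord.ToXml()) into a flat object:
# the System fields plus a hashtable of EventData name -> value. Works for any event ID.
function ConvertFrom-EventXml {
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)][string]$EventXml)
    process {
        $x = [xml]$EventXml
        $fields = @{}
        foreach ($d in @($x.Event.EventData.Data)) {        # @() keeps a lone Data element iterable
            if ($d -ne $null) { $fields[$d.Name] = $d.'#text' }
        }
        # local-name() sidesteps the event namespace; EventID may carry a Qualifiers attribute on old events
        New-Object PSObject -Property @{
            Id          = [int]$x.SelectSingleNode('//*[local-name()="EventID"]').InnerText
            RecordId    = [long]$x.SelectSingleNode('//*[local-name()="EventRecordID"]').InnerText
            TimeCreated = [datetime]$x.SelectSingleNode('//*[local-name()="TimeCreated"]').GetAttribute('SystemTime')
            Computer    = $x.SelectSingleNode('//*[local-name()="Computer"]').InnerText
            Fields      = $fields
        }
    }
}

# Reduce a parsed event to the "when, who, did what, to whom" line the article is after.
function Format-AccountChange {
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)]$Event)
    process {
        $def = $AccountEvents[$Event.Id]
        if ($def -eq $null) { return }                       # not an account-management event we track
        $Event | Select-Object TimeCreated, Id, RecordId, Computer,
            @{n='Action';   e={ $def.Action }},
            @{n='Operator'; e={ $_.Fields['SubjectUserName'] }},
            @{n='Target';   e={ $_.Fields[$def.Target] }},
            @{n='Member';   e={ if ($def.Member) { $_.Fields[$def.Member] } else { '-' } }}
    }
}

# Live query on a DC: all tracked IDs in one call instead of one Get-WinEvent per ID.
function Get-ADAccountChange {
    param([int[]]$Id = @($AccountEvents.Keys), [int]$MaxEvents = 50, [string]$ComputerName = $env:COMPUTERNAME)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = $Id } -MaxEvents $MaxEvents |
        ForEach-Object { $_.ToXml() } | ConvertFrom-EventXml | Format-AccountChange
}

# Constructed sample: an abridged 4741 record matching the article's output, for an offline check.
$Sample4741 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4741</EventID>
    <TimeCreated SystemTime="2012-07-12T10:02:19.000Z"/>
    <EventRecordID>123456</EventRecordID>
    <Channel>Security</Channel>
    <Computer>dc01.domain.ru</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">TEST$</Data>
    <Data Name="TargetDomainName">DOMAIN</Data>
    <Data Name="SubjectUserName">administrator</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
    <Data Name="SubjectLogonId">0xb3acf</Data>
    <Data Name="SamAccountName">TEST$</Data>
    <Data Name="PrimaryGroupId">515</Data>
  </EventData>
</Event>
'@
$Sample4741 | ConvertFrom-EventXml | Format-AccountChange | Format-List
```

On the constructed record this yields Action "Computer account created", Operator "administrator", Target "TEST$" and Member "-"; on a live DC, Get-ADAccountChange -MaxEvents 20 returns the last twenty tracked changes in the same shape, ready to be piped into Out-String and the Send-MailMessage call from the script above.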

PS:


Here are some useful event IDs for Windows Server 2008 R2:

ID=4741 Computer account created
ID=4743 Computer account deleted
ID=4728 Member added to a security-enabled global group (4732 and 4756 are the equivalents for domain local and universal groups)
ID=4729 Member removed from a security-enabled global group (4733 and 4757 for domain local and universal groups)
ID=4720 User account created
ID=4726 User account deleted
ID=4740 User account locked out
ID=4767 User account unlocked
ID=4722 User account enabled
ID=4725 User account disabled
Article based on information from habrahabr.ru
