Advanced Windows Security: protocols and logon auditing
GOPAS | Ing. Ondřej Ševeček | GOPAS a.s. | MCM:Directory | MVP:Enterprise Security | CEH: Certified Ethical Hacker | CHFI: Computer Hacking Forensic Investigator
Logon auditing
Auditing (2000+)
Granular auditing (2008/Vista+)
Logon auditing
- Account Logon event: the "authentication event", generated when an account database validates credentials
- Logon event: the "session event", generated every time an Access Token is created or closed
Figure: Auditing (Interactive Logon). Diagram of a Client, the DC and member servers (SQL, FS, WFE); labels: Account Logon (1), Logon (2).
Kerberos Failure Codes
Status  Name
0x0     KDC_ERR_NONE
0x1     KDC_ERR_NAME_EXP
0x2     KDC_ERR_SERVICE_EXP
0x3     KDC_ERR_BAD_PVNO
0x4     KDC_ERR_C_OLD_MAST_KVNO
0x5     KDC_ERR_S_OLD_MAST_KVNO
0x6     KDC_ERR_C_PRINCIPAL_UNKNOWN
0x7     KDC_ERR_S_PRINCIPAL_UNKNOWN
0x8     KDC_ERR_PRINCIPAL_NOT_UNIQUE
0x9     KDC_ERR_NULL_KEY
0xA     KDC_ERR_CANNOT_POSTDATE
0xB     KDC_ERR_NEVER_VALID
0xC     KDC_ERR_POLICY
0xD     KDC_ERR_BADOPTION (delegation not enabled)
0xE     KDC_ERR_ETYPE_NOTSUPP (etype not supported)
0xF     KDC_ERR_SUMTYPE_NOSUPP
0x10    KDC_ERR_PADATA_TYPE_NOSUPP
0x11    KDC_ERR_TRTYPE_NO_SUPP
0x12    KDC_ERR_CLIENT_REVOKED (disabled)
0x13    KDC_ERR_SERVICE_REVOKED
…
0x17    KDC_ERR_KEY_EXPIRED (password expired, even when using smart cards)
0x18    KDC_ERR_PREAUTH_FAILED (bad password or invalid certificate)
0x19    KDC_ERR_PREAUTH_REQUIRED
0x25    KRB_AP_ERR_SKEW (clock skew)
Logon types
Type                     Value
Interactive              2
Network                  3
Batch                    4
Service                  5
Unlock                   7
NetworkCleartext         8
NewCredentials           9
RemoteInteractive        10
CachedInteractive        11
CachedRemoteInteractive  12
CachedUnlock             13
Logon sessions

    # List the logon sessions currently held by LSA: the Logon ID in the same
    # hex form the Security log uses, the authentication package, the logon
    # type and the account behind each session.
    gwmi Win32_LogonSession | select `
        @{ n = 'LogonIdHex'; e = { '0x{0:X}' -f ([uint64] $_.LogonId) } }, `
        AuthenticationPackage, LogonType, `
        @{ n = 'Login'; e = { $_.GetRelated('Win32_Account') | select -First 1 | select -ExpandProperty Caption } }, `
        @{ n = 'SID';   e = { $_.GetRelated('Win32_Account') | select -First 1 | select -ExpandProperty SID } }
Figure: Auditing (Network session). Diagram of a Client, the DC and member servers (SQL, FS, WFE); labels: Account Logon (1), Logon (2).
Status codes
Status                         Value
STATUS_WRONG_PASSWORD          0xC000006A
STATUS_PASSWORD_RESTRICTION    0xC000006C
STATUS_LOGON_FAILURE           0xC000006D
STATUS_ACCOUNT_RESTRICTION     0xC000006E
STATUS_INVALID_LOGON_HOURS     0xC000006F
STATUS_INVALID_WORKSTATION     0xC…
STATUS_PASSWORD_EXPIRED        0xC…
STATUS_ACCOUNT_DISABLED        0xC…
STATUS_LOGON_NOT_GRANTED       0xC…
STATUS_LOGON_TYPE_NOT_GRANTED  0xC000015B
STATUS_ACCOUNT_EXPIRED         0xC…
STATUS_PASSWORD_MUST_CHANGE    0xC…
STATUS_ACCOUNT_LOCKED_OUT      0xC…
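The two code tables above (Kerberos failure codes and NTSTATUS logon status codes) are what a defender needs to read the Security log's failure events. The following script is an added example, not part of the original slides: it decodes the Status field of Kerberos pre-authentication failures (event 4771, logged on domain controllers) and the Status/SubStatus fields of logon failures (event 4625, logged on the machine where the logon was attempted). The event IDs and field names are the standard Windows Security log ones; they are not on the slides. The NTSTATUS table only includes the codes whose full value appears on the slide; anything else is reported as unknown with a hint to run err.exe. The sample records at the end are constructed.

```powershell
# Added example, not from the original slides: decode the failure reason in
# Kerberos pre-authentication failures (4771, "Status") and logon failures
# (4625, "Status"/"SubStatus") using the two code tables from the slides.
# String keys are used so "0x18" and "0xC000006A" both match after normalisation.

# KDC_ERR_* codes as listed on the slides (0x14-0x16 are not on the slides).
$KerberosFailureNames = @{
    '0x0'  = 'KDC_ERR_NONE';                 '0x1'  = 'KDC_ERR_NAME_EXP'
    '0x2'  = 'KDC_ERR_SERVICE_EXP';          '0x3'  = 'KDC_ERR_BAD_PVNO'
    '0x4'  = 'KDC_ERR_C_OLD_MAST_KVNO';      '0x5'  = 'KDC_ERR_S_OLD_MAST_KVNO'
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN';  '0x7'  = 'KDC_ERR_S_PRINCIPAL_UNKNOWN'
    '0x8'  = 'KDC_ERR_PRINCIPAL_NOT_UNIQUE'; '0x9'  = 'KDC_ERR_NULL_KEY'
    '0xA'  = 'KDC_ERR_CANNOT_POSTDATE';      '0xB'  = 'KDC_ERR_NEVER_VALID'
    '0xC'  = 'KDC_ERR_POLICY';               '0xD'  = 'KDC_ERR_BADOPTION (delegation not enabled)'
    '0xE'  = 'KDC_ERR_ETYPE_NOTSUPP';        '0xF'  = 'KDC_ERR_SUMTYPE_NOSUPP'
    '0x10' = 'KDC_ERR_PADATA_TYPE_NOSUPP';   '0x11' = 'KDC_ERR_TRTYPE_NO_SUPP'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED (disabled)'
    '0x13' = 'KDC_ERR_SERVICE_REVOKED'
    '0x17' = 'KDC_ERR_KEY_EXPIRED (password expired)'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED (bad password or invalid certificate)'
    '0x19' = 'KDC_ERR_PREAUTH_REQUIRED'
    '0x25' = 'KRB_AP_ERR_SKEW (clock skew)'
}

# NTSTATUS codes whose full value is on the slides.
$LogonStatusNames = @{
    '0xC000006A' = 'STATUS_WRONG_PASSWORD'
    '0xC000006C' = 'STATUS_PASSWORD_RESTRICTION'
    '0xC000006D' = 'STATUS_LOGON_FAILURE'
    '0xC000006E' = 'STATUS_ACCOUNT_RESTRICTION'
    '0xC000006F' = 'STATUS_INVALID_LOGON_HOURS'
    '0xC000015B' = 'STATUS_LOGON_TYPE_NOT_GRANTED'
}

function Normalize-HexCode([string] $Text) {
    # "0x18", "0x0018" and "0xc000006a" become the canonical "0x18" / "0xC000006A".
    '0x{0:X}' -f [Convert]::ToInt64(($Text -replace '^0x', ''), 16)
}

function Get-LogonFailureRecord {
    # Read 4625 (any host) and 4771 (domain controllers only) from the live Security log.
    param([int] $MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4771 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $x = [xml] $_.ToXml(); $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ Id = $_.Id; TimeCreated = $_.TimeCreated; Data = $d }
        }
}

function Resolve-LogonFailure {
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $d = $Record.Data
        switch ($Record.Id) {
            4771 {
                $code     = Normalize-HexCode $d['Status']
                $reason   = $KerberosFailureNames[$code]
                $account  = $d['TargetUserName']
                $protocol = 'Kerberos'
            }
            4625 {
                # SubStatus carries the precise reason; it is 0x0 when Status itself is specific.
                $code = Normalize-HexCode $d['SubStatus']
                if ($code -eq '0x0') { $code = Normalize-HexCode $d['Status'] }
                $reason   = $LogonStatusNames[$code]
                $account  = '{0}\{1} (logon type {2})' -f $d['TargetDomainName'], $d['TargetUserName'], $d['LogonType']
                $protocol = $d['AuthenticationPackageName']
            }
            default { return }
        }
        if (-not $reason) { $reason = "unknown, try: err.exe $code" }
        [pscustomobject]@{
            Time = $Record.TimeCreated; Event = $Record.Id; Protocol = $protocol
            Account = $account; Source = $d['IpAddress']; Code = $code; Reason = $reason
        }
    }
}

# Constructed sample records in the shape Get-LogonFailureRecord produces.
$t0 = [datetime] '2024-01-15 08:00:00'
$SampleRecords = @(
    [pscustomobject]@{ Id = 4771; TimeCreated = $t0;                Data = @{ TargetUserName = 'jnovak';  IpAddress = '::ffff:10.0.0.23'; Status = '0x18' } }
    [pscustomobject]@{ Id = 4771; TimeCreated = $t0.AddSeconds(40); Data = @{ TargetUserName = 'svc-sql'; IpAddress = '::ffff:10.0.0.50'; Status = '0x25' } }
    [pscustomobject]@{ Id = 4625; TimeCreated = $t0.AddMinutes(2);  Data = @{ TargetDomainName = 'GOPAS'; TargetUserName = 'jnovak'; LogonType = '3'; IpAddress = '10.0.0.23'; AuthenticationPackageName = 'NTLM'; Status = '0xC000006D'; SubStatus = '0xC000006A' } }
    [pscustomobject]@{ Id = 4625; TimeCreated = $t0.AddMinutes(3);  Data = @{ TargetDomainName = 'GOPAS'; TargetUserName = 'svc-sql'; LogonType = '2'; IpAddress = '127.0.0.1'; AuthenticationPackageName = 'Negotiate'; Status = '0xC000015B'; SubStatus = '0x0' } }
)

$SampleRecords | Resolve-LogonFailure | Format-Table -AutoSize
$SampleRecords | Resolve-LogonFailure | Group-Object Reason | Sort-Object Count -Descending | Select-Object Count, Name

# Live use on a DC (elevated shell, "Audit Kerberos Authentication Service" and "Audit Logon" enabled):
# Get-LogonFailureRecord -MaxEvents 2000 | Resolve-LogonFailure | Group-Object Reason | Sort-Object Count -Descending
```

The point of grouping by decoded reason rather than by raw code is operational: a burst of KDC_ERR_PREAUTH_FAILED for many accounts from one address reads very differently from a burst of KRB_AP_ERR_SKEW, and the fourth sample shows why SubStatus must be checked first, with Status as the fallback when SubStatus is 0x0.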
Download err.exe (the most up-to-date version is in the SDK for Windows 8.1).
Figure: Auditing (Interactive logoff). Diagram of a Client, the DC and member servers (SQL, FS, WFE); label: Logoff (1), recorded immediately at logoff.
Figure: Auditing (Network session logoff). Diagram of a Client, the DC and member servers (SQL, FS, WFE); label: Logoff (1), recorded when the TCP connection is closed.
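Because a Logon event is written whenever an Access Token is created and a Logoff event whenever it is closed, the two can be paired on the Logon ID to reconstruct how long each session lived, which is where the difference between an interactive logoff (immediate) and a network session logoff (only when the TCP connection closes) becomes visible. The script below is an added example, not part of the original slides: it uses the slides' logon-type table and the standard Security log events 4624 (logon), 4634 (logoff) and 4647 (user-initiated logoff) with their TargetLogonId field; these IDs and field names are not on the slides. The sample records are constructed.

```powershell
# Added example, not from the original slides: reconstruct logon-session
# lifetimes by pairing Logon (4624) and Logoff (4634, or 4647 for a
# user-initiated logoff) events on their Logon ID. Interactive-style sessions
# get their logoff event as soon as the user logs off; Network (type 3)
# sessions only when the TCP connection is closed. Sample records are constructed.

# Logon type names from the slides' table.
$LogonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'
    11 = 'CachedInteractive'; 12 = 'CachedRemoteInteractive'; 13 = 'CachedUnlock'
}

function ConvertTo-LogonRecord {
    # Flatten a Security-log event (from Get-WinEvent) into the fields used below.
    param([Parameter(Mandatory, ValueFromPipeline)] $WinEvent)
    process {
        $x = [xml] $WinEvent.ToXml(); $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Id        = $WinEvent.Id
            Time      = $WinEvent.TimeCreated
            LogonId   = $d['TargetLogonId']            # e.g. 0x3E7A1, shared by 4624 and 4634
            LogonType = [int] $d['LogonType']
            User      = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
            Source    = $d['IpAddress']                # only present on 4624
            Package   = $d['AuthenticationPackageName']
        }
    }
}

function Get-LogonSessionLifetime {
    param([Parameter(Mandatory)] [object[]] $Records)
    $logoffs = @($Records | Where-Object { $_.Id -in 4634, 4647 } | Sort-Object Time)
    foreach ($logon in ($Records | Where-Object { $_.Id -eq 4624 } | Sort-Object Time)) {
        # Logon IDs restart after a reboot, so take the first logoff at or after this logon.
        $end = $logoffs | Where-Object { $_.LogonId -eq $logon.LogonId -and $_.Time -ge $logon.Time } | Select-Object -First 1
        [pscustomobject]@{
            LogonId   = $logon.LogonId
            User      = $logon.User
            Type      = '{0} ({1})' -f $LogonTypeNames[$logon.LogonType], $logon.LogonType
            Package   = $logon.Package
            Source    = $logon.Source
            LogonTime = $logon.Time
            Duration  = if ($end) { $end.Time - $logon.Time } else { $null }
            State     = if ($end) { 'closed' } else { 'open (no logoff event)' }
        }
    }
}

# Constructed sample records in the shape ConvertTo-LogonRecord produces.
$t0 = [datetime] '2024-01-15 08:00:00'
$SampleRecords = @(
    [pscustomobject]@{ Id = 4624; Time = $t0;                LogonId = '0x3E7A1'; LogonType = 2;  User = 'GOPAS\jnovak'; Source = '127.0.0.1'; Package = 'Kerberos' }
    [pscustomobject]@{ Id = 4624; Time = $t0.AddMinutes(1); LogonId = '0x4B220'; LogonType = 3;  User = 'GOPAS\jnovak'; Source = '10.0.0.23'; Package = 'Kerberos' }
    # network session closed two seconds later, when the SMB connection was torn down
    [pscustomobject]@{ Id = 4634; Time = $t0.AddMinutes(1).AddSeconds(2); LogonId = '0x4B220'; LogonType = 3; User = 'GOPAS\jnovak'; Source = $null; Package = $null }
    [pscustomobject]@{ Id = 4624; Time = $t0.AddMinutes(5); LogonId = '0x5C3F0'; LogonType = 10; User = 'GOPAS\admin';  Source = '10.0.0.77'; Package = 'Negotiate' }
    # interactive logoff at the end of the day; the RDP session above has no logoff yet
    [pscustomobject]@{ Id = 4634; Time = $t0.AddHours(8);   LogonId = '0x3E7A1'; LogonType = 2;  User = 'GOPAS\jnovak'; Source = $null; Package = $null }
)

Get-LogonSessionLifetime -Records $SampleRecords | Format-Table -AutoSize

# Live use (elevated shell, "Audit Logon" and "Audit Logoff" enabled):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4634, 4647 } -MaxEvents 2000 | ConvertTo-LogonRecord
# Get-LogonSessionLifetime -Records $live | Where-Object State -like 'open*' | Format-Table -AutoSize
```

Sessions reported as open are the ones to reconcile against the live Win32_LogonSession list from the earlier slide: a Logon ID that has no logoff event and no live session usually means the logoff was never audited (for example after a crash or reboot), not that the session is still there.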
Thank you for your attention