Ing. Ondřej Ševeček MCSM:Directory | MVP:Enterprise Security | Certified Ethical Hacker | MCSE:SharePoint | Event Filtering.

Presentation transcript:

1 Ing. Ondřej Ševeček, MCSM:Directory | MVP:Enterprise Security | Certified Ethical Hacker | MCSE:SharePoint
ondrej@sevecek.com | www.sevecek.com
Event Filtering and Searching with XPath and PowerShell
Unfortunately there will be no SCOM ACS; instead there will be more of everything else.

2 Auditing (2000+)

3 Granular auditing (2008/Vista+)

4 Event viewer


7 Event viewer and XML

8 XPath
- XML "searching" language
- Quick examples:
  //State[@code='CZ']
  //State[population>20]
  /States/State[starts-with(display, 'C') and @continent='NAM']
  //State[position()=3]
  /States/*[starts-with(display, 'C')]
  //display[starts-with(., 'C')]
  //display[starts-with(text(), 'C')]

9 XPath
- Event Viewer (custom XML filter): the query is XML, so the operators must be XML-escaped: replace > with &gt; and <= with &lt;=
- Event Viewer can use only position(), Band() and timediff()
- today: TimeCreated[timediff(@SystemTime) <= 86400000]
- WEVTUTIL: normal operators >, >=, <=, != ...
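The "last 24 hours" filter from the slide above, written out for Get-WinEvent -FilterXml (XML-escaped), Get-WinEvent -FilterXPath and wevtutil. This is an added example, not code from the presentation; the event IDs 4624/4625, the logon type 10 and the function name are choices made for the example.

```powershell
# Added example (not from the presentation): the "last 24 hours" filter from slide 9
# expressed for Get-WinEvent -FilterXml, -FilterXPath and wevtutil. Event IDs 4624/4625
# and the logon-type value 10 (RemoteInteractive) are choices made for this example.

# 1) Event Viewer "XML" tab / Get-WinEvent -FilterXml: the query is an XML document,
#    so the comparison operators must be escaped (&lt;= here, &gt; for greater-than).
$xmlQuery = [xml]@"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625)
               and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
      and *[EventData[Data[@Name='LogonType']='10']]
    </Select>
  </Query>
</QueryList>
"@

function Get-RecentRemoteLogons {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Reading the Security log needs administrative (or "Event Log Readers") rights.
    Get-WinEvent -ComputerName $ComputerName -FilterXml $xmlQuery -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read fields by name from the event XML; the Properties[] index of a field
            # differs between 4624 and 4625, so positional access would mix them up.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                LogonType = $data['LogonType']
                Source    = $data['IpAddress']
                Status    = $data['Status']      # present on 4625 only
            }
        }
}

# 2) Get-WinEvent -FilterXPath takes the XPath as a plain string: no XML escaping.
$xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= 86400000]]]"
# Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 5

# 3) wevtutil takes the same string; only the shell's quoting rules apply.
# wevtutil qe Security /q:"$xpath" /c:5 /f:text /rd:true

Get-RecentRemoteLogons | Format-Table -AutoSize
```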

10 Logon auditing
- Account Logon Event: the "authentication event", logged when an account database validates credentials
- Logon Event: the "session event", logged every time an Access Token is created or closed

11 NTLM and Schannel network logon [diagram: Client 2000+, Server 2000+, DC 2000+ and a second DC 2000+; labels: App Traffic, In-band NTLM hash, Pass-through NTLM hash, SMB, D/COM, Dynamic TCP]

12 Kerberos network logon (basic principle) [diagram: Client 2000+, DC 2000+, Server 2000+; labels: Kerberos, TGT: User, TGS: Server, In-band, App Traffic]

13 Auditing (Interactive Logon) [diagram: Client, DC and the servers SQL / FS / WFE; labels: Account Logon (1), Logon (2)]

14 Logon types
  Type                      Value
  Interactive               2
  Network                   3
  Batch                     4
  Service                   5
  Unlock                    7
  NetworkCleartext          8
  NewCredentials            9
  RemoteInteractive         10
  CachedInteractive         11
  CachedRemoteInteractive   12
  CachedUnlock              13

15 Status codes
  Status                          Value
  STATUS_WRONG_PASSWORD           0xC000006A
  STATUS_PASSWORD_RESTRICTION     0xC000006C
  STATUS_LOGON_FAILURE            0xC000006D
  STATUS_ACCOUNT_RESTRICTION      0xC000006E
  STATUS_INVALID_LOGON_HOURS      0xC000006F
  STATUS_INVALID_WORKSTATION      0xC0000070
  STATUS_PASSWORD_EXPIRED         0xC0000071
  STATUS_ACCOUNT_DISABLED         0xC0000072
  STATUS_LOGON_NOT_GRANTED        0xC0000155
  STATUS_LOGON_TYPE_NOT_GRANTED   0xC000015B
  STATUS_ACCOUNT_EXPIRED          0xC0000193
  STATUS_PASSWORD_MUST_CHANGE     0xC0000224
  STATUS_ACCOUNT_LOCKED_OUT       0xC0000234

16 Download err.exe
- version 2008: http://www.microsoft.com/en-us/download/details.aspx?id=985
- most up-to-date version: SDK for Windows 8.1, http://msdn.microsoft.com/en-us/windows/desktop/bg162891.aspx
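Decoding the Status/SubStatus of a 4625 logon failure with the NTSTATUS table from slide 15, falling back to err.exe for codes not in the table. This is an added example, not code from the presentation; the sample event, its user, domain and address are constructed.

```powershell
# Added example (not from the presentation): decode the Status/SubStatus fields of a
# 4625 logon failure with the NTSTATUS table from slide 15. The sample event below is
# constructed; the user, domain and address in it are made up.

$LogonStatus = @{
    '0xC000006A' = 'STATUS_WRONG_PASSWORD'
    '0xC000006C' = 'STATUS_PASSWORD_RESTRICTION'
    '0xC000006D' = 'STATUS_LOGON_FAILURE'
    '0xC000006E' = 'STATUS_ACCOUNT_RESTRICTION'
    '0xC000006F' = 'STATUS_INVALID_LOGON_HOURS'
    '0xC0000070' = 'STATUS_INVALID_WORKSTATION'
    '0xC0000071' = 'STATUS_PASSWORD_EXPIRED'
    '0xC0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xC0000155' = 'STATUS_LOGON_NOT_GRANTED'
    '0xC000015B' = 'STATUS_LOGON_TYPE_NOT_GRANTED'
    '0xC0000193' = 'STATUS_ACCOUNT_EXPIRED'
    '0xC0000224' = 'STATUS_PASSWORD_MUST_CHANGE'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
}

function Get-LogonFailureReason {
    param([Parameter(Mandatory)][xml]$EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # Status is usually the generic STATUS_LOGON_FAILURE; SubStatus holds the real cause.
    $code = if ($data['SubStatus'] -and $data['SubStatus'] -ne '0x0') { $data['SubStatus'] } else { $data['Status'] }
    # Hashtable keys are case-insensitive, so the event's lower-case 0xc000006a matches.
    $reason = if ($code) { $LogonStatus[$code] }
    if (-not $reason) { $reason = "unknown $code (look it up with err.exe $code)" }
    [pscustomobject]@{
        User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType = $data['LogonType']
        Source    = $data['IpAddress']
        Status    = $data['Status']
        SubStatus = $data['SubStatus']
        Reason    = $reason
    }
}

# Constructed sample of a 4625 event: wrong password on a network (type 3) logon
$sample = [xml]@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2014-05-20T09:15:30Z"/></System>
  <EventData>
    <Data Name="TargetUserName">jnovak</Data><Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="Status">0xc000006d</Data><Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data><Data Name="IpAddress">10.0.0.25</Data>
  </EventData>
</Event>
"@
Get-LogonFailureReason $sample

# Live use against the local Security log:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 20 |
#     ForEach-Object { Get-LogonFailureReason ([xml]$_.ToXml()) }
```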

17 Auditing (Network session) [diagram: Client, DC and the servers SQL / FS / WFE; labels: Account Logon (1), Logon (2)]

18 Auditing (Interactive logoff) [diagram: Client, DC and the servers SQL / FS / WFE; labels: Logoff (1), "immediately at logoff"]

19 Auditing (Network session) [diagram: Client, DC and the servers SQL / FS / WFE; labels: Logoff (1), "when TCP connection closed"]

20 PowerShell notes
- Get-WmiObject -Computer <name> -Query <WQL>
- useful properties: EventCode, InsertionStrings

21 Timestamps in LDAP
- pwdLastSet
- lastLogon (non-replicated)
- lastLogonTimestamp
- lockoutTime
- badPasswordTime (non-replicated)
- accountExpires

22 Logon timestamps [diagram: Client and three DCs; lastLogon per DC: 11:38, 9:00, - (none)]

23 Logon timestamps (2003 DFL) [diagram: Client and three DCs; lastLogon per DC: 11:38, 9:00, - (none); lastLogonTimestamp: 11:00 on all three DCs]

24 lastLogonTimestamp
- Requires 2003 domain functional level
- Updated only once per 14-random(5) days
  - configured on the domain object (DC=idtt,DC=local), attribute msDS-LogonTimeSyncInterval
  - 1+ : minimum without randomization
  - 5+ : randomization starts
  - 14 : the default
  - ...

25 Authentication failures [diagram: Client; PDC with pwd2; DC with pwd2; DC with pwd1]

26 Authentication failures [diagram: Client; DC badPasswordCount 3, 2; PDC badPasswordCount 7, lockoutTime; DC badPasswordCount 2]

27 Searching in LDAP
- (name=m*)
- (&(name=m*)(c=cz))
- (|(c=cz)(c=de))
- (!(c=cz))    (negation wraps a complete filter)
- (whenCreated>=20080323205258.0+1200)    (generalized time with a UTC offset)
- (whenCreated>=20080323205258.0Z)    (generalized time in UTC)
- (pwdLastSet>=128962296000000000)    (FILETIME: 100-ns ticks since 1601-01-01)
- (userAccountControl:1.2.840.113556.1.4.803:=2)    (bitwise-AND matching rule; bit 2 = account disabled)

28 PowerShell and DateTime
- get-date
- [DateTime]::Parse("2011-05-28")
- (get-date).AddDays(-50)
- ((get-date) - [DateTime]::Parse("1601-01-01")).Ticks
- ([DateTime]::Parse("2010-11-28") - [DateTime]::Parse("1601-01-01")).Ticks
- ((get-date).AddDays(-50) - [DateTime]::Parse("1601-01-01")).Ticks
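Slides 21 to 28 lead up to searching LDAP for accounts by timestamp; the following added example (not from the presentation) puts the pieces together: FILETIME conversion in both directions, the 14-day lastLogonTimestamp slack, and a stale-account filter run through the built-in DirectorySearcher. It assumes a domain-joined host; the 90-day cutoff and the function names are choices made here.

```powershell
# Added example (not from the presentation): build the stale-account LDAP filter
# that slides 21-28 work towards, with FILETIME conversion in both directions.
# Needs a domain-joined host; the 90-day cutoff and the function names are my choices.

function ConvertTo-FileTime {
    param([Parameter(Mandatory)][DateTime]$Date)
    # Same 100-ns ticks since 1601-01-01 that the slide computes with .Ticks, but taken
    # in UTC: subtracting from a local DateTime shifts the cutoff by the time-zone offset.
    return $Date.ToUniversalTime().ToFileTimeUtc()
}

function ConvertFrom-FileTime {
    param([Parameter(Mandatory)][Int64]$FileTime)
    # 0 means "never" for lastLogon, lastLogonTimestamp and pwdLastSet
    if ($FileTime -le 0) { return $null }
    return [DateTime]::FromFileTimeUtc($FileTime)
}

function New-StaleUserFilter {
    param([int]$Days = 90)
    # lastLogonTimestamp is refreshed only when older than 14-random(5) days, so the real
    # last logon may be up to 14 days newer than the attribute; widen the cutoff by that.
    $cutoff = ConvertTo-FileTime ((Get-Date).AddDays(-($Days + 14)))
    # 1.2.840.113556.1.4.803 = bitwise AND; userAccountControl bit 2 = account disabled.
    # Negation wraps a complete filter, (!(...)), never (!attr=value).
    return '(&(objectCategory=person)(objectClass=user)' +
           '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
           "(lastLogonTimestamp<=$cutoff))"
}

# [adsisearcher] is the built-in System.DirectoryServices.DirectorySearcher
$searcher = [adsisearcher](New-StaleUserFilter -Days 90)
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.AddRange([string[]]('sAMAccountName', 'lastLogonTimestamp', 'pwdLastSet'))
foreach ($r in $searcher.FindAll()) {
    # the filter guarantees lastLogonTimestamp is present; pwdLastSet is 0 when never set
    [pscustomobject]@{
        User               = $r.Properties['samaccountname'][0]
        LastLogonTimestamp = ConvertFrom-FileTime ([Int64]$r.Properties['lastlogontimestamp'][0])
        PwdLastSet         = ConvertFrom-FileTime ([Int64]$r.Properties['pwdlastset'][0])
    }
}
```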

29 Courses of the Gopas Computer School at www.gopas.cz
- GOC170 - AD Monitoring with SCOM and ACS
- GOC171 - Active Directory Troubleshooting
- GOC172 - Kerberos Troubleshooting
- GOC173 - Enterprise PKI
- GOC174 - SharePoint Architecture and Troubleshooting
- GOC175 - Advanced Security
- GOC169 - Auditing ISO/IEC 2700x
Get a TechEd 2014 T-shirt for filling in the evaluation questionnaire.
Gopas Computer School - your IT school for life
