
Contribution of Domain Controllers to the Integration of Windows 2008 with SSIM

Created: 27 Jan 2012 • Updated: 14 Feb 2012 | 2 comments
Avkash K

As Microsoft keeps adding features and technology to its products, security has matured alongside them. Given the size of the Windows user base, Microsoft continues to harden security at the OS level, and Windows Server 2008 is no exception.

With Server 2008, Microsoft added an extra layer of security at the OS boundary. Accessing any critical information on a 2k8 host is harder than before, and that includes the logs.

Event logs are the critical Windows component for tracking activity and weaknesses within the system. Because of this extra layer of security, a few additional constraints have to be configured before SSIM can fetch the security logs.

When integrating Win 2k8 with SSIM you can use either a local user or a domain user. Because of their security policies, most enterprise environments use a domain account, so that the ID is controlled centrally.

Below are the standard commands for granting read rights on the Security log to a particular domain user. The commands as written grant Network Service; substitute the domain account where noted.

Note: commands may vary with your environment.

rem Enable the WinRM service and its default HTTP listener (TCP 5985)
winrm quickconfig
rem Permit unencrypted SOAP on the HTTP listener. This only allows clients that do
rem not negotiate encryption; Kerberos/Negotiate sessions stay encrypted. Set it
rem back to "false" if the collector can negotiate encryption.
winrm set winrm/config/service @{AllowUnencrypted="true"}
rem Never accept Basic auth (cleartext credentials); Kerberos/Negotiate stays on
winrm set winrm/config/service/Auth @{Basic="false"}
rem Log collection needs no remote shell, so keep WinRS off
winrm set winrm/config/Winrs @{AllowRemoteShellAccess="false"}
rem Opens an ACL dialog: grant the collector account access to the WS-Man EventLog resource
winrm configSDDL http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog
rem Review the resulting configuration and listener
winrm get winrm/config
winrm enumerate winrm/config/Listener
rem Members of the local Event Log Readers group (S-1-5-32-573) get read access
rem through the channel ACL below; add the domain account here (placeholder
rem DOMAIN\collector-user) in place of, or as well as, Network Service
net localgroup "Event Log Readers" "NT Authority\Network Service" /add
rem Show the current channel ACL (channelAccess: line), then set it. 0x1 = read.
rem SY = SYSTEM, BA = Administrators, S-1-5-32-573 = Event Log Readers,
rem S-1-5-20 = Network Service. NS is the SDDL alias for S-1-5-20, so the second
rem form only repeats that ACE; run one of the two.
wevtutil gl security
wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)
wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)(A;;0x1;;;NS)
rem Open TCP 5985 for the collector (legacy netsh firewall syntax; netsh advfirewall
rem is the current form on 2008)
netsh firewall add portopening TCP 5985 "Windows Remote Management"

 

Taken together, these commands grant read rights on the Security log to the account you are using for collection. Once they have been run, that user can read the logs from the target Win 2k8 box.
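The host-side grant above, as an added PowerShell example that is not part of the original post and not Symantec's code. It generalises the Network Service commands to one named domain account: it resolves the account to a SID, adds it to the local Event Log Readers group, appends a read (0x1) ACE for that SID to the Security channel's SDDL only if one is not already there, and then parses the resulting SDDL so the ACEs can be checked rather than eyeballed. It assumes an elevated PowerShell on the target Windows Server 2008 host; the account name CORP\ssim-collector is a placeholder.

```powershell
# Added example, not from the original post. Run elevated on the target 2k8 host.
# $Account is an assumed placeholder for the collector's domain account.
$Account = 'CORP\ssim-collector'
$Channel = 'Security'

function Get-AccountSid([string]$Name) {
    # Resolve DOMAIN\user to its SID so the ACE survives an account rename
    $nt = New-Object System.Security.Principal.NTAccount($Name)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-ChannelSddl([string]$Log) {
    # wevtutil gl prints one "channelAccess: O:BAG:SYD:(...)" line; keep only the SDDL
    $line = wevtutil gl $Log | Where-Object { $_ -match '^channelAccess:' }
    $line -replace '^channelAccess:\s*', ''
}

function Get-ChannelAces([string]$Sddl) {
    # Parse the SDDL into ACE objects instead of substring-matching the string
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        New-Object PSObject -Property @{
            Type = $ace.AceType
            Sid  = $ace.SecurityIdentifier.Value
            Mask = [int]$ace.AccessMask     # 0x1 = read, 0x2 = write, 0x4 = clear
        }
    }
}

function Grant-ChannelRead([string]$Log, [string]$Sid) {
    $sddl = Get-ChannelSddl $Log
    $have = Get-ChannelAces $sddl | Where-Object { $_.Sid -eq $Sid -and ($_.Mask -band 1) }
    if ($have) { return "$Sid already has read (0x1) on $Log" }
    # Same 0x1 mask the Event Log Readers ACE uses; append rather than rewrite the ACL
    wevtutil sl $Log "/ca:${sddl}(A;;0x1;;;${Sid})"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed with exit code $LASTEXITCODE" }
    "granted read on $Log to $Sid"
}

function Add-EventLogReader([string]$Name) {
    # Group membership already carries read via the S-1-5-32-573 ACE, so this is
    # belt and braces alongside the explicit ACE above. Membership test is a
    # simple match on net localgroup's member listing.
    $members = net localgroup 'Event Log Readers'
    if ($members -contains $Name) { return "$Name already in Event Log Readers" }
    net localgroup 'Event Log Readers' $Name /add | Out-Null
    "added $Name to Event Log Readers"
}

$sid = Get-AccountSid $Account
Add-EventLogReader $Account
Grant-ChannelRead $Channel $sid
# Verify: every ACE now on the channel, with the new SID among them
Get-ChannelAces (Get-ChannelSddl $Channel) | Format-Table Type, Sid, Mask -AutoSize
```

Running it twice is safe: both the group add and the ACE append check for an existing entry first. The real proof is still a read of the Security log from the collector as that account; the ACE listing only shows the grant is in place on the host.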

Now the domain controllers come into the picture.

When you configure a sensor in the SSIM console, that configuration is pushed to the Agent and the Vista collector, and the collector uses the user ID and password you specified to authenticate against the DC.

The authentication request the collector generates uses the strongest encryption type available (generally AES). According to Microsoft, an encrypted session is mandatory for reading the security logs from a Win 2k8 server.

How the DC responds to that request depends on the domain functional level.

1) If the domain functional level is Windows Server 2008, the DC accepts every encryption type the collector can request, AES included, by default.

2) If the domain functional level is Windows Server 2003, the DC rejects the authentication request by default. The collector asks for AES, and a 2003-level domain does not support the AES Kerberos encryption types; it supports only RC4-HMAC. So you need to configure the collector to send its authentication request with the RC4-HMAC type.

The following property must be added to the collector's config.xml:

<property name="props">
     <props>
         <prop key="EncryptionTypes">rc4-hmac</prop>
      </props>
</property>

 

Even so, the account may still fail to authenticate against the DC because of some of its own properties.

In that case the following changes to the user object on the DC may be needed before Kerberos authentication works properly.

- Active Directory Users and Computers --> expand the domain --> Users --> right-click the user configured in the sensor --> Properties --> Attribute Editor --> select msDS-SupportedEncryptionTypes and enter the value 31. 31 is 0x1F, which enables every Kerberos encryption type: DES-CBC-CRC (1), DES-CBC-MD5 (2), RC4-HMAC (4), AES128 (8) and AES256 (16). If your policy forbids DES, 28 (0x1C) enables RC4 and both AES types without it.

- Same path --> Attribute Editor --> userAccountControl --> set the value to 512. 512 is 0x200, NORMAL_ACCOUNT with every other flag cleared, so the account is enabled, not restricted to DES keys, and still required to pre-authenticate. Check first that 512 does not drop a flag your environment relies on (for example "password never expires", 0x10000).

- Same path --> Account tab --> make sure that "Use Kerberos DES encryption types for this account" and "Do not require Kerberos preauthentication" are NOT selected. These are the userAccountControl bits 0x200000 and 0x400000, which the value 512 already clears.

- Reset the user's password (the same value as the existing one is fine) and make sure "User must change password at next logon" is not selected. The KDC derives the account's Kerberos keys for each enabled encryption type only when the password is set, so without a reset there is still no AES key for the account and AES authentication keeps failing.

That's it!

The DC user can now authenticate against the DC with any Kerberos encryption type.
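The DC-side account changes and the functional-level check, as an added PowerShell example that is not part of the original post and not Symantec's code. It uses the ActiveDirectory module (Windows Server 2008 R2 or RSAT), decodes the two numeric values the steps set so the change is auditable, warns when the domain functional level is below Windows Server 2008 (the case where the collector must be left on rc4-hmac), and applies the attribute, flag and password-reset steps in one function. It assumes a host with the ActiveDirectory module and rights to edit the user; the account name ssim-collector is a placeholder.

```powershell
# Added example, not from the original post. Needs the ActiveDirectory module
# (Windows Server 2008 R2 / RSAT) and rights to modify the user object.
# $Sam is an assumed placeholder for the collector account's sAMAccountName.
Import-Module ActiveDirectory
$Sam = 'ssim-collector'

# Bits of msDS-SupportedEncryptionTypes; 31 (0x1F) sets all five, 28 (0x1C) drops DES
$EncTypeBits = @{ 1 = 'DES-CBC-CRC'; 2 = 'DES-CBC-MD5'; 4 = 'RC4-HMAC';
                  8 = 'AES128-CTS-HMAC-SHA1-96'; 16 = 'AES256-CTS-HMAC-SHA1-96' }
function ConvertTo-EncTypeNames([int]$Value) {
    foreach ($bit in ($EncTypeBits.Keys | Sort-Object)) {
        if ($Value -band $bit) { $EncTypeBits[$bit] }
    }
}

# userAccountControl flags that matter for the steps above
$UAC_ACCOUNTDISABLE   = 0x2
$UAC_NORMAL_ACCOUNT   = 0x200      # 512: the value the steps set
$UAC_USE_DES_KEY_ONLY = 0x200000   # "Use Kerberos DES encryption types for this account"
$UAC_DONT_REQ_PREAUTH = 0x400000   # "Do not require Kerberos preauthentication"

function Test-DomainSupportsAes {
    # AES Kerberos keys need a Windows Server 2008 or later domain functional level
    $mode = "$((Get-ADDomain).DomainMode)"
    -not (@('Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain') -contains $mode)
}

function Get-KerberosAccountState([string]$Name) {
    $u   = Get-ADUser $Name -Properties 'msDS-SupportedEncryptionTypes', 'userAccountControl'
    $enc = [int]($u.'msDS-SupportedEncryptionTypes')   # unset attribute reads as 0
    $uac = [int]$u.userAccountControl
    $encNames = '(unset: DC default applies)'
    if ($enc) { $encNames = (ConvertTo-EncTypeNames $enc) -join ', ' }
    New-Object PSObject -Property @{
        Account   = $u.SamAccountName
        EncTypes  = $encNames
        UacRaw    = $uac
        Disabled  = [bool]($uac -band $UAC_ACCOUNTDISABLE)
        DesOnly   = [bool]($uac -band $UAC_USE_DES_KEY_ONLY)
        NoPreAuth = [bool]($uac -band $UAC_DONT_REQ_PREAUTH)
    }
}

function Set-CollectorKerberosAccount([string]$Name,
                                      [System.Security.SecureString]$NewPassword,
                                      [int]$EncTypes = 31) {
    # Step 1: advertise the encryption types the KDC may use for this account
    Set-ADUser $Name -Replace @{ 'msDS-SupportedEncryptionTypes' = $EncTypes }
    # Step 2 and 3: 512 = NORMAL_ACCOUNT only, which also clears the DES-only and
    # no-pre-auth bits. Check beforehand that it does not drop a flag you rely on.
    Set-ADUser $Name -Replace @{ userAccountControl = $UAC_NORMAL_ACCOUNT }
    # Step 4: keys for newly enabled etypes are derived only on a password set, so
    # reset it (same value is fine) and do not force a change at next logon
    Set-ADAccountPassword $Name -Reset -NewPassword $NewPassword
    Set-ADUser $Name -ChangePasswordAtLogon $false
    Get-KerberosAccountState $Name
}

if (-not (Test-DomainSupportsAes)) {
    Write-Warning 'Domain functional level is below Windows Server 2008: the KDC cannot issue AES keys; keep the collector on rc4-hmac.'
}
Get-KerberosAccountState $Sam | Format-List
# To apply the change (interactive, so the password never lands in a script):
# $pw = Read-Host -AsSecureString 'Password for the collector account'
# Set-CollectorKerberosAccount $Sam $pw | Format-List
```

Run the read-only part first: the state listing shows whether the DES-only or no-pre-auth bits are what is blocking authentication, or whether msDS-SupportedEncryptionTypes was simply never set. The apply call is left commented so the password reset is a deliberate step.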

Comments (2)

Shahnawaz:

Thanks for sharing the valuable information regarding 2k8 Integration.....It was much needed.

Srikanth_Subra:

Latest OS is best security.. hence integrating to latest is useful info.. Avkash..

Thanks & Regards,

 Srikanth.S

"Defeat the Defeat before the Defeat Defeats you"
(Swami Vivekananda)
