
Subject: RE: [ActiveDir] Audit Problem: NTLMv1 Logon Events from 2003, Not 2008 Member (IIS) Servers
Author: chaselton

03/11/2013 4:21 PM  
The big problem is that the NTLMv1 events from 2008 R2 servers are not recorded in the event logs on the domain controllers while the NTLMv1 events from the 2003 servers are. The event subscription is just a way to collect the event logs in the domain in one place.


sent from mobile


-------- Original message --------
From: Brian Arkills <barkills@xxxxxxxxxxxxxxxx>
Date:
To: activedir@xxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Audit Problem: NTLMv1 Logon Events from 2003, Not 2008 Member (IIS) Servers


I'm a little confused about what isn't working correctly from your point of view. I've re-read this thread a couple times, and I'm not sure which of the following it is that you are interested in (and maybe it's both).

Is it that the NTLM info events aren't showing up in the logs of the DCs? Or that the event subscription on the member servers where the NTLM events happen doesn't send the events that do get logged?

In terms of other things to consider, I wonder if the netlogon log might be useful. It doesn't have event subscription functionality, but it might have something useful to you in it.

From: activedir-owner@xxxxxxxxxxxxxxxx [mailto:activedir-owner@xxxxxxxxxxxxxxxx] On Behalf Of Cynthia Haselton
Sent: Monday, March 11, 2013 4:21 AM
To: activedir@xxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Audit Problem: NTLMv1 Logon Events from 2003, Not 2008 Member (IIS) Servers

Again, if anyone has info...even if it's about what or where to look next...it would be greatly appreciated.


sent from mobile


-------- Original message --------
From: Cynthia Haselton <chaselton@xxxxxxxxxxxxxxxx>
Date:
To: activedir@xxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Audit Problem: NTLMv1 Logon Events from 2003, Not 2008 Member (IIS) Servers

Update:
I've confirmed that a second 2008 R2 server logs NTLMv1 events (ID 4624) locally but those same events are not logged at the domain controller.
That second 2008 R2 server also logs Credential Validation events on the domain controllers.

I wonder if this is a change in auditing functionality, intended to be an enhancement?

-----Original Message-----
From: activedir-owner@xxxxxxxxxxxxxxxx [mailto:activedir-owner@xxxxxxxxxxxxxxxx] On Behalf Of Cynthia Haselton
Sent: Thursday, March 07, 2013 12:28 PM
To: activedir@xxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Audit Problem: NTLMv1 Logon Events from 2003, Not 2008 Member (IIS) Servers

The subscription filter is one that was posted on a couple of technet blogs:

<QueryList>
  <Query Id="0" Path="Security">
    <!-- EventID alternation grouped explicitly: XPath "and" binds tighter than "or",
         so the unparenthesised form matched every 4625 regardless of provider -->
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and ((EventID=4624) or (EventID=4625))] and EventData[Data[@Name='LmPackageName']!='-'] and EventData[Data[@Name='LmPackageName']!='NTLM V2']]</Select>
  </Query>
</QueryList>

One more audit related piece of info before I drop it entirely:
Turning on Credential Validation (on the domain controller policy and on the member server) does capture credential validations from the server in the domain controller logs...which I've observed by creating a separate subscription for event IDs related to Credential Validation. It doesn't report the NTLM version of course, but the fact that this event is being captured may be a clue.

-----Original Message-----
From: activedir-owner@xxxxxxxxxxxxxxxx [mailto:activedir-owner@xxxxxxxxxxxxxxxx] On Behalf Of Steve Kradel
Sent: Thursday, March 07, 2013 9:53 AM
To: activedir@xxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Audit Problem: NTLMv1 Logon Events from 2003, Not 2008 Member (IIS) Servers

What exactly does your subscription filter look like? Does it include any parameters beyond event ID? Since you note that event 4624 is being captured on the 2008R2 hosts but is simply not forwarded, I wouldn't focus any more attention on the audit policy itself.

--Steve

On Thu, Mar 7, 2013 at 10:10 AM, Cynthia Haselton <chaselton@xxxxxxxxxxxxxxxx> wrote:
> Update:
>
> To add to the mystery I checked the auditing settings on both the 2008 R2 member server I'm troubleshooting and the domain controller using auditpol /get /category:* after reading this article:
> http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx
>
> Unless I'm reading the output wrong, auditing is set correctly to pick up NTLMv1 from the member server to the event subscription I set up (pulling NTLMv1 from all of the domain controllers).
>
> Any help would be much appreciated...
>
> From: activedir-owner@xxxxxxxxxxxxxxxx [mailto:activedir-owner@xxxxxxxxxxxxxxxx] On Behalf Of Cynthia Haselton
> Sent: Wednesday, March 06, 2013 9:46 AM
> To: 'ActiveDir@xxxxxxxxxxxxxxxx'
> Subject: [ActiveDir] Audit Problem: NTLMv1 Logon Events from 2003, Not 2008 Member (IIS) Servers
>
> We have a 2008 R2 forest that we upgraded from 2003 by promoting 2008 R2 DCs and demoting the old ones. I'm assuming this means that the old audit policy...from the legacy Security Settings>Local Policies>Audit Policies node...was carried over. That policy was set to Success/Failure for both account logon and logon. We're auditing NTLMv1 in our environment using a combination of scheduled scripts and an event subscription that pulls NTLMv1 events from all of the domain controllers in the forest.
>
> It appears that NTLMv1 events (id 4624) from 2003 servers are caught in this filter but those same events from 2008 R2 servers are not. If I RDP to a 2008 R2 server and create a custom view using the same filter I used in the event subscription, I can see the NTLMv1 events that aren't being captured in the event subscription. The two servers I'm troubleshooting with both run IIS...the 2003 and 2008 R2 flavors.
>
> I tried configuring Advanced Auditing policies on the OU containing the 2008 R2 servers. I set the "Force audit policy subcategory..." setting to Enabled, and configured the Logon subcategory, Audit Logon to Success. No change. I backed out of the advanced auditing policy configuration, and set the legacy policies to Success/Failure. No change.
>
> Has anyone run into something like this? Shouldn't I be able to catch NTLMv1 events from 2008 R2 servers in the event subscription I set up?
>
> Cynthia J. Haselton
>

List info: http://www.activedir.org/List.aspx
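As an added example (not code from this thread or its participants), the PowerShell below applies the thread's LmPackageName filter directly to the member servers, where the thread confirms the 4624 events are actually written, instead of to the DCs, which only see the Credential Validation events that carry no NTLM version. It assumes Windows Server 2008 R2 or later member servers reachable with Get-WinEvent; the server names are placeholders.

```powershell
# Added example, not from the thread: collect NTLM logon events from the member
# servers themselves, since 4624 is logged where the logon happens, not on the DC.
$Servers = @('IIS2008R2-01', 'IIS2008R2-02')   # assumption: your 2008 R2 IIS hosts
# Same intent as the subscription filter, with the EventID alternation grouped
# explicitly (XPath "and" binds tighter than "or") and limited to the last 24 hours.
$Query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[Provider[@Name='Microsoft-Windows-Security-Auditing']
        and (EventID=4624 or EventID=4625)
        and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]
        and EventData[Data[@Name='LmPackageName']!='-']
        and EventData[Data[@Name='LmPackageName']!='NTLM V2']]
    </Select>
  </Query>
</QueryList>
"@
$Results = foreach ($Server in $Servers) {
    try {
        $Events = Get-WinEvent -ComputerName $Server -FilterXml $Query -ErrorAction Stop
    } catch {
        # Get-WinEvent throws rather than returning nothing when no event matches
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$Server : $($_.Exception.Message)"
        }
        continue
    }
    foreach ($E in $Events) {
        # Flatten the EventData <Data Name="..."> elements into a hashtable
        $Data = @{}
        foreach ($Item in ([xml]$E.ToXml()).Event.EventData.Data) { $Data[$Item.Name] = $Item.'#text' }
        [pscustomobject]@{
            Server      = $Server
            TimeCreated = $E.TimeCreated
            EventID     = $E.Id
            Account     = "$($Data['TargetDomainName'])\$($Data['TargetUserName'])"
            LogonType   = $Data['LogonType']
            Workstation = $Data['WorkstationName']
            SourceIP    = $Data['IpAddress']
            LmPackage   = $Data['LmPackageName']   # 'NTLM V1' is what we are hunting
        }
    }
}
# Summarise NTLMv1 use by server, account and source so each client can be remediated
$Results | Where-Object { $_.LmPackage -eq 'NTLM V1' } |
    Group-Object Server, Account, SourceIP | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The same query string can be pasted into a collector-initiated subscription whose source computers are the member servers rather than the DCs, which is the configuration the thread's observations point to.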

