Detect interactive logins

This topic contains 4 replies, has 2 voices, and was last updated by RicklesP 3 months, 2 weeks ago.

confuseis (Participant) #617873

    Hi

    We are using a Server 2008 R2 DFL

    I’m looking to detect “interactive” logins via a PowerShell script; however, I don’t see an interactive logon property on user accounts.

    I have searched online and see a group policy to show interactive logon messages but didn’t see clearly how to enable interactive login auditing of user accounts.

    From what I can gather I’d set a policy on domain controllers telling them to record interactive logins, and thereafter I can use PowerShell to fetch this information.

    I can’t seem to find the specific steps to toggle the auditing of interactive logins to on within group policy.

    Am I on the right track?

    RicklesP (Participant) #617943

    Active Directory deals with all logins, interactive or otherwise. What you want to do is monitor the security logs for all successful logins, but inside each one of those events will be a numeric value which tells you what type of login it was: interactive, RDP, etc. Using our old friend Google, a search for “active directory login types” comes up with a wealth of info about this. The first link gives you a list of login types vs their numerical values as seen in the events:
    1 – Interactive. Console logons basically.
    2 – Network. This logon happens when you’re accessing file shares using SMB, for example.
    3 – Batch. …
    4 – Service. …
    5 – Unlock. …
    6 – Network Cleartext. …
    7 – New Credentials. …
    8 – Remote Interactive.

    Use your script to search the Security log on each DC you have, and only record the events with Logon Type = ‘1’. Of course, this assumes you have success auditing turned on for your security info, so there’s an event log to read from.

    confuseis (Participant) #618205

    Hi

    I’ve enabled the group policy to audit the logon events, and afterwards I’m able to get the logon detail from PowerShell, including logon type 2 (representing the interactive logon) on the workstation.

    Using:

    $Event = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=(Get-Date).Date} | Where-Object { $_.Properties[8].Value -eq 2 }

    When I run the script on the server, however, I don’t see that it is aware of the workstation login and I cannot find the same result there.

    The idea is to have visibility of all workstation logins.

    Would I be correct assuming the logs are only held on the workstation itself and not passed to the DC?

    If that is so, then would the best strategy be to query the log info remotely against each workstation?

    So PowerShell has to fetch from each and every workstation, not from the DC?

    RicklesP (Participant) #618207

    When you have a domain setup, authentication on a workstation involves security events on the DC. You shouldn’t have to script every workstation to track logins. I’ll have to have a look at my domain system at work to see what your script instruction will reveal. I’m assuming you can see that event if you look at the security logs? If you can, but your script isn’t giving you results for that event, then the script command needs adjustment. My customer site uses a 3rd-party tool for log event monitoring, so I haven’t had to try PowerShell for extracting this.

    As well, if you’re running Server 2008 R2 or newer, with Win7 or newer, you should be able to use ‘event forwarding’ from your clients to pretty much any server to hold that info, so you still wouldn’t need to run your captures against the clients. Just scan what’s recorded on the server.

    If you’re interested in tracking local machine admin logins as well as domain user/domain admin, then you may have no choice but to have your script solution running on the clients. A login is a check of creds against a security catalog. In a domain, all logins check creds against Active Directory. But even in a domain, if you use the local machine administrator creds, you’re using that machine’s own security catalog, not the domain. Regarding my earlier comment about event forwarding, I assume your forwarding rule would include such events in this case, but again, I’ve never tried it.

    RicklesP (Participant) #618336

    Apologies, confuseis, but my checking shows that you’ll either have to check each client machine, or use the Event Forwarding capability available since server 2008 to get the clients to forward your desired events to the Subscription host as a central collection, and query that store. As an aid, Google has found a site which I think will explain things very well about Event Forwarding: “https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/”.

    Your script works as written on a client’s Security log, but that same event is not duplicated on the DC. There are other events written on the DC, but if you use roaming profiles and profile folder redirects, all of those access credential checks are logged in the same time interval, so you end up with a huge load of events for all of that activity.
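Both approaches the thread ends on (querying each client's Security log remotely, or querying the ForwardedEvents log on a Windows Event Forwarding collector) can be served by one function. The script below is an added example, not code from either poster. It takes the LogonType filter confuseis used (2 = Interactive, the value seen for a console logon) and extends it with 10 (RemoteInteractive, i.e. RDP) and 11 (CachedInteractive), the other interactive logon types recorded in Event ID 4624. The filter is expressed as an XPath query so that only matching events are returned by the remote machine, rather than pulling every 4624 and filtering on $_.Properties[8] afterwards. The computer names in the usage lines are placeholders.

```powershell
# Added example (not from the thread): collect interactive logons (Event ID 4624)
# from each workstation's Security log, or from a WEF collector's ForwardedEvents log.
function Get-InteractiveLogon {
    [CmdletBinding()]
    param(
        # Machines to query; for a WEF collector pass the collector's name once.
        [Parameter(Mandatory)][string[]]$ComputerName,
        # 'Security' when querying clients directly, 'ForwardedEvents' on a collector.
        [ValidateSet('Security', 'ForwardedEvents')][string]$LogName = 'Security',
        # 2 = Interactive (console), 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
        [int[]]$LogonType = @(2, 10, 11),
        [datetime]$StartTime = (Get-Date).Date
    )

    # EventData/Data[@Name='LogonType'] is the same field the thread reads as
    # $_.Properties[8].Value; filtering in XPath keeps the work on the remote side.
    $typeClause = ($LogonType | ForEach-Object { "Data[@Name='LogonType']='$_'" }) -join ' or '
    $ms = [int64]((Get-Date) - $StartTime).TotalMilliseconds
    $xml = @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">
      *[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]
      and *[EventData[$typeClause]]
    </Select>
  </Query>
</QueryList>
"@

    foreach ($computer in $ComputerName) {
        try {
            $events = Get-WinEvent -ComputerName $computer -FilterXml $xml -ErrorAction Stop
        }
        catch {
            # "No events were found" is normal on an idle machine; anything else means
            # the host, the log, or remote Event Log access (RPC/firewall) is unavailable.
            if ($_.Exception.Message -notmatch 'No events were found') {
                Write-Warning "$computer : $($_.Exception.Message)"
            }
            continue
        }
        foreach ($e in $events) {
            # Read named fields from the event XML instead of positional indexes so a
            # change in field order on a newer OS does not silently break the parse.
            $data = @{}
            foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                QueriedFrom = $computer
                Workstation = $e.MachineName   # on a collector this is the original client
                Time        = $e.TimeCreated
                User        = "$($data.TargetDomainName)\$($data.TargetUserName)"
                LogonType   = [int]$data.LogonType
                LogonId     = $data.TargetLogonId
                SourceIp    = $data.IpAddress
            }
        }
    }
}

# Usage, per-client (placeholder names; needs remote Event Log access to each host):
# Get-InteractiveLogon -ComputerName 'WS01', 'WS02' | Format-Table -AutoSize
# Usage, against a WEF collector's ForwardedEvents log (placeholder name):
# Get-InteractiveLogon -ComputerName 'WEFCOLLECTOR' -LogName ForwardedEvents | Format-Table -AutoSize
```

The User column carries the TargetDomainName, so a logon with a machine-local account (RicklesP's local administrator case) shows the workstation name in place of the domain and is distinguishable from domain logons in the same output. The DC does not write a type 2 4624 for a console logon on a member workstation; the workstation holds that record, which is why a collector (or a per-client query) is needed to see them centrally.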
