{"id":1538,"date":"2016-08-05T10:18:38","date_gmt":"2016-08-05T00:18:38","guid":{"rendered":"https:\/\/girl-germs.com\/?p=1538"},"modified":"2016-08-05T16:49:32","modified_gmt":"2016-08-05T06:49:32","slug":"domain-controller-security-logs-how-to-get-at-them-without-being-a-domain-admin","status":"publish","type":"post","link":"https:\/\/girl-germs.com\/?p=1538","title":{"rendered":"Domain Controller Security Logs &#8211; how to get at them *without* being a Domain Admin"},"content":{"rendered":"<p>So, I was (semi)recently tasked with getting service accounts out of our Domain Administrators group because, <a href=\"https:\/\/girl-germs.com\/?p=459\">as you know<\/a>, service accounts in the Domain Admins group is BAAAAD! One of the accounts in there was for our SIEM, used to get at Domain Controller security event logs &#8211; somewhat important to keep, log and monitor. For expediency&#8217;s sake, though, the service account had been added to the Domain Admins group&#8230;and now we&#8217;re trying to get it out of there.<\/p>\n<p>Well&#8230;let me tell you, it&#8217;s easier said than done!<\/p>\n<p>I should say that this information isn&#8217;t <strong>new<\/strong> information &#8211; it&#8217;s pretty standard, but I found it scattered around a <a href=\"https:\/\/blogs.technet.microsoft.com\/janelewis\/2010\/04\/30\/giving-non-administrators-permission-to-read-event-logs-windows-2003-and-windows-2008\/\">few<\/a> <a href=\"https:\/\/www.manageengine.com\/products\/active-directory-audit\/help\/admin\/domain-settings\/authentication-for-collecting-audit-data.html\">different<\/a> places, so I thought I&#8217;d collate what I&#8217;d found in one place for others, and for future reference for myself!<\/p>\n<p>Please bear in mind that these are the permissions required for the SIEM we use &#8211; you might find that what you&#8217;re trying to do needs more, or perhaps needs less. Ours is pulling logs across the network over WMI (which is why the DCOM and WMI bits below matter); if yours pushes logs from an agent, or is only accessing them locally, the list will be different. Remember, least privilege and all that jazz.<\/p>\n<hr \/>\n<p><strong>Service Account<\/strong> &#8211; so, first things first, create a service account that&#8217;s going to have the access &#8211; name it properly, add a description, all that good stuff. I&#8217;ll refer to the service account as (unsurprisingly) &lt;your service account&gt; in this run through.<\/p>\n<p>This only needs to be done once for the domain.<\/p>\n<p><strong>Addition to Domain Groups<\/strong> &#8211; add &lt;your service account&gt; to the following built-in domain groups:<\/p>\n<ul>\n<li><em>Event Log Readers<\/em> &#8211; this one should be pretty obvious, it needs to read the Event Log! (Its SID is S-1-5-32-573, which is why that SID already appears in the Security log&#8217;s access descriptor further down.)<\/li>\n<li><em>Distributed COM Users<\/em> &#8211; had to do some research for this one (not ashamed to admit!) to find out why. Remote WMI runs over DCOM, so a SIEM that pulls logs across the network (rather than having the server push them) needs the account to be allowed to launch, activate and call DCOM objects on the DC, and that is exactly what membership of this group grants.<\/li>\n<li><em>Remote Management Users<\/em> &#8211; similar to DCOM Users: members of this group can reach WMI resources over management protocols such as WinRM (subject to the WMI namespace permissions below), so a collector that connects that way needs the account in here.<\/li>\n<\/ul>\n<p>This only needs to be done once for the domain.<\/p>\n<p><strong>Change to Group Policy<\/strong> &#8211; there is a slight GPO change that will need to be done:<\/p>\n<ul>\n<li>You&#8217;ll need to modify the GPO you have set up for your Domain Controllers &#8211; this <strong>*should*<\/strong> be a different policy to the &#8220;Default Domain Controllers Policy&#8221;<\/li>\n<li>Modify:<br \/>\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment &#8211; &#8220;Manage auditing and security log&#8221; (add &lt;your service account&gt; to the existing entries &#8211; don&#8217;t replace them)<\/li>\n<li>This may not be required for all, but it was required for our SIEM. Be aware that this right (SeSecurityPrivilege) also lets the holder clear the Security log and change the auditing settings on objects, so if your collector will work without it, leave it out.<\/li>\n<\/ul>\n<p>This only needs to be done once for the domain.<\/p>\n<p><strong>WMI Permissions<\/strong> &#8211; you will need to modify the following within WMI (this set of instructions is for Windows Server 2012 R2):<\/p>\n<ul>\n<li>Open &#8216;Computer Management&#8217;<\/li>\n<li>Expand out &#8216;Services and Applications&#8217;<\/li>\n<li>Click on &#8216;WMI Control&#8217;<\/li>\n<li>Right-click and select &#8216;Properties&#8217;<\/li>\n<li>Select the &#8216;Security&#8217; tab<\/li>\n<li>Click on &#8216;Root&#8217;<\/li>\n<li>Click on &#8216;Security&#8217; (bottom right corner)<\/li>\n<li>Click &#8216;Add&#8230;&#8217; and add &lt;your service account&gt;<\/li>\n<li>Give this account the following rights:\n<ul>\n<li><em>Execute Methods<\/em> &#8211; may be required, suggest testing without this permission first<\/li>\n<li><em>Provider Write<\/em> &#8211; may be required, suggest testing without this permission first<\/li>\n<li><em>Enable Account<\/em> &#8211; the bare minimum of what&#8217;s required for most products that want your Event Logs (it appears)<\/li>\n<li><em>Remote Enable<\/em> &#8211; this is what allows a remote connection to the namespace at all, so if your collector is pulling over WMI from another box, expect to need it; only a collector running locally on the DC can do without it<\/li>\n<\/ul>\n<\/li>\n<li>Under &#8216;Advanced&#8217;, check what the new entry applies to: the Win32_NTLogEvent class that event log collectors query lives in root\\cimv2, so the entry either needs to apply to &#8216;This namespace and subnamespaces&#8217; or be repeated on root\\cimv2<\/li>\n<\/ul>\n<p>This needs to be done on every Domain Controller*.<\/p>\n<p><strong>Registry changes<\/strong> &#8211; you&#8217;ll need to modify the registry in the following ways:<\/p>\n<ul>\n<li>Modify the permissions on<br \/>\nHKLM\\SYSTEM\\CurrentControlSet\\Services\\Eventlog\\Security &#8211; give &lt;your service account&gt; &#8216;Read&#8217; permissions<\/li>\n<li>Modify the following registry value:\n<ul>\n<li>HKLM\\SYSTEM\\CurrentControlSet\\Services\\Eventlog\\Security\\CustomSD<\/li>\n<li>Add the following to the end:<br \/>\n(A;;0x7;;;S-1-5-32-562)<\/li>\n<li>This is adding the <a href=\"https:\/\/support.microsoft.com\/en-us\/kb\/243330\">Distributed COM Users (S-1-5-32-562)<\/a> group to the Security event log&#8217;s security descriptor. In these event log SDDL strings the access mask bits are 0x1 = read, 0x2 = write and 0x4 = clear, so 0x7 hands out all three. If all your collector does is read (and that is all a SIEM should be doing), use (A;;0x1;;;S-1-5-32-562) instead &#8211; read is what the existing Event Log Readers entry (S-1-5-32-573) gets &#8211; or, tighter still, put &lt;your service account&gt;&#8217;s own SID in the ACE rather than the whole group. The ability to clear the Security log on a DC is precisely what an attacker wants for covering their tracks, so don&#8217;t hand it to a group you don&#8217;t have to.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Now, I found that I also had to run the following (maybe I hadn&#8217;t done the registry stuff right the first time), so you may need to as well:<\/p>\n<p><code>wevtutil sl security \/ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)(A;;0x7;;;S-1-5-32-562)<\/code><\/p>\n<p>Now, this *should* do the same thing as the modification of the registry, but it didn&#8217;t for me. Both actions were required, as a check of &#8216;wevtutil gl security&#8217; didn&#8217;t show the listing as in the registry key until the &#8216;wevtutil sl security&#8217; command was run. The reason is that they are two different values. CustomSD under Services\\Eventlog\\Security is the legacy descriptor, consulted by the old Event Logging API (the path the classic WMI Win32_NTLogEvent provider uses), whereas &#8216;wevtutil sl \/ca&#8217; writes the ChannelAccess value under HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Security, which is what the Windows Event Log API (and &#8216;wevtutil gl&#8217;) uses. A collector that uses both paths needs both. Don&#8217;t paste my string blindly either: run &#8216;wevtutil gl security&#8217; first and append your ACE to whatever channelAccess it already shows, and note that the same 0x7 caveat as above applies to the last ACE.<\/p>\n<p>This needs to be done on every Domain Controller*.<\/p>\n<p><strong>Service restarts<\/strong> &#8211; the following restarts are required, unless you&#8217;re planning on restarting the server:<\/p>\n<ul>\n<li>&#8220;Windows Remote Management (WS-Management)&#8221; service<\/li>\n<li>&#8220;Windows Event Log&#8221; service<\/li>\n<\/ul>\n<p>This needs to be done on every Domain Controller*.<\/p>\n<p><span style=\"text-decoration: underline;\">*Note<\/span> &#8211; the things that are marked as &#8220;every Domain Controller&#8221; can be scripted and done via GPOs, but due to the small number of machines involved and our aversion to scripts in GPOs, we preferred to do this manually.<\/p>\n<hr \/>\n<p>So that&#8217;s it &#8211; from what I&#8217;ve found, this is what was required for a service account tied to a SIEM to be able to view and pull Security event log data. I would also assume that this would be very similar for other logs (e.g. Application or System), just with some minor modifications; in fact those logs are less fussy, and Event Log Readers membership on its own is normally enough to read them, with no CustomSD or user right changes.<\/p>\n<p>If you feel I&#8217;ve missed something, or feel I&#8217;ve done something wrong, let me know. Always open to comments and criticisms!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>So, I was (semi)recently tasked with getting service accounts out of our Domain Administrators group because, as you know, service accounts in the Domain Admins group is BAAAAD! One of the accounts in there was for our SIEM, used to get at Domain Controller security event logs &#8211; somewhat important to keep, log and monitor. For expediency&#8217;s sake,&#8230; <a href=\"https:\/\/girl-germs.com\/?p=1538\">Read more &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"New blog post! \"Domain Controller Security Logs - how to get at them *without* being a Domain Admin\"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[5,328,2,7],"tags":[344,388,389,387,391,390],"class_list":["post-1538","post","type-post","status-publish","format-standard","hentry","category-sys-admin","category-techstuff","category-technology","category-work","tag-domain-controllers","tag-event-logs","tag-events","tag-logging","tag-service-account","tag-siem"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p2Tmk1-oO","jetpack_sharing_enabled":true,"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/girl-germs.com\/index.php?rest_route=\/wp\/v2\/posts\/1538","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/girl-germs.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/girl-germs.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/girl-germs.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/girl-germs.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1538"}],"version-history":[{"count":6,"href":"https:\/\/girl-germs.com\/index.php?rest_route=\/wp\/v2\/posts\/1538\/revisions"}],"predecessor-version":[{"id":1553,"href":"https:\/\/girl-germs.com\/index.php?rest_route=\/wp\/v2\/posts\/1538\/revisions\/1553"}],"wp:attachment":[{"href":"https:\/\/girl-germs.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1538"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/girl-germs.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1538"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/girl-germs.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1538"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
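The "every Domain Controller" steps of the post above (WMI namespace security on root, Read on the legacy Eventlog\Security key, the legacy CustomSD descriptor, the channel access that wevtutil writes, and the two service restarts) as one PowerShell script, plus the two read checks a practitioner would run afterwards. This is an added example, not code from the original post or from any SIEM vendor. It assumes the service account is CONTOSO\svc-siem and the DC is DC01 (both placeholders), that it is run elevated on each DC, and it deliberately grants read only (0x1) to the account's own SID rather than 0x7 to Distributed COM Users, which is the tighter variant the post's caveats point at; if your collector genuinely needs the group-wide entry, substitute the post's ACE. The group memberships and the "Manage auditing and security log" user right stay in AD and GPO as the post describes.

```powershell
# Added example (not from the original post). Run elevated on each Domain Controller.
# Assumption: CONTOSO\svc-siem is the SIEM service account (placeholder name).
$svc = 'CONTOSO\svc-siem'
$sid = (New-Object System.Security.Principal.NTAccount($svc)).Translate([System.Security.Principal.SecurityIdentifier]).Value

# --- 1. WMI namespace security: Enable Account + Remote Enable on root, inherited by sub-namespaces ---
# WMI namespace access mask bits: 0x1 = WBEM_ENABLE (Enable Account), 0x20 = WBEM_REMOTE_ACCESS (Remote Enable).
$wmi  = @{ Namespace = 'root'; Path = '__SystemSecurity=@' }
$desc = (Invoke-WmiMethod -Name GetSecurityDescriptor @wmi).Descriptor
$trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
$trustee.SIDString = $sid
$ace = ([wmiclass]'Win32_ACE').CreateInstance()
$ace.AccessMask = 0x1 -bor 0x20
$ace.AceFlags   = 0x2          # CONTAINER_INHERIT_ACE: applies to root\cimv2 (where Win32_NTLogEvent lives) as well
$ace.AceType    = 0            # ACCESS_ALLOWED_ACE_TYPE
$ace.Trustee    = $trustee
$desc.DACL += $ace.PSObject.ImmediateBaseObject
$r = Invoke-WmiMethod -Name SetSecurityDescriptor -ArgumentList $desc.PSObject.ImmediateBaseObject @wmi
if ($r.ReturnValue -ne 0) { throw "SetSecurityDescriptor on root failed with $($r.ReturnValue)" }

# --- 2. Read on the legacy Eventlog\Security key ---
$legacyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
$acl  = Get-Acl -Path $legacyKey
$rule = New-Object System.Security.AccessControl.RegistryAccessRule($svc, 'ReadKey', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $legacyKey -AclObject $acl

# --- 3. Legacy CustomSD (consulted by the old Event Logging API, e.g. WMI's Win32_NTLogEvent) ---
# Event log SDDL mask bits: 0x1 = read, 0x2 = write, 0x4 = clear. Read is all a collector needs.
$readAce  = "(A;;0x1;;;$sid)"
$customSD = (Get-ItemProperty -Path $legacyKey -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
if ($null -eq $customSD) {
    Write-Warning "No CustomSD value on $legacyKey on this DC; skipping the legacy descriptor."
} elseif ($customSD -notlike "*$readAce*") {
    Set-ItemProperty -Path $legacyKey -Name CustomSD -Value ($customSD + $readAce)
}

# --- 4. ChannelAccess (consulted by the Windows Event Log API; this is what 'wevtutil gl' shows) ---
# Append to whatever the DC already has instead of pasting a fixed string.
$current = ((wevtutil gl Security) | Where-Object { $_ -like 'channelAccess:*' }) -replace '^channelAccess:\s*', ''
$current = $current.Trim()
if ($current -notlike "*$readAce*") {
    wevtutil sl Security "/ca:$current$readAce"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl Security failed with exit code $LASTEXITCODE" }
}

# --- 5. The two restarts the post lists (or reboot the DC) ---
Restart-Service -Name WinRM
Restart-Service -Name EventLog -Force   # -Force also bounces dependents; if Windows refuses, reboot instead

# --- 6. Verify from another machine as the service account (assumption: the DC is DC01) ---
# Each check exercises one of the two descriptors above, so a failure tells you which one is wrong.
$cred = Get-Credential -UserName $svc -Message 'SIEM service account password'
# Windows Event Log API path over RPC: honours ChannelAccess.
Get-WinEvent -ComputerName DC01 -LogName Security -MaxEvents 3 -Credential $cred
# Legacy path over DCOM/WMI: honours CustomSD plus the WMI namespace ACL and the DCOM Users membership.
Get-WmiObject -ComputerName DC01 -Credential $cred -Class Win32_NTLogEvent -Filter "Logfile='Security'" |
    Select-Object -First 3 EventCode, TimeGenerated
```

Step 6 is meant to be run from the collector host, not on the DC. If step 6's Get-WinEvent works but the Win32_NTLogEvent query is denied, the problem is in the WMI namespace ACL, the DCOM Users membership or CustomSD; if it is the other way round, look at ChannelAccess.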