As such, it's a good idea to get a report whenever an AD user account is locked out, if only so that an administrator can see that the same account is being locked out repeatedly and is therefore potentially the target of a repeated password-guessing attack.
There are Active Directory tools and log-reporting suites that do a great job of this task and a whole lot more, but for smaller shops they can be too expensive or too complex to install and maintain.
A simple control is a small Windows PowerShell script that emails all Active Directory user lockout events from the last 24 hours. If the same account is repeatedly locked out, you either have a very distressed user or a possible password-guessing attack.
The following is designed for Windows Server 2003 Domains.
Windows PowerShell (2.0) Script: LOCKOUT-ALERT.PS1
# record the start time of this run
$start = Get-Date
# get 644 (User Account Locked Out) events from server ad1 for the last 24 hours
$msg_ad1 = Get-EventLog -LogName Security -ComputerName ad1 | Where-Object { $_.EventID -eq 644 -and $_.TimeGenerated -gt (Get-Date).AddHours(-24) } | Format-List | Out-String
# same again for server ad2
$msg_ad2 = Get-EventLog -LogName Security -ComputerName ad2 | Where-Object { $_.EventID -eq 644 -and $_.TimeGenerated -gt (Get-Date).AddHours(-24) } | Format-List | Out-String
# ... repeat for each domain controller in your domain ...
# record the end time of this run
$end = Get-Date
$msg = $msg_ad1 + $msg_ad2
if ($msg) { # only send mail if there is anything to report
    $msg = "Script run on hostname. " + $start.ToString() + $msg + $end.ToString()
    Send-MailMessage -To "itadmin@mydomain.com" -Subject "Lockout Alerts" -Body $msg -SmtpServer "10.10.10.10" -From "lockout@domain.com"
}
Steps to install and configure Event 644 lockout monitoring:
- Ensure that your Security Event log on each server is set large enough to hold well over 24 hours of logging.
- Install PowerShell (http://support.microsoft.com/kb/968929) if not already installed.
- Start > Programs > Accessories > Windows Power Shell > Windows Power Shell
- In order to run PowerShell scripts you need to execute the following command within PowerShell: Set-ExecutionPolicy Unrestricted
- Create a batch script to run the PowerShell script, one-line: c:\windows\system32\windowspowershell\v1.0\powershell.exe -NoLogo -NonInteractive c:\apps\ps\lockout-alert.ps1
- Schedule the script to run once a day.
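The script above mails the raw event text; the point made in the introduction (the same account locked out repeatedly) is easier to spot if the report counts lockouts per account. The following is an added example, not the original post's script: it loops over a list of domain controllers, filters to event 644 on the server side, and flags any account locked out more than once in the window. It assumes PowerShell 2.0, that the DC names, mail addresses and SMTP server are edited to match your environment, and that the 2003 event text contains "Target Account Name: <user>" (with ReplacementStrings[0] as a fallback).

```powershell
# Added example: per-account lockout summary across all DCs (not the post's original script)
$dcs       = @("ad1", "ad2")            # edit: your domain controllers
$window    = (Get-Date).AddHours(-24)   # report window
$threshold = 2                          # this many lockouts of one account = flag it
$events    = @()

foreach ($dc in $dcs) {
    try {
        # -After filters on the remote side instead of pulling the whole Security log
        $events += Get-EventLog -LogName Security -ComputerName $dc -After $window |
            Where-Object { $_.EventID -eq 644 } |
            ForEach-Object {
                # Assumption: 2003 event 644 text carries "Target Account Name: <user>";
                # fall back to the first replacement string if the regex does not match.
                $acct = if ($_.Message -match 'Target Account Name:\s+(\S+)') { $matches[1] } else { $_.ReplacementStrings[0] }
                New-Object PSObject -Property @{ DC = $dc; Time = $_.TimeGenerated; Account = $acct; Message = $_.Message }
            }
    } catch {
        # a DC that cannot be reached should not silently drop the whole report
        Write-Warning "Could not read the Security log on ${dc}: $_"
    }
}

if ($events.Count -gt 0) {
    $body = "Lockout report run on $env:COMPUTERNAME, window starting $($window.ToString())`r`n`r`n"
    # one line per account, most-locked-out first, with repeat offenders marked
    $summary = $events | Group-Object Account | Sort-Object Count -Descending
    foreach ($g in $summary) {
        $flag = if ($g.Count -ge $threshold) { "  <-- REPEATED, check for password guessing" } else { "" }
        $body += ("{0,-25} {1,3} lockout(s){2}`r`n" -f $g.Name, $g.Count, $flag)
    }
    # full event details follow the summary so the admin can see caller machine names
    $body += "`r`nDetails:`r`n" + ($events | Sort-Object Time | Format-List DC, Time, Account, Message | Out-String)
    Send-MailMessage -To "itadmin@mydomain.com" -From "lockout@domain.com" -Subject "Lockout Alerts" -Body $body -SmtpServer "10.10.10.10"
}
```

Schedule it exactly like the original script; the summary block at the top of the mail is where a repeated lockout of one account stands out.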