All Products
Search
Document Center

:Brief description of security audit logs in ECS instances of Windows

Last Updated:May 13, 2022

Disclaimer: This article may contain information about third-party products. Such information is for reference only. Alibaba Cloud does not make a guarantee in any form of the performance and reliability of the third-party products, and potential impacts of operations on these products.

Overview

This topic describes the security audit logs of ECS instances in Windows.

Details

Take note of the following items:

  • Before you perform high-risk operations such as modifying the specifications or data of an Alibaba Cloud instance, we recommend that you check the disaster recovery and fault tolerance capabilities of the instance to ensure data security.
  • Before you modify the specifications or data of an Alibaba Cloud instance, such as an Elastic Compute Service (ECS) instance or an ApsaraDB RDS instance, we recommend that you create snapshots or enable backups for the instance. For example, you can enable log backups for an ApsaraDB RDS instance.
  • If you have granted specific users the permissions on sensitive information, such as usernames and passwords, or submitted sensitive information in the Alibaba Cloud Management Console, we recommend that you modify the sensitive information at the earliest opportunity.

Account audit can be enabled for Windows systems. The following are about log examples, log description, system logon log analysis, common security event ID description, and log audit policy adjustment.

Sample logs

  1. Choose Control Panel > Administrative Tools > Event Viewer > Windows Logs > Security.
  2. The following is an example of audit success and failure logs.
    • The following example shows the logs of successful moderation.
      You have successfully logged on to your account 
      Topic:
      Security ID: SYSTEM Account name: iZ********Z$
      Account domain: WORKGROUP Logon ID: 0x3e7
      Logon type: 10
      New logon: Security ID: iZ********Z\admin Account name: admin Account domain: iZ********Z Login ID: 0x754404f
      Login GUID: {00000000-0000-0000-0000-000000000000} Process information:
      Process ID: 0xf50 Account name: C:\Windows\System32\winlogon.exe
      Network information: Work station name: iZ23kpfre8lZ
      Source network address: 42.120.*.* Source port: 10694
      Detailed authentication information: Logon process: User32
      Authentication packet: Negotiate Delivery service: - Packet name (NTLM only): - Key length: 0
      This event is generated on the accessed computer after the login session is created.
    • The following example shows the logs of audit failures.
      Account login failed. 
      Subject: Security ID: NULL SID Account Name: - Account domain: - Logon ID: 0x0
      Logon type: 3 Account that failed to log in: Security ID: NULL
      SID Account name: administrator Account Domain: Public-Win7
      Failure information: Failure cause: An unknown username or password is invalid.
      Status: 0xc000006d Sub-status: 0xc0000064 Process information:
      Calling process ID: 0x0 Calling process name: - Network information:
      Name of work station: Piblic-WIN7 Source network address: - Source port: - Detailed authentication information:
      Login process: NtLmSsp Authentication packets: NTLM Delivery service: - Packet name (NTLM only):
      - Key length: 0 This event is generated on the computer trying to access when the login request fails.

Log description

The following table describes the common fields in related logs.

Application scope

Field

Description:

Overview

"successful login account"

Log overview

Topic

-

This field indicates the account on the local system that requested login. This is usually a service (such as the Server service) or a local process (such as Winlogon.exe or Services.exe).

-

Security ID

SID, security identifier is used to uniquely identify a security principal or security group. A security principal can represent any entity that can be authenticated by an operating system, such as a user account, a computer account, or a thread or process, in the security context of a user or computer account. Example: iZ23kpfre8lZ\admin

For more information, see Overview.

-

Account Name

Concepts related to security domains. Usually, it is the last corresponding field of the above security ID (if it is a user), such as the corresponding SID, the corresponding account name is admin.

Note: If you use a workgroup environment, the corresponding value is [$Hostname], such as iZ23kpfre8lZ$,[$Hostname] is the computer name.

-

Account domain

Security domain-related concepts. Related resources belong to the security domain. If it is a security group, it is a WORKGROUP; if it is a domain environment, it is a corresponding domain name.

-

Logon ID

Internal code.

The type of the logon.

-

Indicates the type of login that occurred. Common categories and their code descriptions:

2 - Interactive:

The user is logged in through the operating system console (console) port on the local keyboard. However, through KVM (traditional physical data center) or VNC-based login (such as the management terminal of cloud server ECS), although it is based on the network, it is also an interactive login.

3 - Network:

Access by users or computers through the network. The most common scenario is a shared folder connected to the server, a shared printer, and other shared resources. This type is also recorded when logging in to IIS over the network, but IIS login in basic authentication mode is an exception, which will be recorded as type 8.

4 - Batch (started as a batch job):

When Windows runs a scheduled task, the Scheduled Task Service will first create a new login session for the task so that it can run under the user account configured for the scheduled task. When this login occurs, Windows is recorded as type 4 in the log. For other types of work task systems, depending on its design, you can also generate type 4 login events when you start work. Therefore, type 4 login usually indicates the start of a scheduled task, but it may also be a malicious user guessing the user password through the scheduled task. This attempt will generate a type 4 login failure event, but this failed login may also be caused by the failure to change the user password of the scheduled task synchronously, such as the user password changed and forgot to change it in the scheduled task.

5 - Service (Windows service started by service controller):

Similar to scheduled tasks, each service is configured to run under a specific user account. When a service starts, Windows first creates a login session for that specific user, which will be recorded as type 5. Therefore, type 5 login usually indicates the start of a service. Failure type 5 usually indicates that the user's password has changed and has not been updated here. Of course, this may also be caused by a malicious user's password guess, but this possibility is relatively small, because creating a new service or editing an existing The service requires an administrator or serversoperators identity by default, and a malicious user of this identity already has sufficient permissions without having to guess the service password.

7 - Unlock (screen saver unlocked):

The Windows screensaver unlock operation is recorded as a type 7 login. A failed type 7 login indicates that someone has entered the wrong password or someone is trying to unlock the computer.

8 - NetworkCleartext (use plaintext credentials for network login):

This login indicates that this is a type 3 network login, but the password for this login is transmitted in clear text on the network. Windows Server Services (LanmanServer) does not allow connections to shared folders or printers through plaintext authentication. This login type is only marked when logging in from an ASP script that uses Advapi, or when a user logs in to IIS using basic authentication mode.

9 - NewCredentials (used by RunAs when using the /netonly option): When you run a program by using the RUNAS command with the /Netonly parameter, RUNAS runs it as the current local login user. However, if this program needs to connect to other computers on the network, it will connect with the user specified in the RUNAS command, and Windows will record this login as type 9. If the RUNAS command does not contain the /Netonly parameter, the program will run with the specified user, but the login type in the log is 2.

- RemoteInteractive 10 (remote interaction):

When you access a computer through Terminal Services, Remote Desktop or Remote Assistance, Windows records the login type as type 10 to distinguish it from real console login. Note that previous versions of Windows XP do not support this login type. For example, Windows2000 still records Terminal Services login as type 2.

11- CachedInteractive (cache interaction):

Windows supports a function called cache login, which is especially beneficial to mobile users. For example, you will use this function when you log in as a domain user outside your network and cannot log in to the domain controller. By default, Windows caches the credentials HASH for the last 10 interactive domain logins. If you log in as a domain user and no domain controller is available, Windows will use these HASH to verify your identity and record the login type as type 11.

New login

-

This field will indicate for which account the new login was created, that is, the account that is logged in.

-

Security ID

As mentioned earlier.

-

Account Name

The user account that performed the login. For example, this may be NT AUTHORITY\SYSTEM, which is the LocalSystem account used to start many Windows services.

-

Account domain

The domain of the user who performed the login. If it is a workgroup environment, it is displayed as the corresponding computer name. If it is a domain environment, the corresponding domain information is displayed.

Networking

-

field indicates where the remote login request came from. "Workstation name" is not always available and may be left blank in some cases.

-

Work station name

The logon source hostname. It is displayed as the client host name when logging in via remote interactive. Other login types are usually the computer name of the local machine.

-

Source network address

The IP address of the client during remote interactive login.

-

Source port range

The port used by the client during remote interactive login.

Processes

-

The information about the process that is called by the logon operation.

Detailed authentication information

-

Provides details about this particular login request. Refers to the security packet called when attempting to log in to the account. An authentication packet is a dynamic link library (DLL) that analyzes login data and decides whether to authenticate an account. The most commonly used are Kerberos, Negotiate, NTLM, and MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 (also known as MSV1_0; can authenticate users in the SAM database, support pass-through authentication for accounts in trusted domains, and support sub-authentication data.

System logon log analysis

When you view system logon logs, focus on the following fields.

  • Event IDs: 4624 (successful logon) and 4625 (failed logon).
  • Logon Type: analyzes the source of logon operations based on the logon type.
  • Account Name: the name of the account used for logon operations.
  • Source Network Address: the source IP address of the logon operation.
  • Process information: the process that is called by the login operation.

Log audit policy adjustment

Relevant log audit policies are controlled by the Windows registry and can be adjusted as needed in the following ways.

  1. Click Start > Run and enter a gpedit.msc to open Group Policy Manager.
  2. Choose Computer Management > Windows Settings > Security Settings > Local Policy > Audit Policy.
  3. Adjust the corresponding review policy on the right side of the page.

Applicable scope

  • ECS