{
	"id": "ada964ad-f55e-4861-ae46-d9285abcc5e7",
	"created_at": "2026-04-29T02:22:06.070356Z",
	"updated_at": "2026-04-29T08:21:27.134435Z",
	"deleted_at": null,
	"sha1_hash": "9ae6ccf956e1b4a5fe8fd9c539df46685ca4c7cc",
	"title": "",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "2015-07-30T09:25:51Z",
	"file_modification_date": "2015-07-31T06:53:11Z",
	"file_size": 891741,
	"plain_text": "i\r\nContents\r\n1 Introduction .......................................................................................................................................... 1\r\n2 Deployment........................................................................................................................................... 1\r\n2.1 Ensuring Integrity of Event Logs ................................................................................................................... 2\r\n2.2 Environment Requirements ......................................................................................................................... 3\r\n2.3 Log Aggregation on Windows Server 2008 R2 ............................................................................................. 4\r\n2.4 Configuring Source Computer Policies ......................................................................................................... 9\r\n2.5 Disabling Windows Remote Shell ............................................................................................................... 15\r\n2.6 Firewall Modification ................................................................................................................................. 15\r\n2.7 Restricting WinRM Access .......................................................................................................................... 18\r\n2.8 Disabling WinRM and Windows Collector Service ..................................................................................... 19\r\n3 Hardening Event Collection................................................................................................................. 20\r\n3.1 WinRM Authentication Hardening Methods ............................................................................................. 
20\r\n3.2 Secure Sockets Layer and WinRM .............................................................................................................. 24\r\n4 Recommended Events to Collect ........................................................................................................ 24\r\n4.1 Application Whitelisting ............................................................................................................................. 25\r\n4.2 Application Crashes .................................................................................................................................... 25\r\n4.3 System or Service Failures .......................................................................................................................... 25\r\n4.4 Windows Update Errors ............................................................................................................................. 26\r\n4.5 Windows Firewall ....................................................................................................................................... 26\r\n4.6 Clearing Event Logs .................................................................................................................................... 26\r\n4.7 Software and Service Installation ............................................................................................................... 27\r\n4.8 Account Usage ........................................................................................................................................... 27\r\n4.9 Kernel Driver Signing .................................................................................................................................. 28\r\n4.10 Group Policy Errors .................................................................................................................................... 
29\r\n4.11 Windows Defender Activities ..................................................................................................................... 29\r\n4.12 Mobile Device Activities ............................................................................................................................. 30\r\n4.13 External Media Detection .......................................................................................................................... 31\r\n4.14 Printing Services ......................................................................................................................................... 32\r\n4.15 Pass the Hash Detection............................................................................................................................. 32\r\n4.16 Remote Desktop Logon Detection ............................................................................................................. 33\r\n5 Event Log Retention ............................................................................................................................ 34\r\n6 Final Recommendations...................................................................................................................... 35\r\n7 Appendix ............................................................................................................................................. 35\r\n7.1 Subscriptions .............................................................................................................................................. 35\r\n7.2 Event ID Definitions .................................................................................................................................... 37\r\n7.3 Windows Remote Management Versions.................................................................................................. 
38\r\n7.4 WinRM 2.0 Configuration Settings ............................................................................................................. 40\r\n7.5 WinRM Registry Keys and Values ............................................................................................................... 43\r\n7.6 Troubleshooting ......................................................................................................................................... 44\r\n8 Works Cited ......................................................................................................................................... 48\n\nii\r\nList of Figures\r\nFigure 1: Creating a Subscription .................................................................................................................. 6\r\nFigure 2: Configuring Subscription Properties .............................................................................................. 6\r\nFigure 3: Event Delivery Optimization Configuration ................................................................................... 7\r\nFigure 4: Completed Subscription ................................................................................................................. 7\r\nFigure 5: Event Source GPO ........................................................................................................................ 10\r\nFigure 6: Enabling Windows Remote Management ................................................................................... 11\r\nFigure 7: Setting Service Startup Type ........................................................................................................ 11\r\nFigure 8: Enabling WinRM listeners ............................................................................................................ 11\r\nFigure 9: WinRM listener's IP Filter Options ............................................................................................... 
11\r\nFigure 10: Enable SubscriptionManager ..................................................................................................... 12\r\nFigure 11: Configuration of SubscriptionManager ..................................................................................... 13\r\nFigure 12: GPO Inbound Firewall Rules....................................................................................................... 17\r\nFigure 13: Open Ports for WinRM ............................................................................................................... 17\r\nFigure 14: Allow Any Connection to Port .................................................................................................... 17\r\nFigure 15: Verify Firewalls are Enabled ....................................................................................................... 17\r\nFigure 16: Predefined Rule for WinRM 2.0 ................................................................................................. 18\r\nFigure 17: Adding Selective IP addresses .................................................................................................... 18\r\nFigure 18: Add IP of Event Collector ........................................................................................................... 18\r\nFigure 19: The Event Collector Firewall allowing Local subnet to Connect ................................................ 19\r\nFigure 20: Event Viewer Subscription Creation Error ................................................................................. 19\r\nFigure 21: WinRM Service Authentication Policies ..................................................................................... 21\r\nFigure 22: WinRM Client Authentication Policies ....................................................................................... 
21\r\n \r\nList of Tables\r\nTable 1: Vista and above Events ................................................................................................................... 8\r\nTable 2: Whitelisting Events ........................................................................................................................ 25\r\nTable 3: Application Events ......................................................................................................................... 25\r\nTable 4: System Events ............................................................................................................................... 25\r\nTable 5: Windows Update Failed Events..................................................................................................... 26\r\nTable 6: Firewall Events .............................................................................................................................. 26\r\nTable 7: Log Activity Events ........................................................................................................................ 26\r\nTable 8: Software and Service Events ......................................................................................................... 27\r\nTable 9: Account Activity Events ................................................................................................................. 28\r\nTable 10: Kernel Driver Signing Events ....................................................................................................... 29\r\nTable 11: Group Policy Errors Events ......................................................................................................... 29\r\nTable 12: Windows Defender Activities Events .......................................................................................... 30\r\nTable 13: Mobility related Events ............................................................................................................... 
31\r\nTable 14: External Media Detection Events ................................................................................................ 31\r\nTable 15: Printing Services Events .............................................................................................................. 32\r\nTable 16: Subscription XML Description ..................................................................................................... 37\r\nTable 17: WinRM Version Correlation ........................................................................................................ 39\r\nTable 18: WinRM Version Update URLs ...................................................................................................... 39\r\nTable 19: Protocol Settings ......................................................................................................................... 41\r\nTable 20: WinRM Client Configuration ....................................................................................................... 41\r\nTable 21: WinRM Service ............................................................................................................................ 42\r\nTable 22: WinRS Configuration Settings ..................................................................................................... 43\r\nTable 23: WinRM, WinRS, WSMAN and Event Forwarding Registry Values ............................................... 43\n\niii\r\nTable 24: XPath Errors based on OS Version .............................................................................................. 48\n\niv\r\nDisclaimer\r\nThis Guide is provided \"as is.\" Any express or implied warranties, including but not limited to, the\r\nimplied warranties of merchantability and fitness for a particular purpose are disclaimed. 
In no event\r\nshall the United States Government be liable for any direct, indirect, incidental, special, exemplary or\r\nconsequential damages (including, but not limited to, procurement of substitute goods or services, loss\r\nof use, data or profits, or business interruption) however caused and on any theory of liability, whether\r\nin contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of\r\nthis Guide, even if advised of the possibility of such damage.\r\n \r\nThe User of this Guide agrees to hold harmless and indemnify the United States Government, its agents\r\nand employees from every claim or liability (whether in tort or in contract), including attorneys' fees,\r\ncourt costs, and expenses, arising in direct consequence of Recipient's use of the item, including, but not\r\nlimited to, claims or liabilities made for injury to or death of personnel of User or third parties, damage\r\nto or destruction of property of User or third parties, and infringement or other violations of intellectual\r\nproperty or technical data rights.\r\n \r\nNothing in this Guide is intended to constitute an endorsement, explicit or implied, by the U.S.\r\nGovernment of any particular manufacturer's product or service.\r\n \r\nTrademark Information\r\nThis publication has not been authorized, sponsored, or otherwise approved by Microsoft Corporation.\r\n \r\nMicrosoft®, Windows®, Windows Server®, Windows Vista®, Active Directory®, Windows PowerShellTM,\r\nAppLocker®, Excel® are either registered trademarks or trademarks of Microsoft Corporation in the\r\nUnited States and other countries.\r\n \r\nThis publication has not been authorized, sponsored, or otherwise approved by Bluetooth SIG.\r\n \r\nBluetooth® is either registered trademarks or trademarks of Bluetooth SIG in the United States and\r\nother countries.\r\n \r\nThis publication has not been authorized, sponsored, or otherwise approved by USB Implementers\r\nForum, 
Inc.\r\n \r\nUSB® is either registered trademarks or trademarks of USB Implementers Forum, Inc. in the United\r\nStates and other countries.\n\n1\r\n1 Introduction\r\nIt is increasingly difficult to detect malicious activity, which makes it extremely important to monitor and\r\ncollect log data from as many useful sources as possible. This paper provides an introduction to\r\ncollecting important Windows workstation event logs and storing them in a central location for easier\r\nsearching and monitoring of network health.\r\n \r\nThe focus of this guidance document is to assist United States Government and Department of Defense\r\nadministrators in configuring central event log collection and recommend a basic set of events to collect\r\non an enterprise network using Group Policy.\r\n \r\nThis paper focuses on using the built-in tools already available in the Microsoft Windows operating\r\nsystem (OS). Central event log collection requires a Windows Server operating system version 2003 R2\r\nor above. Many commercially available tools exist for central event log collection. Using a Windows\r\nServer 2008 R2 or above server version is recommended. There are no additional licensing costs for\r\nusing the event log collection feature. The cost of using this feature is based on the amount of additional\r\nstorage hardware needed to support the amount of log data collected. This factor is dependent on the\r\nnumber of workstations within the local log collection network.\r\n \r\nWindows includes monitoring and logging capabilities and logs data for many activities occurring within\r\nthe operating system. The vast number of events which can be logged does not make it easy for an\r\nadministrator to identify specific important events. This document defines a recommended set of events\r\nto collect and review on a frequent basis. The recommended set of events is common to both client and\r\nserver versions of Windows. 
Product specific events, such as Microsoft Exchange or Internet Information\r\nServices (IIS), are not discussed in this document, but should be centrally collected and reviewed as well.\r\n \r\nThis guidance document is broken into three main parts. The first part, Deployment, focuses on\r\nconfiguring and deploying central log collection; the second part, Hardening Event Collection,\r\nconcentrates on security hardening; the last section, Recommended Events to Collect, describes\r\nrecommended events that should be collected. If a third party commercial product is already being used\r\nwithin an organization to centrally collect events, then skip ahead to the Recommended Events to\r\nCollect section. Review the recommended events and ensure they are being collected.\r\n \r\nDuring the development of this guide, testing was conducted using Windows 7 running Windows\r\nRemote Management (WinRM) 2.0. A Windows 8 client with WinRM 3.0 was tested as well. Windows\r\nServer 2008 R2 was used as the central event collection server. Configuration of Windows Server 2012\r\nshould work identically to Windows Server 2008 R2, but was not tested for this guide.\r\n2 Deployment\r\nThe Windows Collector service can centrally collect specific events from domain and non-domain\r\ncomputers for viewing on a single computer. The Event Forwarding feature of the Windows Collector\r\nService can retrieve or receive events from remote computers. Event Forwarding can operate as\r\nCollector-Initiated (pull) or Source-Initiated (push), respectively. The server archiving the events is a\n\n2\r\ncollector and the remote computer, where events are collected from, is the source. A Source-Initiated\r\nsubscription has an advantage of not requiring the collector to know all the computer names of the\r\nremote machines connecting to the service a priori, whereas a Collector-Initiated subscription requires\r\nthe aforementioned information, which is harder to maintain. 
The Windows Collector service uses\r\nMicrosoft’s implementation of the Web Services-Management (WS-Management, WS-Man) Protocol to\r\ncommunicate between sources and collectors. [1] This guide will discuss configuring event forwarding in\r\ndomain environments only.\r\n2.1 Ensuring Integrity of Event Logs\r\nPrior to installing and using the WinRM feature, some precautionary measures should be implemented.\r\nAlthough no software can guarantee an attacker could never modify event logs or prevent the recording\r\nof event data, an Access Control List (ACL) can be used to protect Windows event logs against\r\naccidental tampering.\r\n \r\nThe Windows operating system uses permissions to ensure that certain log files are not modified by a\r\nnormal user, members of an unprivileged group or members of a privileged group. The Defense\r\nInformation Systems Agency (DISA) Security Technical Implementation Guides (STIG) recommend that\r\nan Information Assurance Officer (IAO) create an auditor’s group and grant members of the group full\r\npermissions. If there is no IAO, it is still advised for a system administrator to create an auditor’s group.\r\nThe Administrators group’s privileges must be reduced from Full to Read and Execute permissions for\r\nthe Application, System and Security log files. [2] [3] This single defense can be circumvented in multiple\r\nways, so a defense-in-depth approach should be taken.\r\n \r\nThis guide does not discuss a site-specific auditor’s group for WinRM purposes beyond this section. The\r\nuse of WinRM does not require or involve an auditor’s group. The auditor’s group is used to regulate\r\nwho is permitted to operate on an event log file. Windows Vista and later include an Event Log Readers\r\ngroup whose purpose is to regulate remote access to the local event logs. [16] [4]\r\n \r\nSeveral domain policies can be enabled to enforce restrictions on users and groups accessing event logs\r\nlocally. 
DISA STIGs recommend enabling the Manage auditing and security log policy and configuring\r\nthe policy for the auditor’s group. [2] [3] The policy is located under Computer Configuration \u003e Policies \u003e\r\nWindows Settings \u003e Local Policies \u003e User Rights Assignment. This policy creates a whitelist of users or\r\ngroups who can access the audit log (security log). Enabling this policy does not affect WinRM\r\noperations.\r\n \r\nA policy, named Generate security audits, can be used to create a whitelist of users or groups permitted\r\nto write to the audit log. The policy is located under Computer Configuration \u003e Policies \u003e Windows\r\nSettings \u003e Security Settings \u003e Local Policies \u003e User Rights Assignment. Only allow Local Service and\r\nNetwork Service as these are the default values of the policy. [2][3]\r\n \r\n \r\n1\r\n http://technet.microsoft.com/en-us/library/cc774957(v=ws.10).aspx\r\n2\r\n DISA STIG: Windows Server 2008 R2 Member Server Security Technical Implementation Guide Version 1. Group ID (Vulid): V-1077, V-1137, V-26496, V-26489\r\n3\r\n DISA STIG: Windows 7 Security Technical Implementation Guide Version 1. Group ID (Vulid): V-1077, V-1137, V-26496, V-26489 4\r\n http://blogs.technet.com/b/janelewis/archive/2010/04/30/giving-non-administrators-permission-to-read-event-logs-windows-2003-and-windows-2008.aspx\n\n3\r\nAdministrators can use the Enhanced Mitigation Experience Toolkit (EMET) to heighten the security\r\ndefense of machines and applications used in a network. [5] EMET provides the ability to enable and\r\nenforce specific enhanced security features for the operating system and applications. The WinRM\r\nservice is hosted by svchost.exe (service host). The service host executable should have all security\r\nfeatures enabled for an application. Enabling EMET for svchost.exe on Windows 7 does not prevent\r\nWinRM from working correctly. 
Using EMET on a default installation of Windows will not prevent the\r\noperating system from performing specific operations. However, site-specific software needs to be first\r\ntested with EMET to ensure compatibility.\r\n \r\nRecording users or groups accessing event log files (.evtx) is critical and aids in quickly identifying who\r\ntouched the file. The logging of file access on event log files is not enabled by default and requires\r\nadditional setup. Audit File System policy must be enabled and have Success selected to provide useful\r\ninformation. This will allow logging of file system events. The event log file must include the users or\r\ngroups that will be audited (e.g., Everyone or Domain Users group) in the Auditing tab of the Advanced\r\noption under Security (available in the properties options of the file). Auditing critical files and the\r\noperations performed on them increases the value of detecting tampering of the log file.\r\n \r\nUsing a dedicated server whose primary role is an event collector is recommended. There should be no\r\nadditional roles tasked to the event collector. Deploying an event collector on a new and clean\r\ndedicated system helps protect it from having been previously compromised or infected with malware.\r\n2.2 Environment Requirements\r\nWindows Remote Management is available in multiple versions. The recommended minimal version of\r\nWinRM is 2.0. WinRM 2.0 is installed by default with Windows 7 and Windows Server 2008 R2.\r\nAdditional updates are needed for Windows XP SP3 and Windows Vista to use WinRM 2.0. This guide\r\nfocuses solely on Windows 7 and above.\r\n \r\nWinRM 2.0 is part of the Windows Management Framework core package. The KB968930 [6] update\r\ninstalls PowerShell 2.0 along with WinRM 2.0. This update requires the machine to have .NET\r\nFramework 2.0 SP1 or later to install PowerShell. 
The complete list of applicable Windows operating\r\nsystems versions and the download location for the updates can be found in the Windows Remote\r\nManagement Versions section of the appendix. WinRM 3.0 is the latest current version, as of this\r\nwriting, and is only supported on Windows 7 SP1 and above, Windows Server 2008 R2 SP1, Windows\r\nServer 2008 SP2. [7]\r\n \r\nThis document provides guidance for an environment using three roles in the domain: the domain\r\ncontroller, the event collector, and the event sources. All policies configured through Active Directory\r\nare restricted to computer groups, rather than the default Authenticated Users group, for Group Policy\r\nObject (GPO) security filtering. The domain controller, collector, and each source in the domain should\r\nhave the latest updates from Microsoft.\r\n \r\n \r\n5\r\n https://www.microsoft.com/en-us/download/details.aspx?id=29851\r\n6\r\n http://support.microsoft.com/kb/KB968930 7\r\n http://www.microsoft.com/en-us/download/details.aspx?id=34595\n\n4\r\n2.3 Log Aggregation on Windows Server 2008 R2\r\nA single dedicated server should have the role of event collector in a local network. Isolation of the\r\nevent collector avoids confusion, frustration of troubleshooting, and security related concerns. Source-Initiated subscriptions can be configured for clients to be in the same or different domain of the\r\ncollector. The focus of this guidance document is to use Source-Initiated subscriptions, where the\r\ncollector and sources are in the same domain, and configuring of the event collector is completed\r\nlocally. Event collector capabilities can be configured via the GPO as well. Utilizing GPO configuration for\r\nthe event collector will result in the Windows Event Collector service not being properly configured for\r\nusing subscriptions. Locally configuring the event collector is recommended. 
The following sections\r\ncover local configuration of WinRM and the Windows Event Collection service on the collector.\r\n2.3.1 Locally Configuring Collector Settings\r\nThe event collector system needs to be configured to automatically start the Windows Event Collector\r\nand Windows Remote Management services. Enabling these services sets the startup type to Automatic\r\n(Delay Start). The services will be started after other auto-start services are started plus a short delay. [8]\r\nThe Windows Remote Management and Windows Event Collector services are automatically configured\r\nwhen using the quickconfig option (discussed in the next section). Configuration of the collector can be\r\ncompleted by a domain administrator or a built-in administrator account. The recommendation is to use\r\na domain administrator account for configuration purposes only. The local administrator and the domain\r\nadministrator accounts must not have a blank password for WinRM configuration.\r\n2.3.1.1 Enabling Windows Remote Management\r\nThe WinRM command-line tool provides an option to automatically configure WinRM. The quick\r\nconfigure (qc) option starts the WinRM service, configures the service to be Delay-Start, creates a\r\nlistener using any IP address, and enables a firewall exception for WinRM. [9] The port used by WinRM\r\ndepends on the installed version of WinRM. Port 5985 is used by WinRM 2.0 and above, whereas port 80\r\nis used by versions of WinRM prior to 2.0. To configure WinRM, open a command console with\r\nadministrator privileges and type:\r\n \r\nwinrm qc\r\n \r\nEnter y to have the service status changed to Delay-Start. As an alternative option, all prompts can be\r\nsuppressed by supplying the –q (quiet) option. Enter y at the create a listener prompt.\r\n \r\nAn Access Denied error may appear when attempting to use quickconfig. A possible reason for this error\r\nis that the account executing the WinRM command does not have the proper permissions. 
If the account is a\r\nmember of the local administrator group, then User Account Control (UAC) filtering prevents access to\r\nthe WinRM service. [10] An account with administrator privileges is required. Log in as a Domain\r\nAdministrator account or a built-in administrator and repeat the quickconfig command.\r\n2.3.1.2 Enabling Windows Event Collector\r\nThe Windows Event Collector service offers a quick configure (qc) option similar to WinRM’s quick\r\nconfigure option. The Windows Event Collector service’s quick configure option sets the service startup type\r\n \r\n8\r\n http://msdn.microsoft.com/en-us/library/windows/desktop/ms685155(v=vs.85).aspx\r\n9\r\n winrm qc -?\r\n10 http://msdn.microsoft.com/en-us/library/aa384423.aspx\n\n5\r\nto Delay-Start and enables the ForwardedEvents channel. [11] The quick configure option is only available\r\nfor Windows Vista and above. To configure the Windows Event Collector Service:\r\n \r\nwecutil qc\r\n \r\nEnter y to have the service started and the status changed to Delay-Start. Similar to the WinRM\r\ncommand line, all prompts can be suppressed by the /q:true option.\r\n2.3.1.3 Creating Event Subscriptions\r\nSubscriptions are used to organize event collection and to specify where the events come from. An administrator\r\ncan create custom subscriptions that tailor event logs to easily identify interesting events. A custom\r\nsubscription can be created by using the Graphical User Interface (GUI) or from the command line. This\r\nsection will demonstrate creating an example event subscription to collect events from clients’\r\nApplication and System logs. It is not recommended to deploy this example on a production server, as a\r\nlarge number of unimportant events will be captured. Custom subscriptions provided in this guidance\r\ndocument are discussed in the next section and in the appendix.\r\n \r\nThe event viewer, shown in Figure 1, allows the configuration of a subscription. 
Subscriptions can be\r\nconfigured to specify the destination of received events, the computer groups being collected, the\r\nevent’s ID, and the frequency of event collection. Each subscription can be configured in the\r\nSubscription Properties window shown in Figure 2. The Event Viewer console should be opened with\r\nadministrator privileges. To create a subscription:\r\n1. Open Event Viewer (eventvwr.exe)\r\n2. Select Create Subscription… from the Actions panel\r\n3. Provide a Subscription name\r\n4. Select the Source computer initiated option\r\n5. Select Computer Groups… button\r\no Click the Add Domain Computers… button and enter the group name EventSource\r\no Click Check Names and verify the group name is correct\r\no Click OK\r\n6. Click OK\r\n \r\n \r\n11 wecutil qc -?\n\n6\r\n Figure 1: Creating a Subscription\r\n Figure 2: Configuring Subscription Properties\r\n \r\n \r\nIf an error message box appears stating “the type initializer for ‘AdvanceSettings’ threw an exception”,\r\nthen the current account does not have the correct permissions.\r\n \r\nCollected Events are stored at a local predefined log location under the Destination log drop-down list.\r\nThe default is Forwarded Events.\r\n \r\nIn the Query Filter window, displayed by clicking the Select Events button, a variety of events can be\r\nchosen for collection based on the event level, origination of log, and event source. Once the setup of\r\nfiltering events is completed, the XML view of the selected events can be viewed in the XML tab. It is\r\npossible to edit the XML manually by selecting Edit query manually checkbox.\r\n \r\n7. Click the Select Events… button\r\n8. Select Event Level options and select all levels\r\n9. Select By Log\r\n10. From the drop-down list select…\r\na. Windows Logs \u003e Application\r\nb. Windows Logs \u003e System\r\n11. 
Click the OK button\r\n \r\nThe remaining configuration options do not need to be customized as the default setting will collect all\r\nevents, keywords, task category, and from all users and computers. Any fine-grained customizations to\r\nspecify the event to collect are discussed in the next section.\r\n \r\nThe configuration of advanced subscription settings sets the frequency of events being received\r\n(forwarded).\r\n \r\n12. Click the Advanced… button\r\n13. Select Normal\r\no Leave the protocol drop-down list set to HTTP\r\n14. Click the OK button\n\n7\r\nThe Event Delivery Optimization options shown in Figure 3 permits the collection of event logs in 15\r\nminutes (Normal), 6 hours (Minimize Bandwidth), or 30 seconds intervals (Minimize Latency). [12] A\r\ncustom interval can be set using the wecutil command line utility.\r\n \r\n Figure 3: Event Delivery Optimization\r\nConfiguration\r\n \r\n \r\n \r\n \r\n \r\n Figure 4: Completed Subscription\r\n \r\n2.3.1.3.1 Custom Subscriptions\r\nCreating subscriptions using the graphical user interface does not allow for complete customization. It\r\nmay be desirable to customize the frequency of event delivery and the batch amount of a subscription\r\n(i.e., number of events to deliver per delivery). A detailed description of the subscription schema is\r\nfound in the Subscription section of the appendix.\r\n \r\nCustomization of subscriptions depends on the administrator’s needs and requirements. Several custom\r\nsubscriptions have been created and provided in the Subscriptions section of the appendix. These\r\nsubscriptions collect events that an enterprise may be interested in collecting from domain computers.\r\nThe following tables summarize the event IDs and the category they represent for each recommended\r\nsubscriptions. 
The Recommended Events to Collect section discusses these events in more detail.\r\n \r\nEach subscription focuses on a variety of categories, ranging from account activity and application and\r\ncomputer failures to security notifications and wireless connections.\r\n \r\n12 http://technet.microsoft.com/en-us/library/cc749167.aspx\r\n \r\nWindows Vista and above Events\r\nGeneral Event Descriptions: General Event IDs\r\nAccount and Group Activities: 4624, 4625, 4648, 4728, 4732, 4634, 4735, 4740, 4756\r\nApplication Crashes and Hangs: 1000 and 1002\r\nWindows Error Reporting: 1001\r\nBlue Screen of Death (BSOD): 1001\r\nWindows Defender Errors: 1005, 1006, 1008, 1010, 2001, 2003, 2004, 3002, 5008\r\nWindows Integrity Errors: 3001, 3002, 3003, 3004, 3010 and 3023\r\nEMET Crash Logs: 1 and 2\r\nWindows Firewall Logs: 2004, 2005, 2006, 2009, 2033\r\nMSI Packages Installed: 1022 and 1033\r\nWindows Update Installed: 2 and 19\r\nWindows Service Manager Errors: 7022, 7023, 7024, 7026, 7031, 7032, 7034\r\nGroup Policy Errors: 1125, 1127, 1129\r\nAppLocker and SRP Logs: 865, 866, 867, 868, 882, 8003, 8004, 8006, 8007\r\nWindows Update Errors: 20, 24, 25, 31, 34, 35\r\nHotpatching Error: 1009\r\nKernel Driver and Kernel Driver Signing Errors: 5038, 6281, 219\r\nLog Clearing: 104 and 1102\r\nKernel Filter Driver: 6\r\nWindows Service Installed: 7045\r\nProgram Inventory: 800, 903, 904, 905, 906, 907, 908\r\nWireless Activities: 8000, 8001, 8002, 8003, 8011, 10000, 10001, 11000, 11001, 11002, 11004, 11005, 11006, 11010, 12011, 12012, 12013\r\nUSB Activities: 43, 400, 410\r\nPrinting Activities: 307\r\nTable 1: Vista and above Events\r\n \r\n2.3.1.4 Creating Custom Views\r\nLarge amounts of event data are difficult to organize and view in a meaningful way. The Event Viewer\r\nallows users to create custom views that organize event data based on a custom filter. Each view can be\r\nused to represent a subscription and help identify the events collected by that subscription. 
Custom Views\r\nwere introduced in Windows Vista. [13]\r\n \r\nCustom Views can be created on the event collector where all event data is forwarded. To create a\r\ncustom view:\r\n1. Open Event Viewer and select Custom Views in the left panel\r\n2. Right-click and select Create Custom View…\r\n3. From the drop-down list titled Logged, select a time (e.g., Last 7 days)\r\na. If a granular time range is needed, select Custom range … from the Logged drop-down\r\nlist\r\n4. Select an appropriate Event level\r\n5. Select By log and select Forwarded Events from the Event logs drop-down list\r\n6. Enter Event ID(s) in the first text area\r\n7. Click OK\r\n \r\n13 http://technet.microsoft.com/en-us/magazine/2006.11.eventmanagement.aspx\n\n9\r\n8. In the Save Filter to Custom View, provide a custom view name representing the data being\r\nfiltered\r\nThis creates a custom view under Custom Views in the left panel of the Event Viewer. The newly created\r\ncustom view will not be neatly organized under Custom Views. Custom views can be organized by\r\nnavigating to %ProgramData%\\Microsoft\\Event Viewer\\Views and creating a new sub-directory. This\r\nnewly created directory should have a meaningful name such as “Last 24 hours” to indicate the time\r\nperiod of the events filtered. Creation of the sub-directory requires a privileged account.\r\n \r\nTo display the new directory when it does not appear after creation under Custom Views:\r\n1. Select Custom Views in the left panel of the Event Viewer\r\n2. 
Select Refresh in the right panel\r\n \r\nUsing a directory named “Last 24 hours,” all custom view XML files within the directory should filter\r\nevents on the condition that the event occurred within the last 24 hours.\r\n \r\nAn example of a custom view may appear as the following:\r\n \r\n\u003cViewerConfig\u003e\r\n \u003cQueryConfig\u003e\r\n  \u003cQueryParams\u003e\r\n   \u003cSimple\u003e\r\n    \u003cBySource\u003eFalse\u003c/BySource\u003e\r\n    \u003cChannel\u003eForwardedEvents\u003c/Channel\u003e\r\n    \u003cLevel\u003e2\u003c/Level\u003e\r\n    \u003cRelativeTimeInfo\u003e1\u003c/RelativeTimeInfo\u003e\r\n    \u003cEventID\u003e1000\u003c/EventID\u003e\r\n   \u003c/Simple\u003e\r\n  \u003c/QueryParams\u003e\r\n  \u003cQueryNode\u003e\r\n   \u003cName\u003eAppCrash\u003c/Name\u003e\r\n   \u003cQueryList\u003e\r\n    \u003cQuery Id=\"0\"\u003e\r\n     \u003cSelect Path=\"ForwardedEvents\"\u003e*[System[(Level=2) and (EventID=1000) and TimeCreated[timediff(@SystemTime) \u0026lt;= 3600000]]]\u003c/Select\u003e\r\n    \u003c/Query\u003e\r\n   \u003c/QueryList\u003e\r\n  \u003c/QueryNode\u003e\r\n \u003c/QueryConfig\u003e\r\n\u003c/ViewerConfig\u003e\r\n \r\nThe preceding XML selects events with EventID 1000 at the Error level (Level 2) that occurred in\r\nthe last hour (3600000 milliseconds).\r\n \r\nThe preceding steps focused on automatically creating an XPath query to select event data. This does\r\nnot allow customization of the XPath query. Manual XPath queries can be entered in the XML tab of\r\nthe Create Custom View dialog.\r\n \r\nAn alternative option for event filtering is PowerShell’s Get-WinEvent and Get-EventLog Cmdlets. 
These\r\nCmdlets have the added benefit of permitting more granular filtering via other PowerShell Cmdlets.\r\n2.4 Configuring Source Computer Policies\r\nEvent forwarding policies can be applied to Windows 7 and above sources with no local configuration.\r\nThe policies discussed in this section will permit reading of the default log files including the Security log\r\nfor delivering events to the collector.\r\n2.4.1 Creating Source Group Policy Objects\r\nFollowing the configuration of the collector it should be in a waiting state to receive events from the\r\nsources. The sources are configured similarly with the exception that the Windows Event Collector\r\nservice does not need to be started and each source needs to be able to read their own event logs. The\r\nsources, client computers, will be configured using GP to enable event forwarding. The demonstration\r\nbelow focuses on forwarding events from Domain Computers only.\n\n10\r\n \r\nEach source should be part of a new group and GPO named EventSource where the EventSource GPO\r\napplies to the EventSource and Domain Users groups. The EventSource GPO should have both Enforced\r\nand Link Enable settings applied. The members of the EventSource group are domain computer objects.\r\nIf the machine was powered on when added to the group, then the newly added group member\r\nrequires a reboot for it to be notified of its membership.\r\n \r\n \r\n Figure 5: Event Source GPO\r\n \r\n2.4.2 Enabling Windows Remote Management Policy\r\nUnlike the approaches used for configuring the collector, WinRM and Event Forwarding will be managed\r\nvia GP thus not requiring the manual execution of the quick configure option. WinRM can be started\r\nusing a System Service policy. The only issue that may arise is enabling the predefined WinRM firewall\r\nrule. Previously, the quick configure option automatically enabled this firewall rule. 
Active Directory\r\nprovides predefined WinRM firewall rules to avoid executing the WinRM command manually on all\r\nsource computers. Configuration of firewall rules is discussed later.\r\n \r\nThe WinRM service can be found by navigating to Computer Configuration \u003e Policies \u003e Windows\r\nSettings \u003e Security Settings \u003e System Services \u003e Windows Remote Management (WS-Management) in\r\nGroup Policy Management Editor.\r\n \r\nTo set the service to automatic:\r\n1. Right-click the Windows Remote Management (WS-Management) service and select Properties\r\n2. Select the Define this policy setting checkbox\r\n3. Select the Automatic option\r\n4. Click the OK button\n\n11\r\n Figure 6: Enabling Windows Remote Management\r\n Figure 7: Setting Service Startup Type\r\n \r\n \r\nNavigate to the WinRM policies located at Computer Configuration \u003e Policies \u003e Administrative\r\nTemplates \u003e Windows Components \u003e Windows Remote Management \u003e WinRM Service in the Group\r\nPolicy Management Editor.\r\n \r\nWinRM requires listeners to be available for inbound connections. The Allow automatic configuration\r\nof listeners policy shown in Figure 9 instructs WinRM to create listeners on port 5985 for WinRM 2.0\r\nand above.\r\n \r\nTo enable WinRM listeners:\r\n1. Set the Allow automatic configuration of listeners policy to Enabled\r\n2. Set both IPv4 and IPv6 filter value to *\r\n \r\n Figure 8: Enabling WinRM listeners\r\n \r\n Figure 9: WinRM listener's IP Filter Options\r\n \r\nWithin the Allow automatic configurations of listeners dialog, the IPv4/IPv6 filter values should be set\r\nto *. This ensures that WinRM starts running and listens on the “any” IP address (IPv4 is 0.0.0.0 and IPv6\r\nis “::”) for both protocols. The IPv6 filter is not required to enable a WinRM listener. Enabling an IPv6\n\n12\r\nlistener is an administrative decision. 
The WinRM service only listens on an IPv4 address when no IPv6\r\naddress (or *) is supplied for the filter.\r\n2.4.3 Enabling Event Forwarding Policy\r\nThe source needs to be configured to forward events to the targeted subscription manager. The\r\nsubscription manager (collector) hosts all the subscriptions created on the collector. The source needs\r\nto contact the manager to retrieve the list of subscriptions. These subscriptions specify the events to\r\nforward. Once the source gathers all the events pertaining to these subscriptions, the events will be\r\ndelivered to the collector.\r\n \r\nThe Configure the server address, refresh interval, and issuer certificate authority of a target policy\r\nsets the configuration settings on how to communicate with the collector. This policy sets the collector’s\r\ninternet protocol (IP) address, how often to send events to the collector, and a thumbprint of the\r\nclient’s certificate if using HTTPS. This policy must be enabled to forward events.\r\n \r\nEvent Forwarding is the main component for enabling event monitoring in an enterprise. Event\r\nForwarding policies can be located by navigating to Computer Configuration \u003e Policies \u003e Administrative\r\nTemplates \u003e Windows Components \u003e Event Forwarding.\r\n \r\nTo enable Event Forwarding:\r\n1. Set the Configure the server address, refresh interval, and issuer certificate authority of a\r\ntarget Subscription Manager policy to Enabled\r\n2. Click the Show… button\r\n \r\n Figure 10: Enable SubscriptionManager\r\n \r\nThe SubscriptionManagers dialog has several options that can be set to configure event forwarding. The\r\nonly requirement of this policy is to set the Server option. Any additional options can be omitted. 
The\r\nsyntax of the SubscriptionManagers value is:\r\n \r\nServer=[http|https]://FQDN[:PORT][/wsman/SubscriptionManager/WEC[,Refresh=SECONDS][,IssuerCA=THUMBPRINT]]\r\n \r\nEach SubscriptionManager value is a comma-delimited string containing the following parts:\r\n \r\n- Server: FQDN or hostname of the collector\r\n- Refresh: The number of seconds between sending events to the server [14]\r\n- IssuerCA: Thumbprint of the client authentication certificate [14]\r\n \r\nThe last option, IssuerCA, is used for forwarding events from non-domain sources to a domain event\r\ncollector. This option can be ignored for our intended purposes. Figure 11\r\nshows an example Subscription Manager value. The refresh interval should be determined by\r\nadministrative requirements. Using the default refresh interval is recommended.\r\n \r\nIn a network solely using WinRM 2.0, the Server option needs to specify port 5985; otherwise it will\r\nsend traffic to port 80.\r\n \r\nServer=http://FQDN:5985/wsman/SubscriptionManager/WEC\r\n \r\nWhen WinRM 2.0 and WinRM 1.1 are intermixed and the collector has enabled compatibility\r\nmode, remove the explicit port from the Subscription Manager Uniform Resource Locator (URL).\r\n \r\nServer=http://FQDN/wsman/SubscriptionManager/WEC\r\n \r\n Figure 11: Configuration of SubscriptionManager\r\n \r\nOnce the SubscriptionManager value has been set, click OK.\r\n \r\n14 http://msdn.microsoft.com/en-us/library/bb870973(VS.85).aspx\r\n \r\nWinRM and the Server Option\r\n \r\nWinRM will attempt to connect to the collector on port 80 regardless of version. If the URL specified in\r\nthe Server option uses HTTP and omits the port value 5985, WinRM will communicate over port\r\n80. The collector may not accept WinRM client connections on port 80 if the latest WinRM versions are\r\nused. A compatibility listener can be configured to tell WinRM to additionally listen on port 80. 
Enabling\r\na compatibility listener on the collector is accomplished by using the following command:\r\n \r\nwinrm set winrm/config/service @{EnableCompatibilityHttpListener=\"true\"}\r\n \r\nThe compatibility listener binds WinRM to a second port (80) and accepts traffic on this port. Once a\r\nWinRM client has established a connection with the collector, all ensuing traffic will be redirected to\r\nport 5985. The intended purpose of EnableCompatibilityHttpListener is to permit versions of WinRM prior to\r\n2.0 to communicate with newer versions of WinRM. A caveat to enabling this option is that an additional\r\nport will be open on the server, which is a potential security concern. Explicitly specify port 5895 in the\r\nURL of the Server option when configuring the subscription manager for sources. This avoids the\r\ncreation of an additional open port and the associated firewall rules.\r\n \r\nWindows 7 (and above) sources are not permitted to read event logs (e.g., Application, Security, Setup\r\nand System) for event forwarding. [15] The sources need the NETWORK SERVICE account added to the\r\nEvent Log Readers group under Restricted Groups in the EventSource GPO. The members of the Event\r\nLog Readers group are permitted to read event logs. WinRM runs with Network Service permissions on\r\nWindows 7 and above. Restricted groups can be configured by navigating to Computer Configuration \u003e\r\nPolicies \u003e Windows Settings \u003e Security Settings \u003e Restricted Groups in Group Policy Management.\r\n \r\nTo add the Event Log Readers group to the Restricted Groups policy:\r\n1. Right-click Restricted Groups\r\n2. Select Add Group…\r\n3. In the Add Group dialog box, click the Browse… button\r\n4. Enter Event Log Readers in the text area of the Select Groups dialog box\r\n5. Click Check Names\r\n6. Once Event Log Readers appears, click OK\r\n \r\nTo add the Network Service account to the Event Log Readers group:\r\n1. Right-click the Event Log Readers group and select Properties\r\n2. 
In Event Log Readers Properties, select Add… in the Members of this group section\r\n3. Select Browse… and enter NETWORK SERVICE in the text area\r\n4. Select Check Names\r\n5. Once NETWORK SERVICE appears, click OK\r\n6. Click OK in Event Log Readers Properties\r\n \r\nThe Network Service account can be added locally as an alternative option. In Computer Management\r\n(compmgmt.msc), add Network Service to the Event Log Readers group. The Network Service account\r\nis not part of the Event Log Readers group in Computer Management, but can be added by navigating to\r\n \r\n15 http://blogs.msdn.com/b/wmi/archive/2009/04/06/forwarding-security-related-events-from-xp-win2k3-vista-using-winrm-wsman-event-forwarding.aspx\n\n15\r\nComputer Management \u003e Local and User groups \u003e Groups \u003e Event Log Readers and adding this\r\naccount.\r\n \r\nThe Event Log Readers group will be shown in its SID format (S-1-5-32-573), rather than as an easily\r\nreadable name, until a Windows Server 2008 or Windows 2008 R2 Domain controller has been made the\r\nPrimary Domain Controller Operations Master role holder of the domain. [16]\r\n \r\nFor additional Organizational Units (OUs) that contain user workstations, previously created GPOs can\r\nbe applied against those OUs.\r\n2.5 Disabling Windows Remote Shell\r\nWhen WinRM completes execution of quickconfig, Windows Remote Shell (WinRS) will be enabled by\r\ndefault and will accept connections. This poses a security risk as there are attacks that leverage this\r\nfeature. WinRS should be disabled for all servers and clients in the domain. If the Windows Remote Shell\r\nservice is needed for a task (e.g., PowerShell’s PSSession-family Cmdlets), temporarily enable it and then\r\ndisable it when the task is completed. The registry keys for WinRS can be found in the WinRM Registry\r\nKeys and Values section of the Appendix. WinRS can be disabled for domains via Group Policy. 
This\r\npolicy enforcement applies to the collector and sources in the domain.\r\n \r\nWinRS policies can be found by navigating to Computer Configuration \u003e Policies \u003e Administrative\r\nTemplates \u003e Windows Components \u003e Windows Remote Shell.\r\n \r\nTo disable WinRS:\r\n1. Set the Allow Remote Shell Access policy to Disabled\r\n2. Click OK\r\n \r\nWinRS can also be disabled by using the command line:\r\n \r\nwinrm set winrm/config/winrs @{AllowRemoteShellAccess=\"false\"}\r\n \r\n2.6 Firewall Modification\r\nEvent collection aids in identifying problems on a remote computer using WinRM. The communication\r\nchannel, however, opens an additional attack vector on each of the sources and collectors. The purpose of event\r\nforwarding is solely to communicate with the collector(s). An attacker may attempt to attack or perform\r\nreconnaissance of other machines laterally through WinRM services. Isolating sources and collectors\r\nlimits an attacker’s ability to use this service as a target.\r\n \r\nCertain environments may enforce firewall rule merging restrictions for servers. Enforcing these\r\nrestrictions will hinder the configuration of locally applied WinRM firewall rule exceptions. The removal\r\nof rule merging restrictions is encouraged for the collection server.\r\n \r\nWinRM should have configured Windows Firewall to allow WinRM connections when using quickconfig.\r\nThe EventSource GPO firewall policies should be enabled for all profiles. This section serves as a list of\r\nalternate methods to enable WinRM firewall exceptions. The Windows Firewall with Advanced Security\r\npolicy should be enabled for all profiles.\r\n \r\n16 http://support.microsoft.com/kb/243330\r\n \r\n2.6.1 Collector Firewall\r\nIn Windows Server 2008 R2, Windows Firewall with Advanced Security has two predefined firewall rules\r\nthat can be enabled from the GUI or the command line. 
The first predefined rule, Windows Remote\r\nManagement (HTTP-In), allows network traffic to the local port 5895 on the collector for machines\r\nrunning WinRM 2.0. The second predefined rule, Windows Remote Management – Compatibility\r\n(HTTP-In), allows traffic from versions of WinRM prior to 2.0 to communicate with the collector on port\r\n80. The use of the WinRM compatibility firewall rule should be enabled if a compatibility listener is\r\nconfigured on the collector. [17]\r\n \r\nWinRM firewall rule must be applied to Domain, Private, and Public profiles. Any modification of this\r\nsetting (i.e., selecting Domain only) will result in an error with subscriptions running and sources\r\ncommunicating with the subscription manager.\r\n2.6.1.1 Graphical User Interface\r\nWindows Firewall with Advanced Security can be managed using two available options: local or group\r\npolicies. These graphical options are not required since configuration of the firewall was performed\r\nduring the WinRM setup and can be used to verify the WinRM firewall rule’s status.\r\n2.6.1.1.1 Windows Firewall with Advanced Security Group Policy\r\nThe creation of a firewall policy for WinRM can be set using a predefined rule. Expand Computer\r\nConfiguration \u003e Policies \u003e Windows Settings \u003e Security Settings \u003e Windows Firewall with Advanced\r\nSecurity \u003e Windows Firewall with Advanced Security – ADsPath \u003e Inbound Rules.\r\n \r\nTo enable WinRM firewall rules:\r\n1. Right-click on Inbound Rules and select New Rule…\r\n2. Select Windows Remote Management from the Predefined drop-down list\r\n3. Click the Next button\r\n4. Select Windows Remote Management – Compatibility Mode (HTTP-In) or Windows Remote\r\nManagement (HTTP-In) depending on environment setup. Select both rules if the network is\r\nintermixed with WinRM 2.0 and earlier versions.\r\n5. Click the Next button\r\n6. Select Allow the connection\r\n7. 
Click Finish\r\n \r\nThe predefined WinRM rule permits either WinRM 2.0 traffic (port 5985) or compatibility mode traffic\r\n(port 80). Whether to enable the WinRM rule in compatibility mode depends on whether the\r\nenvironment consists of WinRM 2.0 and earlier versions.\r\n \r\n17 See the WinRM and Server Option note of the Enabling Event Forwarding Policy section for more information.\r\n \r\n Figure 12: GPO Inbound Firewall Rules\r\n Figure 13: Open Ports for WinRM\r\n \r\nThe last configuration step for creating the new rule is allowing the connection. Windows Firewall will\r\nenable these rules for all profiles and accept traffic from any IP (remote and local) by default.\r\n \r\n Figure 14: Allow Any Connection to Port\r\n \r\n Figure 15: Verify Firewalls are Enabled\r\n \r\n2.6.1.2 Configuring the Firewall using the Command Line\r\nThe benefit of configuring the firewall from the command line is that the user avoids navigating through the GUI to find\r\nthe desired configuration options. The following command enables the predefined WinRM firewall rule (use the name of the\r\ncompatibility rule, Windows Remote Management – Compatibility (HTTP-In), to enable compatibility mode instead):\r\n \r\nnetsh advfirewall firewall set rule name=\"Windows Remote Management (HTTP-In)\" new enable=yes\r\n \r\nIf the error message “A specific value is not valid” appears, verify the rule’s name. The alternative\r\napproach is to enter the netsh context, followed by the advfirewall context, and then the firewall context. In\r\nthe firewall context, repeat the command for the specific rule.\r\n2.6.2 WinRM 2.0 Source Firewall\r\nWhen WinRM is executed with the quickconfig option, it creates a default firewall rule that allows\r\ninbound WinRM traffic. The firewall rule automatically sets the required port (80 or 5985) depending on\r\nthe WinRM version. Configuring WinRM locally on sources is discouraged as using Group Policy is more\r\nmanageable.\r\n \r\nSources using WinRM 2.0 require that port 5985 is allowed through the firewall. 
The predefined rule\r\nWindows Remote Management (HTTP-In) should only be enabled on a computer using WinRM 2.0. The\r\nsteps for enabling the firewall rule via GPO for the sources can be done by following the Windows\r\nFirewall with Advanced Security Group Policy section. This rule should be applied to Windows Vista (if\r\nupgraded to WinRM 2.0) and beyond as it uses Windows Firewall with Advanced Security. The firewall\r\nrule should be applied to Domain profiles only.\r\n \r\n Figure 16: Predefined Rule for WinRM 2.0\r\n \r\nOnce the WinRM firewall rule is enabled, update the group policy changes using gpupdate. Events\r\nshould be populating the collector’s log. If no events are received, then troubleshooting techniques are\r\nprovided in the Troubleshooting section.\r\n2.7 Restricting WinRM Access\r\nThe default rules permit connections from any IP address to the specific WinRM port. An attacker who\r\nhas presence on a network can possibly move laterally between machines and servers by accessing\r\nWinRM services. Mitigation to this attack is customizing the predefined rules to only allow connections\r\nbetween collectors and sources. A policy for specifying the IP scope for both source and collector\r\nmachine is discussed in this section. These configurations apply to the WinRM predefined firewall rules\r\nunder Computer Configuration \u003e Policies \u003e Windows Settings \u003e Security Settings \u003e Windows Firewall\r\nwith Advanced Security \u003e Inbound Rules.\r\n2.7.1 Source Firewall Modifications\r\nTo enable WinRM firewall rules on the sources:\r\n1. Right-click the predefined WinRM firewall rule and select Properties\r\n2. Navigate to the Scope tab\r\n3. In the Remote IP Address area and select the These IP addresses option\r\n4. Click the Add… button\r\n5. Select the This IP address or subnet option and enter the IP address of the collector\r\n6. 
Click OK\r\n \r\n Figure 17: Adding Selective IP addresses\r\n \r\n \r\n Figure 18: Add IP of Event Collector\n\n19\r\nConfiguring a whitelist, which accepts WinRM traffic only from the collector, is recommended.\r\n2.7.2 Collector Firewall Modification\r\nAs done in the Source Firewall Modifications section, repeat the steps for the predefined WinRM rule.\r\nSetting the Predefined set of computers option to Local subnet is recommended. This rule can be\r\nchanged to best suit your environment.\r\n \r\n Figure 19: The Event Collector Firewall allowing Local subnet to Connect\r\n \r\nGroup Policy Firewall Problem\r\nWhile viewing a subscription in Event Viewer, the following error may appear. As the dialog states, a\r\nfirewall exception needs to be applied or a firewall setting was modified incorrectly. Verify that when\r\nyou enabled the predefined firewall rules via a Group Policy that the firewall profile for the rule is\r\nenabled as well. A more detailed error message can be obtained by providing the name of the desired\r\nsubscription (subscriptionID):\r\nwecutil get-subscriptionruntimestatus SubscriptionID\r\n \r\n Figure 20: Event Viewer Subscription Creation Error\r\n \r\n2.8 Disabling WinRM and Windows Collector Service\r\nWindows Remote Management (WinRM) and Event Forwarding can be disabled from operating in the\r\nnetwork. These services can be stopped in the Services Microsoft Management Console (MMC) snap-in.\r\nEach subscription created and in use should be disabled on the event collector server.\r\n \r\nTo disable collection of events on the event collector server:\r\n1. Open Services MMC snap-in\r\n2. Right-click the Windows Remote Management service and select Properties\r\n3. Change the Startup type to Disabled\n\n20\r\n4. In Services status option, select Stop\r\n5. Click OK\r\n6. Repeat steps 1 through 5 for the Windows Event Collector service\r\n \r\nWinRM can be disabled on each source that was configured by a GP. 
The following steps are performed\r\non the Domain Controller for domains using WinRM and Event Forwarding:\r\n \r\n1. Open Group Policy Management Editor\r\n2. Navigate to Computer Configuration \u003e Policies \u003e Windows Settings \u003e Security Settings \u003e\r\nSystem Services\r\n3. Right-click the Windows Remote Management service and select Properties\r\n4. Set Startup type to Disabled\r\n5. Click OK\r\n6. Navigate to Computer Configuration \u003e Policies \u003e Administrative Templates \u003e Event Forwarding\r\n7. Set the Configure the server address, refresh interval, and issuer certificate authority of a\r\ntarget Subscription Manager policy to Disabled\r\n8. Click OK\r\n \r\nRepeat the above steps for any additional OUs that use Event Forwarding and WinRM.\r\n3 Hardening Event Collection\r\nWindows Remote Management (WinRM) provides security options for authentication and uses other\r\nsecurity technologies to encrypt communication channels. This section explains how to securely\r\nconfigure WinRM.\r\n \r\n3.1 WinRM Authentication Hardening Methods\r\nWinRM configuration is divided into two parts: service and client. The service configuration is used to\r\nmanage the WinRM service that receives WS-Management requests from clients. [18]\r\n \r\nThe following methods of authentication are supported by WinRM: [19]\r\n \r\n- Basic Authentication\r\n- Digest Authentication\r\n- Credential Security Support Provider (CredSSP)\r\n- Negotiate Authentication\r\n- Kerberos Authentication\r\n- Client Certificate-based Authentication\r\n- Channel Binding Token\r\n \r\nThe authentication methods for the WinRM client and service can be located by navigating to Computer\r\nConfiguration \u003e Policies \u003e Administrative Templates \u003e Windows Components \u003e Windows Remote\r\nManagement (WinRM). 
WinRM Service and WinRM Client authentication methods are respectively\r\nshown in Figure 21 and Figure 22.\r\n \r\n18 http://technet.microsoft.com/en-us/library/cc775103(v=ws.10).aspx\r\n19 http://msdn.microsoft.com/en-us/library/windows/desktop/aa384372(v=vs.85).apsx\n\n21\r\n \r\nThe client has the option to set Digest Authentication, while the service does not. Additionally, the\r\nservice can allow hardening of WinRM TLS connections using channel binding tokens.\r\n \r\n Figure 21: WinRM Service Authentication Policies\r\n Figure 22: WinRM Client Authentication Policies\r\nThe Allow unencrypted traffic policy is not part of authentication. Default value for both Client and\r\nService configuration of the aforementioned policy is Disabled. Setting this policy to Disabled is\r\nrecommended.\r\n3.1.1 Basic Authentication\r\nThe client can use basic authentication to communicate with a WinRM service. Setting the Allow Basic\r\nauthentication to Disabled is recommended.\r\n \r\nDefault Client Configuration: True\r\nDefault Service Configuration: False\r\n \r\nSetting both to Disabled is recommended.\r\n3.1.2 Digest Authentication\r\nThis mode of authentication is a challenge-response scheme. The client will initiate the request and in\r\nresponse, the server will send a server-specified token string to the client. After the token string has\r\nbeen received, the client will append the resource request with the username of the client, the hash of\r\nthe username’s password, and the token string to the response message. [19]\r\n \r\nThe WinRM service does not accept digest authentication as shown in Figure 21. 
[20][21]\r\n \r\nDefault Service Configuration: Not Applicable\r\nDefault Client Configuration: True\r\n \r\nSetting the client configuration to False is recommended.\r\n \r\nSetting the Disallow Digest Authentication policy to Enabled is recommended.\r\n \r\n20 http://msdn.microsoft.com/en-us/library/windows/desktop/aa384295(v=vs.85).aspx\r\n21 http://msdn.microsoft.com/en-us/library/windows/desktop/aa384372(v=vs.85).aspx\r\n \r\n3.1.3 Credential Security Support Provider\r\nCredential Security Support Provider (CredSSP) provides a secure way to delegate a user’s credentials\r\nfrom a client to a target server. [19][22][23] The SSP provides the capability of Single Sign-on (SSO) in\r\nTerminal Services sessions. [23] This option is only available for WinRM 2.0. Setting the Allow CredSSP\r\nauthentication policy to Disabled is recommended.\r\n \r\nDefault Client Configuration: False\r\nDefault Service Configuration: False\r\n \r\nSetting both to Disabled is recommended.\r\n3.1.4 Negotiate Authentication\r\nNegotiate authentication is a Security Support Provider (SSP) that provides a client with two alternative\r\nmethods of authentication: Kerberos and NTLM. [24][25][26] Negotiate initially selects Kerberos as the\r\ndefault; otherwise, NTLM is used. [19]\r\n \r\nDefault Client Configuration: True\r\nDefault Service Configuration: True\r\n \r\nDisabling Negotiate authentication may result in unforeseen problems when trying to configure WinRM\r\nlocally. It is recommended to complete configuration of the event collection network prior to enforcing\r\nthis policy. When the WinRM command is issued with the remote destination switch set to the local host\r\nvalue while the client machine is part of a domain, WinRM will use Negotiate authentication. [27] If an\r\nerror arises stating Negotiate authentication is disabled, a workaround is to use Kerberos locally by\r\nspecifying the local hostname in the remote switch. 
[28] Setting the Disallow Negotiate Authentication\r\npolicy to Enabled is recommended.\r\n \r\nSetting both the Client and the Service policy to Enabled is recommended.\r\n3.1.5 Kerberos Authentication\r\nKerberos version 5 is used as a method of authentication and communication between the service and\r\nclient. [29][30][31] Kerberos authenticates both parties to each other and is the method the collector and\r\ndomain-joined sources should use. Setting the Disallow Kerberos Authentication policy to Disabled is\r\nrecommended.\r\n \r\nDefault Client Configuration: True\r\nDefault Service Configuration: True\r\n \r\nSetting both Disallow Kerberos Authentication policies to Disabled (Kerberos remains allowed) is recommended.\r\n \r\n22 ([MS-CSSP]: Credential Security Support Provider (CredSSP) Protocol, 2012)\r\n23 http://technet.microsoft.com/en-us/library/cc749211(WS.10).aspx\r\n24 http://technet.microsoft.com/en-us/library/cc755084(v=ws.10).aspx\r\n25 (Installation and Configuration for Windows Remote Management, 2012)\r\n26 http://msdn.microsoft.com/en-us/library/windows/desktop/aa378748(v=vs.85).aspx\r\n27 http://msdn.microsoft.com/en-us/library/windows/desktop/aa384295(v=vs.85).aspx\r\n28 WinRM error code 0x803380E1\r\n29 http://www.ietf.org/rfc/rfc1510.txt\r\n30 http://technet.microsoft.com/en-us/library/cc772815(v=ws.10).aspx\r\n31 http://technet.microsoft.com/en-us/library/cc753173(v=ws.10).aspx\r\n \r\n3.1.6 Client Certificate-Based Authentication\r\nA service can verify the connecting client's identity by examining the client's certificate. If the\r\nauthentication process fails, the client's connection is rejected.\r\n \r\nDefault Client Configuration: True\r\nDefault Service Configuration: False\r\n \r\nSetting both to False is recommended.\r\n \r\nThere is no Group Policy setting to disable Certificate-Based Authentication for WinRM's client\r\nconfiguration. The only alternative is the command line: [32]\r\n \r\nwinrm set winrm/config/client/auth @{Certificate=\"false\"}\r\n \r\nAccessing each source to manually configure this setting is not recommended. 
This authentication\r\nrecommendation should be set on the collector.\r\n3.1.7 Channel Binding Token\r\nA common threat to NTLM, NTLMv2, and Kerberos authentication is a Man-in-the-Middle (MitM) relay\r\nattack. [33] The Channel Binding Token (CBT) option binds the authentication exchange to the\r\nTransport Layer Security (TLS) channel between a client and a server. In a relay attack, the attacker is\r\npositioned between the client and the server and impersonates each to the other. When the client\r\ninitiates a request, the attacker captures it and forwards it to the server on the client's behalf. The\r\nserver responds with an authentication challenge, which the attacker forwards to the client. The client,\r\nassuming it is communicating with the server, answers the challenge with a response computed from its\r\ncredentials; the attacker forwards that response to the server and now holds an authenticated session\r\nto the resource. [34][35][36]\r\n \r\nCBT improves the security of the communication channel between the server and the client. Each TLS\r\nsession yields a different binding token, so under a MitM the two connections (client-to-attacker and\r\nattacker-to-server) carry different tokens. A CBT-aware server that notices this discrepancy refuses the\r\nauthentication request. 
Note, this option is not available prior to WinRM 2.0.\r\n \r\nThe Channel Binding Tokens option can be set to: [37]\r\n- None: CBTs are not used\r\n- Relaxed: any invalid token is rejected, but a channel without a binding token is accepted\r\n- Strict: any request without a valid channel binding token is rejected\r\n \r\nDefault Service Configuration: Relaxed\r\n \r\n32 If you get an error stating that Negotiate authentication failed after applying the hardened authentication methods, see the Troubleshooting section in\r\nthe Appendix and the Negotiate Authentication section.\r\n33 Securing Windows Networks: Security Advice From The Front Line by Robert Hensing – Microsoft PSS Security;\r\nhttp://it.northwestern.edu/bin/docs/windows_network.ppt\r\n34 http://msdn.microsoft.com/en-us/library/vstudio/dd767318(v=vs.90).aspx\r\n35 http://blogs.technet.com/b/srd/archive/2009/12/08/extended-protection-for-authentication.aspx\r\n36 http://tools.ietf.org/html/rfc5056\r\n37 Specify channel binding token hardening level policy within Windows Remote Management \u003e WinRM Service on Windows Server 2008 R2.\r\n \r\nIf using TLS, setting the Specify channel binding token hardening level policy to Strict is recommended;\r\notherwise, set the policy to Disabled. Relaxed only protects clients that send a token; older clients that\r\nsend none are still accepted, so it is a compatibility setting rather than a hardening setting.\r\n \r\n3.1.8 Trusted Host\r\nThe Trusted Hosts list is used by the client for connections to computers that cannot be authenticated\r\nwith HTTPS or Kerberos. [38] A list of computers (typically non-domain members) can be provided and\r\nmarked trusted. When connecting to these computers over WinRM, the client sends the user's credentials\r\nwithout being able to verify the identity of the remote computer. [21]\r\n \r\nDefault Client Configuration: False\r\n \r\nSetting the Trusted Hosts policy to Disabled is recommended unless collection from non-domain\r\nsources is required. If it is required, list the specific hostnames rather than a wildcard.\r\n3.2 Secure Sockets Layer and WinRM\r\nEvent Forwarding is not solely for domain-joined computers. Computers not joined to a domain can use\r\nthe Event Forwarding feature of Windows under the condition that TLS/SSL is used. 
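The following PowerShell script is an added example and is not part of this guide or its GitHub scripts. It reads the local WinRM client and service settings through the WSMan: provider and compares them with the values recommended in sections 3.1.1 through 3.1.8 and for Allow unencrypted traffic. It assumes an elevated PowerShell 3.0 or later session on a machine where the WinRM service is running; the table of recommended values is transcribed from this section, and the SetBy column relies on the provider's SourceOfValue property, which reads GPO when Group Policy supplies the value.

```powershell
# Added example, not from the guide: audit local WinRM settings against section 3.1.
# Assumes PowerShell 3.0+ run elevated on a machine where the WinRM service is
# running (the WSMan: drive is unavailable otherwise). Recommended values are
# transcribed from sections 3.1.1 to 3.1.8; keys are WSMan: provider paths.
$recommended = [ordered]@{
    'Service\AllowUnencrypted'       = 'false'
    'Service\Auth\Basic'             = 'false'
    'Service\Auth\Kerberos'          = 'true'
    'Service\Auth\Negotiate'         = 'false'   # enforce only after collection is configured (3.1.4)
    'Service\Auth\Certificate'       = 'false'
    'Service\Auth\CredSSP'           = 'false'
    'Service\Auth\CbtHardeningLevel' = 'Strict'  # meaningful only with an HTTPS listener (3.1.7)
    'Client\AllowUnencrypted'        = 'false'
    'Client\Auth\Basic'              = 'false'
    'Client\Auth\Digest'             = 'false'
    'Client\Auth\Kerberos'           = 'true'
    'Client\Auth\Negotiate'          = 'false'
    'Client\Auth\Certificate'        = 'false'   # no GPO exists; set with "winrm set" (3.1.6)
    'Client\Auth\CredSSP'            = 'false'
    'Client\TrustedHosts'            = ''        # empty unless non-domain sources are required (3.1.8)
}

function Get-WinRMAuthFindings {
    param([System.Collections.IDictionary] $Expected)
    foreach ($setting in $Expected.Keys) {
        $item = Get-Item -Path "WSMan:\localhost\$setting" -ErrorAction Stop
        $actual = [string]$item.Value
        [pscustomobject]@{
            Setting     = $setting
            Actual      = $actual
            Recommended = $Expected[$setting]
            # SourceOfValue is 'GPO' when Group Policy, not local configuration, sets the value
            SetBy       = $item.SourceOfValue
            Compliant   = ($actual -eq $Expected[$setting])   # -eq ignores case: 'False' equals 'false'
        }
    }
}

$findings = Get-WinRMAuthFindings -Expected $recommended
$findings | Format-Table Setting, Actual, Recommended, SetBy, Compliant -AutoSize

$drift = @($findings | Where-Object { -not $_.Compliant })
if ($drift.Count -gt 0) {
    Write-Warning "$($drift.Count) WinRM setting(s) differ from the recommended values."
}

# Hardening values should come from Group Policy so they survive a local reset of the
# WinRM configuration; flag values that are correct but only set locally.
$findings | Where-Object { $_.Compliant -and $_.SetBy -ne 'GPO' } |
    ForEach-Object { Write-Warning "$($_.Setting) is correct but not enforced by GPO." }
```

Run it on the collector and on a sample source after the policies from section 2 have applied. Negotiate is listed as false because that is the end state this section recommends; while WinRM is still being configured locally it will legitimately show as non-compliant, as noted in 3.1.4.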
WinRM traffic\r\nbetween the collector and a source, whether domain or non-domain, is encrypted: domain computers rely\r\non Windows Integrated Authentication and non-domain computers on HTTPS. [20][39][90] The message\r\npayload of WinRM's HTTP traffic is encrypted using one of the three authentication methods provided by\r\nIntegrated Windows Authentication: Negotiate, Kerberos, or CredSSP. [40][41][83] The default encryption\r\nmethod used for WinRM's HTTP traffic is therefore Kerberos or Negotiate; otherwise TLS/SSL is used.\r\n[42][43] For non-domain computers, WinRM uses client certificate mapping to authenticate the source to\r\nthe collector. The general steps consist of configuring the listening port, creating certificates for\r\ncollectors and sources, configuring the subscription manager, and configuring subscriptions. A more\r\ndetailed explanation of configuring WinRM to use TLS/SSL for non-domain computers is provided by\r\nMicrosoft. [14][43]\r\n4 Recommended Events to Collect\r\nThis section contains a basic set of events recommended for central collection and review by\r\nadministrators. The presence of a collected event is not necessarily malicious, and it should be reviewed\r\nin the appropriate context. Event logs provide a record of activities that can be referenced when malicious\r\nactivity is discovered on a workstation. Microsoft has released a document titled Best Practices for\r\nSecuring Active Directory [44] covering several topics, from defending against different attacks on\r\nActive Directory installations to an extensive list of events to monitor in a domain. The events\r\nrecommended herein are critical for identifying the behavior and health of a machine.\r\n \r\nCollection of certain recommended events (e.g., account logons) requires Domain Controllers or\r\nmember servers to be configured for Event Forwarding as a source. 
Certain events (e.g., account\r\nmanagement) are only generated on Domain Controllers in a domain setting, whereas those same events\r\nare generated on the local machine in non-domain settings.\r\n \r\n38 http://technet.microsoft.com/en-us/magazine/ff700227.aspx\r\n39 http://support.microsoft.com/kb/2019527\r\n40 http://msdn.microsoft.com/en-us/library/cc251574.aspx\r\n41 http://technet.microsoft.com/en-us/security/advisory/974926\r\n42 winrm help config\r\n43 http://support.microsoft.com/kb/2019527\r\n44 http://www.microsoft.com/en-us/download/details.aspx?id=38785\r\n \r\n4.1 Application Whitelisting\r\nApplication whitelisting events should be collected to look for applications that have been blocked from\r\nexecution. Any blocked application could be malware or a user trying to run unapproved software.\r\nSoftware Restriction Policies (SRP) are supported on Windows XP and above. The AppLocker feature is\r\navailable only for the Enterprise and Ultimate editions of Windows 7 and above. [45] Application\r\nWhitelisting events can be collected if SRP or AppLocker is actively being used on the network. In\r\naudit-only mode AppLocker logs what it would have blocked (8003 for EXE/DLL, 8006 for MSI/Script); in\r\nenforce mode it logs what it did block (8004 and 8007).\r\n \r\nEvent | ID | Level | Event Log | Event Source\r\nAppLocker EXE/DLL audit or block | 8003, 8004 | Warning, Error | Microsoft-Windows-AppLocker/EXE and DLL | Microsoft-Windows-AppLocker\r\nAppLocker MSI/Script audit or block | 8006, 8007 | Warning, Error | Microsoft-Windows-AppLocker/MSI and Script | Microsoft-Windows-AppLocker\r\nSRP Block | 865, 866, 867, 868, 882 | Warning | Application | Microsoft-Windows-SoftwareRestrictionPolicies\r\nTable 2: Whitelisting Events\r\n4.2 Application Crashes\r\nApplication crashes may warrant investigation to determine whether the crash is malicious or benign.\r\nCategories of crashes include Blue Screen of Death (BSOD), Windows Error Reporting (WER), Application\r\nCrash and Application Hang events. 
If the organization is actively using the Microsoft Enhanced\r\nMitigation Experience Toolkit (EMET), then EMET logs can also be collected; EMET events record a\r\nmitigation being triggered in a process and can be an early sign of an exploit attempt.\r\n \r\nEvent | ID | Level | Event Log | Event Source\r\nApp Error | 1000 | Error | Application | Application Error\r\nApp Hang | 1002 | Error | Application | Application Hang\r\nBSOD | 1001 | Error | System | Microsoft-Windows-WER-SystemErrorReporting\r\nWER | 1001 | Informational | Application | Windows Error Reporting\r\nEMET | 1, 2 | Warning, Error | Application | EMET\r\nTable 3: Application Events\r\n4.3 System or Service Failures\r\nSystem and service failures are interesting events that may need to be investigated. Service operations\r\nnormally do not fail. If a service fails, it may be of concern and should be reviewed by an\r\nadministrator. If a Windows service continues to fail repeatedly on the same machines, this may\r\nindicate that an attacker is targeting a service.\r\n \r\nEvent | ID | Level | Event Log | Event Source\r\nWindows Service Fails or Crashes | 7022, 7023, 7024, 7026, 7031, 7032, 7034 | Error | System | Service Control Manager\r\nTable 4: System Events\r\n \r\n45 http://technet.microsoft.com/en-us/library/dd759131.aspx\r\n \r\n4.4 Windows Update Errors\r\nA machine must be kept up to date to mitigate known vulnerabilities. Although unlikely, these patches\r\nmay sometimes fail to apply. 
Failures to update should be addressed to avoid prolonging the\r\nexistence of a vulnerability in the operating system or an application.\r\n \r\nEvent | ID | Level | Event Log | Event Source\r\nWindows Update Failed | 20, 24, 25, 31, 34, 35 | Error | Microsoft-Windows-WindowsUpdateClient/Operational | Microsoft-Windows-WindowsUpdateClient\r\nHotpatching Failed | 1009 | Informational | Setup | Microsoft-Windows-Servicing\r\nTable 5: Windows Update Failed Events\r\n4.5 Windows Firewall\r\nIf client workstations are taking advantage of the built-in host-based Windows Firewall, then there is\r\nvalue in collecting events to track the firewall status. For example, if the firewall state changes from on\r\nto off, that log should be collected. Normal users should not be modifying the firewall rules of their\r\nlocal machine.\r\n \r\nEvent | ID | Level | Event Log | Event Source\r\nFirewall Rule Add | 2004 | Informational | Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | Microsoft-Windows-Windows Firewall With Advanced Security\r\nFirewall Rule Change | 2005 | Informational | Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | Microsoft-Windows-Windows Firewall With Advanced Security\r\nFirewall Rules Deleted | 2006, 2033 | Informational | Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | Microsoft-Windows-Windows Firewall With Advanced Security\r\nFirewall Failed to load Group Policy | 2009 | Error | Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | Microsoft-Windows-Windows Firewall With Advanced Security\r\nTable 6: Firewall Events\r\nThe above events, for the listed versions of the Windows operating system, are only generated by\r\nmodifications of the local firewall settings.\r\n4.6 Clearing Event Logs\r\nIt is unlikely that event log data would be cleared during normal operations, and it is likely that a\r\nmalicious attacker will try to cover their tracks by 
clearing an event log. When an event log gets cleared,\r\nit is suspicious. Centrally collecting events has the added benefit of making it much harder for an\r\nattacker to cover their tracks, because copies already forwarded survive a local clear. Event\r\nForwarding permits sources to forward multiple copies of a collected event to multiple collectors, thus\r\nenabling redundant event collection. Using a redundant event collection model can minimize the single\r\npoint of failure risk.\r\n \r\nEvent | ID | Level | Event Log | Event Source\r\nEvent Log was Cleared | 104 | Informational | System | Microsoft-Windows-Eventlog\r\nAudit Log was Cleared | 1102 | Informational | Security | Microsoft-Windows-Eventlog\r\nTable 7: Log Activity Events\r\n4.7 Software and Service Installation\r\nAs part of normal network operations, new software and services will be installed, and there is value in\r\nmonitoring this activity. Administrators can review these logs for newly installed software or system\r\nservices and verify that they do not pose a risk to the network.\r\n \r\nEvent | ID | Level | Event Log | Event Source\r\nNew Kernel Filter Driver | 6 | Informational | System | Microsoft-Windows-FilterManager\r\nNew Windows Service | 7045 | Informational | System | Service Control Manager\r\nNew MSI File Installed | 1022, 1033 | Informational | Application | MsiInstaller\r\nNew Application Installation | 903, 904 [46] | Informational | Microsoft-Windows-Application-Experience/Program-Inventory [47] | Microsoft-Windows-Application-Experience\r\nUpdated Application | 905, 906 [46] | Informational | Microsoft-Windows-Application-Experience/Program-Inventory | Microsoft-Windows-Application-Experience\r\nRemoved Application | 907, 908 [46] | Informational | Microsoft-Windows-Application-Experience/Program-Inventory | Microsoft-Windows-Application-Experience\r\nSummary of Software Activities | 800 | Informational | Microsoft-Windows-Application-Experience/Program-Inventory | Microsoft-Windows-Application-Experience\r\nUpdate Packages Installed | 2 | Informational | Setup | 
Microsoft-Windows-Servicing\r\nWindows Update Installed | 19 | Informational | System | Microsoft-Windows-WindowsUpdateClient\r\nTable 8: Software and Service Events\r\n \r\nIt should be noted that an additional Program Inventory event ID 800 is generated daily on Windows 7\r\nat 12:30 AM to provide a summary of application activities (e.g., the number of new application\r\ninstallations). [48] Event ID 800 is generated on Windows 8 as well, under different circumstances. This\r\nevent is beneficial to administrators seeking to identify the number of applications that were installed or\r\nremoved on a machine.\r\n4.7.1 Program Data Updater\r\nAdministrators may have a process for inventorying software installed on clients. Windows has a\r\ncomponent, Application-Experience, which tracks the activities of adding and removing software.\r\n \r\nThe Program-Inventory log file is used by a scheduled task called Program Data Updater under Microsoft\r\n\u003e Windows \u003e Application Experience in the Task Scheduler. Program Data Updater is described as an\r\napplication that “collects program telemetry information if opted-in to the Microsoft Customer\r\nExperience Improvement Program.” [49] It is not necessary to be opted in to the Microsoft Customer\r\nExperience Improvement Program (CEIP) to generate event ID 800, 903, 904, 905, 906, 907, or 908.\r\n \r\nThese events do not apply to standalone executables, so a binary simply copied onto a machine will not\r\nappear here unless it is installed as a service (7045) or a filter driver (6).\r\n4.8 Account Usage\r\nUser account information can be collected and audited. Tracking local account usage can help detect\r\nPass the Hash activity and other unauthorized account usage. Additional information such as remote\r\ndesktop logins, users added to privileged groups, and account lockouts can also be tracked. 
User accounts being promoted to privileged groups should be audited very closely to ensure that the\r\nusers are in fact supposed to be in a privileged group. Unauthorized membership in privileged groups is a\r\nstrong indicator that malicious activity has occurred.\r\n \r\n46 These events only apply to Windows 7, as they were removed in Windows 8+.\r\n47 The full log path is Applications and Services Logs \u003e Microsoft \u003e Windows \u003e Application-Experience \u003e Program-Inventory\r\n48 Trigger information for Application Experience was taken from the ProgramDataUpdater scheduled task.\r\n49 This description can be found under the General tab of the task called ProgramDataUpdater.\r\n \r\nEvent | ID | Level | Event Log | Event Source\r\nAccount Lockouts | 4740 | Informational | Security | Microsoft-Windows-Security-Auditing\r\nUser Added to Privileged Group | 4728, 4732, 4756 | Informational | Security | Microsoft-Windows-Security-Auditing\r\nSecurity-Enabled Group Modification | 4735 | Informational | Security | Microsoft-Windows-Security-Auditing\r\nSuccessful User Account Login | 4624 | Informational | Security | Microsoft-Windows-Security-Auditing\r\nFailed User Account Login | 4625 | Informational | Security | Microsoft-Windows-Security-Auditing\r\nAccount Login with Explicit Credentials | 4648 | Informational | Security | Microsoft-Windows-Security-Auditing\r\nTable 9: Account Activity Events\r\n \r\nLockout events for domain accounts are generated on the domain controller, whereas lockout events for\r\nlocal accounts are generated on the local computer. Likewise, 4728 (global group) and 4756 (universal\r\ngroup) are generated on domain controllers, while 4732 (local group) is generated on whichever machine\r\nholds the group, including a workstation's local Administrators group.\r\n4.8.1 Account Management Event ID Fields\r\nAccount activity events contain multiple fields describing what specific action was performed, and by\r\nwhom. Certain fields warrant further explanation. 
[50] Event ID 4624 consists of six sections\r\non Windows 7: Subject, Logon Type, New Logon, Process Information, Network Information, and\r\nDetailed Authentication Information.\r\n \r\nThe Subject section identifies who requested the logon. The New Logon and Network Information sections\r\nprovide information about the newly logged-on account and the origin of the request, respectively. Process\r\nInformation and Detailed Authentication Information are used to identify the process that performed the\r\nlogon request and the authentication mechanism used.\r\n \r\nIn event ID 4624, the sub-field Security ID of the Subject section may have NULL SID as a value. NULL SID\r\nis an account identifier (SID: S-1-0-0) used for unknown SID values. [51] It is normal for network logons\r\n(Logon Type 3), which are requested on behalf of the remote peer rather than by a local account.\r\n4.9 Kernel Driver Signing\r\nThe introduction of kernel driver signing in the 64-bit version of Windows Vista significantly improves\r\ndefenses against insertion of malicious drivers or activities in the kernel. [52] Any indication of a\r\nprotected driver being altered may indicate malicious activity or a disk error and warrants investigation.\r\n \r\n50 Event ID 4624 provides details of each field at the end of the event.\r\n51 http://technet.microsoft.com/en-us/library/cc778824(v=ws.10).aspx\r\n52 http://msdn.microsoft.com/en-us/library/windows/hardware/ff548231(v=vs.85).aspx\r\n \r\nEvent | ID | Level | Event Log | Event Source\r\nDetected an invalid image hash of a file | 5038 | Informational | Security | Microsoft-Windows-Security-Auditing\r\nDetected an invalid page hash of an image file | 6281 | Informational | Security | Microsoft-Windows-Security-Auditing\r\nCode Integrity Check | 3001, 3002, 3003, 3004, 3010, 3023 | Warning, Error | Microsoft-Windows-CodeIntegrity/Operational | Microsoft-Windows-CodeIntegrity\r\nFailed Kernel Driver Loading | 219 | Warning | System | Microsoft-Windows-Kernel-PnP\r\nTable 10: Kernel Driver Signing Events\r\n4.10 Group Policy Errors\r\nManagement of domain computers permits administrators to heighten the security 
and regulation of\r\nthose machines with Group Policy. The inability to apply a policy due to a Group Policy error removes the\r\naforementioned benefits. An administrator should investigate these events immediately.\r\n \r\nEvent | ID | Level | Event Log | Event Source\r\nInternal Error | 1125 | Error | System | Microsoft-Windows-GroupPolicy\r\nGeneric Internal Error | 1127 | Error | System | Microsoft-Windows-GroupPolicy\r\nGroup Policy Application Failed due to Connectivity | 1129 | Error | System | Microsoft-Windows-GroupPolicy\r\nTable 11: Group Policy Error Events\r\n4.11 Windows Defender Activities\r\nSpyware and malware remain a serious problem, and Microsoft developed an antispyware and antivirus\r\nproduct, Windows Defender, to combat this threat. [53] Any notification of detecting, removing, or\r\npreventing these malicious programs should be investigated. In the event Windows Defender fails to\r\noperate normally, administrators should correct the issue immediately to prevent the possibility of\r\ninfection or further infection. 
If a third-party antivirus and antispyware product is currently in use, the collection of these\r\nevents is not necessary; collect the equivalent events from that product instead.\r\n \r\n53 http://windows.microsoft.com/en-us/windows-8/windows-defender\r\n \r\nEvent | ID | Level | Event Log | Event Source\r\nScan Failed | 1005 | Error | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender\r\nDetected Malware | 1006 | Warning | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender\r\nAction on Malware Failed | 1008 | Error | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender\r\nFailed to remove item from quarantine | 1010 | Error | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender\r\nFailed to update signatures | 2001 | Error | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender\r\nFailed to update engine | 2003 | Error | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender\r\nReverting to last known good set of signatures | 2004 | Warning | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender\r\nReal-Time Protection failed | 3002 | Error | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender\r\nUnexpected Error | 5008 | Error | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender\r\nTable 12: Windows Defender Activity Events\r\n4.12 Mobile Device Activities\r\nWireless devices are ubiquitous, and the need to record an enterprise's wireless device activities may be\r\ncritical. A wireless device could become compromised while traveling between different networks,\r\nregardless of the protocol used for communication (e.g., 802.11 or Bluetooth). Therefore, tracking\r\nwhich networks mobile devices are entering and exiting is useful to prevent further compromises. 
The\r\ncreation frequency of the following events depends on how often the device disconnects from and\r\nreconnects to a wireless network. Each event below provides mostly similar information, except that\r\nadditional fields have been added to certain events.\r\n \r\nEvent | ID | Level | Event Log | Event Source\r\nNetwork Connection and Disconnection Status (Wired and Wireless) | 10000, 10001 | Informational | Microsoft-Windows-NetworkProfile/Operational | Microsoft-Windows-NetworkProfile\r\nStarting a Wireless connection | 8000, 8011 | Informational | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig\r\nSuccessfully connected to Wireless connection | 8001 | Informational | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig\r\nDisconnect from Wireless connection | 8003 | Informational | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig\r\nWireless Association Status | 11000, 11001, 11002 | Informational, Error | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig\r\nWireless Security Started, Stopped, Successful, or Failed | 11004, 11005, 11010, 11006 | Informational, Error | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig\r\nWireless Connection Failed | 8002 | Error | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig\r\nWireless Authentication Started and Failed | 12011, 12012, 12013 | Informational, Error | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig\r\nTable 13: Mobility-related Events\r\n4.13 External Media Detection\r\nDetection of USB device (e.g., mass storage device) usage is important in some environments, such as\r\nair-gapped networks. This section takes the proactive avenue of detecting USB insertion in real time.\r\nEvent ID 43 only appears under certain circumstances. 
The following events and event logs are\r\nonly available in Windows 8 and above. Additional information can be found in the footnotes.\r\n \r\nEvent | ID | Level | Event Log | Event Source\r\nNew Device Information | 43 [54] | Informational | Microsoft-Windows-USB-USBHUB3-Analytic [55][56] | Microsoft-Windows-USB-USBHUB3\r\nNew Mass Storage Installation | 400 [57] | Informational | Microsoft-Windows-Kernel-PnP/Device Configuration | Microsoft-Windows-Kernel-PnP\r\nNew Mass Storage Installation | 410 [57] | Informational | Microsoft-Windows-Kernel-PnP/Device Configuration | Microsoft-Windows-Kernel-PnP\r\nTable 14: External Media Detection Events\r\n \r\nMicrosoft-Windows-USB-USBHUB3-Analytic is not an event log per se; it is a trace session log that stores\r\ntracing events in an Event Trace Log (.etl) file. The events created by the Microsoft-Windows-USB-USBHUB3\r\npublisher are sent to a direct channel (i.e., an Analytic log) and cannot be subscribed to for event\r\ncollection. [58] Administrators should seek an alternative method of collecting and analyzing this event\r\n(43).\r\n \r\n54 This event is generated for any USB 2.0 or 3.0 device inserted into a USB 3.0 port. The respective event log was not introduced until\r\nWindows 8.\r\n55 This is an Analytic log (i.e., an Event Tracing for Windows, ETW, trace session log). These logs are disabled by default. When the\r\nchannel is enabled, ETW will start processing this event.\r\n56 http://technet.microsoft.com/en-us/library/cc749492.aspx\r\n57 This event is generated for any USB device inserted into any USB port (2.0 or 3.0). However, this event is only generated once (the first\r\ntime the device is introduced to the system).\r\n58 http://msdn.microsoft.com/en-us/library/aa385225.aspx\r\n \r\n4.14 Printing Services\r\nDocument printing is essential for daily operations in many environments. 
The vast number of printing\r\nrequests increases the difficulty of tracking and identifying which document was printed and by whom.\r\nDocuments forwarded to a printer for processing can be recorded for logging purposes in multiple ways.\r\nEach print job can be logged by a print server, the printer itself, or the requesting machine.\r\nLogging these activities permits early detection of the printing of certain documents. The following event\r\nis generated on the client machine requesting to print a document. The event listed below may be\r\nproduced excessively depending on printing activity. This event should be treated as a historical record\r\nor an additional piece of evidence rather than an auditing record of print jobs.\r\n \r\nEvent | ID | Level | Event Log | Event Source\r\nPrinting Document | 307 | Informational | Microsoft-Windows-PrintService/Operational | Microsoft-Windows-PrintService\r\nTable 15: Printing Services Events\r\n \r\nThis operational log is disabled by default and must be enabled to capture this event.\r\n4.15 Pass the Hash Detection\r\nTracking user accounts for detecting Pass the Hash (PtH) requires creating a custom view with XML to\r\nconfigure more advanced filtering options. The event query language is based on XPath. The\r\nrecommended QueryList below is limited in detecting PtH attacks. These queries focus on discov\r\nering lateral movement by an attacker using local accounts that are not part of the domain. The\r\nQueryList captures events that show a local (non-domain) account authenticating over the network to\r\nanother machine with NTLM. This event is a rarity, so any occurrence should be treated as suspicious.\r\nA PtH attack that uses a domain account's hash produces a domain logon and is not caught by these\r\nqueries.\r\n \r\nThe XPath queries below are used for the Event Viewer's Custom Views.\r\n \r\nThe successful use of PtH for lateral movement between workstations would trigger event ID 4624, with\r\nan event level of Information, from the Security log. 
This behavior would be a LogonType of 3 using\r\nNTLM authentication where it is not a domain logon and not the ANONYMOUS LOGON account. To\r\nclearly summarize the event that is being collected:\r\n \r\nEventID | Log | Level | LogonType | Authentication Package Name\r\n4624 | Security | Information | 3 | NTLM\r\n \r\nIn the QueryList below, substitute the \u003cDOMAIN NAME\u003e section with the NetBIOS name of the domain\r\n(the value that appears in the TargetDomainName field of a domain logon). The LogonType test is written\r\nas Data[@Name='LogonType']='3' so that it compares the LogonType field itself; the looser form\r\nData[@Name='LogonType'] and (Data='3') would match any event that has a LogonType field and some\r\nother Data element equal to 3.\r\n \r\n\u003cQueryList\u003e\r\n \u003cQuery Id=\"0\" Path=\"ForwardedEvents\"\u003e\r\n \u003cSelect Path=\"ForwardedEvents\"\u003e\r\n *[System[(Level=4 or Level=0) and (EventID=4624)]]\r\n and\r\n *[EventData[Data[@Name='LogonType']='3']]\r\n and\r\n *[EventData[Data[@Name='AuthenticationPackageName']='NTLM']]\r\n and\r\n *[EventData[Data[@Name='TargetUserName']!='ANONYMOUS LOGON']]\r\n and\r\n *[EventData[Data[@Name='TargetDomainName']!='\u003cDOMAIN NAME\u003e']]\r\n \u003c/Select\u003e\r\n \u003c/Query\u003e\r\n\u003c/QueryList\u003e\r\n \r\nA failed logon attempt when trying to move laterally using PtH would trigger event ID 4625. This\r\nwould have a LogonType of 3 using NTLM authentication where it is not a domain logon and not the\r\nANONYMOUS LOGON account. 
To clearly summarize the event that is being collected:\r\n \r\nEventID | Log | Level | LogonType | Authentication Package Name\r\n4625 | Security | Information | 3 | NTLM\r\n \r\n\u003cQueryList\u003e\r\n \u003cQuery Id=\"0\" Path=\"ForwardedEvents\"\u003e\r\n \u003cSelect Path=\"ForwardedEvents\"\u003e\r\n *[System[(Level=4 or Level=0) and (EventID=4625)]]\r\n and\r\n *[EventData[Data[@Name='LogonType']='3']]\r\n and\r\n *[EventData[Data[@Name='AuthenticationPackageName']='NTLM']]\r\n and\r\n *[EventData[Data[@Name='TargetUserName']!='ANONYMOUS LOGON']]\r\n and\r\n *[EventData[Data[@Name='TargetDomainName']!='\u003cDOMAIN NAME\u003e']]\r\n \u003c/Select\u003e\r\n \u003c/Query\u003e\r\n\u003c/QueryList\u003e\r\n \r\n4.16 Remote Desktop Logon Detection\r\nRemote Desktop account activity events are not easily identifiable using the Event Viewer GUI. When an\r\naccount remotely connects to a client, a generic successful logon event is created. A custom Query Filter\r\ncan aid in clarifying the type of logon that was performed. The query below shows logins using Remote\r\nDesktop. Remote Desktop activity should be monitored, since only certain administrators should be\r\nusing it, and they should be connecting from a limited set of management workstations. Any Remote\r\nDesktop logins outside of expected activity should be investigated.\r\n \r\nThe XPath queries below are used for the Event Viewer's Custom Views. Event ID 4624 and Event ID\r\n4634 respectively indicate when a user has logged on and logged off with RDP. A LogonType with the\r\nvalue of 10 indicates a Remote Interactive logon. 
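The 4.15 and 4.16 filters can also be run from PowerShell on the collector instead of through an Event Viewer custom view, which makes it easy to pull out the fields needed for triage (target account, originating workstation and IP address) and to summarize them. The script below is an added example and is not part of this guide or its GitHub scripts. It assumes PowerShell 3.0 or later on the collector, that forwarded Security events land in the ForwardedEvents log, and that CORP stands in for the domain's NetBIOS name (the <DOMAIN NAME> placeholder); the function and variable names are the example's own.

```powershell
# Added example, not from the guide: run the 4.15 and 4.16 filters with Get-WinEvent
# and flatten the results for triage. Assumes PowerShell 3.0+ on the collector and
# that 'CORP' is the NetBIOS domain name (stands in for <DOMAIN NAME>).
$domain = 'CORP'

# Section 4.15: pass-the-hash candidates. Network logon (type 3) over NTLM by an
# account that is neither ANONYMOUS LOGON nor a domain account. 4624 = success,
# 4625 = failure; both are covered by one query.
$pthQuery = @"
<QueryList>
  <Query Id="0" Path="ForwardedEvents">
    <Select Path="ForwardedEvents">
      *[System[(Level=4 or Level=0) and (EventID=4624 or EventID=4625)]]
      and *[EventData[Data[@Name='LogonType']='3']]
      and *[EventData[Data[@Name='AuthenticationPackageName']='NTLM']]
      and *[EventData[Data[@Name='TargetUserName']!='ANONYMOUS LOGON']]
      and *[EventData[Data[@Name='TargetDomainName']!='$domain']]
    </Select>
  </Query>
</QueryList>
"@

# Section 4.16: Remote Desktop logons (4624) and logoffs (4634), LogonType 10.
$rdpQuery = @"
<QueryList>
  <Query Id="0" Path="ForwardedEvents">
    <Select Path="ForwardedEvents">
      *[System[(Level=4 or Level=0) and (EventID=4624 or EventID=4634)]]
      and *[EventData[Data[@Name='LogonType']='10']]
    </Select>
  </Query>
</QueryList>
"@

function ConvertTo-LogonRecord {
    # Flatten one Security event into the fields an analyst needs. Fields are read
    # by name from EventData, so 4634 (which lacks the network fields) yields blanks.
    param([Parameter(ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Record)
    process {
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }
        [pscustomobject]@{
            Time        = $Record.TimeCreated
            Source      = $Record.MachineName          # the forwarding source, not the collector
            EventID     = $Record.Id
            LogonType   = $data['LogonType']
            Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            AuthPackage = $data['AuthenticationPackageName']
            FromHost    = $data['WorkstationName']
            FromIP      = $data['IpAddress']
        }
    }
}

# -ErrorAction SilentlyContinue: Get-WinEvent reports "no events found" as an error.
$pth = Get-WinEvent -FilterXml $pthQuery -ErrorAction SilentlyContinue | ConvertTo-LogonRecord
$rdp = Get-WinEvent -FilterXml $rdpQuery -ErrorAction SilentlyContinue | ConvertTo-LogonRecord

'Possible pass-the-hash lateral movement (local account, NTLM, network logon):'
$pth | Sort-Object Time | Format-Table Time, Source, EventID, Account, FromHost, FromIP -AutoSize

'Remote Desktop logons by account and origin; anything outside the management workstations is suspect:'
$rdp | Where-Object { $_.EventID -eq 4624 } |
    Group-Object Account, FromIP | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The same XML can be pasted into an Event Viewer custom view; the PowerShell route is preferable on a large ForwardedEvents log because the filtering happens in the event log service rather than in the UI, and the flattened objects can be exported (for example with Export-Csv) for review or for a SIEM.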
[59]\r\n \r\n59 http://msdn.microsoft.com/en-us/library/windows/desktop/aa380129(v=vs.85).aspx\r\n \r\nEventID | Log | Level | LogonType | Authentication Package Name\r\n4624 | Security | Information | 10 | Negotiate\r\n4634 | Security | Information | 10 | N/A\r\n \r\n\u003cQueryList\u003e\r\n \u003cQuery Id=\"0\" Path=\"ForwardedEvents\"\u003e\r\n \u003cSelect Path=\"ForwardedEvents\"\u003e\r\n \u003c!-- Collects Logons and Logoffs of RDP --\u003e\r\n \u003c!-- Remote Desktop Protocol Connections --\u003e\r\n *[System[(Level=4 or Level=0) and (EventID=4624 or EventID=4634)]]\r\n and\r\n *[EventData[Data[@Name='LogonType']='10']]\r\n and\r\n (*[EventData[Data[5]='10']]\r\n or\r\n *[EventData[Data[@Name='AuthenticationPackageName']='Negotiate']])\r\n \u003c/Select\u003e\r\n \u003c/Query\u003e\r\n\u003c/QueryList\u003e\r\n \r\nEvent ID 4634 carries no AuthenticationPackageName field, so the final clause matches 4634 by position\r\n(LogonType is its fifth Data element) and 4624 by authentication package.\r\n5 Event Log Retention\r\nIt is recommended that the Forwarded Events log file on the server designated as the central point for\r\nlog collection be set to a size of approximately 1 GB, and that the Archive the log when full, do not\r\noverwrite events policy be enabled to control the behavior when the event log reaches capacity. The\r\ntheoretical maximum log file size for the Forwarded Events log on Windows Server 2008 R2 is 2 terabytes\r\n[60], but as the log file becomes larger the Event Viewer UI takes longer to load and show results for\r\ncustom views. Depending on the size of the network, a 1 GB Forwarded Events log file can hold anywhere\r\nfrom a few hours' to a few days' worth of log data. Due to this size limitation, it is important to review\r\nthe log regularly (once a day) and set up archiving, or alternatively feed the log data into a larger\r\nSecurity Information and Event Management (SIEM) system. With archiving enabled, the archived .evtx\r\nfiles accumulate beside the live log and must themselves be moved off the collector, or the disk will\r\neventually fill.\r\n \r\nIt may be beneficial to have the Forwarded Events log file reside on a larger and separate disk. An\r\nalternative option is to store the Forwarded Events log file on a network-mapped drive that has a large\r\namount of disk space. 
This slight modification can be completed by:\r\n \r\n1. Open Event Viewer\r\n2. Select Forwarded Events under Windows Logs and right-click Forwarded Events\r\n3. Select Properties\r\n4. Change Log Path to specify the absolute path to the new log file\r\n a. Network-mapped drives must be specified by their names (e.g., \\\\NetDrive\\newdir\\Fwd.evtx)\r\n5. Select OK\r\n \r\nThis modification will not affect custom views or subscriptions already deployed.\r\n \r\n60 http://technet.microsoft.com/en-us/library/hh125924(v=ws.10).aspx\r\n \r\nClient workstations and servers in DoD should follow the DISA STIG for setting the size of other log files (Application, System, Setup, and Security). [61][62]\r\n \r\nThe maximum log file sizes are intended for the server whose role is the event collection server of the domain. Client machines do not need to specify a maximum log size or retention policy on log files not mentioned in the DISA STIG. When Event Forwarding is properly configured, all subscribed (collected) events from those logs not mentioned by the DISA STIG will be sent to the collector for archiving.\r\n6 Final Recommendations\r\nThe central collection of event information helps enterprises gain significant awareness of activities occurring on the network. Collecting targeted events has the benefit of reducing network and storage requirements while providing useful audit information. Targeted event collection reduces the burden and time required for administrators to review logs, which may lead to administrators detecting unapproved or malicious activities.\r\n7 Appendix\r\nPowerShell scripts and subscription XML files associated with this guide can be found on the IAD GitHub site at https://github.com/iadgov\r\n7.1 Subscriptions\r\nEvent Forwarding on Windows uses subscriptions to specify which events to collect from a set of computers. 
This section discusses the details of subscriptions and custom subscriptions for Windows 7 computers.\r\n \r\nThe sample subscription files in this section can be copied as XML files and loaded into the event collector using the command line tool wecutil.exe. None of the sample subscriptions specifies who is permitted to use it (AllowedSourceDomainComputers is blank). A sample subscription can be created by executing the following commands in order:\r\n \r\n1. wecutil cs \u003cxml_file_path\u003e.xml\r\n a. An error stating The subscription fails to activate will appear; ignore it\r\n2. wmic path Win32_group where name='EventSource' get sid\r\n a. Store this value temporarily\r\n3. Obtain the value of the SubscriptionId element from the subscription XML file\r\n4. Using the SID value found in step 2, correct the subscription’s configuration by executing wecutil ss SubscriptionId /adc:O:NSG:BAD:P(A;;GA;;;sid_value)S:\r\n5. To verify that no issues are present, execute wecutil rs SubscriptionId\r\n \r\nThe /adc parameter of wecutil is used to set a Security Descriptor Definition Language (SDDL) string for the targeted subscription. SDDL is briefly discussed in the Security Descriptor Definition Language section.\r\n \r\n61 DISA STIG: Windows 7 Security Technical Implementation Guide Version 1. Group ID (Vulid): V-26579, V-26580, V-26581, V-26582\r\n62 DISA STIG: Windows Server 2008 R2 Security Technical Implementation Guide Version 1. Group ID (Vulid): V-26579, V-26580, V-26581, V-26582\r\n7.1.1 Subscription XML Details\r\nA subscription is simply an XML file that describes to the operating system which event logs to collect and forward. The following subscription example demonstrates the collection of all events in the Application log from a source (client). The targeted sources are the Domain Computers group and the Domain Controllers group. 
This subscription example is for testing purposes, as it will collect a large number of events, and is not recommended for production use. The example below conforms to the MS-WSMV: Web Services Management Protocol Extensions for Windows Vista, as the subscription was created on Windows Server 2008 R2. [63]\r\n \r\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\r\n\u003cSubscription xmlns=\"http://schemas.microsoft.com/2006/03/windows/events/subscription\"\u003e\r\n \u003cSubscriptionId\u003eApplication Log\u003c/SubscriptionId\u003e\r\n \u003cSubscriptionType\u003eSourceInitiated\u003c/SubscriptionType\u003e\r\n \u003cDescription\u003e\u003c/Description\u003e\r\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n \u003cUri\u003ehttp://schemas.microsoft.com/wbem/wsman/1/windows/EventLog\u003c/Uri\u003e\r\n \u003cConfigurationMode\u003eMinLatency\u003c/ConfigurationMode\u003e\r\n \u003cDelivery Mode=\"Push\"\u003e\r\n  \u003cBatching\u003e\r\n   \u003cMaxLatencyTime\u003e30000\u003c/MaxLatencyTime\u003e\r\n  \u003c/Batching\u003e\r\n \u003c/Delivery\u003e\r\n \u003cQuery\u003e\r\n  \u003c![CDATA[\r\n   \u003cQueryList\u003e\r\n    \u003cQuery Id=\"0\" Path=\"Application\"\u003e\r\n     \u003cSelect Path=\"Application\"\u003e*[System[(Level=0 or Level=1 or Level=2 or Level=3 or Level=4 or Level=5)]]\u003c/Select\u003e\r\n    \u003c/Query\u003e\r\n   \u003c/QueryList\u003e\r\n  ]]\u003e\r\n \u003c/Query\u003e\r\n \u003cReadExistingEvents\u003efalse\u003c/ReadExistingEvents\u003e\r\n \u003cTransportName\u003eHTTP\u003c/TransportName\u003e\r\n \u003cContentFormat\u003eRenderedText\u003c/ContentFormat\u003e\r\n \u003cLocale Language=\"en-US\"/\u003e\r\n \u003cLogFile\u003eForwardedEvents\u003c/LogFile\u003e\r\n \u003cPublisherName\u003eMicrosoft-Windows-EventCollector\u003c/PublisherName\u003e\r\n \u003cAllowedSourceNonDomainComputers\u003e\u003c/AllowedSourceNonDomainComputers\u003e\r\n \u003cAllowedSourceDomainComputers\u003eO:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;DD)\u003c/AllowedSourceDomainComputers\u003e\r\n\u003c/Subscription\u003e\r\n \r\nThe following table details each node of the above subscription: [63]\r\n \r\n63 wecutil ss -?\r\n \r\nNode Description\r\nSubscription The subscription schema\r\nSubscriptionId The subscription’s identification\r\nDescription Describes the subscription\r\nEnabled Specifies whether the current subscription is enabled or disabled\r\nUri The type of event used by the subscription\r\nConfigurationMode Used for the Event Delivery Optimization of subscriptions. The four valid options are: Normal, MinLatency, MinBandwidth or Custom\r\nDelivery Mode Indicates how events should be sent to the subscription manager. The mode can be either Push (Source-Initiated) or Pull (Collector-Initiated)\r\nQueryList Used for event filtering; \u003cSelect\u003e\u003c/Select\u003e contains an XPath query [64]\r\nHeartbeat Used to validate the client’s connectivity with the subscription [65]\r\nReadExistingEvents Notifies the subscription to read all existing events matching the filter [64]\r\nTransportName Indicates whether HTTP or HTTPS will be used\r\nContentFormat Specifies how the event data will be given to the subscription manager [64]\r\nLocale Language that the response is translated to [64]\r\nLogFile The event log file where the received events will be stored\r\nPublisherName The name of the publisher that owns or imports the log file\r\nAllowedSourceNonDomainComputers Lists the allowed non-domain computers that can receive the subscription\r\nAllowedSourceDomainComputers Lists the allowed domain computers that can receive the subscription\r\nTable 16: Subscription XML Description\r\n7.1.2 Sample Subscriptions to Collect Recommended Events\r\nSample subscriptions provided in conjunction with this security guidance can be found in the Subscriptions\\NT6 and Subscriptions\\samples directories of the EvtFwdSubscriptions_r.zip ZIP file. This compressed file consists of scripts and subscriptions to automate the use of Event Collection. These subscriptions collect the recommended events discussed in the Recommended Events to Collect section of this guide. These subscriptions target events collected from Windows 7 and above workstations.\r\n7.2 Event ID Definitions\r\nThis guidance document has given a list of event IDs to be aware of when monitoring activity. This list is not complete, nor should it be the only set of events to be collected. 
Each environment will most likely focus on specific events or may already be using a third-party application for event monitoring.\r\n \r\nMicrosoft’s Events and Errors Message Center web site provides a central location for identifying some event IDs for each Windows operating system. [66] Effective use of this resource requires that an event ID, or some other information about the event, be known beforehand.\r\n \r\nWindows Server 2003 auditing event ID listings can be found in two locations: [67]\r\n- Auditing Policy from Windows Server 2003: Security and Protection: http://technet.microsoft.com/en-us/library/cc779526(v=ws.10).aspx\r\n- Chapter 4 of the Windows Server 2003 Security Guide: http://technet.microsoft.com/library/cc163121.aspx\r\n \r\nWindows Server 2008 and Windows Server 2008 R2 events and errors details for general OS components can be found on Microsoft’s TechNet website:\r\n- Windows Server 2008: Events and Errors: http://technet.microsoft.com/en-us/library/cc754424(v=ws.10).aspx\r\n \r\nWindows Server 2008 Component-Based Servicing events:\r\n- Update and package related events: http://technet.microsoft.com/en-us/library/cc756291(v=ws.10).aspx\r\n \r\nWindows 7 and above AppLocker Event IDs and definitions:\r\n- http://technet.microsoft.com/en-us/library/ee844150(v=ws.10).aspx\r\n \r\n64 ([MS-WSMV]: Web Services Management Protocol Extensions for Windows Vista, 2012)\r\n65 (Web Services Management - WS-MAN, 2008)\r\n66 http://www.microsoft.com/technet/support/ee/ee_advanced.aspx\r\n67 http://blogs.msdn.com/b/ericfitz/archive/2007/10/12/list-of-windows-server-2003-events.aspx\r\n \r\nWindows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2 security audit events are provided by Microsoft either by a support article or a downloadable Excel file. 
[68][69][70] The Windows operating system, beginning with Windows Vista, provides a command line tool, wevtutil, to list all event IDs raised by a publisher along with each event’s message. [71]\r\n \r\nThe Windows Events Command Line Utility can obtain information regarding event logs and publishers. [72] The following command gets the publisher (gp/get-publisher), obtains information on the events that the publisher uses, and produces readable messages for each event. This command can be applied to any publisher to obtain a list of all its events.\r\n \r\nwevtutil gp Microsoft-Windows-Security-Auditing /ge:true /gm:true [73]\r\n \r\nThe mapping of security event IDs between Windows XP and the latest versions of Windows can be revealed in some cases by a simple addition or subtraction of 4096 (decimal; 0x1000 hexadecimal). [74] This rule is not applicable to events dealing with successful and failed logons. [74]\r\n7.3 Windows Remote Management Versions\r\nAs of this writing, there have been five versions of WinRM since its introduction in Windows Server 2003 R2. The following table correlates each WinRM version to the supported Windows operating system versions. 
[75]\r\n \r\n68 http://www.microsoft.com/en-us/download/details.aspx?id=17871\r\n69 http://support.microsoft.com/kb/947226\r\n70 http://www.microsoft.com/en-us/download/details.aspx?id=21561\r\n71 wevtutil /?\r\n72 http://technet.microsoft.com/en-us/library/cc732848(WS.10).aspx\r\n73 http://blogs.microsoft.com/b/ericfitz/archive/2007/07/31/documentation-on-the-windows-vista-and-windows-server-2008-security-events.aspx\r\n74 http://blogs.msdn.com/b/ericfitz/archive/2009/06/10/mapping-pre-vista-security-events-ids-to-security-events-ids-in-vista.aspx\r\n75 http://technet.microsoft.com/en-us/library/ff520073(v=ws.10).aspx\r\n \r\nVersion / Support\r\nWinRM 0.5: Windows Server 2003 R2*\r\nWinRM 1.0: Windows Vista\r\nWinRM 1.1: Windows Vista SP1; Windows Server 2008; Windows Server 2003 SP1**; Windows Server 2003 SP2**; Windows Server 2003 R2**; Windows XP SP2**\r\nWinRM 2.0: Windows 7; Windows Server 2008 R2; Windows Server 2008 SP1***; Windows Server 2008 SP2***; Windows Vista SP1***; Windows Vista SP2***; Windows XP SP3***\r\nWinRM 3.0: Windows 8; Windows 7 SP1****; Windows Server 2008 SP1****; Windows Server 2008 SP2****\r\nTable 17: WinRM Version Correlation\r\n* = Installed from the Add/Remove System Components feature within the Hardware Management feature\r\n** = Install WS-Management v1.1. [76]\r\n*** = Installed as part of the Windows Management Framework Core package. [77][78] This update requires at least Microsoft .NET Framework 2.0 Service Pack 1. [79]\r\n**** = Installed as part of Windows Management Framework 3.0. This update requires at least Microsoft .NET Framework 4.0. 
[80]\r\n \r\nInstallation packages for WinRM can be found in the knowledge base articles shown below.\r\n \r\nWinRM Version (KB#) / Supported OS / KB URI\r\nWinRM 1.1 (KB936059): Windows Server 2003 SP1; Windows Server 2003 SP2; Windows XP SP2; Windows XP SP3*. URI: http://support.microsoft.com/kb/936059\r\n \r\nWinRM 2.0 (KB968930): Windows Server 2003 SP2; Windows Server 2008; Windows Server 2008 SP2; Windows Vista SP1; Windows Vista SP2; Windows XP SP2*; Windows XP SP3. URI: http://support.microsoft.com/kb/968930\r\n* Requires Microsoft Windows Installer 3.1\r\n* Requires .NET Framework 2.0 SP1\r\n \r\nWinRM 3.0 (KB2506146): Windows 7 SP1; Windows Server 2008 R2 SP1; Windows Server 2008 SP2. URI: http://support.microsoft.com/kb/2506146\r\n* Requires .NET Framework 4.0\r\n* Update comes with Release Notes\r\nTable 18: WinRM Version Update URLs\r\n \r\nMicrosoft published a knowledge base article (KB936059) [81] and an update for WinRM 1.1. [82] The knowledge base article offers additional post-installation information about the update that is not mentioned in this document. The actual update can be applied to Windows XP SP2, Windows Server 2003 SP1, Windows Server 2003 SP2, and Windows Server 2003 R2.\r\n \r\n76 https://www.microsoft.com/en-us/download/details.aspx?id=21900\r\n77 https://www.microsoft.com/en-us/download/details.aspx?id=9864\r\n78 https://www.microsoft.com/en-us/download/details.aspx?id=16818\r\n79 https://www.microsoft.com/en-us/download/details.aspx?id=16614\r\n80 https://www.microsoft.com/en-us/download/details.aspx?id=34595\r\n81 http://support.microsoft.com/kb/936059\r\n82 https://www.microsoft.com/en-us/download/details.aspx?id=21900\r\n7.4 WinRM 2.0 Configuration Settings\r\nThe quick configuration option of WinRM uses the following default configuration settings on Windows Server 2008 R2. 
[21][83] Default values of WinRM configuration settings are shown and referenced from the Microsoft Developer Network (MSDN) in this document for convenience. [21] The following WinRM command displays the configuration settings of WinRM:\r\n \r\nwinrm get winrm/config\r\n \r\nIt produces the following example output:\r\nConfig\r\n    MaxEnvelopeSizekb = 150\r\n    MaxTimeoutms = 60000\r\n    MaxBatchItems = 32000\r\n    MaxProviderRequests = 4294967295\r\n    Client\r\n        NetworkDelayms = 5000\r\n        URLPrefix = wsman\r\n        AllowUnencrypted = false\r\n        Auth\r\n            Basic = true\r\n            Digest = true\r\n            Kerberos = true\r\n            Negotiate = true\r\n            Certificate = true\r\n            CredSSP = false\r\n        DefaultPorts\r\n            HTTP = 5985\r\n            HTTPS = 5986\r\n        TrustedHosts\r\n    Service\r\n        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)\r\n        MaxConcurrentOperations = 4294967295\r\n        MaxConcurrentOperationsPerUser = 15\r\n        EnumerationTimeoutms = 60000\r\n        MaxConnections = 25\r\n        MaxPacketRetrievalTimeSeconds = 120\r\n        AllowUnencrypted = false\r\n        Auth\r\n            Basic = false\r\n            Kerberos = true\r\n            Negotiate = true\r\n            Certificate = false\r\n            CredSSP = false\r\n            CbtHardeningLevel = Relaxed\r\n        DefaultPorts\r\n            HTTP = 5985\r\n            HTTPS = 5986\r\n        IPv4Filter = *\r\n        IPv6Filter = *\r\n        EnableCompatibilityHttpListener = false\r\n        EnableCompatibilityHttpsListener = false\r\n        CertificateThumbprint\r\n    Winrs\r\n        AllowRemoteShellAccess = true\r\n        IdleTimeout = 180000\r\n        MaxConcurrentUsers = 5\r\n        MaxShellRunTime = 2147483647\r\n        MaxProcessesPerShell = 15\r\n        MaxMemoryPerShellMB = 150\r\n        MaxShellsPerUser = 5\r\n \r\nEach field of the above output is described in the following sections.\r\n7.4.1 Protocol Settings\r\nThese settings are configurable options for the WS-Management protocol used by WinRM.\r\n \r\n83 ([MS-WSMV]: Web Services Management Protocol Extensions for Windows Vista, 2012)\r\n \r\nParameters Description\r\nMaxEnvelopeSizekb The maximum Simple Object Access Protocol (SOAP) data size, in 
kilobytes\r\n \r\nDefault is 150 kilobytes\r\nMaxTimeoutms Each push request (not pull) has a maximum timeout. This value is in milliseconds.\r\n \r\nDefault is 60000ms (60 seconds)\r\nMaxBatchItems The limit on the number of elements used in a pull response.\r\n \r\nDefault for WinRM 1.1 and earlier: 20\r\nDefault for WinRM 2.0: 32000\r\nMaxProviderRequests The limit on concurrent requests.\r\n \r\nDefault for WinRM 1.1 and earlier: 25\r\nDefault for WinRM 2.0: Unsupported/Undefined\r\nTable 19: Protocol Settings\r\n7.4.2 Client Configuration\r\nThe following parameters configure how the WinRM client operates.\r\nParameters Description\r\nNetworkDelayms A time buffer, in milliseconds, for the client computer to wait.\r\n \r\nDefault WinRM 1.1 and earlier: 5000\r\nDefault WinRM 2.0: 5000\r\nURLPrefix The type of URLPrefix used for HTTP or HTTPS requests.\r\n \r\nDefault WinRM 1.1 and earlier: wsman\r\nDefault WinRM 2.0: wsman\r\nAllowUnencrypted Whether clients are allowed to request unencrypted traffic.\r\n \r\nDefault WinRM 1.1 and earlier: false\r\nDefault WinRM 2.0: false\r\nAuth Specifies which authentication methods are allowed for the client computer\r\nDefaultPorts Default WinRM 1.1 and earlier: HTTP = 80, HTTPS = 443\r\nDefault WinRM 2.0: HTTP = 5985, HTTPS = 5986\r\nTrustedHosts These trusted hosts do not need to be authenticated.\r\nTable 20: WinRM Client Configuration\r\n7.4.3 WinRM Service\r\nThe following parameters are used by the WinRM service.\r\n \r\nParameters Description\r\nRootSDDL The security descriptor for remotely accessing the listener\r\n \r\nDefault WinRM 1.1 and earlier: O:NSG:BAD:P(A;;GA;;;BA)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)\r\nDefault WinRM 2.0: O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;ER)S:P(AU;FA;GA;;;WD)\r\nMaxConcurrentOperations The maximum number of concurrent operations.\r\n \r\nDefault WinRM 1.1 and earlier: 100\r\nDefault WinRM 2.0: replaced with MaxConcurrentOperationsPerUser\r\nMaxConcurrentOperationsPerUser The limit of concurrent 
operation for each user on the same system.\r\n \r\nDefault WinRM 1.1 and earlier: Not available\r\nDefault WinRM 2.0: 15\r\nEnumerationTimeoutms The idle timeout between pull messages, in milliseconds.\r\n \r\nDefault WinRM 1.1 and earlier: 60000\r\nDefault WinRM 2.0: 60000\r\nMaxConnections The maximum number of simultaneous active requests that can be processed.\r\n \r\nDefault WinRM 1.1 and earlier: 5\r\nDefault WinRM 2.0: 25\r\nMaxPacketRetrievalTimeSeconds The limit, in seconds, on the time to retrieve a packet.\r\n \r\nDefault WinRM 1.1 and earlier: Not available\r\nDefault WinRM 2.0: 120\r\nAllowUnencrypted Whether clients are allowed to request unencrypted traffic.\r\n \r\nDefault WinRM 1.1 and earlier: false\r\nDefault WinRM 2.0: false\r\nAuth Specifies which authentication methods are allowed for the client computer.\r\nDefaultPorts Default WinRM 1.1 and earlier: HTTP = 80, HTTPS = 443\r\nDefault WinRM 2.0: HTTP = 5985, HTTPS = 5986\r\nIPv(4/6)Filter The IP addresses for the WinRM service to listen on.\r\n \r\nDefault WinRM 1.1 and earlier: Any\r\nDefault WinRM 2.0: Any\r\nEnableCompatibilityHttpListener Service listens on port 80 and port 5985.\r\n \r\nWinRM 1.1 and earlier: Not supported\r\nEnableCompatibilityHttpsListener Service listens on port 443 and port 5986.\r\n \r\nWinRM 1.1 and earlier: Not supported\r\nCertificateThumbprint The certificate thumbprint used for HTTPS.\r\n \r\nWinRM 1.1 and earlier: Not supported\r\nTable 21: WinRM Service\r\n7.4.4 WinRS\r\nWindows Remote Shell (WinRS) is turned on by default. The recommendation is to disable it. Each of the parameters for WinRS will use the default value if no policy is configured. 
[84][21]\r\n \r\n84 http://msdn.microsoft.com/en-us/library/windows/desktop/ee309367(v=vs.85).aspx\r\n \r\nParameters Description\r\nAllowRemoteShellAccess Permits remote shell access\r\nIdleTimeout The time, in milliseconds, before an idle shell connection is terminated.\r\nMaxConcurrentUsers Maximum number of users that can request shell access at one time\r\nMaxShellRunTime Maximum duration, in milliseconds, that a command can run for. This value is not configurable in WinRM 2.0.\r\nMaxProcessesPerShell Maximum number of processes that a single shell can create.\r\nMaxMemoryPerShellMB Maximum amount of memory, in megabytes, that a single shell can use.\r\nMaxShellsPerUser Maximum number of shells a user can create.\r\nTable 22: WinRS Configuration Settings\r\n7.5 WinRM Registry Keys and Values\r\nThroughout this document, registry keys are to be used for verification purposes only. Do not modify any registry keys, as this may cause unforeseen problems and possible system corruption. The following registry keys appear once a Domain Controller configures WinRM via Group Policies.\r\n \r\nRegistry Values / Description\r\n \r\nSubscription Manager registry key:\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\EventForwarding\\SubscriptionManager\\1\r\n \r\nWinRM Service registry keys:\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service\\AllowConfig\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service\\IPv4Filter\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service\\IPv6Filter\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service\\AllowBasic\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service\\AllowUnencryptedTraffic\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service\\AllowCredSSP\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service\\AllowKerberos\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service\\CBTHardeningLevelStatus\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service\\CbtHardeningLevel\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service\\AllowNegotiate\r\n \r\nWinRM Client registry keys:\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client\\AllowBasic\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client\\AllowUnencryptedTraffic\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client\\AllowCredSSP\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client\\AllowDigest\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client\\AllowKerberos\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client\\AllowNegotiate\r\n \r\nWindows Remote Shell registry keys:\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service\\WinRS\\AllowRemoteShellAccess\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN\\WINRS\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN\\WINRS\\CustomRemoteShell\r\n \r\nWSMAN Services registry keys:\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN\\CertMap\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN\\Client\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN\\Listener\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN\\Listener\\*+HTTP\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN\\Plugin\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN\\Plugin\\EventForwarding Plugin\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN\\Service\r\nTable 23: WinRM, WinRS, WSMAN and Event Forwarding Registry Values\r\n7.5.1 Security Descriptor Definition Language\r\nThe language in the AllowedSourceDomainComputers node is called Security Descriptor Definition Language (SDDL). [85] A subscription can be customized to target single or multiple users, computers, or groups. The SID value of any of the aforementioned entities can be used to configure the targeted subscription’s SDDL.\r\n \r\n85 http://msdn.microsoft.com/en-us/library/windows/desktop/aa379567(v=vs.85).aspx\r\n \r\nMicrosoft provides the SDDL structure as shown: [86]\r\n \r\nO: Owner_SID\r\nG: Group_SID\r\nD: DACL_FLAGS(string_ace1)(string_ace2)... (string_aceN)\r\nS: SACL_FLAGS(string_ace1)(string_ace2)... (string_aceN)\r\n \r\nEach string_ace is an optional Access Control Entry (ACE).\r\n \r\nAn ACE has the following structure: [87]\r\n(AceType;AceFlags;Rights;ObjectGuid;InheritObjectGuid;AccountSID;resource_attribute)\r\n \r\nThere is also an option to use a conditional ACE; however, that will not be discussed here. 
[88]\r\n \r\nAn example of an SDDL string is:\r\nO:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)\r\n \r\nThe breakdown of O:NSG:NSD: is shown:\r\n \r\nSID and Flags Description\r\nO: Network Service\r\nG: Network Service\r\nD: None\r\n \r\nString_ACE breakdown of (A;;GA;;;DC) (A;;GA;;;NS)\r\n \r\nString_ACE1: (A;;GA;;;DC)\r\nAceType = “A” = ACCESS_ALLOWED_ACE_TYPE\r\nAceFlags = None\r\nRights = “GA” = GENERIC_ALL\r\nObjectGuid = None\r\nInheritObjectGuid = None\r\nAccountSID = “DC” = Domain Computer\r\n \r\nString_ACE2: (A;;GA;;;NS)\r\nAceType = “A” = ACCESS_ALLOWED_ACE_TYPE\r\nAceFlags = None\r\nRights = “GA” = GENERIC_ALL\r\nObjectGuid = None\r\nInheritObjectGuid = None\r\nAccountSID = “NS” = Network Service\r\n \r\n7.6 Troubleshooting\r\nIssues may arise such as communication errors between the collectors and sources, authentication errors, and subscription errors. WinRM issues can be investigated using certain command line options. Demystifying WinRM’s capabilities and behaviors can be achieved by using the help option of WinRM. [89] If any troubleshooting is to be performed while enforcing the authentication recommendations of this guide, then append the -remote:TARGET option to the winrm command. The TARGET should be the local hostname if the issue involves the local machine.\r\n \r\nThe listing below is not an exhaustive list to identify all issues with WinRM. These commands are helpful to diagnose common errors. [90][91][92]\r\n \r\n86 http://msdn.microsoft.com/en-us/library/aa379570(v=vs.85).aspx\r\n87 http://msdn.microsoft.com/en-us/library/aa374928(v=vs.85).aspx\r\n88 For curious readers, more information can be found at: http://msdn.microsoft.com/en-us/library/dd981030.aspx. 
89 winrm help\r\n90 http://blogs.technet.com/b/jonjor/archive/2009/01/09/winrm-windows-remote-management-troubleshooting.aspx\r\n \r\nwinrm e winrm/config/listener\r\n \r\nThis command enumerates all listeners that WinRM is currently using.\r\n \r\nwinrm id -remote:TARGET\r\n \r\nThis command identifies (id) the remote machine (TARGET) by asking the remote machine for its operating system version and WinRM version. The TARGET can be a NetBIOS name, domain name, or FQDN. Alternatively, using the -auth:none option will force WinRM not to use authentication when requesting information from the remote machine. Using this option only provides a minimal set of details (version of WinRM only).\r\n \r\nThe identify option provides insight into whether communication between two WinRM parties is working and not interrupted. Such an interruption can be the result of a firewall blocking WinRM or of WinRM not running.\r\n \r\nwinrm get wmi/root/cimv2/Win32_Service?Name=WinRM\r\n \r\nThis command provides useful information (e.g., the ProcessID and the context WinRM runs in) regarding the WinRM service running on the local machine.\r\n \r\nwinrm invoke restore winrm/config @{}\r\n \r\nWinRM allows the restoration of default settings using the previous command.\r\n \r\nwinrm get winrm/config/client/auth\r\nwinrm get winrm/config/service/auth\r\n \r\nThese two commands display the authentication configuration for both the WinRM client and the WinRM service. Viewing configuration settings can help identify any possible incorrect configuration settings.\r\n \r\nwinrm helpmsg ERRORCODE\r\n \r\nWinRM error messages display the description of the error and an error code. The definition behind the error code can be shown by executing the above command. 
The ERRORCODE needs to be supplied verbatim as it was displayed in the original error message (e.g., 0x80070005 means Access Denied). These errors are Win32 error codes.\r\n \r\nwinrm help auth\r\n \r\n91 http://msdn.microsoft.com/en-us/library/windows/desktop/ee309364(v=vs.85).aspx\r\n92 http://msdn.microsoft.com/en-us/library/windows/desktop/aa384295(v=vs.85).aspx#enabling_auth_options\r\n \r\nGenerally, WinRM produces an error message when authentication fails. The service provides a second option to help with the authentication process. A detailed explanation of the different authentication methods used by WinRM can be viewed using the above command.\r\n \r\nThe recommended method to satisfy WinRM is to supply the -remote option with the target hostname (local or remote). If the source is part of a domain, then executing this command requires an uninterrupted connection to the Domain Controller.\r\n \r\nAssume the command is being executed on a computer whose hostname is ABCD:\r\nwinrm get winrm/config -remote:ABCD\r\n7.6.1 Operational Logs\r\nWhile troubleshooting an issue, it is natural to look at the logs to help identify the problem. Event Forwarding and WinRM have operational logs that can be viewed in the Event Viewer or by using the command line tool wevtutil.exe.\r\n \r\nThe operational log files for the Event Collector, Event Forwarding, and WinRM services can be found by navigating to Applications and Services Logs in the Event Viewer on Windows Vista and later. 
The list below shows the location of the operational logs under Applications and Services Logs:\r\n \r\n- Microsoft \u003e Windows \u003e EventCollector \u003e Operational\r\n- Microsoft \u003e Windows \u003e Eventlog-ForwardingPlugin \u003e Operational\r\n- Microsoft \u003e Windows \u003e Windows Remote Management \u003e Operational\r\n \r\nThe Eventlog-ForwardingPlugin and Windows Remote Management operational logs are the locations that the local WinRM service will log to. Querying the Event Forwarding log can be done by using the Microsoft-Windows-Forwarding publisher with the command line tool wevtutil. An example of using wevtutil:\r\n \r\n wevtutil qe \"LOGFILE/CHANNEL\" /c:1 /rd:true /q:\"XPATH_QUERY\"\r\n \r\nIf LOGFILE is not within %SYSTEMROOT%\\system32\\Winevt\\Logs, the /lf option must be used with the true argument.\r\n \r\nThe help documentation of the wevtutil tool provides more insight into the other capabilities of the tool. This documentation can be found by executing the following command:\r\n \r\n wevtutil /?\r\n7.6.2 WinRM Errors\r\nThere are numerous errors that WinRM can generate. Microsoft provides a table to easily identify common errors and solutions related to WinRM. [93] A list of event IDs associated with WinRM that applies to Windows Vista and above can be found on Microsoft’s TechNet site. [18]\r\n7.6.2.1 Creation of Subscription Errors\r\nNumerous errors could arise during subscription creation. Common errors include those produced by:\r\n \r\n93 http://social.technet.microsoft.com/wiki/contents/articles/13444.windows-server-2012-server-manager-troubleshooting-guide-part-ii-troubleshoot-manageability-status-errors-in-server-manager.aspx#Troubleshoot_manageablility_status_errors\r\n \r\nwecutil cs Subscriptions\\Logons.xml\r\n \r\nOne possible error message:\r\nThe subscription is saved successfully, but it can't be activated at this time. Use retry-subscription command to retry the subscription. 
If subscription is running, you can also use get-subscriptionruntimestatus command to get extended error status.\r\nError = 0x3ae8.\r\nThe subscription fails to activate.\r\n \r\nThis error may be caused by the WinRM Firewall exception rule being disabled. The error code that is displayed is a Win32 error code. The error code’s message is shown beneath it.\r\n \r\nAnother possible error message:\r\nFailed to open subscription. Error = 0x6b5.\r\nThe interface is unknown.\r\n \r\nThis error may be caused by the Windows Event Collector service not running.\r\n \r\nSources will create subscriptions locally after receiving a list of subscriptions applicable to them. Certain subscriptions may not be created on the sources due to permission issues or non-existent logs. WinRM will raise an Event ID 102 with a Win32 error code of 5004 (decimal) in the Eventlog-ForwardingPlugin/Operational log. The error code states that a cluster resource is not available. [94] This error code may be a result of the subscription attempting to access a log file that it does not have permissions to access.\r\n \r\nVerify the channel’s (log file) permissions by navigating to HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels and locating the channel of interest. Within the registry key of the desired channel, view the contents of the registry value named ChannelAccess to identify the permissions of the channel. This previous error is applicable to Windows Vista and later.\r\n7.6.2.2 Access Denied Errors\r\nCertain operations of the WinRM command may result in access denied errors. 
These include:\r\n \r\nWSManFault\r\n Message = Access is denied.\r\n \r\nError number: -2147024891 0x80070005\r\nAccess is denied.\r\n \r\nThe error number is the HRESULT E_ACCESSDENIED, which wraps Win32 error 5 (ERROR_ACCESS_DENIED). Common causes:\r\n \r\n- The user needs to be a member of the local Administrators group or the WinRMRemoteWMIUsers__ group, or a domain administrator [95][96]\r\n- The administrator password cannot be blank\r\n- Incorrect username or password\r\n- WMI operations need permissions that allow secure connections [97]\r\n- The Windows Firewall service needs to be running\r\n \r\n94 [MS-ERREF]: Windows Error Codes (see Works Cited)\r\n95 http://msdn.microsoft.com/en-us/library/aa384295(v=vs.85).aspx\r\n96 WinRMRemoteWMIUsers__ is a new group in Windows 8 and above\r\n7.6.3 XPath Query Diagnostic\r\nXPath queries used in subscriptions do not display errors to the user who created them when they are deployed to sources. Query errors are recorded in the Applications and Services Logs \u003e Microsoft \u003e Windows \u003e Eventlog-ForwardingPlugin \u003e Operational log on Windows Vista and later sources. Event ID 101, raised by the Event Forwarding plug-in, notifies the user that an XPath query was incorrect, as shown in the following table:\r\n \r\nID   Level        Event Log                               Event Source               Operating System Version\r\n101  Warning (3)  Eventlog-ForwardingPlugin/Operational   Eventlog-ForwardingPlugin  Windows Vista+\r\nTable 24: XPath Errors based on OS Version\r\n \r\nThe human-readable details of the event do not clearly indicate why the event was raised. The specific reason can be identified by viewing the XML details of the event: the error code of the XPath query is carried in the event data. The error code can be viewed by:\r\n \r\n1. Locating event ID 101 under the Eventlog-ForwardingPlugin \u003e Operational log\r\n2. Selecting the Details tab followed by selecting the XML view\r\n3. 
Under the EventData node there is a Data node named Status that holds the decimal value of a Win32 error code.\r\n \r\nA Win32 error code of 15001 (ERROR_EVT_INVALID_QUERY) indicates an invalid query. [98]\r\n \r\n97 http://msdn.microsoft.com/en-us/library/aa384424(v=vs.85).aspx\r\n98 http://msdn.microsoft.com/en-us/library/windows/desktop/ms681384(v=vs.84).aspx\r\n8 Works Cited\r\nDistributed Management Task Force, Inc. (2008, 02 12). Web Services Management - WS-MAN. Retrieved 10 01, 2012, from Distributed Management Task Force, Inc.: http://www.dmtf.org/standards/published_documents/DSP0226_1.0.0.pdf\r\nMicrosoft Corporation. (2012, 07 12). [MS-CSSP]: Credential Security Support Provider (CredSSP) Protocol. Retrieved 10 01, 2012, from Microsoft MSDN: http://msdn.microsoft.com/en-us/library/cc226764(v=prot.20).aspx\r\nMicrosoft Corporation. (2012, 07 15). [MS-ERREF]: Windows Error Codes. Retrieved 10 01, 2012, from Microsoft MSDN: http://msdn.microsoft.com/en-us/library/cc231196.aspx\r\nMicrosoft Corporation. (2012, 07 05). [MS-WSMV]: Web Services Management Protocol Extensions for Windows Vista. Retrieved 10 01, 2012, from Microsoft MSDN: http://msdn.microsoft.com/en-us/library/cc251526(prot.20).aspx\r\nMicrosoft Corporation. (2011, 10 08). An update is available for the Windows Remote Management feature in Windows Server 2003 and in Windows XP. Retrieved 10 01, 2012, from Microsoft Support: http://support.microsoft.com/kb/KB936059\r\nMicrosoft Corporation. (2012, 10 08). Installation and Configuration for Windows Remote Management. Retrieved 10 01, 2012, from Microsoft MSDN: http://msdn.microsoft.com/en-us/library/windows/desktop/aa384372.aspx\r\nMicrosoft Corporation. (2012, 10 16). Setting up a Source Initiated Subscription. Retrieved 10 01, 2012, from Microsoft MSDN: http://msdn.microsoft.com/en-us/library/bb870973(VS.85).aspx\r\n
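Added example, not code from the original document or from Microsoft: a PowerShell script that automates the manual checks of sections 7.6.2.1 and 7.6.3 above. It decodes the Win32 and HRESULT codes quoted on this page (0x3ae8, 0x6b5, -2147024891/0x80070005, 15001) into the messages Windows itself prints, reads the Status data item out of Event ID 101 and 102 in the Eventlog-ForwardingPlugin/Operational log instead of opening each event's XML view by hand, and lists the ChannelAccess SDDL of a channel from the WINEVT/Channels registry key. It assumes PowerShell 3 or later on the collector or a source, with rights to read that log and HKLM; the function names are this example's own, and the Get-WinEvent query is the PowerShell equivalent of the wevtutil qe command shown above (noted in a comment).

```powershell
# Added example, not code from the original document. Assumes PowerShell 3+
# on a collector or source, with rights to read the forwarding plug-in log
# and HKLM. Function names are this example's own.

# Decode a Win32 error code as printed by wecutil or found in event data.
# Accepts decimal text ('15001', '-2147024891') or hex text ('0x3ae8').
function ConvertFrom-Win32Error {
    param([Parameter(Mandatory = $true)][string]$Code)
    $base = if ($Code -like '0x*') { 16 } else { 10 }
    $n = [Convert]::ToInt32($Code, $base)
    # 0x8007xxxx is an HRESULT wrapping a Win32 code in its low 16 bits,
    # e.g. 0x80070005 (E_ACCESSDENIED) -> 5 (ERROR_ACCESS_DENIED).
    if ((($n -shr 16) -band 0xFFFF) -eq 0x8007) { $n = $n -band 0xFFFF }
    [pscustomobject]@{
        Code    = $n
        Hex     = '0x{0:X}' -f $n
        Message = (New-Object ComponentModel.Win32Exception($n)).Message
    }
}

# Read the Status data item (a decimal Win32 code) from Event ID 101 (bad
# XPath query) and 102 (subscription failure) written by the forwarding
# plug-in, and decode it. Section 7.6.3 has you do this by hand in the
# event's XML view.
function Get-ForwardingPluginStatus {
    param([int[]]$EventId = @(101, 102), [int]$MaxEvents = 50)
    $log = 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational'
    $xpath = '*[System[' + (($EventId | ForEach-Object { 'EventID=' + $_ }) -join ' or ') + ']]'
    # Equivalent wevtutil form of the same query:
    #   wevtutil qe $log /c:50 /rd:true /q:$xpath
    Get-WinEvent -LogName $log -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $status = $xml.Event.EventData.Data | Where-Object { $_.Name -eq 'Status' } | Select-Object -First 1
            $decoded = if ($status) { ConvertFrom-Win32Error $status.'#text' } else { $null }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                EventId     = $_.Id
                Status      = $(if ($decoded) { $decoded.Code } else { $null })
                StatusText  = $(if ($decoded) { $decoded.Message } else { $null })
                Message     = $_.Message
            }
        }
}

# List the ACEs in a channel's ChannelAccess SDDL under the WINEVT/Channels
# registry key, the check section 7.6.2.1 recommends for Event ID 102
# permission failures. The registry API is used directly because channel
# names contain a slash, which the HKLM: provider would treat as a separator.
function Get-ChannelAccess {
    param([Parameter(Mandatory = $true)][string]$Channel)
    $sep = [string][IO.Path]::DirectorySeparatorChar
    $path = @('SOFTWARE', 'Microsoft', 'Windows', 'CurrentVersion', 'WINEVT', 'Channels', $Channel) -join $sep
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($path)
    if ($null -eq $key) { return $null }   # channel is not registered
    $sddl = $key.GetValue('ChannelAccess')
    $key.Close()
    if (-not $sddl) { return $null }       # no explicit ACL; log type default applies
    $sd = New-Object Security.AccessControl.RawSecurityDescriptor($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        if ($null -eq $sid) { continue }
        $who = $sid.Value
        try { $who = $sid.Translate([Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{
            Channel = $Channel
            Type    = $ace.AceType
            Account = $who
            Mask    = '0x{0:X}' -f $ace.AccessMask   # channel rights: 0x1 read, 0x2 write, 0x4 clear
        }
    }
}

# Decode the codes quoted in sections 7.6.2 and 7.6.3.
'0x3ae8', '0x6b5', '-2147024891', '15001' | ForEach-Object { ConvertFrom-Win32Error $_ }

Get-ForwardingPluginStatus | Format-Table -AutoSize
Get-ChannelAccess 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational' | Format-Table -AutoSize
```

Run it on a source that is failing to forward: a Status of 15001 on Event ID 101 points at the subscription's XPath query, while an Event ID 102 whose decoded message concerns a cluster resource, paired with a ChannelAccess ACL that lacks a read ACE for the account the forwarder runs as, points at channel permissions rather than the query.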
The /adc parameter of wecutil is used to set a security descriptor, expressed in the Security Descriptor Definition Language (SDDL), for the targeted subscription. SDDL is briefly discussed elsewhere in this document.\r\n \r\n61 DISA STIG: Windows 7 Security Technical Implementation Guide Version 1. Group ID (Vulid): V-26579, V-26580, V-26581, V-26582\r\n62 DISA STIG: Windows Server 2008 R2 Security Technical Implementation Guide Version 1. Group ID (Vulid): V-26579, V-26580, V-26581, V-26582",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"pdf"
	],
	"references": [
		"https://massarobi.wordpress.com/wp-content/uploads/2017/03/spotting-the-adversary-with-windows-event-log-monitoring.pdf"
	],
	"report_names": [
		"spotting-the-adversary-with-windows-event-log-monitoring.pdf"
	],
	"threat_actors": [],
	"ts_created_at": 1777429326,
	"ts_updated_at": 1777450887,
	"ts_creation_date": 1438248351,
	"ts_modification_date": 1438325591,
	"files": {
		"pdf": "https://archive.orkl.eu/9ae6ccf956e1b4a5fe8fd9c539df46685ca4c7cc.pdf",
		"text": "https://archive.orkl.eu/9ae6ccf956e1b4a5fe8fd9c539df46685ca4c7cc.txt",
		"img": "https://archive.orkl.eu/9ae6ccf956e1b4a5fe8fd9c539df46685ca4c7cc.jpg"
	}
}