2008-09-01

Auditing Logon Events

... while studying in MS SPTK 70-290 ch 3 lesson 4: Securing and Troubleshooting Authentication ...


One of the confusing things about auditing in Windows is understanding the difference between "Logon Events" vs. "Account Logon Events" [SW2kSch9AaI].


Logon Events


  • Logon Events are created when a session and token are created or destroyed.

  • Includes both users and computer events.

  • When a user connects to a remote server a logon event is generated in the security log of the remote server.


Account Logon Events


  • Account Logon Events are created when the authentication package validates a user's credentials.
  • Includes both users and computer events.
  • The authentication package could be Active Directory on a domain controller or the SAM on a member machine (computer), whether server or workstation.
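To make the split concrete, here is an added example (not from the original post) that sorts Windows Server 2003 security events into the two categories above and joins them across hosts: Logon events come from the machine the session was created on, Account Logon events from wherever the credentials were validated. The pre-Vista event IDs are the ones I know; the records are constructed.

```python
# Added example, not from the original post: classify Windows Server 2003 security
# events into the two audit categories above and join them across hosts.  The
# pre-Vista event IDs below are the ones I know; the records are constructed.
from datetime import datetime, timedelta

# Logon events: written on the machine the session was created on.
LOGON_EVENTS = {528: "Successful Logon", 529: "Logon Failure", 538: "User Logoff",
                540: "Successful Network Logon"}
# Account logon events: written where the credentials were validated
# (the DC for domain accounts, the member machine itself for local SAM accounts).
ACCOUNT_LOGON_EVENTS = {672: "Kerberos TGT Granted", 673: "Kerberos Service Ticket Granted",
                        675: "Kerberos Pre-authentication Failed",
                        680: "NTLM Credential Validation"}


def categorize(event):
    """Return 'Logon', 'Account Logon' or 'Other' for one event record."""
    if event["id"] in LOGON_EVENTS:
        return "Logon"
    if event["id"] in ACCOUNT_LOGON_EVENTS:
        return "Account Logon"
    return "Other"


def correlate(events, window=timedelta(seconds=5)):
    """Pair every Logon event with the latest Account Logon event for the same
    account recorded on any host within `window` before it (None if there is
    none, e.g. a logoff, or the validating host's log was not collected)."""
    validations = sorted((e for e in events if categorize(e) == "Account Logon"),
                         key=lambda e: e["time"])
    pairs = []
    for logon in (e for e in events if categorize(e) == "Logon"):
        match = None
        for v in validations:
            if (v["user"].lower() == logon["user"].lower()
                    and timedelta(0) <= logon["time"] - v["time"] <= window):
                match = v  # later validations overwrite earlier ones
        pairs.append((logon, match))
    return pairs


T0 = datetime(2008, 9, 1, 8, 0, 0)
SAMPLE_EVENTS = [  # constructed: one DC and one file server, logs merged
    {"host": "DC01", "id": 672, "user": "alice", "time": T0},
    {"host": "FS01", "id": 540, "user": "alice", "time": T0 + timedelta(seconds=1)},
    {"host": "FS01", "id": 540, "user": "bob", "time": T0 + timedelta(seconds=2)},
    {"host": "FS01", "id": 538, "user": "alice", "time": T0 + timedelta(minutes=30)},
]
```

Running `correlate(SAMPLE_EVENTS)` pairs alice's network logon on FS01 with the TGT grant on DC01, while bob's logon has no matching account logon event, which is exactly the gap you see when only the member server's log is collected.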


This leaves me with the question of at what point an Object Access event is created.


SW2kSch9AaI = Securing Windows 2000 Server, ch 9 Auditing and Intrusion [http://technet.microsoft.com/en-us/library/cc751219.aspx]

Managing User Profiles

... while studying in MS SPTK 70-290 ch 3 lesson 3: Managing Profiles ...

Even after creating a new Default User profile in the NETLOGON share of my Windows Server 2003 domain controller, Local Users still get their default profile from the local machine.

VMware Server 1.x and Microsoft NLB/WLBS

While working on a NLB/WLBS cluster for Windows Server 2003 Terminal Services [MS SPTK 70-290 ch 2 lesson 5] I encountered a problem that had me stumped. I use VMware Server 1.0.6 to create my dev machines. I had configured NLB/WLBS clusters before with no difficulty, but could not get the same thing working with my virtual machines.

Each of the two cluster members had two vNICs installed and configured for different virtual switches on different subnets. One vNIC was for management and the other was for the NLB/WLBS cluster. I could configure the first node without problem but was never able to configure the second node: the second node never converged and eventually lost connectivity. By a fluke I discovered that, after a reboot of my host and all virtual machines, the first node was no longer pingable but the second node now was.

Some of the troubleshooting:

Google and VMTN finally provided the solution and an explanation: NLB in Unicast mode support? [http://communities.vmware.com/thread/42501]. The answer was to use Multicast, not Unicast, for the NLB/WLBS cluster. After making the configuration change to my cluster it worked right away.

MS SPTK 70-290 = Microsoft Self-Paced Training Kit 70-290, ISBN 0-7356-2289-2

Groups and Group Nesting part 2

This is an attempt to enumerate the different Group Nesting Strategies and, if applicable, notes on their use. Based on what I have seen so far, just because these strategies exist does not mean they represent a recommendation or best practice.


  1. UGLR/AGDLP

    Users > domain Groups > Local groups > Resources, a.k.a. AGDLP: user Accounts > Global groups > Domain Local groups > Permissions. From the Windows NT 4 days. See also http://en.wikipedia.org/wiki/AGDLP


  2. UGULR

    Users > domain Global group > Universal group > (Domain) Local group > Resource. Because of the use of a Universal group this requires Windows 2000 native or Windows Server 2003 domain function level.


  3. AGGUDLP

    user Account > Global group > Global group > Universal Group > Domain Local group > Permissions. As above, because of the use of a Universal group this requires Windows 2000 native or Windows Server 2003 domain function level. See http://groups.google.ca/group/microsoft.public.win2000.active_directory/browse_thread/thread/aaa50100100b2a22/1d1da2dc528e14cb?hl=en&lnk=st&q=AGGUDLP+AGDLP+windows+site%3Amicrosoft.com#1d1da2dc528e14cb



Microsoft has broken down the topic like this [MS DaDDaSS ch15]:


  1. User/ACL

    * User accounts are added directly to ACL of Resource.
    * Does not scale well.
    * Useful for sensitive Resources.


  2. AG/ACL

    * Account Group added directly to ACL of Resource.
    * More scalable.
    * Groups can be nested only if the domain function level is Windows 2000 native or Windows Server 2003.
    * More work for the Resource owner/administrator if different groups require different access, because more AGs must be added to the ACL.
    * Even more work for the Resource owner/administrator at Windows 2000 mixed or Windows Server 2003 interim level due to the restrictions on group nesting.


  3. AG/RG

    * Account Group added directly to Resource Group. This implies obviously that Users are added to AGs and that RGs are added directly to Resources.
    * Scales better than AG/ACL.
    * Works well for groups of Resources such as printer pools.
    * Easier to revoke access. Domain administration rather than machine (computer) administration tools used.
    * Work could increase geometrically if many groups require different access. A new RG would be required for every combination of Permissions per Resource.
    * Can be used independent of domain function level, especially at Windows 2000 mixed domain function level or where ACLs are on Windows NT 4 machines (computers) --> see UGLR/AGDLP above.


Throughout all of my studying and research into Active Directory one of the biggest questions I have had is why did Microsoft introduce Domain Local groups? Why not use local (machine) groups? I finally found the answer in the sub-section titled "Selecting Local Groups or Domain Local Groups as Resource Groups" [MS DaDDaSS ch15]:



  • For both AG/ACL & AG/RG you can select either Local (machine) Groups or Domain Local Groups for use as Resource Groups.

  • Domain Local groups can be managed anywhere in the domain, but Local (machine) groups require access to the machine (computer) hosting the Resource.

  • Obviously, Domain Local groups are visible in the domain whereas Local (machine) groups are not.

  • Group retirement is easier with Local (machine) groups because they disappear when the machine (computer) is decommissioned. Domain Local groups persist after the machine (computer) is decommissioned, therefore more work is required to ensure only the currently used groups are kept.

  • The Security Access Token will be larger. The Security Access Token includes the groups to which the user account is a member, but also the groups to which those groups belong, until all group membership is resolved. (I need to figure out if/how Local (machine) groups apply.)

  • Default maximum token size is 12000 bytes, which can be changed. See Q327825.
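As an added example (not from the original post), here is the token-size arithmetic behind that last bullet, using the sizing formula from Microsoft KB Q327825 as I recall it (TokenSize = 1200 + 40d + 8s). The 12000-byte default is the one named above; the group names and domains are constructed.

```python
# Added example, not from the original post: estimate a user's access token size
# with the sizing formula from Microsoft KB Q327825 as I recall it,
#     TokenSize = 1200 + 40*d + 8*s
# where d counts Domain Local groups, Universal groups outside the user's account
# domain and SIDs in SIDHistory, and s counts Global groups and Universal groups
# inside the account domain.  Local (machine) groups are not covered by the formula.
from collections import namedtuple

# scope: 'domain_local', 'global', 'universal' or 'sid_history'
Membership = namedtuple("Membership", "name scope domain")

DEFAULT_MAX_TOKEN_SIZE = 12000  # bytes, the default named on the page; changeable per Q327825


def estimate_token_size(memberships, account_domain):
    """Estimated token size in bytes for a fully resolved (nested) group list."""
    d = s = 0
    for m in memberships:
        if m.scope in ("domain_local", "sid_history"):
            d += 1
        elif m.scope == "universal":
            if m.domain == account_domain:
                s += 1
            else:
                d += 1
        elif m.scope == "global":
            s += 1
        else:
            raise ValueError(f"unknown scope {m.scope!r}")
    return 1200 + 40 * d + 8 * s


def token_headroom(memberships, account_domain, max_size=DEFAULT_MAX_TOKEN_SIZE):
    """Bytes left before the token exceeds max_size; negative means it will not fit."""
    return max_size - estimate_token_size(memberships, account_domain)


def constructed_memberships(n_domain_local, n_global, n_universal_other):
    """Constructed sample: Domain Local and Global groups in corp.example (the
    account domain) plus Universal groups from a second domain in the forest."""
    groups = [Membership(f"DL-Res{i}", "domain_local", "corp.example") for i in range(n_domain_local)]
    groups += [Membership(f"G-Role{i}", "global", "corp.example") for i in range(n_global)]
    groups += [Membership(f"U-Proj{i}", "universal", "eu.example") for i in range(n_universal_other)]
    return groups


if __name__ == "__main__":
    # 250 Domain Local + 100 Global + 30 Universal (other domain) -> 13200 bytes, over the default
    print(token_headroom(constructed_memberships(250, 100, 30), "corp.example"))
```

Note how cheaply Domain Local groups eat the budget (40 bytes each versus 8 for a Global group in the account domain), which is the cost side of the AG/RG strategy above.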


The introduction of Security/Session/Access Tokens has got me researching this topic as well as PACs (Privilege Access Certificate). More later.

Groups and Group Nesting.

I am studying for my 70-290 exam (using the MS Self-Paced Training Kit) and am looking at Groups and Group Nesting. I remember from my MCSE (NT4) days about UGLR (Users > domain Groups > Local groups > Resources) a.k.a. AGDLP (user Accounts > Global groups > Domain Local groups > Permissions). This was fairly easy to understand. But of course with Active Directory things got more interesting, mostly due to the distinctions between the domain's functional level, group type and group scope.

First thing, know the domain function level [MS DaDDaSS p 210-211]. This is important if you are trying to figure out questions related to group nesting. The answer changes depending on the domain function level due to the requirement in some cases to be backward compatible with Windows NT domains.

  1. Windows 2000 mixed

    Allows for Windows NT 4, Windows 2000 and Windows Server 2003 domain controllers. Because Windows NT 4 had no concept of Universal groups, they are not available, nor are domain group nesting options. Default when installing first domain in forest.


  2. Windows Server 2003 interim

    Allows for Windows NT 4.0 and Windows Server 2003, but NOT Windows 2000 domain controllers. Same restrictions as Windows 2000 mixed. I'm not too clear why this even exists. I vaguely remember seeing something about migrating Windows NT 4 to Windows Server 2003. This requires more investigation.


  3. Windows 2000 native

    Allows for Windows 2000 and Windows Server 2003. Because there is no requirement to accommodate Windows NT 4 domain controllers all of the features introduced in Windows 2000 Active Directory are enabled: Universal groups, AD group nesting, etc.


  4. Windows Server 2003

    Allows Windows Server 2003, but not Windows 2000 domain controllers. New features unique to Windows Server 2003 Active Directory are introduced: renaming of domain controllers, renaming domains not allowed (see below), inetOrgPerson can be used for authentication for other LDAP directories (eDirectory, OpenLDAP, etc.), redirecting new user and computer accounts to a specific OU, etc.

Of course this should not be confused with forest function levels [MS DaDDaSS p 212-213].


  1. Windows 2000

    Allows Windows NT 4, Windows 2000 and Windows Server 2003 domain controllers. All default Active Directory features -- need to know what this means.


  2. Windows Server 2003 interim

    Allows Windows NT 4 and Windows Server 2003 domain controllers. Advanced features: all default, linked value replication (???), improved replication (KCC) algorithms and scalability, more attributes added to GCs (Global Catalogues).


  3. Windows Server 2003

    Allows Windows Server 2003 domain controllers only. Advanced features: convert inetOrgPerson to User object and back again, deactivation/redefinition of attributes and classes in the schema, forest (vs. domain) trusts, rename domain name, etc.


Second, now that domain and forest function levels have been defined we move on to the breakdown of groups. One way of breaking down groups is to look at the scope. [MS DaDDaSS ch 15]

  1. Local (machine) group

    All Windows NT based operating systems (Windows NT 3.x, Windows NT 4, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008) allow you to create users and groups that are local to the computer. So by definition they are not visible in the domain.

    Distinction of domain or forest function level is irrelevant. (Maybe.)

    Members: Users from the same machine (computer) only.

    Members: Users, Groups from any trusted domain. (This needs to be verified for other domains in the same forest.)

    Member of: None.


  2. Domain Local group

    Membership information is stored in the Domain Local group's domain.

    For Windows 2000 mixed and Windows Server 2003 interim domains

    Members: Due to the limitations of Windows NT 4 domain controller compatibility, these groups can contain Users, Computers, Global groups from any domain in the same forest or a trusted domain in another forest. (I need to see if this applies to both explicit domain trusts and forest trusts).

    Member of: Due to the limitations of Windows NT 4 domain controller compatibility, these groups are local to the domain controllers only. (I need to do some testing to verify that 2000 & 2003 behave like NT 4).

    For Windows 2000 native and Windows Server 2003 domains

    Members: Can contain Users, Computers, Global groups, Universal groups from any domain in the same forest or a trusted domain in another forest.

    Members: Can contain Domain Local groups from the same domain only. DL(n) > DL(m), where n<>m.

    Member of: Domain Local group from same domain only. DL(n) > DL(m), where n<>m.

    Member of: Windows Server 2003 Resource in the same domain only. (I need to verify this.)


  3. (Domain) Global group

    Membership information is stored in the Global group's domain.

    For Windows 2000 mixed and Windows Server 2003 interim domains

    Members: Due to the limitations of Windows NT 4 domain controller compatibility, these groups can contain Users, Computers from the same domain only.

    Member of: Domain Local group from the same forest or a trusting domain in an other forest. (Need to verify this too.)

    For Windows 2000 native and Windows Server 2003 domains

    Members: Can contain Users, Computers, Global groups from the same domain only. As with Domain Local groups G(n) > G(m), where n<>m. (What about Universal groups?)

    Member of: Global groups from the same domain only. As with Domain Local groups G(n) > G(m), where n<>m. (What about Universal groups?)

    Member of: Domain Local group from any domain in the same forest or a trusting domain in another forest.


  4. Universal groups

    Membership information is stored in Global Catalogues only.

    For Windows 2000 mixed and Windows Server 2003 interim domains

    Because Windows NT domains have no concept of Universal groups they are not available.

    For Windows 2000 native and Windows Server 2003 domains

    Members: Users, Computers, Global groups, Universal groups of any domain in the same forest. (What about trusted domains/forests?)

    Member of: Domain Local groups, Universal groups from of any domain in the same forest. (Again, what about trusted domains/forests?)
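The scope rules above are easier to reason about as code, so here is an added example (not from the original post, nor from the MS book): a small checker that answers "can this be a member of that?" for a given domain function level. It follows the lists above literally: anything they do not explicitly allow (for instance a Universal group inside a Global group) is treated as not allowed, trusts are assumed to exist, and local (machine) groups are left out. The names and domains are constructed.

```python
# Added example, not from the original post: a rule checker for the group-scope
# membership rules listed above, keyed on the domain function level.  Anything the
# lists do not explicitly allow (e.g. a Universal group inside a Global group) is
# treated as not allowed, trusts are assumed to exist, and local (machine) groups
# are left out.  The names and domains used are constructed.
from dataclasses import dataclass

MIXED_LEVELS = {"2000 mixed", "2003 interim"}
NATIVE_LEVELS = {"2000 native", "2003"}


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str    # 'user', 'computer', 'global', 'universal' or 'domain_local'
    domain: str
    forest: str


def can_be_member(member, group, level):
    """Return (allowed, reason) for making `member` a member of `group`."""
    if level not in MIXED_LEVELS | NATIVE_LEVELS:
        raise ValueError(f"unknown domain function level {level!r}")
    native = level in NATIVE_LEVELS
    same_domain = member.domain == group.domain
    same_forest = member.forest == group.forest
    if member == group:
        return False, "a group cannot be a member of itself"
    if not native and "universal" in (member.kind, group.kind):
        return False, "Universal groups need Windows 2000 native or Windows Server 2003"
    if group.kind == "global":
        if not same_domain:
            return False, "Global groups take members from their own domain only"
        if member.kind in ("user", "computer") or (native and member.kind == "global"):
            return True, "ok"
        return False, f"Global groups cannot contain {member.kind} groups at level {level}"
    if group.kind == "domain_local":
        if member.kind in ("user", "computer", "global", "universal"):
            return True, "ok"  # any domain in the forest or a trusted domain elsewhere
        if native and same_domain:
            return True, "ok"  # DL(n) > DL(m), same domain only
        return False, "Domain Local nesting needs a native level and the same domain"
    if group.kind == "universal":
        if member.kind == "domain_local":
            return False, "Domain Local groups cannot be members of Universal groups"
        if same_forest:
            return True, "ok"
        return False, "Universal groups take members from the same forest only"
    return False, f"{group.kind} is not a group scope"
```

The open questions in the list (Universal groups inside Global groups, trusted forests for Universal groups) show up here as "not allowed" answers, which is the conservative reading until they are verified.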

Thirdly, the next breakdown of groups is the group type: security or distribution list. Security groups are used when providing access (ACLs in Permissions); distribution lists are used by Microsoft Exchange 2000, 2003, 2007. The group type can be switched from security to distribution list and back again. This is useful for temporarily disabling security groups by converting them to a distribution list. They retain their membership information but are no longer valid for access [MS DaDDaSS p719].


MS DaDDaSS = Microsoft Designing and Deploying Directory and Security Services, ISBN 0-7356-1486-5

Hello world.

Woohoo. This is me blogging.