Detecting Concurrent Logins
Posted 6/2/2011 3:26:55 AM
Forum Newbie
Group: Forum Members
Last Login: 6/9/2011 7:43:48 AM
Posts: 3, Visits: 5
I want to detect concurrent user logins within the domain. Audit log policy is implemented and workstation logs are saved on the AD. I examined the audit logs, and Event IDs 528 and 672 look promising. However, I am not sure how I can detect concurrent logins through any of these events. Any help in this regard will be greatly appreciated.
Post #704
Posted 6/2/2011 10:15:56 AM
Expert
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 326, Visits: 0
Absolutely no way to do this. There is no central place in Windows or AD that keeps track of who is logged on currently. Domain controllers only know when you authenticate and then forget about you; they don't keep track of the actual logon session. Each computer keeps track of the logon sessions to it and it only.

There are tools out there that install an agent on every computer and server and report to a central server about logons and logoffs.

Post #705
Posted 6/8/2011 1:21:06 AM
Forum Newbie
Group: Forum Members
Last Login: 6/9/2011 7:43:48 AM
Posts: 3, Visits: 5
Dear Randy Smith,
Thank you very much for your reply. Now I did it using the OSSEC agent, and the agent reports it to a central SIEM server. I have configured a policy on the SIEM server to look for Event ID 528 subtype 2, which is for interactive logins. Whenever two events of this type occur having the same username and different IPs, I am generating an alarm.

Your thoughts on this solution will be really valuable. Nevertheless, thank you once again for your reply!!
Post #712
Posted 6/8/2011 9:01:26 AM
Expert
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 326, Visits: 0
Will work only if:

1. You are collecting events from every workstation. Interactive logons are logged on the computer where the user is logged on interactively, not on the domain controller. If you log on interactively on your workstation with a domain account, the Event ID 528 logon type 2 will be logged on the workstation. If you walk up to the keyboard and screen of a server and log on there, that is the only time you'll see Event ID 528 logon type 2 on the server (or if someone is logging on via a KVM-over-IP device, of course).

2. You are looking for these two events within a reasonable time period. And what if someone logs onto workstation A and logs off and then logs onto workstation B within that time period? False positive. What if someone logs on to workstation A and remains logged on past your observation time window, and then also logs on to workstation B? No alert.

3. Don't use Source IP Address from the event for your comparison. It is not filled in on interactive logons. Use the computer name from the header of the event.

Post #713
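The two rules discussed above, as an added example that is not code from the original thread, from OSSEC or from the SIEM in question: a naive sliding-window rule of the kind described in post #712, beside a stateful session-tracking rule that follows the three conditions in post #713 (events from every workstation, no fixed observation window, key on the computer name from the event header rather than the blank Source IP). The pipe-delimited record layout, the sample events and the 12-hour maximum session age are assumptions of this example, not anything the thread states.

```python
"""Correlating interactive logons (Event ID 528, Logon Type 2) across workstations."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

LOGON_ID, LOGOFF_ID, INTERACTIVE = 528, 538, 2

# Constructed sample events, not real logs. The field order is an assumption of
# this example: time|computer (from the event header)|event id|logon type|user|source.
# The source address is "-" on interactive logons, as post #713 notes, so the
# correlators below key on the computer name and never look at the source field.
SAMPLE_LINES = [
    "2011-06-08 08:00:00|ws01|528|2|jdoe|-",
    "2011-06-08 08:05:00|ws01|538|2|jdoe|-",            # jdoe logs off WS01 ...
    "2011-06-08 08:10:00|ws02|528|2|jdoe|-",            # ... and moves to WS02: not concurrent
    "2011-06-08 09:00:00|ws03|528|2|asmith|-",
    "2011-06-08 10:00:00|fs01|528|3|asmith|10.1.2.33",  # network logon to a file server: ignored
    "2011-06-08 10:30:00|ws04|528|2|asmith|-",          # still logged on to WS03: concurrent
    "2011-06-08 11:00:00|ws04|538|2|asmith|-",
]


@dataclass
class Event:
    when: datetime
    computer: str
    event_id: int
    logon_type: int
    user: str
    source: str


@dataclass
class Alert:
    user: str
    existing: List[str]   # computers the user was already logged on to
    new: str              # computer whose logon triggered the alert
    when: datetime


def parse(line: str) -> Event:
    when, computer, eid, ltype, user, source = line.split("|")
    # NetBIOS names and SAM account names are case-insensitive, so normalise them.
    return Event(datetime.strptime(when, "%Y-%m-%d %H:%M:%S"), computer.upper(),
                 int(eid), int(ltype), user.lower(), source)


def windowed_alerts(lines, window_minutes: int = 30) -> List[Alert]:
    """Naive rule: two interactive logons for one user on different computers
    within a sliding window. Kept for comparison; it shows both failure modes
    from post #713 (false positive on desk moves, missed alert on long sessions)."""
    window = timedelta(minutes=window_minutes)
    recent: Dict[str, List[Event]] = {}
    alerts: List[Alert] = []
    for ev in map(parse, lines):
        if ev.event_id != LOGON_ID or ev.logon_type != INTERACTIVE:
            continue
        history = [e for e in recent.get(ev.user, []) if ev.when - e.when <= window]
        others = sorted({e.computer for e in history if e.computer != ev.computer})
        if others:
            alerts.append(Alert(ev.user, others, ev.computer, ev.when))
        history.append(ev)
        recent[ev.user] = history
    return alerts


def stateful_alerts(lines, max_session_hours: int = 12) -> List[Alert]:
    """Session-tracking rule: a 528/2 opens a session on that computer, a 538/2
    closes it, and an alert fires only when a new interactive logon arrives while
    a session on a different computer is still open. max_session_hours expires
    sessions whose 538 never arrived (hard power-off, lost agent); the default is
    an assumed value, tune it to the site's longest realistic working day."""
    max_age = timedelta(hours=max_session_hours)
    sessions: Dict[str, Dict[str, datetime]] = {}   # user -> {computer: logon time}
    alerts: List[Alert] = []
    for ev in map(parse, lines):
        if ev.logon_type != INTERACTIVE:
            continue
        active = sessions.setdefault(ev.user, {})
        for stale in [c for c, t in active.items() if ev.when - t > max_age]:
            del active[stale]
        if ev.event_id == LOGOFF_ID:
            active.pop(ev.computer, None)
        elif ev.event_id == LOGON_ID:
            others = sorted(c for c in active if c != ev.computer)
            if others:
                alerts.append(Alert(ev.user, others, ev.computer, ev.when))
            active[ev.computer] = ev.when
    return alerts


if __name__ == "__main__":
    for name, found in (("windowed", windowed_alerts(SAMPLE_LINES)),
                        ("stateful", stateful_alerts(SAMPLE_LINES))):
        print(name, [(a.user, a.existing, a.new, a.when.isoformat()) for a in found])
```

On the sample data the windowed rule raises a false alarm for jdoe's desk move and misses asmith, who is on WS03 and WS04 at the same time; the stateful rule reports only asmith. The stateful rule depends on seeing the 538 logoff events, so the session age cap matters: an unexpired ghost session from a workstation that was powered off without a logoff would otherwise trigger an alert the next time the user logs on elsewhere.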
Posted 6/9/2011 6:12:43 AM
Forum Newbie
Group: Forum Members
Last Login: 6/9/2011 7:43:48 AM
Posts: 3, Visits: 5
Your suggestions are indeed very valuable. I am taking logs from each workstation because, as you said, the Event ID 528 Logon Type 2 is not collected on the AD. As regards the IP address, actually I have configured my correlation rule to take the IP of the OSSEC agent which is sending the logs. Since each workstation has its own agent, the IP of the agent and the workstation machine is the same. There is no NAT involved, so I can get those IPs. But I will develop custom regular expressions to extract the computer name and then perform a DNS resolution. That would be more elegant.
Your comments about the false positive and false negative are indeed correct. Actually, in my scenario, I don't want the user to log in to any other computer other than his designated one. So what I have decided is that I will designate one computer for each user in the AD so that he/she could log in only to that computer. If the user ever tries to log in to another machine, a login failure will occur with Event ID 533. Then I can collect those event IDs and generate the alarm. I think that would be a better option.
But thank you very much for your valuable suggestions and time. Really appreciated.
Post #720