Security groups are a primary mechanism for assigning permissions or roles to security principals in Microsoft Windows operating systems. Each modern Windows operating system has a set of default built-in local security groups. Each such group has its own set of access permissions defined for operating system objects, and has specific user privileges, logon rights, and so on, because each group has its own purpose. Built-in local security groups cannot be deleted and each has a hardcoded relative identifier (RID), which is the last part of a unique security identifier (SID), assigned to it.
Windows allows you to easily create, delete, and add members to a security group and perform other operations with security groups. Because security groups are used to assign permissions to specific accounts or groups, which are members of these groups, it's important to have good monitoring mechanisms for all actions performed with local security groups, especially with high privileged groups, like the local Administrators group.
Non–domain-joined machines have only two types of security groups that can be used within a machine:
All non–built-in local security groups are stored in the Security Account Manager database at the following registry path:
. The path for built-in local security groups is HKLMSAMSAMDomainsAccountAliases
. Viewing the Security Account Manager database using Windows Registry Editor is explained in Chapter 5. Figure 6-1 shows an example of the Security Account Manager database with one manually created local security group named HKLMSAMSAMDomainsBuiltinAliases
.NewGroup
As you can see, security group properties are stored in the registry key as a hexadecimal value, which is the group's relative identifier (RID). In Figure 6-1, 000003E9, which is the RID of a newly created group named
. The registry value NewGroup
, located inside the C
registry key, contains the group's properties. If you open this 000003E9
value, you can even find a description of the security group.C
The
registry key contains all members of a specific security group. In the example in Figure 6-1, Members
has only one member in it.NewGroup
The
registry key contains group names. There is only one name in the example “NewGroup”, which is the name of the group related to 000003E9 registry key. Group names ordered the same way as group registry keys, so they have the same sequence.Names
In this chapter you learn about different scenarios related to local security groups, such as security group creation, deletion, and modification. You see which events appear in the Windows security event log for most common scenarios related to security groups.
Each modern Microsoft Windows version has a specific set of built-in local security groups, but these groups vary depending on operating system type (server or client) and version. Table 6-1 contains information about built-in security groups present in each modern Microsoft Windows operating system version.
Table 6-1: Built-in Local Security Groups by Microsoft Windows OS Version
GROUP NAME | 2008R2 | 2012/2012R2 | 2016 | WIN 7 | WIN 8/8.1 | WIN 10 |
Access Control Assistance Operators | + | + | + | + | ||
Administrators | + | + | + | + | + | + |
Backup Operators | + | + | + | + | + | + |
Certificate Service DCOM Access | + | + | + | |||
Cryptographic Operators | + | + | + | + | + | + |
Distributed COM Users | + | + | + | + | + | + |
Event Log Readers | + | + | + | + | + | + |
Guests | + | + | + | + | + | + |
Hyper-V Administrators | + | + | ||||
IIS_IUSRS | + | + | + | + | + | + |
Network Configuration Operators | + | + | + | + | + | + |
Performance Log Users | + | + | + | + | + | + |
Performance Monitor Users | + | + | + | + | + | + |
Power Users | + | + | + | + | + | + |
Print Operators | + | + | + | |||
RDS Endpoint Servers | + | + | ||||
RDS Management Servers | + | + | ||||
RDS Remote Access Servers | + | + | ||||
Remote Desktop Users | + | + | + | + | + | + |
Remote Management Users | + | + | + | + | ||
Replicator | + | + | + | + | + | + |
Storage Replica Administrators | + | |||||
System Managed Accounts Group | + | + | ||||
Users | + | + | + | + | + | |
WinRMRemoteWMIUsers__ | + | + | + |
As shown in Table 6-1 some operating system versions have specific built-in local security groups. For example, only Windows Server 2016 has a “Storage Replica Administrators” local security group.
One way to view the list of local security groups that exist on the system is to use the built-in “Computer Management” snap-in (
). Figure 6-2 shows an example of the Computer Management snap-in's output with the local security groups for the newly installed Windows 10 operating system.compmgmt.msc
The following sections describe each of local security groups listed in Table 6.1 and discuss which of these groups are critical to monitor and why.
Members of this group can remotely query authorization attributes and permissions for resources on the local computer. There is not much information available about access permissions this group has. It has no members in it by default. It is recommended to monitor any account added or removed from this group, because it is, usually, remains empty.
The built-in local Administrators security group is considered the most privileged built-in security group. Members of this group can perform any action on the local machine. It has one default member: the built-in Administrator account. It might also have other members created during installation, which is typical for client operating systems, or it might have members previously added to this group if the system was upgraded. This group should be considered as critical and any changes to it must be monitored. This group cannot be deleted, but can be renamed.
Members of this group can back up and restore files and folders on the system, shut down the system, log on as a batch job, and log on locally. Because of backup and restore privileges this group should be considered critical. These privileges allow users to take a copy of any file in the system, including the Security Account Manager database, and then perform any action with these files offline. This group cannot be deleted, but can be renamed. It is empty by default. You can find more information about user privileges in Chapter 11.
This group only applies to servers with the Certification Authority role installed. All security principals that need to enroll certificates from the Certification Authority must be a member of this security group on Certification Authority servers. Membership in this security group doesn't give accounts any critical privileges. This group should be considered as a low-privileged group. This group cannot be deleted, but can be renamed. It is empty by default.
The Federal Information Processing Standards Publication 140-2 (FIPS 140-2) defines a “Crypto Officer” role, which is represented by the Cryptographic Operators group in Windows.
When the “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” security policy setting is configured in local or group policy objects, only members of the Cryptographic Operators group or the local Administrators group can configure Cryptography Next Generation (CNG) settings. Specifically, Cryptographic Operators can edit the cryptographic settings in the IPsec policy of Windows Firewall with Advanced Security (WFAS).
This security group is very rarely in use and doesn't have any critical permissions associated with it. This group should be considered a low-privileged group. This group cannot be deleted, but can be renamed. It is empty by default.
The Distributed COM Users group by default has the “Local Access” and “Remote Access” access permissions security limits set for all COM objects on the system. It also has the “Local Launch,” “Remote Launch,” “Local Activation,” and “Remote Activation” launch and activation permission security limits set for all COM objects on the system. These permissions can be set using the “Component Services” management console (
) as illustrated in Figure 6-3.comexp.msc
It is important to understand that by default Distributed COM Users group is included only in “Security Limits” and doesn't have any DCOM permissions by default. “Security Limits” defines the permissions limit for any COM object in the system. Basically, if COM application permissions will somehow get beyond the “Security Limits,” only permissions defined in the “Security Limits” will work. The Distributed COM Users group, theoretically, can have unlimited local and remote access for any COM application, if these permissions are set for that application manually. The criticality level of this group depends on individual settings for each COM application in the system. Members of this group, by default, cannot log on the system locally. This group has no members by default. I recommend considering this security group to be of medium importance and monitoring any change to it.
Members of this group can read any event log on the local system, but cannot log on into the system locally. This group has only read access to event logs. Membership in this group often includes other computers that monitor or query local log events, but this group is empty by default. It is recommended that this group is considered to be of medium criticality.
The Guests group is designed to provide guest access to the system if it's required. This group has similar permissions as the built-in Users group, but is more restricted. The only default member of this group is the Guest account. Members of this group, because of default local security policy settings, cannot log on to the system locally. If guest access is not needed, it is recommended to remove the Guest account from this group and performing monitoring of this group for any change, because no changes to this group should occur.
This group is designed for Hyper-V administrators. All members of this group have unrestricted access to all Hyper-V features on the local machine. Members of this group, by default, cannot log on in to the system locally. The importance level of this group depends on the importance of Hyper-V virtual machines, installed on the system. I recommend considering this group to be of low criticality, because this group exists only on Windows client operating systems, which don't typically have any critical virtual machines installed.
The IIS_IUSRS group is designed to be used by the Internet Information Services (IIS) component. IIS_IUSRS is the group for IIS Worker Process Accounts, which means the identity that the IIS application pool itself runs under. By default, if the Internet Information Services component is not installed, this group has no user privileges associated to it and has no members. After you install the IIS, this group gets the following privileges:
If the IIS component is not installed on the system this group has a low importance level. After the IIS component is installed, the IIS_IUSRS group gains the “Impersonate a client after authentication” privilege, which may be used to impersonate more privileged user accounts logged in to the machine using RPC, COM, or named pipes. The probability of such attacks is quite low, but still, I recommend treating this group as of high importance, because of “Impersonate a client after authentication” privileges, and monitoring any change to this group.
Network Configuration Operators group members can perform the following actions:
ipconfig/release
or ipconfig/renew
commandsBecause members of this group have the ability to change TCP/IP settings, this group should be considered as of high importance. By default this group is empty. I recommend that you monitor any change to this security group, because it is uncommon for this group to be in use.
This group is designed to provide access to measure system performance using performance counters, trace providers, and so on. The main difference between Performance Log Users and Performance Monitor Users is that Performance Log Users has Write access (can modify the logging schedule, for example), whereas Performance Monitor Users has only Read access. This group has the “Log on as a batch job” user privilege by default. I recommend considering this security group to be of low importance, because setting performance counters may affect overall system performance, but it is hard to use this functionality to compromise the system.
Members of this group can view real-time performance data in Windows Performance Monitor (
), and can change the Performance Monitor display properties while viewing real-time data. This group has only Read access permission to performance counter data. I recommend considering this group to be of low importance.Perfmon.msc
This group initially was designed to provide users limited administrative access to the system, such as installing software that does not modify operating system files or installing system services, running legacy applications, and so on. Starting from Windows Vista, Power Users permissions were reduced, mostly to provide access to some system configuration tasks, such as changing the system time zone. Usually, there is no need to use the Power Users group, but, because this group still has the ability to change some system settings, I would recommend considering this group to be of medium importance and monitoring any change to it.
This group is essentially designed for Active Directory Domain Controllers and on local servers it does not have any logon rights or user privileges assigned to it. Members of this group can modify, create, share, and delete printers connected to domain controllers in the domain. On standalone servers this group should remain empty. There is no need to use it, because it does not have any permissions and user rights associated to it on member servers.
Members of this group have “Allow log on through Remote Desktop Services” user privileges and are able to remotely log on to the local machine using a Remote Desktop connection. I recommend treating this group as a high importance group, because it provides remote access to the machine, and monitoring any change to this group.
This group is designed mainly to provide remote management access to the local machine using the WS-Management protocol (for example, remote connections using Server Management console use this protocol). This group also allows connection to the host using Windows Remote Management (WinRM) protocol, which is used, for example, by remote PowerShell connections. By default this group has no user rights assigned to it. Because this group provides remote access to the local machine, it should be considered as a high importance group and any change to this group should be monitored.
The Replicator group is designed to support Active Directory replication operations. This group should remain empty on member servers. It has no object permissions, logon rights, or user privileges associated to it on member servers. I recommend considering this group to be of low criticality on member servers.
The Storage Replica Administrators group is dedicated for Storage Replica feature administrators. Members of this group have full access to all Storage Replica features. By default this group is empty. If the Storage Replica feature is not in use, it has no object permissions, logon rights, or user privileges associated to it. I recommend considering this group as of low criticality on member servers.
This built-in security group is not well documented yet. It contains accounts managed by the operating system. This group provides full access for local machine account (Local System) to all members of this group. By default, this group has only one member in it, the DefaultAccount account. (See Chapter 5 for more information about the DefaultAccount account.) I recommend considering this group as of low criticality.
Any new local user account becomes a member of this security group by default right after it is created. The main purpose of this security group is to provide users with all the non-administrative functions needed to use the computer. Membership in this group does not provide any type of administrative access to the machine, but allows members to, for example, run applications which don't require elevation of privileges, use local and network printers, and lock the computer.
Windows server operating system versions have the following logon right and user privileges assigned to the Users security group:
Windows client versions additionally have the following user privileges assigned to the Users security group:
Basically speaking, the Users security group has more privileges on Windows client system versions than on server versions.
This group should be considered as of medium criticality; changes in this group might indicate local user account deletion or creation operation. Any change to this group should be monitored, especially on critical servers and workstations.
The WinRMRemoteWMIUsers__ group initially was designed to allow its members to run Windows PowerShell commands remotely. Starting from Windows 2016 and Windows 10 this group was completely replaced by the “Remote Management Users” security group. By default this group has no members and permissions assigned to it. Because this group provides remote access to the local machine, it should be considered as of high importance and any change to this group should be monitored.
Different actions can be performed with security groups: groups can be created, deleted, modified, and so on. All these scenarios generate different events in the Windows security event log. It's important to know which events are generated in the security event log for all typical operations and which useful information is available for monitoring in these events.
In this section of the chapter you will find information about security events generated during typical operations with local security groups.
You can use several methods to create a local security group, including the Computer Management console (
), Microsoft PowerShell commands, the compmgmt.msc
command, and so on. All these methods generate the same set of events in the Windows security event log.net group
During creation of new local security group using the Computer Management console you can specify the following group parameters:
That is all that is available to change for local security groups.
For each local security group creation event it's important to know the following information:
In this section you will find information about how to find answers to all of these questions.
The events shown in Listings 6-1 through 6-7 will appear in the Windows security event log when a new local security group is successfully created.
This event represents a handle request invoked by the
.Subject
To create a new local security group a request to create a new local group (
access type) should be sent to the CreateLocalGroup
instance.Security Account Manager SAM_DOMAIN
The
represents the Security Account Manager system module, which is responsible for managing the Security Account Manager database. This database contains information about local security groups, local user accounts, user account passwords (stored as hashes), user account parameters, the group's parameters, and so on.Object Server:Security Account Manager
represents a Security Account Manager domain in which a new local security group is created. The Object Name field contains the name of the SAM_DOMAIN object. It can be an Active Directory domain name if it is a domain group created on a domain controller, or a machine name for local security groups.Object Type:SAM_DOMAIN
The access types (Accesses field) requested for the
are:Security Account Manager SAM_DOMAIN
%%5398:
CreateLocalGroup
%%5401:
LookupIDs
(See Table 5.1 for the full list of
object access rights.)SAM_DOMAIN
The
access type is required to create a new local group. The list of requested access permissions in this event might be different, but it must contain CreateLocalGroup access type.CreateLocalGroup
The
field contains the hexadecimal mask of requested accesses. More information about Access Mask
access type hexadecimal values is shown in Table 5.1.SAM_DOMAIN
This event also shows a
section, which usually contains Process Information
(Local Security Authority Subsystem Service) as the process that was used to perform a handle request. lsass.exe
is a default process that is authorized to manage Security Account Manager objects. This event is not supposed to tell you which process was initially used to request specific accesses. It shows you the process which invoked Security Account Manager functions (lsass.exe
). It does not show you which process initially requested a new handle using lsass.exe
functions.lsass.exe
There is no information about how a new local security group was created or which tools were used. You can try to track 4688 process creation events, which occur prior to new local group creation events, to find which applications were run before a new local security group was created.
The event in Listing 6-2 informs you about new local security group creation.
There are two types of local groups that you might see in Windows security events:
In this event you also can find who created a new group (
) and some information about the newly created group. For local security groups the Subject
always has the same value as the Group Name
.SAM Account Name
The
attribute is not applicable to nondomain security groups.SID History
This 4731 event contains all important information about successful local group creation:
Subject
Group Name
Listing 6-3 shows a local security group change event. The biggest problem with this event is that it shows changes to only a limited set of attributes:
and SAM Account Name
. Basically, it shows only changes to SID History
attribute, which is a name of the security group, because SID History field is not applicable to local security groups.SAM Account Name
In this event you see that a change was made to the
local security group, but, unfortunately, there is no information in this event about what exactly was changed. This happens when some attribute of the group was changed, for example Description field or group access permissions (DACL), which is not included in the 4735 event schema.NewGroup
Listing 6-4 shows that the handle, which was opened to the
entity for a group creation operation, was closed, because all required actions were completed.SAM_DOMAIN
The
field in this event will have the same value as the Handle ID
field in the initial handle request 4656 event.Handle ID
Listing 6-5 is another handle request, but this time it is for the SAM_ALIAS
object. The Security Account Manager
object type represents the local security group entity.SAM_ALIAS
The
field contains a path to the requested local security group object in the Object Name
database. The last part, Security Account Manager
, represents relative identifier (RID) of the group for which the handle was requested in hexadecimal format. Hexadecimal 000003EA
is decimal 000003EA
.1002
You also can see that the
access type was requested (WriteAccount
field). The Accesses
field contains the hexadecimal mask value for requested accesses. More information about Access Mask
access type hexadecimal values you can find in Table 5.5.SAM_ALIAS
This event means that the
requested Subject
access to the local security group with RID = WriteAccount
WriteAccount access means a Write operation to the Security Account Manager object. It can be interpreted as an object modification request.1002.
Listing 6-6 shows local security group change event without any information about what exactly was changed. This change was initiated using the handle requested in the previous 4656 event.
Listing 6-7 shows that the handle, which was opened to the
object, was closed, because all required actions were completed.SAM_ALIAS DOMAINSAccountAliases 00003EA
When an account doesn't have required permissions to create a local security group, the event in Listing 6-8 is recorded in the Windows security event log.
This event is an
event that informs you that the Audit Failure
failed to get Subject
and/or CreateLocalGroup
access types for the LookupIDs
entity. Event 4656 does not show you which access or accesses from the list of requested access types were not granted.SAM_DOMAIN Security Account Manager
No other events will be recorded for an
local group creation scenario. After the Access Denied
fails to get the required accesses/access to create a new local security group, no other operations are possible.Subject
A useful event to monitor for successful local security group creation is:
SECURITY EVENT | SUBCATEGORY | EVENT TYPE |
4731: A security-enabled local group was created | Security Group Management |
|
A useful event to monitor for unsuccessful local security group creation is:
SECURITY EVENT | SUBCATEGORY | EVENT TYPE |
4656: A handle to an object was requested | SAM |
|
In general, all successful and, especially, unsuccessful local security group creation events should be monitored. Highest priority should be given to monitor any security group creation operation on high-importance/critical hosts, such as critical servers, administrative workstations, and so on.
Creation of a new local security group is not a common action performed after initial system setup. After a new system is provisioned and all required roles, components, features, and software are installed, it's not typical for additional local security groups to be created.
Monitor these events:
Audit Failure
events with the Access Mask
field equal to 0x240
and the Object Type
field equal to SAM_DOMAIN
.
Here is the XPath filter for this monitoring:
*[System[band(Keywords,4503599627370496) and (EventID=4656)]] and
*[EventData[Data[@Name='ObjectType'] and (Data='SAM_DOMAIN')]] and
*[EventData[Data[@Name='AccessMask'] ='0x244']]
A local security group deletion operation is not something you will usually see in Windows security event logs. This operation cannot be performed against built-in local security groups, such as the built-in local Administrators group, and it's not common to see any local security groups deleted, especially after initial system setup.
In this section you will see examples of events that are generated after successful and unsuccessful local security group deletion operations.
The events in Listings 6-9 through 6-12 appear in the Windows security event log when a local security group is successfully deleted.
This is the initial handle request for this security group operation.
A handle with
access must be requested for the specific DELETE
object that represents the group to be deleted. In this example, the local security group SAM object for deletion is SAM_ALIAS Security Account Manager
. The last part of the DOMAINSAccountAliases 00003EA
field value represents the RID of a local security group.Object Name
Event 4734 (Listing 6-10) indicates a successful local security group deletion operation.
This event has answers for the following questions:
Subject
Group
A local security group is an object in the Security Account Manager database. Because an object for specific local security group was deleted, you will see the event in Listing 6-11, which informs you about this.
The only way to get information about which object was deleted is to find the corresponding “4656: A handle to an object was requested” event with
access requested and with the same DELETE
(Handle ID
) field value.0x26fddeb73e0
Listing 6-12 shows that the handle that was opened to the
object for this deletion operation, was closed, because all required actions were completed.SAM_ALIAS DOMAINSAccountAliases 00003EA
When a user doesn't have
permissions for a specific local security group, a handle request will fail and the event shown in Listing 6-13 will be generated in the Windows security event log.DELETE
The
account was not able to get a handle with Andrei
permissions for the DELETE
object.DOMAINSAccountAliases 00003EC SAM_ALIAS
The
4656 event is the only event generated when a user account has no required permissions to delete a specific security group SAM object.Audit Failure
When a local security group is not deleted for another reason—for example, if someone tried to delete a built-in local security group such as the local Guests group—the event shown in Listing 6-14 is generated in the Windows security event log.
The “4656: A handle to an object was requested”
event is the only event generated if a local security group is not successfully deleted and the reason is not insufficient permissions.Audit Success
From the system's perspective, access to the specific local security group was successfully granted, but then it was denied at the application level, which the system does not monitor. You should verify whether a “4734: A security-enabled local group was deleted” event occurs after a handle request event. If yes, the security group was successfully deleted; if no, it was not deleted, but someone tried to do it.
A useful event to monitor for successful local security group deletion is:
SECURITY EVENT | SUBCATEGORY | EVENT TYPE |
4734: A security-enabled local group was deleted | Security Group Management |
|
Useful events to monitor for unsuccessful local security group deletion are:
SECURITY EVENT | SUBCATEGORY | EVENT TYPE |
4656: A handle to an object was requested 4656: A handle to an object was requested |
SAM SAM |
|
Any successful and unsuccessful access denied local security group deletion events should be monitored on all hosts. As is true for local security group creation actions, a local security deletion operation is not a common action performed during a system's lifetime. Even at initial system setup, local security group deletion is not usually performed. It's more likely that a group creation operation will be performed.
Monitor these events:
Audit Failure
events with Access Mask
field equals to “0x10000
” and Object Type
field equals SAM_ALIAS
.
The XPath filter for this monitoring is:
*[System[band(Keywords,4503599627370496) and (EventID=4656)]] and
*[EventData[Data[@Name='ObjectType'] and (Data='SAM_ALIAS')]] and
*[EventData[Data[@Name='AccessMask'] ='0x10000']]
Not many parameters can be changed for local security groups using built-in Windows tools. The available changes are:
In this section you will find information about how to monitor the first two changes from the preceding list.
Any change to the local security group, except changes in group membership, will generate the events shown in Listings 6-16 through 6-18
To make changes to the local security group object, an account must have
permission for this group. The event in Listing 6-15 occurs for any change and shows an access request for a specific WriteAccount
Security Account Manager object.SAM_ALIAS
The local security group change event shown in Listing 6-16 provides the following important information:
Group
Subject
Unfortunately, changes to a security group's description field are not shown in the 4735 event. The only included changed attributes are:
SAM Account Name:
Group's nameSID History:
Not applicable to local security groupsChanges in the
attribute of a local security group will invoke a 4735 event, but this event will not have any information about what exactly was changed.Description
Group membership delete/add operations do not generate a 4735 event.
If the group's name was changed, both the
and Group
sections will show the new group name, but you will not be able to get the group's previous name:Changed Attributes
Group:
Security ID: S-1-5-21-3212943211-794299840-588279583-1004
Group Name: NewGroupName
Group Domain: 2016SRV
Changed Attributes:
SAM Account Name: NewGroupName
SID History: -
If the security group name was changed, then in addition to a 4735 event, the 4781 event shown in Listing 6-17 is generated.
The event in Listing 6-18 has an
field, which shows you group's previous name. After the group name change is done, the handle, which was requested for this operation, is released (Listing 6-18).Old Account Name
By default, only local administrators and the Local System account can change a local group's name. If any nonadministrative account tries to change the settings for any local security group, it will get an access denied message and the event shown in Listing 6-19 will be generated in the Windows security event log.
In an “Access Denied” scenario you will see an
event, with a Audit Failure
access request to a specific Security Account Manager security group object. No other events will be generated.WriteAccount
Useful events to monitor for successful local security group change are:
SECURITY EVENT | SUBCATEGORY | EVENT TYPE |
4735: A security-enabled local group was changed 4781: The name of an account was changed |
Security Group Management User Account Management |
|
A useful event to monitor for unsuccessful local security group change is:
SECURITY EVENT | SUBCATEGORY | EVENT TYPE |
4656: A handle to an object was requested | SAM |
|
Security group name modification is a very uncommon operation. Usually it's not critical to monitor security group name changes, but in some scenarios it might be needed. For example, you should track any changes on critical hosts and any changes to specific high-importance local security groups, such as the built-in local Administrators group. In general, security group changes (except operations with group membership) are not important to monitor.
It is important to monitor changes to local security group membership.
The most privileged built-in local security groups are:
You should also verify all manually created local groups and determine which of them should be considered critical or high privileged. All changes related to critical/high-privileged groups should be monitored.
There are different ways to add/remove users from specific groups, including the Computer Management console (
), PowerShell scripts, and so on. These methods all generate the same set of events in the Windows security event log.compmgmt.msc
In this section you will find information about auditing group member addition and removal operations.
When a new member is added to a local security group, the messages shown in Listings 6-20 through 6-23 occur in the Windows security event log.
As shown in Listing 6-20 the following access rights are requested by default when a new member is added to the security group using the Computer Management console:
%%5424 (AddMember)
%%5425 (RemoveMember)
%%5426 (ListMembers)
%%5427 (ReadInformation)
Whether an account is added or removed from the security group, all four access types will be requested by the Computer Management console. The only access permission that must be requested to add a new member is AddMember. It is up to an application which permissions to request for a specific operation.
Listing 6-21 informs you about the addition of a new member to a local security group.
This event has the following information in it:
Subject
Member
Group
The
field is always empty for local security groups, because it's designed to show the distinguished name for Active Directory groups and users. See more information in Chapter 7.Member: Account Name
For all built-in local security groups, which were listed at the beginning of this chapter, the
field is always Group Domain
. For all manually created local security groups this field has a value equal to the local machine name:Builtin
Group:
Security ID: S-1-5-21-3212943211-794299840-588279583-1004
Group Name: NewGroup
Group Domain: 2016SRV
Event 4658 in Listing 6-22 shows that a handle opened for a previous operation has been closed.
The event in Listing 6-23 generates each time group membership for a local security group is enumerated.
This event happens, for example, when the Computer Manager (
) console application gathers information about group members for a specific security group. It happens when you open any group details, as illustrated in Figure 6-4.compmgmt.msc
If you use other methods to add a member to a local security group, which do not perform group membership enumeration, such as the following PowerShell script:
$group = [ADSI]"WinNT://2016srv/newgroup,group"
$group.Add(„WinNT://2016srv/andrei,user")
then a “4799: A security-enabled local group membership was enumerated” event will not be generated.
Useful information in this event is the
field, which shows the name of the process used to perform the action.Process Name
A group member removal operation, performed using the Computer Management console, has exactly the same events recorded in the Windows security event log as a successful new local group member add operation, except the “4732: A member was added to a security-enabled local group” event is replaced by the event shown in Listing 6-24.
This event has the same fields as the “4732: A member was added to a security-enabled local group” event, and shows you which security principal was removed from the specific local security group.
If a user account doesn't have sufficient permissions to add/remove members from a security group it will get an “Access Denied” message. Both add and remove operations generate the event in Listing 6-25 in the Windows security event log.
Both “add member” and “remove member” events have
, AddMember
, RemoveMember
, and ListMembers
access types in a handle request when operation is performed using the Computer Management console. There is no ability to differentiate which exact operation was requested: remove member or add member. Member add operations require AddMember permission and member remove operations require RemoveMember permissions.ReadInformation
Useful events to monitor for successful local security group members changes are:
SECURITY EVENT | SUBCATEGORY | EVENT TYPE |
4733: A member was removed from a security-enabled local group 4732: A member was added to a security-enabled local group |
Security Group Management Security Group Management |
|
A useful event to monitor for unsuccessful local security group members changes is:
SECURITY EVENT | SUBCATEGORY | EVENT TYPE |
4656: A handle to an object was requested | SAM |
|
It is critically important to perform monitoring of any successful and unsuccessful change to critical and high-privileged built-in and manually created security groups. The following built-in local security groups are considered high privileged:
Also, it's unusual to remove or add members to local security groups too often. Usually it happens when a machine joins the Active Directory domain or during role, feature, or application installation or removal. Any successful and unsuccessful member add and remove operations should be monitored.
Monitor these events:
Audit Failure
events with Access Mask
field equals to “0xF
” and Object Type
field equals SAM_ALIAS
.
The XPath filter for this monitoring is:
*[System[band(Keywords,4503599627370496) and (EventID=4656)]] and
*[EventData[Data[@Name='ObjectType'] and (Data='SAM_ALIAS')]] and
*[EventData[Data[@Name='AccessMask'] ='0xF']]
The last scenario for monitoring using the Windows security event log is group membership enumeration. This event triggers when someone queries a list of members for a specific local security group. For example, it will be triggered when someone opens a local security group's properties, which automatically shows you a list of the current group's members.
The event in Listing 6-26 is generated in the Windows security event log when a local security group membership is enumerated.
A 4799 event contains the following information:
Subject
Group
Process Information
By default, all members of a built-in local Users group can enumerate membership for any local security group.
A useful event to monitor for successful local security group membership enumeration is:
SECURITY EVENT | SUBCATEGORY | EVENT TYPE |
4799: A security-enabled local group membership was enumerated | Security Group Management |
|
A local security group membership enumeration event is mostly informational and could be monitored if needed.
3.144.202.167