Windows Server 2012 R2 - Help finding the source of failed logon attempts
I'm looking for help with an issue I'm having on our AD domain controller: many security events are being logged due to failed logon attempts by a (former) domain user that has been disabled and subsequently deleted. I've tried to pinpoint the origin of these attempts, but so far without success. One of the biggest challenges is that the origin of the attempts appears to be the domain controller itself, triggered by svchost.exe (which doesn't really help). At some point that user was an administrator account, if that's relevant.
What I have tried so far:
- Querying the scheduled tasks to see whether any task is being called by that username, but I found nothing related to the username or the event times:
schtasks /query /v /fo csv > sched_tasks.csv
- Using ProcMon to try to find any commonality between the events and the actions of the processes ProcMon was logging, but this proved laborious and fruitless.
- Searching the registry for the username, but I found nothing of interest.
I'm not sure what other options I have to try to find the source of these failed logon attempts. Looking at the events themselves doesn't give me any particular clue, and the timing doesn't make sense to me either. Sometimes I get 3 attempts in a row, each 10 or 20 seconds apart, and sometimes 30 minutes, 1 hour, 5 hours, etc. go by without anything being logged for this particular username.
I'll share the 4 most common events triggered by that user, but I'll note that the 4th event, related to the Kerberos Authentication Service, is not common. Usually I only get the first 3 (Logon, Credential Validation, Logon). The events have the same logged time, but if Event Viewer is correct, the bottom event (in order) is older than the ones above it.
Keywords: Audit Failure
Date and Time: 19/07/2017 16:18:39
Event ID: 4768
Task Category: Kerberos Authentication Service

A Kerberos authentication ticket (TGT) was requested.

Account Information:
    Account Name: deleteduser
    Supplied Realm Name: CONTOSO
    User ID: NULL SID

Service Information:
    Service Name: krbtgt/CONTOSO
    Service ID: NULL SID

Network Information:
    Client Address: ::1
    Client Port: 0

Additional Information:
    Ticket Options: 0x40810010
    Result Code: 0x6
    Ticket Encryption Type: 0xFFFFFFFF
    Pre-Authentication Type: -

Certificate Information:
    Certificate Issuer Name:
    Certificate Serial Number:
    Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.


Keywords: Audit Failure
Date and Time: 19/07/2017 16:18:39
Event ID: 4625
Task Category: Logon

An account failed to log on.

Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: deleteduser
    Account Domain: CONTOSO

Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xC000006D
    Sub Status: 0xC0000064

Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -

Network Information:
    Workstation Name: SRV01
    Source Network Address: -
    Source Port: -

Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.


Keywords: Audit Failure
Date and Time: 19/07/2017 16:18:39
Event ID: 4776
Task Category: Credential Validation

The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: deleteduser
Source Workstation: SRV01
Error Code: 0xC0000064


Keywords: Audit Success
Date and Time: 19/07/2017 16:18:39
Event ID: 4648
Task Category: Logon

A logon was attempted using explicit credentials.

Subject:
    Security ID: NETWORK SERVICE
    Account Name: SRV01$
    Account Domain: CONTOSO
    Logon ID: 0x3E4
    Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
    Account Name: deleteduser
    Account Domain: CONTOSO
    Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
    Target Server Name: srv01.CONTOSO.local
    Additional Information: srv01.CONTOSO.local

Process Information:
    Process ID: 0x2b8
    Process Name: C:\Windows\System32\svchost.exe

Network Information:
    Network Address: -
    Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

Thanks in advance for your help.
Have a nice day!
I found the source of these events, and I'm surprised it took me so long, since I had been close to it a few days ago.
I started looking closely at the logs again, analyzing each line of information for clues. One of the clues I was after was in the first logged event (the last one in the list above), event ID 4648:

Keywords: Audit Success
Date and Time: 19/07/2017 16:18:39
Event ID: 4648
Task Category: Logon

A logon was attempted using explicit credentials.

Subject:
    Security ID: NETWORK SERVICE
    Account Name: SRV01$
    Account Domain: CONTOSO
    Logon ID: 0x3E4
    Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
    Account Name: deleteduser
    Account Domain: CONTOSO
    Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
    Target Server Name: srv01.CONTOSO.local
    Additional Information: srv01.CONTOSO.local

Process Information:
    **Process ID: 0x2b8**
    Process Name: C:\Windows\System32\svchost.exe

Network Information:
    Network Address: -
    Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

Note the bold part, "Process ID: 0x2b8".
That converts to 696 in decimal. So I opened Task Manager, found the process running with that PID, right-clicked it and chose Go to service(s). As was the case a few days ago, it pointed to the DHCPServer service, which, like many other services, runs from the svchost.exe process.
I opened the DHCP snap-in, but this time I took the time to look at every option, and eventually I found the culprit: the IPv4/IPv6 DNS dynamic update registration credentials (IPv4/IPv6 Properties > Advanced > Credentials). The elusive user's credentials were saved there. I created a new user solely for that role, replaced the deleted user with the new credentials, and restarted the DHCP Server service. So far so good.
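As an added example (my code, not from the original answer), the following PowerShell script automates the procedure above on the domain controller: it pulls the 4648 events in which the deleted account's credentials were used, converts each Process ID from hex to decimal, maps that PID to the services hosted by the svchost instance (the "Go to service(s)" step), and, when the DhcpServer module is available, shows which account the DHCP Server's DNS dynamic update credential uses. The `$Account` default and the `$MaxEvents` limit are assumptions.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell
# session on the domain controller that logs the events.
param(
    [string]$Account   = 'deleteduser',   # assumed: account name from the 4625/4776/4648 events
    [int]   $MaxEvents = 200              # assumed: how far back in the Security log to look
)

# Read one named <Data> field from the event XML instead of relying on
# positional Properties[] indexes, which differ between event IDs.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4648 = "A logon was attempted using explicit credentials". TargetUserName is the
# "Account Whose Credentials Were Used" field shown in the post.
$hits = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4648 } `
            -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventField $_ 'TargetUserName') -eq $Account }

$hostedServices = @()
foreach ($e in $hits) {
    $pidHex = Get-EventField $e 'ProcessId'        # logged as hex, e.g. 0x2b8 in the post
    $procId = [Convert]::ToInt32($pidHex, 16)      # 0x2b8 -> 696, the value Task Manager shows
    # Map the PID to the services that svchost instance hosts. PIDs are reused after a
    # reboot, so only trust this mapping while the event is recent and the host has not restarted.
    $svcs = Get-CimInstance Win32_Service -Filter "ProcessId = $procId" |
            Select-Object -ExpandProperty Name
    $hostedServices += $svcs
    [pscustomobject]@{
        Time      = $e.TimeCreated
        ProcessId = $procId
        Process   = Get-EventField $e 'ProcessName'
        Services  = ($svcs -join ', ')
    }
}

# If the DHCP Server service is among them, show the DNS dynamic update credential
# (the GUI location from the post: IPv4/IPv6 Properties > Advanced > Credentials).
if (($hostedServices -contains 'DHCPServer') -and (Get-Module -ListAvailable -Name DhcpServer)) {
    Get-DhcpServerDnsCredential
}
```

On the events shown in this thread the PID 0x2b8 resolves to 696, and the service list for that svchost instance is where DHCPServer appears; a credential still pointing at the deleted account is the finding to act on.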