Custom Event view to monitor logins of a user

A couple of days ago a customer asked me if I know a solution for his problem:

They have used the standard domain administrator account (contoso\Administrator) during the last 10 years for the installation and configuration of server software and applications. Now they want to change the password of the domain administrator and they don’t know where the account has been used so that they can change it in the application / service / scheduled task etc.

Using the standard domain administrator account to install and configure software is not a good idea, because in a situation like this you cannot easily change its password. A better approach is to use a dedicated user for every application (yes, every application) and to give this account only the permissions the application requires to run.

If you are in a situation like my customer and you want to find out where the account is used you can create a custom event view and track the logon events of the user. You can create a custom XML filter like the following to track the logon events (event id 4624) for the user Administrator:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(Level=4 or Level=0) and (EventID=4624)]]
      and
      <!-- Compare the value of the named Data element directly; a bare Data='Administrator'
           would also match other fields such as SubjectUserName -->
      *[EventData[Data[@Name='TargetUserName']='Administrator' or Data[@Name='TargetUserName']='CONTOSO\Administrator']]
    </Select>
  </Query>
</QueryList>

You can extract the IP address or name of the computer where the account has logged on from the data in the event:

New Logon:
Security ID: CONTOSO\Administrator
Account Name: Administrator
Account Domain: CONTOSO
Logon ID: 0xc22879
Logon GUID: {056ed80b-1111-2222-3333-9e58a66aa2c9}

Process Information:
Process ID: 0x344
Process Name: C:\Windows\System32\winlogon.exe

Network Information:
Workstation Name: SERVER2
Source Network Address: 192.168.1.2
Source Port: 53183

The “Network Information” section shows the computer or network address from which the logon originated. This way you can at least identify the computers that still use the domain administrator account and check the services, applications or scheduled tasks on those computers. Please note that the workstation name or source network address may contain no information, because the logon was initiated from the local computer or did not use TCP/IP at all.
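The same filter can be run from PowerShell instead of the Event Viewer GUI, which makes it easy to pull the "Network Information" fields out of each event and summarize which computers and addresses still use the account. The following script is an added example and not part of the original post; the account name, domain, list of servers and 30-day window are assumptions you will need to adjust.

```powershell
# Added example: find where a given domain account has logged on (event 4624)
# and summarize the source computer / address / logon type per server.
# Account, domain, server list and time window are assumptions; adjust them.
param(
    [string]$User         = 'Administrator',          # TargetUserName to look for (assumed)
    [string]$Domain       = 'CONTOSO',                # TargetDomainName (assumed)
    [int]$Days            = 30,                       # how far back to search (assumed)
    [string[]]$ComputerName = @($env:COMPUTERNAME)    # servers whose Security log to query
)

# Same XPath as the custom view. The value is bound to the named Data element, so a
# bare Data='Administrator' cannot accidentally match SubjectUserName. XPath string
# comparison is case-sensitive, so the name must match the event exactly.
$windowMs = $Days * 24 * 60 * 60 * 1000
$xpath = @(
    "*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) <= $windowMs]]]",
    "and",
    "*[EventData[Data[@Name='TargetUserName']='$User' and Data[@Name='TargetDomainName']='$Domain']]"
) -join ' '

# Logon type values documented for event 4624
$logonTypes = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

# Read one named <Data> element from the event's XML body
function Get-EventDataValue {
    param([xml]$EventXml, [string]$Name)
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$results = foreach ($computer in $ComputerName) {
    try {
        # -ErrorAction Stop turns "No events were found" into a catchable error
        $events = Get-WinEvent -ComputerName $computer -LogName Security -FilterXPath $xpath -ErrorAction Stop
    } catch {
        Write-Warning "$computer : $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        $x  = [xml]$e.ToXml()
        $lt = [int](Get-EventDataValue $x 'LogonType')
        [pscustomobject]@{
            LoggedOnTo  = $computer                       # server that recorded the logon
            Time        = $e.TimeCreated
            LogonType   = if ($logonTypes.ContainsKey($lt)) { $logonTypes[$lt] } else { $lt }
            Workstation = Get-EventDataValue $x 'WorkstationName'
            SourceIP    = Get-EventDataValue $x 'IpAddress'  # '-', '::1' or 127.0.0.1 = local logon
            Process     = Get-EventDataValue $x 'ProcessName'
        }
    }
}

# Full detail, newest first, then a count per server / source / logon type
$results | Sort-Object Time -Descending | Format-Table -AutoSize
$results | Group-Object LoggedOnTo, SourceIP, LogonType |
    Select-Object Count, Name | Sort-Object Count -Descending | Format-Table -AutoSize
```

Event 4624 is written to the Security log of the computer on which the logon session is created, so the script has to be pointed at every server that might host a service or scheduled task running as the account (or at a collector if you forward Security logs). The logon type is worth keeping in the output: type 5 (Service) and type 4 (Batch) point directly at a service or scheduled task on that server, while type 3 (Network) only tells you which client address connected.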

You can find more information about the data contained in the logon event body on the following site:

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624

The following sites contain information about custom event filters:

https://blogs.technet.microsoft.com/askds/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer/

https://blogs.technet.microsoft.com/brad_rutkowski/2006/12/04/how-to-filter-the-eventlog-in-vista-manually-xml/
