
Advanced Windows Security: protocols and logon tracking | GOPAS | Ing. Ondřej Ševeček

Presentation transcript:

1 Advanced Windows Security: protocols and logon tracking. GOPAS: info@gopas.cz | www.gopas.cz | www.facebook.com/P.S.GOPAS. Ing. Ondřej Ševeček | GOPAS a.s. | MCM:Directory | MVP:Enterprise Security | CEH: Certified Ethical Hacker | CHFI: Computer Hacking Forensic Investigator | ondrej@sevecek.com | www.sevecek.com

2 Logon auditing Advanced Windows Security

3 Auditing (2000+)

4 Granular auditing (2008/Vista+)

5 Logon auditing
 - Account Logon Event: the "authentication event", logged when an account database validates credentials
 - Logon Event: the "session event", logged every time an Access Token is created or closed

6 Auditing (Interactive Logon) [diagram: Client, DC and SQL / FS / WFE servers; events shown: Account Logon, Logon 1, Logon 2]

7 Kerberos Failure Codes (http://technet.microsoft.com/en-us/library/bb463166.aspx)

Status  Name
0x0     KDC_ERR_NONE
0x1     KDC_ERR_NAME_EXP
0x2     KDC_ERR_SERVICE_EXP
0x3     KDC_ERR_BAD_PVNO
0x4     KDC_ERR_C_OLD_MAST_KVNO
0x5     KDC_ERR_S_OLD_MAST_KVNO
0x6     KDC_ERR_C_PRINCIPAL_UNKNOWN
0x7     KDC_ERR_S_PRINCIPAL_UNKNOWN
0x8     KDC_ERR_PRINCIPAL_NOT_UNIQUE
0x9     KDC_ERR_NULL_KEY
0xA     KDC_ERR_CANNOT_POSTDATE

8 Kerberos Failure Codes (http://technet.microsoft.com/en-us/library/bb463166.aspx)

Status  Name
0xB     KDC_ERR_NEVER_VALID
0xC     KDC_ERR_POLICY
0xD     KDC_ERR_BADOPTION (delegation not enabled)
0xE     KDC_ERR_ETYPE_NOTSUPP (etype not supported)
0xF     KDC_ERR_SUMTYPE_NOSUPP
0x10    KDC_ERR_PADATA_TYPE_NOSUPP
0x11    KDC_ERR_TRTYPE_NO_SUPP
0x12    KDC_ERR_CLIENT_REVOKED (account disabled)
0x13    KDC_ERR_SERVICE_REVOKED
…
0x17    KDC_ERR_KEY_EXPIRED (password expired, even when using smart cards)
0x18    KDC_ERR_PREAUTH_FAILED (bad password or invalid certificate)
0x19    KDC_ERR_PREAUTH_REQUIRED
0x25    KRB_AP_ERR_SKEW (clock skew)

9 Logon types

Type                     Value
Interactive              2
Network                  3
Batch                    4
Service                  5
Unlock                   7
NetworkCleartext         8
NewCredentials           9
RemoteInteractive        10
CachedInteractive        11
CachedRemoteInteractive  12
CachedUnlock             13

10 Logon sessions

    # list the active logon sessions: LUID (decimal and hex, as shown in the event log),
    # authentication package, logon type, start time and the account that owns the session
    gwmi win32_LogonSession |
      select LogonId,
        # LogonId is a 64-bit LUID delivered as a string; cast to int64 so large values do not overflow
        @{ n = 'LogonIdHex' ; e = { '0x{0:X}' -f ([int64] $_.LogonId) } },
        AuthenticationPackage, LogonType, StartTime,
        @{ n = 'Login' ; e = { $_.GetRelated('Win32_Account') | select -f 1 | select -Expand Caption } },
        @{ n = 'SID' ; e = { $_.GetRelated('Win32_Account') | select -f 1 | select -Expand SID } }

11 Auditing (Network session) [diagram: Client, DC and SQL / FS / WFE servers; events shown: Account Logon, Logon 1, Logon 2]

12 Status codes

Status                         Value
STATUS_WRONG_PASSWORD          0xC000006A
STATUS_PASSWORD_RESTRICTION    0xC000006C
STATUS_LOGON_FAILURE           0xC000006D
STATUS_ACCOUNT_RESTRICTION     0xC000006E
STATUS_INVALID_LOGON_HOURS     0xC000006F
STATUS_INVALID_WORKSTATION     0xC0000070
STATUS_PASSWORD_EXPIRED        0xC0000071
STATUS_ACCOUNT_DISABLED        0xC0000072
STATUS_LOGON_NOT_GRANTED       0xC0000155
STATUS_LOGON_TYPE_NOT_GRANTED  0xC000015B
STATUS_ACCOUNT_EXPIRED         0xC0000193
STATUS_PASSWORD_MUST_CHANGE    0xC0000224
STATUS_ACCOUNT_LOCKED_OUT      0xC0000234

13 Download err.exe
 - version 2008: http://www.microsoft.com/en-us/download/details.aspx?id=985
 - most up-to-date version: SDK for Windows 8.1, http://msdn.microsoft.com/en-us/windows/desktop/bg162891.aspx
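As an added example (not part of the deck), the following PowerShell ties the three tables together: it reads recent 4625 (logon failure) and 4771 (Kerberos pre-authentication failure) events from the Security log and names the failure reason and logon type, falling back to err.exe for codes outside the tables. It assumes an elevated session on the audited host; Get-WinEvent, the event IDs and the EventData field names are the standard Windows ones, while the function and variable names are mine.

```powershell
# Added example, not from the slide deck: decode recent logon failures (4625) and
# Kerberos pre-authentication failures (4771) using the code tables from the slides.
# Assumes an elevated PowerShell on the audited host; Get-WinEvent, the event IDs and the
# EventData field names (Status, SubStatus, LogonType, TargetUserName, IpAddress) are
# standard Windows ones, the function and variable names are ours.
$NtStatusNames = @{
    '0xC000006A' = 'STATUS_WRONG_PASSWORD';      '0xC000006C' = 'STATUS_PASSWORD_RESTRICTION'
    '0xC000006D' = 'STATUS_LOGON_FAILURE';       '0xC000006E' = 'STATUS_ACCOUNT_RESTRICTION'
    '0xC000006F' = 'STATUS_INVALID_LOGON_HOURS'; '0xC0000070' = 'STATUS_INVALID_WORKSTATION'
    '0xC0000071' = 'STATUS_PASSWORD_EXPIRED';    '0xC0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xC0000155' = 'STATUS_LOGON_NOT_GRANTED';   '0xC000015B' = 'STATUS_LOGON_TYPE_NOT_GRANTED'
    '0xC0000193' = 'STATUS_ACCOUNT_EXPIRED';     '0xC0000224' = 'STATUS_PASSWORD_MUST_CHANGE'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
}
$KerberosFailureNames = @{
    '0x12' = 'KDC_ERR_CLIENT_REVOKED (account disabled)'; '0x17' = 'KDC_ERR_KEY_EXPIRED (password expired)'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED (bad password or invalid certificate)'
    '0x19' = 'KDC_ERR_PREAUTH_REQUIRED';                  '0x25' = 'KRB_AP_ERR_SKEW (clock skew)'
}
$LogonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'; 8 = 'NetworkCleartext'
    9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
    12 = 'CachedRemoteInteractive'; 13 = 'CachedUnlock'
}
function Get-LogonFailureSummary {
    param([int] $MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4771 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData is a list of <Data Name="...">value</Data> elements; index them by name
        $d = @{}
        foreach ($f in ([xml] $_.ToXml()).Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        if ($_.Id -eq 4625) {
            # Status is usually the generic STATUS_LOGON_FAILURE; SubStatus holds the real reason
            $code = if ($d.SubStatus -and $d.SubStatus -ne '0x0') { $d.SubStatus } else { $d.Status }
            $reason = $NtStatusNames[$code]; $type = $LogonTypeNames[[int] $d.LogonType]
        } else {
            $code = $d.Status; $reason = $KerberosFailureNames[$code]; $type = 'Kerberos AS-REQ'
        }
        if (-not $reason) { $reason = "unknown ($code), look it up with err.exe" }
        [pscustomobject] @{
            Time = $_.TimeCreated; Id = $_.Id; User = $d.TargetUserName; Source = $d.IpAddress
            LogonType = $type; Code = $code; Reason = $reason
        }
    }
}
# one row per failure reason, most frequent first: a sudden spike in WRONG_PASSWORD or
# ACCOUNT_LOCKED_OUT from a single Source is the pattern worth alerting on
Get-LogonFailureSummary | Group-Object Reason | Sort-Object Count -Descending |
    Select-Object Count, Name
```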

14 Auditing (Interactive logoff): logged immediately at logoff [diagram: Client, DC and SQL / FS / WFE servers; event shown: Logoff 1]

15 Auditing (Network session logoff): logged when the TCP connection is closed [diagram: Client, DC and SQL / FS / WFE servers; event shown: Logoff 1]

16 Thank you for your attention. GOPAS: info@gopas.cz | www.gopas.cz | www.facebook.com/P.S.GOPAS. Ing. Ondřej Ševeček | GOPAS a.s. | MCM:Directory | MVP:Enterprise Security | CEH: Certified Ethical Hacker | CHFI: Computer Hacking Forensic Investigator | ondrej@sevecek.com | www.sevecek.com

