| VID |
28308 |
| Severity |
30 |
| Port |
139,445 |
| Protocol |
TCP |
| Class |
SMB |
| Detailed Description |
Account logon event auditing is turned off. Windows 2000 introduced Kerberos as the new authentication mechanism. In addition to the logon/logoff events that already existed in Windows NT, it is important to audit Kerberos ticket related account logon and logoff events for both success and failure so that unauthorized access attempts can be detected and tracked. Windows 2000 introduces the capability to log workstation-level user login/logoff into the security log of the domain controller that manages the workstation in question. Previously, in Windows NT, only the local workstation (or server) that the user logged into would receive the login/logout event, except in the case where a workstation mounted a share from a server system; this would be logged only on the server system. Under Windows 2000, the domain controller interprets the workstation's request for domain authentication as a login event. These events appear in the Event Viewer Security Log.
* Note: This check requires an account with administrative privileges that can log into the host being scanned. If these conditions are not met, the check is not performed, which results in a False Negative for all vulnerable hosts.
* References: http://www.microsoft.com/windows2000/techinfo/howitworks/security/kerberos.asp http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html http://www.intersectalliance.com/projects/Win2kConfig/Windows2000Config-9.0.html
* Platforms Affected: Windows Any version |
| Recommendation |
To enable auditing of Account Logon Events, follow the steps below appropriate for your platform.
For a Windows 2000 domain:
1. Start Microsoft Management Console (mmc). From the Windows Start menu, select Run, type mmc, and click OK.
2. Add Group Policy Snap-in.
3. Browse Group Policy Objects.
4. Select the Domain Policy of interest.
5. Traverse the following path: Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy, and Audit account logon events.
6. Check the events on Success and Failure you wish to audit, and then click on "OK".
For a stand-alone Windows 2000 computer:
1. On the affected computer, start gpedit.msc. From the Windows Start menu, select Run, type gpedit.msc, and click OK. (The focus is the local computer by default.)
2. Traverse the following path: Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy, and Audit account logon events.
3. Check the events on Success and Failure you wish to audit, and then click on "OK".
For a Windows XP, 2003, 7, 2008, 8, 2012, 10, 2016, or 2019 computer:
1. On the affected computer, start gpedit.msc. From the Windows Start menu, select Run, type gpedit.msc, and click OK. (The focus is the local computer by default.)
2. Traverse the following path: Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy, and Audit account logon events.
3. Check the events on Success and Failure you wish to audit, and then click on "OK".
* Note: Be aware that Group Policy settings will override Local Policy Settings. |
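To confirm the result of the steps above from a command line, the following added example (not part of the original advisory) exports the security policy with `secedit` and reads the `AuditAccountLogon` value that the "Audit account logon events" setting is stored under. The function name `Get-AccountLogonAudit` and its `-InfPath` parameter are hypothetical; it assumes an elevated PowerShell prompt and treats "Success and Failure" (value 3) as the target, following the description above.

```powershell
# Added example: report the "Audit account logon events" setting.
# secedit writes it to the [Event Audit] section as AuditAccountLogon = N,
# where N is a bit field: 0 = no auditing, 1 = Success, 2 = Failure, 3 = both.
function Get-AccountLogonAudit {
    param(
        # Optional path to an existing secedit export (hypothetical parameter).
        [string]$InfPath
    )

    $cleanup = $false
    if (-not $InfPath) {
        # Export the security policy area to a temporary INF file.
        $InfPath = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
        secedit /export /cfg $InfPath /areas SECURITYPOLICY | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "secedit export failed; run from an elevated prompt."
        }
        $cleanup = $true
    }

    try {
        $line = Get-Content -Path $InfPath |
            Where-Object { $_ -match '^\s*AuditAccountLogon\s*=\s*\d+\s*$' } |
            Select-Object -First 1
        if (-not $line) {
            throw "AuditAccountLogon not found in $InfPath."
        }
        $value = [int](($line -split '=')[1].Trim())
    }
    finally {
        if ($cleanup) { Remove-Item -Path $InfPath -ErrorAction SilentlyContinue }
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        RawValue  = $value
        Success   = [bool]($value -band 1)
        Failure   = [bool]($value -band 2)
        # Assumption: both Success and Failure are required to pass.
        Compliant = ($value -eq 3)
    }
}

Get-AccountLogonAudit | Format-List
```

On Windows versions that use advanced audit policy subcategories, `auditpol /get /category:"Account Logon"` shows the per-subcategory settings, which can differ from this category-level value.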
| Related URL |
(CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
3914 (ISS) |
|