
Subject: Meeting the InCommon Assurance profile criteria using Active Directory

[AD-Assurance] RE: Detecting NTLM v1 vs. v2 in the event logs - Event 4624


  • From: Ron Thielen <>
  • To: "" <>
  • Subject: [AD-Assurance] RE: Detecting NTLM v1 vs. v2 in the event logs - Event 4624
  • Date: Fri, 24 May 2013 17:26:23 +0000

Just so you can have it to try if you like, here is the event 4624 PowerShell script that we run daily. We have two domains, ad and ad.local. Don’t ask why. I then run a Perl script that goes through these logs and identifies any Silver users in these logs and puts them in a “silver_deny” Grouper group to take away their Silver status.

Ron

# Script to gather and mail all NTLMv1 events within the past 24 hours

Import-Module ActiveDirectory

# assign array of all DCs in each domain
$ADDCs = Get-ADDomainController -Filter * -Server ad.uchicago.edu
$ADLOCALDCs = Get-ADDomainController -Filter * -Server ad.local

$Now = Get-Date
$Yesterday = $Now.AddDays(-1)

$NewOutputFile = "c:\scripts\Events\$($Yesterday.ToString('yyyyMMdd'))_AD_NTLMv1_events.log"

# Function to gather events from a DC and write out log
function GetEvents($DC){
    if($DC.OperatingSystem.Contains("2008")){  # Search 2008 DCs only (earlier DCs do not record the NTLM package name in 4624)
        # Find events with specified Event IDs; -Message is a wildcard match over the whole message body
        Write-Host "Searching log on " $DC.HostName
        $Events = Get-EventLog "Security" -After $Yesterday.Date -Before $Now.Date -ComputerName $DC.HostName -Message "*V1*" -InstanceId 4624
        foreach($Event in $Events){
            Write-Host $DC.HostName $Event.EventID $Event.TimeGenerated
            # write event to log as one comma-separated line; $($Event.Message) needs the leading $ to expand inside the string
            Out-File -FilePath $NewOutputFile -InputObject "$($Event.EventID),$($Event.MachineName),$($Event.TimeGenerated),$($Event.ReplacementStrings),$($Event.Message)" -Append
        }
    }
}

# Send each DC to GetEvents function
foreach($DC in $ADDCs){ GetEvents $DC }
foreach($DC in $ADLOCALDCs){ GetEvents $DC }


From: [mailto:] On Behalf Of Brian Arkills
Sent: Friday, May 24, 2013 12:05 PM
To:
Subject: [AD-Assurance] RE: Detecting NTLM v1 vs. v2 in the event logs - Event 4624


Thanks for that, Jeff.

So if you've got WS2008R2 or better DCs, you'll have 4624 events with a clear indication of NTLMv1 when used. If you don't have DCs with that OS, then you have to resort to network captures to make that determination.


From: [] On Behalf Of Capehart,Jeffrey D
Sent: Friday, May 24, 2013 9:48 AM
To:
Subject: [AD-Assurance] Detecting NTLM v1 vs. v2 in the event logs - Event 4624

 

From "Ask the Directory Services Team" (Microsoft's official enterprise support blog for AD DS and more):

http://blogs.technet.com/b/askds/archive/2012/02/02/purging-old-nt-security-protocols.aspx

Today the troika of Dave, Jonathan, and Ned are here to help you discover which computers and applications are using NTLM V1 and LM security, regardless of your operating system. It’s safe to say that some people aren’t going to like our answers or how much work this entails, but that’s life; […]  Windows Server 2008 R2 NTLM auditing only shows you NTLM usage in general.

 

Windows Server 2008+ security auditing can tell you about the NTLM version through the 4624 event that states a Package Name (NTLM only): NTLM V1 or Package Name (NTLM only): NTLM V2, but all prior operating systems cannot.

 

Comments:

Sam Y.:

“If I understand this post correctly the only way to detect if NTLMV1 is in use is to use network captures whereas LM usage can be detected through the netlogon.log. Have I got that right or am I just confused?”

MSFT:

“Correct, unfortunately. We could not find any indicator of NTLMv1 in the netlogon log instrumentation. And we tried like the dickens...”

Ned, does event 4624 log LM authentication?  When I filter events with "Authentication Package" set to "NTLM", I see that "Package Name (NTLM only)" is either NTLM V1 or NTLM V2.

Jeff Capehart, CISA
IT Audit Manager
University of Florida - Office of Internal Audit
(352) 273-1882

http://oia.ufl.edu
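As an added example (not Ron's script, not the Perl post-processor he mentions, and not code from the Microsoft blog), here is a Python version of the second half of that daily pipeline: parse the message text of 4624 events, pick out the accounts whose NTLM logons used anything other than NTLM V2, and intersect them with a list of Silver users. The event bodies, account names, hostnames and IP address are constructed to mimic the field layout of a 4624 event as written by a 2008 R2 DC; `make_4624`, `SAMPLE_EVENTS` and `SILVER_USERS` are this example's own and not from the thread. Two details are worth having in code: a 4624 body carries an "Account Name" in both the Subject and the New Logon section, so a naive string search can return the DC's own machine account instead of the user; and the script above selects events with `-Message "*V1*"`, which matches anywhere in the message body, whereas reading the `Package Name (NTLM only)` field checks exactly the indicator Jeff describes.

```python
"""Pick legacy-NTLM (anything other than NTLM V2) logons out of Security
event 4624 message text and list the accounts that used them.
Added example; the event bodies are constructed to mimic the 4624 layout,
with made-up account names, hosts and addresses."""
from collections import defaultdict


def make_4624(account, domain, auth_pkg, ntlm_pkg, workstation, subject="DC01$"):
    """Build a constructed 4624-style message body (hypothetical helper).
    The Subject section carries a different Account Name (the DC's own
    machine account) than the New Logon section, as real events do."""
    logon_process = "NtLmSsp" if auth_pkg == "NTLM" else "Kerberos"
    return (
        "An account was successfully logged on.\n\n"
        "Subject:\n"
        f"\tSecurity ID:\t\tSYSTEM\n\tAccount Name:\t\t{subject}\n"
        f"\tAccount Domain:\t\t{domain}\n\tLogon ID:\t\t0x3E7\n\n"
        "Logon Type:\t\t\t3\n\n"
        "New Logon:\n"
        f"\tSecurity ID:\t\tS-1-5-21-0-0-0-1001\n\tAccount Name:\t\t{account}\n"
        f"\tAccount Domain:\t\t{domain}\n\tLogon ID:\t\t0x1A2B3C\n\n"
        "Network Information:\n"
        f"\tWorkstation Name:\t{workstation}\n\tSource Network Address:\t10.0.0.5\n"
        "\tSource Port:\t\t49152\n\n"
        "Detailed Authentication Information:\n"
        f"\tLogon Process:\t\t{logon_process}\n\tAuthentication Package:\t{auth_pkg}\n"
        f"\tTransited Services:\t-\n\tPackage Name (NTLM only):\t{ntlm_pkg}\n"
        "\tKey Length:\t\t128\n"
    )


def parse_4624(message):
    """Parse a 4624 body into {section: {field: value}}.
    Tab-indented 'Field:<tabs>Value' lines belong to the last 'Section:'
    header; un-indented fields such as 'Logon Type:' land in the '' section."""
    sections = {"": {}}
    current = ""
    for raw in message.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw.startswith("\t"):              # field inside the current section
            key, _, value = line.partition(":")
            sections[current][key.strip()] = value.strip()
        elif line.endswith(":"):              # section header
            current = line[:-1]
            sections[current] = {}
        elif ":" in line:                     # root-level field
            key, _, value = line.partition(":")
            sections[""][key.strip()] = value.strip()
        # the leading sentence has no colon and is ignored
    return sections


def ntlm_logons(messages):
    """Yield (DOMAIN\\account, package, workstation) for each NTLM logon."""
    for msg in messages:
        ev = parse_4624(msg)
        auth = ev.get("Detailed Authentication Information", {})
        if auth.get("Authentication Package", "").upper() != "NTLM":
            continue  # Kerberos and other packages carry no NTLM sub-package
        who = ev.get("New Logon", {})  # not Subject: that is the caller, often the DC
        account = f"{who.get('Account Domain', '?')}\\{who.get('Account Name', '?')}"
        workstation = ev.get("Network Information", {}).get("Workstation Name", "-")
        yield account, auth.get("Package Name (NTLM only)", "-"), workstation


def legacy_ntlm_by_account(messages):
    """Accounts whose NTLM logons used anything other than NTLM V2, mapped to
    the sorted (package, workstation) pairs seen. Testing for 'not V2' instead
    of searching for 'V1' does not depend on the legacy package's wording."""
    hits = defaultdict(set)
    for account, package, workstation in ntlm_logons(messages):
        if package.upper() != "NTLM V2":
            hits[account].add((package, workstation))
    return {account: sorted(seen) for account, seen in hits.items()}


def silver_deny_candidates(messages, silver_users):
    """Silver-assured users seen on a legacy NTLM logon: the set a deny-group
    step would act on."""
    return sorted(set(legacy_ntlm_by_account(messages)) & set(silver_users))


# Constructed sample: one day's 4624 bodies from a DC, plus a Silver roster.
SAMPLE_EVENTS = [
    make_4624("jdoe", "AD", "NTLM", "NTLM V1", "LAB-PC7"),
    make_4624("asmith", "AD", "NTLM", "NTLM V2", "WS-0142"),
    make_4624("bjones", "AD", "Kerberos", "-", "-"),
    make_4624("jdoe", "AD", "NTLM", "NTLM V1", "PRINTSRV"),
    make_4624("svc-backup", "AD", "NTLM", "NTLM V1", "BKUP01"),
]
SILVER_USERS = {"AD\\jdoe", "AD\\asmith"}

if __name__ == "__main__":
    for account, seen in legacy_ntlm_by_account(SAMPLE_EVENTS).items():
        print(account, seen)
    print("silver_deny candidates:", silver_deny_candidates(SAMPLE_EVENTS, SILVER_USERS))
```

Run it directly to print the findings; in practice the message column of the daily log would replace `SAMPLE_EVENTS`, and the returned list would feed whatever group-management step takes the Silver status away. Keeping the workstation name alongside each hit is what lets the follow-up (finding the device or application that still speaks NTLMv1) start from the log rather than from a network capture.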

 



