Usage of administrative accounts must be monitored for suspicious and anomalous activity.


Overview

Finding ID: V-43712
Version: AD.AU.0001
Rule ID: SV-56533r2_rule
IA Controls: ECAT-1
Severity: Medium
Description
Monitoring the usage of administrative accounts can alert on suspicious behavior and anomalous account usage that would be indicative of potential malicious credential reuse.
STIG: Active Directory Domain Security Technical Implementation Guide (STIG)
Date: 2014-12-18

Details

Check Text ( C-49402r7_chk )
Verify that account usage events for administrative accounts are being monitored. This includes events related to approved administrative accounts as well as accounts being added to privileged groups such as Administrators, Domain Admins, Enterprise Admins, and other organization-defined administrative groups. Event monitoring may be implemented through various methods, including log aggregation and the use of monitoring tools.

Monitor for the events listed below, at minimum. If these events are not monitored, this is a finding.

Windows Vista and later:
Account Lockouts (Subcategory: User Account Management)
4740 - A user account is locked out.
User Added to Privileged Group (Subcategory: Security Group Management)
4728 - A member was added to a security-enabled global group.
4732 - A member was added to a security-enabled local group.
4756 - A member was added to a security-enabled universal group.
Successful User Account Login (Subcategory: Logon)
4624 - An account was successfully logged on.
Failed User Account Login (Subcategory: Logon)
4625 - An account failed to log on.
Account Login with Explicit Credentials (Subcategory: Logon)
4648 - A logon was attempted using explicit credentials.

Windows 2003:
Account Lockouts (Account Management Events)
644 - A user account was automatically locked.
Failed Login (Logon Events)
529 - Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.
Successful Login (Logon Events)
528 - A user successfully logged on to a computer.
User Initiated Logoff (Logon Events)
551 - A user initiated the logoff process.
Account Login with Explicit Credentials (Logon Events)
552 - A user successfully logged on to a computer with explicit credentials while already logged on as a different user.
Successful Network Login (Logon Events)
540 - A user successfully logged on to a network.
User Account Created (Account Management Events)
624 - A user account was created.
Change Password Attempt (Account Management Events)
627 - A user password was changed.
User Added to Privileged Group (Account Management Events)
632 - A member was added to a global group.
636 - A member was added to a local group.
660 - A member was added to a security-enabled universal group.
Fix Text (F-49313r8_fix)
Monitor account usage events for administrative accounts. This includes events related to approved administrative accounts as well as accounts being added to privileged groups such as Administrators, Domain Admins, Enterprise Admins, and other organization-defined administrative groups. Event monitoring may be implemented through various methods, including log aggregation and the use of monitoring tools.

Monitor for the events listed below, at minimum.

Windows Vista and later:
Account Lockouts (Subcategory: User Account Management)
4740 - A user account is locked out.
User Added to Privileged Group (Subcategory: Security Group Management)
4728 - A member was added to a security-enabled global group.
4732 - A member was added to a security-enabled local group.
4756 - A member was added to a security-enabled universal group.
Successful User Account Login (Subcategory: Logon)
4624 - An account was successfully logged on.
Failed User Account Login (Subcategory: Logon)
4625 - An account failed to log on.
Account Login with Explicit Credentials (Subcategory: Logon)
4648 - A logon was attempted using explicit credentials.

Windows 2003:
Account Lockouts (Account Management Events)
644 - A user account was automatically locked.
Failed Login (Logon Events)
529 - Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.
Successful Login (Logon Events)
528 - A user successfully logged on to a computer.
User Initiated Logoff (Logon Events)
551 - A user initiated the logoff process.
Account Login with Explicit Credentials (Logon Events)
552 - A user successfully logged on to a computer with explicit credentials while already logged on as a different user.
Successful Network Login (Logon Events)
540 - A user successfully logged on to a network.
User Account Created (Account Management Events)
624 - A user account was created.
Change Password Attempt (Account Management Events)
627 - A user password was changed.
User Added to Privileged Group (Account Management Events)
632 - A member was added to a global group.
636 - A member was added to a local group.
660 - A member was added to a security-enabled universal group.

The "Account Usage" section of NSA's "Spotting the Adversary with Windows Event Log Monitoring" provides additional information.
http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf
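The following is an added example, not part of the STIG or any DISA tooling, showing how the two parts of this rule (the Check Text's "are these events monitored?" test and the Fix Text's monitoring of the listed events) can be expressed as detection logic run over a batch of exported events, such as those a log aggregator would deliver. The event IDs and descriptions come from the rule above; the event dict fields (event_id, subject, target, group), the account names, the list of approved administrative accounts, and the "ORG-Defined-Admins" group are constructed assumptions standing in for the Security log's subject/target/group fields and for an organization's own approved-admin list.

```python
"""Added example: detection logic for the administrative-account events this
STIG rule lists, run over constructed sample events (not DISA's own tooling)."""

# Event IDs taken from the rule text, with the rule's descriptions.
VISTA_PLUS_EVENTS = {
    4740: "A user account is locked out.",
    4728: "A member was added to a security-enabled global group.",
    4732: "A member was added to a security-enabled local group.",
    4756: "A member was added to a security-enabled universal group.",
    4624: "An account was successfully logged on.",
    4625: "An account failed to log on.",
    4648: "A logon was attempted using explicit credentials.",
}
WIN2003_EVENTS = {
    644: "A user account was automatically locked.",
    529: "Logon failure.",
    528: "A user successfully logged on to a computer.",
    551: "A user initiated the logoff process.",
    552: "A user successfully logged on with explicit credentials.",
    540: "A user successfully logged on to a network.",
    624: "A user account was created.",
    627: "A user password was changed.",
    632: "A member was added to a global group.",
    636: "A member was added to a local group.",
    660: "A member was added to a security-enabled universal group.",
}
# Group-membership events matter whenever the target group is privileged,
# regardless of which account was added.
GROUP_ADD_EVENTS = {4728, 4732, 4756, 632, 636, 660}

# Groups named in the rule; "ORG-Defined-Admins" is a placeholder for an
# organization-defined administrative group (assumption).
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins",
                     "ORG-Defined-Admins"}


def unmonitored_events(monitored_ids, generation="vista_plus"):
    """Return the rule's required event IDs missing from the monitored set.
    A non-empty result is a finding under this rule (Check Text)."""
    required = VISTA_PLUS_EVENTS if generation == "vista_plus" else WIN2003_EVENTS
    return sorted(set(required) - set(monitored_ids))


def classify(event, admin_accounts):
    """Return a finding string for an event the rule cares about, else None.

    `event` is a dict with keys event_id, subject, target and group: a
    constructed simplification of the Security log's subject account,
    target/member account and group fields (assumption)."""
    eid = event["event_id"]
    desc = VISTA_PLUS_EVENTS.get(eid) or WIN2003_EVENTS.get(eid)
    if desc is None:
        return None  # not one of the events the rule requires
    if eid in GROUP_ADD_EVENTS:
        if event.get("group") in PRIVILEGED_GROUPS:
            return (f"{eid}: {event['target']} added to privileged group "
                    f"{event['group']} by {event['subject']}")
        return None
    involved = {event.get("subject"), event.get("target")} & set(admin_accounts)
    if involved:
        who = ", ".join(sorted(involved))
        return f"{eid}: {desc} (administrative account: {who})"
    return None


def review(events, admin_accounts):
    """Run classify() over a batch of events and keep only the findings."""
    return [f for f in (classify(e, admin_accounts) for e in events) if f]


# Constructed sample events; account and group names are made up.
ADMIN_ACCOUNTS = {"da-alice", "da-bob"}
SAMPLE_EVENTS = [
    {"event_id": 4624, "subject": "-", "target": "da-alice", "group": None},
    {"event_id": 4624, "subject": "-", "target": "jsmith", "group": None},
    {"event_id": 4728, "subject": "da-alice", "target": "jsmith", "group": "Domain Admins"},
    {"event_id": 4728, "subject": "hr-admin", "target": "jsmith", "group": "HR-Staff"},
    {"event_id": 4625, "subject": "-", "target": "da-bob", "group": None},
    {"event_id": 4648, "subject": "jsmith", "target": "da-alice", "group": None},
    {"event_id": 4740, "subject": "-", "target": "da-bob", "group": None},
    {"event_id": 4672, "subject": "-", "target": "da-alice", "group": None},  # not required by this rule
]

if __name__ == "__main__":
    for line in review(SAMPLE_EVENTS, ADMIN_ACCOUNTS):
        print(line)
    # A monitoring setup that only collects 4624/4625/4740 is a finding:
    print("Unmonitored:", unmonitored_events({4624, 4625, 4740}))
```

The split between `unmonitored_events` and `classify` mirrors the rule: the first answers the auditor's question (are all required IDs collected?), the second is the ongoing monitoring the Fix Text calls for. Group-add events are flagged on the target group rather than on the account, because the rule's concern is any account being added to a privileged group, not only known administrative accounts.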