Beginning with Office 365 ProPlus v2002, Bing will become the default search engine in Chrome

Beginning with Office 365 ProPlus version 2002, Office setup will also install a Chrome extension that makes Bing the default search engine. The extension can be disabled from Chrome's extensions page (chrome://extensions).

Be sure to turn off this extension if you do not want Bing to become your default search engine.


SCCM Logs and Their Purpose

This is a list of SCCM logs and their purposes. Client logs live in %windir%\CCM\Logs on the client; site server logs are in the Logs folder of the Configuration Manager installation directory, and management point logs in SMS_CCM\Logs on the management point. CMTrace is the tool of choice for reading them on Current Branch versions before 1910; in 1910 and later, OneTrace (part of Support Center) is preferred.
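
Added example, not from the original post: a PowerShell function (the name ConvertFrom-CMTraceLog is my choice) that parses the CMTrace entry format these logs share, so warnings and errors can be pulled out of one log, or a whole folder of them, without opening a viewer. The entries in $sample are constructed for the illustration, not real SCCM output.

```powershell
# Added example (not from the original post): parse CMTrace-format log entries
# and surface warnings/errors without opening CMTrace or OneTrace.
# The entries in $sample below are constructed, not real SCCM output.

function ConvertFrom-CMTraceLog {
    [CmdletBinding()]
    param(
        # Raw text of a .log file (use Get-Content -Raw so multi-line entries stay intact)
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Content
    )
    process {
        # One entry = <![LOG[message]LOG]!><time=".." date=".." component=".." context=".." type=".." thread=".." file="..">
        # Messages may span lines, hence the lazy .*? together with the Singleline option.
        $pattern = '<!\[LOG\[(?<Message>.*?)\]LOG\]!><time="(?<Time>[^"]+)" date="(?<Date>[^"]+)" component="(?<Component>[^"]*)" context="(?<Context>[^"]*)" type="(?<Type>\d)" thread="(?<Thread>\d+)" file="(?<File>[^"]*)">'
        $levels = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }   # the severities CMTrace colours

        foreach ($m in [regex]::Matches($Content, $pattern, 'Singleline')) {
            # time is HH:mm:ss.fff followed by a UTC bias in minutes (+300, -060, ...); drop the bias
            $clock = $m.Groups['Time'].Value -replace '[+-]\d+$', ''
            $stamp = $null
            try {
                $stamp = [datetime]::ParseExact("$($m.Groups['Date'].Value) $clock",
                    'MM-dd-yyyy HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
            } catch { }   # leave Timestamp empty rather than drop a malformed entry

            [pscustomobject]@{
                Timestamp = $stamp
                Level     = $levels[$m.Groups['Type'].Value]
                Component = $m.Groups['Component'].Value
                Thread    = [int]$m.Groups['Thread'].Value
                Message   = $m.Groups['Message'].Value.Trim()
                Source    = $m.Groups['File'].Value
            }
        }
    }
}

# Constructed sample entries in CMTrace format (server name and times are illustrative)
$sample = @'
<![LOG[Policy is complete.]LOG]!><time="08:12:01.442+300" date="03-02-2020" component="PolicyAgent" context="" type="1" thread="4120" file="policyagent.cpp:1140">
<![LOG[Failed to connect to MP https://cm01.contoso.local/SMS_MP/.sms_aut, error 0x80072ee2]LOG]!><time="08:12:05.017+300" date="03-02-2020" component="CcmMessaging" context="" type="3" thread="4120" file="ccmhttp.cpp:233">
<![LOG[Raising event:
instance of CCM_CcmHttp_Status
{ HRESULT = "0x80072ee2"; };]LOG]!><time="08:12:05.020+300" date="03-02-2020" component="CcmMessaging" context="" type="2" thread="4120" file="event.cpp:716">
'@

$entries = ConvertFrom-CMTraceLog -Content $sample
# Real use: Get-Content "$env:windir\CCM\Logs\CcmMessaging.log" -Raw | ConvertFrom-CMTraceLog
$entries | Where-Object Level -ne 'Info' |
    Sort-Object Timestamp |
    Format-Table Timestamp, Level, Component, Message -AutoSize -Wrap
```

The type attribute carries the severity (1 information, 2 warning, 3 error) that CMTrace shows in yellow and red. To search every client log at once, feed the folder through the function: Get-ChildItem "$env:windir\CCM\Logs\*.log" | ForEach-Object { Get-Content $_.FullName -Raw | ConvertFrom-CMTraceLog }.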

Client Side – SCCM Logs

Log name Description
CAS.log The Content Access service. Maintains the local package cache on the client.
Ccm32BitLauncher.log Records actions for starting applications on the client marked run as 32 bit.
CcmEval.log Records SCCM client status evaluation activities and details for components that are required by the SCCM client.
CcmEvalTask.log Records the SCCM client status evaluation activities that are initiated by the evaluation scheduled task.
CcmExec.log Records activities of the client and the SMS Agent Host service. This log file also includes information about enabling and disabling wake-up proxy.
CcmMessaging.log Records activities related to communication between the client and management points.
CCMNotificationAgent.log Records activities related to client notification operations.
Ccmperf.log Records activities related to the maintenance and capture of data related to client performance counters.
CcmRestart.log Records client service restart activity.
CCMSDKProvider.log Records activities for the client SDK interfaces.
CertificateMaintenance.log Maintains certificates for Active Directory Domain Services and management points.
CIDownloader.log Records details about configuration item definition downloads.
CITaskMgr.log Records tasks that are initiated for each application and deployment type, such as content download and install or uninstall actions.
ClientAuth.log Records signing and authentication activity for the client.
ClientIDManagerStartup.log Creates and maintains the client GUID and identifies tasks performed during client registration and assignment.
ClientLocation.log Records tasks that are related to client site assignment.
CMHttpsReadiness.log Records the results of running the SCCM HTTPS Readiness Assessment Tool. This tool checks whether computers have a public key infrastructure (PKI) client authentication certificate that can be used with SCCM.
CmRcService.log Records information for the remote control service.
ContentTransferManager.log Schedules the Background Intelligent Transfer Service (BITS) or Server Message Block (SMB) to download or access packages.
DataTransferService.log Records all BITS communication for policy or package access.
EndpointProtectionAgent.log Records information about the installation of the System Center Endpoint Protection client and the application of antimalware policy to that client.
execmgr.log Records details about packages and task sequences that run on the client.
ExpressionSolver.log Records details about enhanced detection methods that are used when verbose or debug logging is turned on.
ExternalEventAgent.log Records the history of Endpoint Protection malware detection and events related to client status.
FileBITS.log Records all SMB package access tasks.
FileSystemFile.log Records the activity of the Windows Management Instrumentation (WMI) provider for software inventory and file collection.
FSPStateMessage.log Records the activity for state messages that are sent to the fallback status point by the client.
InternetProxy.log Records the network proxy configuration and use activity for the client.
InventoryAgent.log Records activities of hardware inventory, software inventory, and heartbeat discovery actions on the client.
LocationCache.log Records the activity for location cache use and maintenance for the client.
LocationServices.log Records the client activity for locating management points, software update points, and distribution points.
MaintenanceCoordinator.log Records the activity for general maintenance tasks for the client.
Mifprovider.log Records the activity of the WMI provider for Management Information Format (MIF) files.
mtrmgr.log Monitors all software metering processes.
PolicyAgent.log Records requests for policies made by using the Data Transfer Service.
PolicyAgentProvider.log Records policy changes.
PolicyEvaluator.log Records details about the evaluation of policies on client computers, including policies from software updates.
PolicyPlatformClient.log Records the process of remediation and compliance for all providers located in \Program Files\Microsoft Policy Platform, except the file provider.
PolicySdk.log Records activities for policy system SDK interfaces.
Pwrmgmt.log Records information about enabling or disabling and configuring the wake-up proxy client settings.
PwrProvider.log Records the activities of the power management provider (PWRInvProvider) hosted in the WMI service. On all supported versions of Windows, the provider enumerates the current settings on computers during hardware inventory and applies power plan settings.
SCClient_<domain>@<username>_1.log Records the activity in Software Center for the specified user on the client computer.
SCClient_<domain>@<username>_2.log Records the historical activity in Software Center for the specified user on the client computer.
Scheduler.log Records activities of scheduled tasks for all client operations.
SCNotify_<domain>@<username>_1.log Records the activity for notifying users about software for the specified user.
SCNotify_<domain>@<username>_1-<date_time>.log Records the historical information for notifying users about software for the specified user.
setuppolicyevaluator.log Records configuration and inventory policy creation in WMI.
SleepAgent_<domain>@SYSTEM_0.log The main log file for wake-up proxy.
smscliui.log Records use of the SCCM client in Control Panel.
SrcUpdateMgr.log Records activity for installed Windows Installer applications that are updated with current distribution point source locations.
StatusAgent.log Records status messages that are created by the client components.
SWMTRReportGen.log Generates a use data report that is collected by the metering agent. This data is logged in Mtrmgr.log.
UserAffinity.log Records details about user device affinity.
VirtualApp.log Records information specific to the evaluation of Application Virtualization (App-V) deployment types.
Wedmtrace.log Records operations related to write filters on Windows Embedded clients.
wakeprxy-install.log Records installation information when clients receive the client setting option to turn on wake-up proxy.
wakeprxy-uninstall.log Records information about uninstalling wake-up proxy when clients receive the client setting option to turn off wake-up proxy, if wake-up proxy was previously turned on.
ccmsetup.log Records ccmsetup.exe tasks for client setup, client upgrade, and client removal. Can be used to troubleshoot client installation problems.
ccmsetup-ccmeval.log Records ccmsetup.exe tasks for client status and remediation.
CcmRepair.log Records the repair activities of the client agent.
client.msi.log Records setup tasks performed by client.msi. Can be used to troubleshoot client installation or removal problems.

Server Side – SCCM Logs

Note: the entries further down are grouped by feature, following Microsoft's documentation, so a few client-side logs (AppIntentEval.log, AppDiscovery.log, AppEnforce.log and Ccmsdkprovider.log, all found in %windir%\CCM\Logs on the client) appear in this list as well.

SCCM Logs Description
adctrl.log Records enrollment processing activity.
ADForestDisc.log Records Active Directory Forest Discovery actions.
ADService.log Records account creation and security group details in Active Directory.
adsgdis.log Records Active Directory Group Discovery actions.
adsysdis.log Records Active Directory System Discovery actions.
adusrdis.log Records Active Directory User Discovery actions.
ccm.log Records client push installation activities.
CertMgr.log Records certificate activities for intrasite communication.
chmgr.log Records activities of the client health manager.
Cidm.log Records changes to the client settings by the Client Install Data Manager (CIDM).
colleval.log Records details about when collections are created, changed, and deleted by the Collection Evaluator.
compmon.log Records the status of component threads monitored for the site server.
compsumm.log Records Component Status Summarizer tasks.
ComRegSetup.log Records the initial installation of COM registration results for a site server.
dataldr.log Records information about the processing of MIF files and hardware inventory in the SCCM database.
ddm.log Records activities of the discovery data manager.
despool.log Records incoming site-to-site communication transfers.
distmgr.log Records details about package creation, compression, delta replication, and information updates.
EPCtrlMgr.log Records information about the syncing of malware threat information from the Endpoint Protection site system role server with the SCCM database.
EPMgr.log Records the status of the Endpoint Protection site system role.
EPSetup.log Provides information about the installation of the Endpoint Protection site system role.
EnrollSrv.log Records activities of the enrollment service process.
EnrollWeb.log Records activities of the enrollment website process.
fspmgr.log Records activities of the fallback status point site system role.
hman.log Records information about site configuration changes, and about the publishing of site information in Active Directory Domain Services.
Inboxast.log Records the files that are moved from the management point to the corresponding INBOXES folder on the site server.
inboxmgr.log Records file transfer activities between inbox folders.
inboxmon.log Records the processing of inbox files and performance counter updates.
invproc.log Records the forwarding of MIF files from a secondary site to its parent site.
migmctrl.log Records information for Migration actions that involve migration jobs, shared distribution points, and distribution point upgrades.
mpcontrol.log Records the registration of the management point with Windows Internet Name Service (WINS). Records the availability of the management point every 10 minutes.
mpfdm.log Records the actions of the management point component that moves client files to the corresponding INBOXES folder on the site server.
mpMSI.log Records details about the management point installation.
MPSetup.log Records the management point installation wrapper process.
netdisc.log Records Network Discovery actions.
NotiCtrl.log Application request notifications.
ntsvrdis.log Records the discovery activity of site system servers.
Objreplmgr.log Records the processing of object change notifications for replication.
offermgr.log Records advertisement updates.
offersum.log Records the summarization of deployment status messages.
OfflineServicingMgr.log Records the activities of applying updates to operating system image files.
outboxmon.log Records the processing of outbox files and performance counter updates.
PerfSetup.log Records the results of the installation of performance counters.
PkgXferMgr.log Records the actions of the SMS_Executive component that is responsible for sending content from a primary site to a remote distribution point.
policypv.log Records updates to the client policies to reflect changes to client settings or deployments.
rcmctrl.log Records the activities of database replication between sites in the hierarchy.
replmgr.log Records the replication of files between the site server components and the Scheduler component.
ResourceExplorer.log Records errors, warnings, and information about running Resource Explorer.
ruleengine.log Records details about automatic deployment rules for the identification, content download, and software update group and deployment creation.
schedule.log Records details about site-to-site job and file replication.
sender.log Records the files that transfer by file-based replication between sites.
sinvproc.log Records information about the processing of software inventory data to the site database.
sitecomp.log Records details about the maintenance of the installed site components on all site system servers in the site.
sitectrl.log Records site setting changes made to site control objects in the database.
sitestat.log Records the availability and disk space monitoring process of all site systems.
SMS_ISVUPDATES_SYNCAGENT.log Log file for synchronization of third-party software updates starting in SCCM version 1806.
SMS_PhasedDeployment.log Log file for phased deployments.
SmsAdminUI.log Records SCCM console activity.
SMSAWEBSVCSetup.log Records the installation activities of the Application Catalog web service.
smsbkup.log Records output from the site backup process.
smsdbmon.log Records database changes.
SMSENROLLSRVSetup.log Records the installation activities of the enrollment web service.
SMSENROLLWEBSetup.log Records the installation activities of the enrollment website.
smsexec.log Records the processing of all site server component threads.
SMSFSPSetup.log Records messages generated by the installation of a fallback status point.
SMSPORTALWEBSetup.log Records the installation activities of the Application Catalog website.
SMSProv.log Records WMI provider access to the site database.
srsrpMSI.log Records detailed results of the reporting point installation process from the MSI output.
srsrpsetup.log Records results of the reporting point installation process.
statesys.log Records the processing of state system messages.
statmgr.log Records the writing of all status messages to the database.
swmproc.log Records the processing of metering files and settings.
ConfigMgrPrereq.log Records prerequisite component evaluation and installation activities.
ConfigMgrSetup.log Records detailed output from the site server setup.
ConfigMgrSetupWizard.log Records information related to activity in the Setup Wizard.
SMS_BOOTSTRAP.log Records information about the progress of launching the secondary site installation process. Details of the actual setup process are contained in ConfigMgrSetup.log.
smstsvc.log Records information about the installation, use, and removal of a Windows service that is used to test network connectivity and permissions between servers, using the computer account of the server that initiates the connection.
DWSSMSI.log Records messages generated by the installation of a data warehouse service point.
DWSSSetup.log Records messages generated by the installation of a data warehouse service point.
Microsoft.ConfigMgrDataWarehouse.log Records information about data synchronization between the site database and the data warehouse database.
FspIsapi.log Records details about communications to the fallback status point from mobile device legacy clients and client computers.
fspMSI.log Records messages generated by the installation of a fallback status point.
CcmIsapi.log Records client messaging activity on the endpoint.
MP_CliReg.log Records the client registration activity processed by the management point.
MP_Ddr.log Records the conversion of XML.ddr records from clients, and then copies them to the site server.
MP_Framework.log Records the activities of the core management point and client framework components.
MP_GetAuth.log Records client authorization activity.
MP_GetPolicy.log Records policy request activity from client computers.
MP_Hinv.log Records details about the conversion of XML hardware inventory records from clients and the copy of those files to the site server.
MP_Location.log Records location request and reply activity from clients.
MP_OOBMgr.log Records the management point activities related to receiving an OTP from a client.
MP_Policy.log Records policy communication.
MP_Relay.log Records the transfer of files that are collected from the client.
MP_Retry.log Records hardware inventory retry processes.
MP_Sinv.log Records details about the conversion of XML software inventory records from clients and the copy of those files to the site server.
MP_SinvCollFile.log Records details about file collection.
MP_Status.log Records details about the conversion of XML.svf status message files from clients and the copy of those files to the site server.
objreplmgr.log Records details about the replication of software updates notification files from a parent site to child sites.
PatchDownloader.log Records details about the process of downloading software updates from the update source to the download destination on the site server.
SUPSetup.log Records details about the software update point installation. When the software update point installation completes, Installation was successful is written to this log file.
WCM.log Records details about the software update point configuration and connections to the WSUS server for subscribed update categories, classifications, and languages.
WSUSCtrl.log Records details about the configuration, database connectivity, and health of the WSUS server for the site.
wsyncmgr.log Records details about the software updates sync process.
WUSSyncXML.log Records details about the Inventory Tool for the Microsoft Updates sync process.
AppIntentEval.log Records details about the current and intended state of applications, their applicability, whether requirements were met, deployment types, and dependencies.
AppDiscovery.log Records details about the discovery or detection of applications on client computers.
AppEnforce.log Records details about enforcement actions (install and uninstall) taken for applications on the client.
awebsctl.log Records monitoring activities for the Application Catalog web service point site system role.
awebsvcMSI.log Records detailed installation information for the Application Catalog web service point site system role.
Ccmsdkprovider.log Records the activities of the application management SDK.
ConfigMgrSoftwareCatalog.log Records the activity of the Application Catalog, which includes its use of Silverlight.
portlctl.log Records the monitoring activities for the Application Catalog website point site system role.
portlwebMSI.log Records the MSI installation activity for the Application Catalog website role.
PrestageContent.log Records details about the use of the ExtractContent.exe tool on a remote, prestaged distribution point. This tool extracts content that has been exported to a file.
ServicePortalWebService.log Records the activity of the Application Catalog web service.
ServicePortalWebSite.log Records the activity of the Application Catalog website.
SMSdpmon.log Records details about the distribution point health monitoring scheduled task that is configured on a distribution point.
SoftwareCatalogUpdateEndpoint.log Records activities for managing the URL for the Application Catalog shown in Software Center.
SoftwareCenterSystemTasks.log Records activities related to Software Center prerequisite component validation.
AssetAdvisor.log Records the activities of Asset Intelligence inventory actions.
aikbmgr.log Records details about the processing of XML files from the inbox for updating the Asset Intelligence catalog.
AIUpdateSvc.log Records the interaction of the Asset Intelligence sync point with System Center Online (SCO), the online web service.
AIUSMSI.log Records details about the installation of the Asset Intelligence sync point site system role.
AIUSSetup.log Records details about the installation of the Asset Intelligence sync point site system role.
ManagedProvider.log Records details about discovering software with an associated software identification tag. Also records activities related to hardware inventory.
MVLSImport.log Records details about the processing of imported licensing files.
ConfigMgrSetup.log Records information about setup and recovery tasks when SCCM recovers a site from backup.
Smsbkup.log Records details about the site backup activity.
smssqlbkup.log Records output from the site database backup process when SQL Server is installed on a server that is not the site server.
Smswriter.log Records information about the state of the SCCM VSS writer that is used by the backup process.
Crp.log Records enrollment activities.
Crpctrl.log Records the operational health of the certificate registration point.
Crpsetup.log Records details about the installation and configuration of the certificate registration point.
Crpmsi.log Records details about the installation and configuration of the certificate registration point.
NDESPlugin.log Records challenge verification and certificate enrollment activities.

Disabling Dropbox from Installing or Running if Installed

Recently I was on a quest to disable the Dropbox program from running on company-owned (domain-joined) machines. There were lots of hacks to make it work, but I finally found a solution, worded rather cryptically, on Experts Exchange by McKnife (http://tinyurl.com/gr3f9ar). Long story short, you can use Software Restriction Policies (https://technet.microsoft.com/en-us/library/bb457006.aspx) to do this, but his solution was more elegant: it blocks Dropbox programs based on the certificate used to sign them rather than on a file path or hash, which change with every release. This not only blocks Dropbox if it is already installed but also prevents a user from installing it in the first place. Here is my expanded version of his instructions.

First download the Dropbox installer. Right-click it, select Properties, then go to the Digital Signatures tab. The installer carries two signatures, one with a SHA1 digest and one with SHA256. Select the first one (SHA1) and click Details. Click View Certificate, then the Details tab, then Copy to File… to export the certificate. Click Next, choose “Base-64 encoded X.509 (.CER)” and click Next again. Save the certificate as something like “Dropbox SHA1 Cert.cer”. Once that one is exported, repeat the procedure for the SHA256 signature.

Once you have both certificates, open Group Policy Management. If you already have a software restriction policy GPO, edit it; if not, I suggest you create a new one. Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Software Restriction Policies -> Additional Rules. Right-click and choose New Certificate Rule. Browse to the SHA1 certificate you exported and make sure the Security Level is set to Disallowed. Give it a description such as “Dropbox SHA1 Certificate”. When you click OK, if you did not have any certificate rules before, it will prompt you to turn them on and display the Enforcement Properties page. At the bottom, select “Enforce certificate rules” and click OK. Repeat for the SHA256 certificate.

Once Group Policy refreshes on the clients (gpupdate /force, or the next refresh cycle), Dropbox will no longer start, and running the exe or the installer directly gives a clear “This program is blocked by group policy” message.

Side note: once this policy is in place you will also not be able to uninstall Dropbox, because the uninstaller is signed with the same certificate. Keep that in mind; you would have to temporarily stop enforcing certificate rules to get it uninstalled.

Two more things to watch. A certificate rule matches one specific certificate, so when Dropbox renews its code-signing certificate (check the NotAfter date of the one you exported) newer builds will no longer match and you need to export and add the new certificate. And SRP certificate rules only apply to the file types in the policy's Designated File Types list. On Windows editions that support it, AppLocker publisher rules match on the publisher name carried in the signature, which survives certificate renewal, and are the better long-term choice.
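
As an added example (not from the original post, and not Dropbox's or Microsoft's code), here is the same certificate export done in PowerShell with the PKI module's Export-Certificate, together with the checks I would run before and after enforcing the rule. The installer path, output folder and Dropbox install locations are assumptions for the illustration.

```powershell
# Added example, not part of the original post: export the Dropbox signer
# certificate with PowerShell instead of the Properties dialog, record the
# facts the SRP rule depends on, and check the rule is enforced and firing.
# $installer, $outDir and $installRoots are assumed paths for the illustration.

$installer = 'C:\Temp\DropboxInstaller.exe'
$outDir    = 'C:\Temp\SRP'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Get-AuthenticodeSignature returns only the primary signature (the SHA1 one on a
# dual-signed file); the secondary SHA256 certificate still has to be exported
# through the Properties dialog, or listed with: signtool verify /pa /all /v <file>
$sig = Get-AuthenticodeSignature -FilePath $installer
if ($sig.Status -ne 'Valid') {
    throw "Signature status on $installer is '$($sig.Status)'; not building a rule from it"
}
$cert = $sig.SignerCertificate

# DER-encoded .cer; the New Certificate Rule browse dialog accepts it as-is
$cerPath = Join-Path $outDir 'Dropbox-Signer.cer'
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# The rule matches this exact certificate, so note when it expires: a renewed
# signing certificate means new Dropbox builds will slip past the rule.
[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
    Exported   = $cerPath
} | Format-List

# Check whether an already-installed client is signed with the same certificate;
# if it is not, the rule will not stop it. Install locations are assumptions.
$installRoots = "$env:LOCALAPPDATA\Dropbox", "$env:APPDATA\Dropbox", "${env:ProgramFiles(x86)}\Dropbox"
Get-ChildItem $installRoots -Filter Dropbox.exe -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $s = Get-AuthenticodeSignature -FilePath $_.FullName
    '{0}: {1}, same certificate: {2}' -f $_.FullName, $s.Status, ($s.SignerCertificate.Thumbprint -eq $cert.Thumbprint)
}

# After the GPO has applied: certificate rules are only evaluated while this value is 1
$safer   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$enforce = (Get-ItemProperty -Path $safer -ErrorAction SilentlyContinue).AuthenticodeEnabled
'Enforce certificate rules: {0}' -f $(if ($enforce -eq 1) { 'on' } else { 'off (AuthenticodeEnabled is not 1)' })

# SRP logs each block to the Application log: 865 default rule, 866 path rule,
# 867 certificate rule, 868 zone rule, 882 hash rule.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 865, 866, 867, 868, 882 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

The DaysLeft value is the one to put on a calendar: the rule silently stops matching the day Dropbox ships a build signed with a renewed certificate, and the 867 events in the Application log are how you confirm the rule is actually what blocked a launch.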

Why the Cloud?

A decision I have been seeing more and more recently is companies moving their entire infrastructure into the cloud. Personally, I see this as a recipe for disaster!

Companies set up their entire infrastructure to be cloud based, but they only purchase a single circuit to the Internet. What happens if/when that circuit fails? I'll tell you what! You have an entire company sitting around playing solitaire because all their files are Internet based. The networking team is scrambling because the network is down, but there is not a whole lot that can be done if the link was cut by a backhoe operator who misread the plans about where he was supposed to start digging. Don't laugh, it happens.

My solution is a hybrid configuration. Keep a third or so of your processing power and the majority of your file servers on premises. Use OneDrive, or whatever file storage solution you prefer, strictly as a backup. This way, if your link is down you can still work from local storage and then sync to OneDrive when the link is restored.

 

Ultimate Audit Policy Guide

This is the ultimate guide to Windows audit and security policy settings.

In this guide, I will share my tips for audit policy settings, password and account policy settings, monitoring events, benchmarks and much more.

Table of contents:

  • What is Windows Auditing?
  • Use The Advanced Audit Policy Configuration
  • Configure Audit Policy for Active Directory
  • Configure Audit Policy for Workstations and Servers
  • Configure Event Log Size and Retention Settings
  • Recommended Password & Account Lockout Policy
  • Recommended Audit Policy Settings
  • Monitor These Events for Compromise
  • Centralize Event Logs
  • Audit Policy Benchmarks
  • Planning Your Audit Policy

 

What is Windows Auditing?
A Windows audit policy defines which types of events you want to record in a Windows environment. For example, when a user account gets locked out or a user enters a bad password, these events generate a log entry if auditing is turned on. An audit policy is important for maintaining security, detecting security incidents and meeting compliance requirements.

Use the Advanced Audit Policy Configuration
When you look at the audit policies you will notice two sections: the basic audit policy (under Local Policies\Audit Policy) and the advanced audit policy. When possible you should use only the Advanced Audit Policy settings located under Security Settings\Advanced Audit Policy Configuration.

The advanced audit policy settings were added to Group Policy in Windows Server 2008 R2 and Windows 7 (Windows Server 2008 and Vista exposed them only through auditpol.exe), expanding the 9 basic audit categories into 53 subcategories; later versions of Windows have added a few more. The advanced settings let you define a more granular audit policy and log only the events you need, which matters because some audit settings generate a massive volume of events.

Important: Do not mix the basic audit policy settings (Local Policies\Audit Policy) with the advanced settings under Security Settings\Advanced Audit Policy Configuration. Using both can cause issues and is not recommended. When you use the advanced settings, make sure the security option “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” is Enabled, so the basic settings cannot override the advanced ones.

Microsoft groups the advanced audit policy into the following categories. Each category contains a set of subcategories.

  • Account Logon
  • Account Management
  • Detailed Tracking
  • DS Access
  • Logon/Logoff
  • Object Access
  • Policy Change
  • Privilege Use
  • System
  • Global Object Access Auditing

 

Resources:

Threats and Countermeasures Guide: Advanced Security Audit Policy

Configure Audit Policy for Active Directory (For all Domain Controllers)
By default, only a bare minimum audit policy is configured for Active Directory. You will need to modify the Default Domain Controllers Policy or create a new GPO linked to the Domain Controllers OU.

Follow these steps to enable an audit policy for Active Directory.

Step 1: Open the Group Policy Management Console
Step 2: Edit the Default Domain Controllers Policy
Right-click the policy and select Edit.

Step 3: Browse to the Advanced Audit Policy Configuration
Now browse to the Advanced Audit Policy Configuration

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration

Step 4: Define Audit Settings
Now you just need to go through each audit policy category and define the events you want to audit. See the recommended audit policy section for the recommended settings.

Configure Audit Policy on Workstations and Servers
It is highly recommended that you enable an audit policy on all workstations and servers. Most incidents start at the client device; if you are not monitoring these systems you could be missing important information.

To configure an audit policy for workstations and servers you will need to create a new GPO, separate from the one for your domain controllers. I would not link this policy at the root of the domain; it is best to have all your workstations and servers in their own organizational unit and link the audit policy there.

You can see below I have an organizational unit called ADPRO computers. This OU contains sub-OUs for department workstations and a server OU for all the servers. I will create a new audit policy GPO on the ADPRO computers OU; this policy will apply to all devices in that OU and its sub-OUs.

Configure Event Log Size and Retention Settings
It is important to define the security event log size and retention settings. If these settings are not defined you may overwrite and lose important audit data.

Important: The logs generated on servers and workstations from the audit policy are intended for short term retention. To keep historical audit logs for weeks, months or years you will need to set up a centralized logging system. See the section below for recommendations.

In your audit policy, you can define the event log settings at Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Event Log

Here are the recommended settings (the Event Log node takes sizes in kilobytes; 4,194,240 KB is just under 4 GB):

Maximum application log size: 4,194,240 KB
Maximum security log size: 4,194,240 KB
Maximum system log size: 4,194,240 KB

Even with these sizes configured you can still overwrite events in a short period of time. It all depends on your audit policy and how many users you have: tracking bad password attempts for 2,000 users generates far more events than for 20 users.

Resource:

Recommended settings for event log sizes in Windows

Recommended Password and Account Lockout Policy
To successfully audit user accounts you need to ensure you have the password and account lockout policy configured. If you are auditing for account lockouts but don’t have a lockout threshold set you will never see those events.

These settings are from the Microsoft security baseline for Windows 10 and Windows Server 2016.

Password Policy
GPO location: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy

Enforce password history: 24 passwords remembered
Maximum password age: 60 days
Minimum password age: 1 day
Minimum password length: 14 characters
Password must meet complexity requirements: Enabled
Store passwords using reversible encryption: Disabled

Account Lockout Policy
GPO location: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy

Account lockout duration: 15 minutes
Account lockout threshold: 10 invalid logon attempts
Reset account lockout counter after: 15 minutes

Resource:

Microsoft Security compliance toolkit
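
Added example, not part of the original guide: a PowerShell check that compares a machine's effective audit policy, event log sizes and domain password/lockout policy against the values given in this guide (log sizes from the event log section, password and lockout values from the tables above, and a subset of the recommended domain controller audit subcategories listed in the next section; the subset is my selection). Run it from an elevated prompt, since auditpol needs one; the password check needs the RSAT ActiveDirectory module, and auditpol prints localized subcategory names, so the expected names assume an English system.

```powershell
# Added example, not from the original guide: compare the effective audit
# policy, event log sizes and domain password/lockout policy with the values
# recommended in this guide. Run from an elevated prompt (auditpol needs it).
# Subcategory names below are the English ones auditpol prints.

# A subset of the domain controller settings recommended in the guide
$expectedAudit = @{
    'Credential Validation'       = 'Success and Failure'
    'Computer Account Management' = 'Success'
    'User Account Management'     = 'Success and Failure'
    'Security Group Management'   = 'Success and Failure'
    'Process Creation'            = 'Success'
    'Directory Service Access'    = 'Success and Failure'
    'Directory Service Changes'   = 'Success and Failure'
    'Account Lockout'             = 'Success and Failure'
    'Logon'                       = 'Success and Failure'
    'Special Logon'               = 'Success'
    'Removable Storage'           = 'Success and Failure'
    'Audit Policy Change'         = 'Success and Failure'
}

function Test-AuditPolicy {
    param([hashtable]$Expected)
    # /r prints CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    # (preceded by a blank line, hence the filter before ConvertFrom-Csv)
    $effective = auditpol /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
    foreach ($name in $Expected.Keys) {
        $row    = $effective | Where-Object Subcategory -eq $name
        $actual = if ($row) { $row.'Inclusion Setting' } else { '<not found>' }
        [pscustomobject]@{
            Subcategory = $name
            Expected    = $Expected[$name]
            Actual      = $actual
            Compliant   = ($actual -eq $Expected[$name])
        }
    }
}

function Test-EventLogSize {
    param([long]$MinimumKB = 4194240)   # the guide's value for all three logs
    foreach ($name in 'Application', 'Security', 'System') {
        $log = Get-WinEvent -ListLog $name
        [pscustomobject]@{
            Log       = $name
            MaxSizeKB = [long]($log.MaximumSizeInBytes / 1KB)
            Retention = $log.LogMode          # Circular = overwrite oldest events as needed
            Compliant = ($log.MaximumSizeInBytes / 1KB) -ge $MinimumKB
        }
    }
}

function Test-DomainPasswordPolicy {
    $p = Get-ADDefaultDomainPasswordPolicy   # RSAT ActiveDirectory module
    $rules = @(
        @{ Setting = 'Enforce password history';              Actual = $p.PasswordHistoryCount;                  Expected = 24 }
        @{ Setting = 'Maximum password age (days)';           Actual = $p.MaxPasswordAge.Days;                   Expected = 60 }
        @{ Setting = 'Minimum password age (days)';           Actual = $p.MinPasswordAge.Days;                   Expected = 1 }
        @{ Setting = 'Minimum password length';               Actual = $p.MinPasswordLength;                     Expected = 14 }
        @{ Setting = 'Complexity requirements';               Actual = $p.ComplexityEnabled;                     Expected = $true }
        @{ Setting = 'Reversible encryption';                 Actual = $p.ReversibleEncryptionEnabled;           Expected = $false }
        @{ Setting = 'Account lockout duration (minutes)';    Actual = $p.LockoutDuration.TotalMinutes;          Expected = 15 }
        @{ Setting = 'Account lockout threshold';             Actual = $p.LockoutThreshold;                      Expected = 10 }
        @{ Setting = 'Reset lockout counter after (minutes)'; Actual = $p.LockoutObservationWindow.TotalMinutes; Expected = 15 }
    )
    foreach ($r in $rules) {
        [pscustomobject]@{ Setting = $r.Setting; Expected = $r.Expected; Actual = $r.Actual; Compliant = ($r.Actual -eq $r.Expected) }
    }
}

Test-AuditPolicy -Expected $expectedAudit | Format-Table -AutoSize
Test-EventLogSize | Format-Table -AutoSize
Test-DomainPasswordPolicy | Format-Table -AutoSize
```

A Compliant value of False on a subcategory usually means a GPO further up the link order, or a leftover basic audit policy setting, is winning; auditpol shows what is actually in effect on the box, which is what the event log will reflect, so check it on a member of each OU rather than trusting the GPO editor.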

Recommended Audit Policy Settings
These settings are from the Microsoft security baseline for Windows 10 and Windows Server 2016.

Recommended domain controller security and audit policy settings.

GPO Policy location: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration

Account Logon
Audit Credential Validation: Success and Failure
Audit Kerberos Authentication Service: Not configured
Audit Kerberos Service Ticket Operations: Not configured
Audit Other Account Logon Events: Not configured

Account Management
Audit Application Group Management: Not configured
Audit Computer Account Management: Success
Audit Distribution Group Management: Not configured
Audit Other Account Management Events: Success and Failure
Audit Security Group Management: Success and Failure
Audit User Account Management: Success and Failure

Detailed Tracking
Audit DPAPI Activity: Not configured
Audit Plug and Play Events: Success
Audit Process Creation: Success
Audit Process Termination: Not configured
Audit RPC Events: Not configured
Audit Token Right Adjusted: Not configured

DS Access
Audit Detailed Directory Service Replication: Not configured
Audit Directory Service Access: Success and Failure
Audit Directory Service Changes: Success and Failure
Audit Directory Service Replication: Not configured

Logon/Logoff
Audit Account Lockout: Success and Failure
Audit User/Device Claims: Not configured
Audit Group Membership: Success
Audit IPsec Extended Mode: Not configured
Audit IPsec Main Mode: Not configured
Audit Logoff: Success
Audit Logon: Success and Failure
Audit Network Policy Server: Not configured
Audit Other Logon/Logoff Events: Not configured
Audit Special Logon: Success

Object Access
Audit Application Generated: Not configured
Audit Certification Services: Not configured
Audit Detailed File Share: Not configured
Audit File Share: Not configured
Audit File System: Not configured
Audit Filtering Platform Connection: Not configured
Audit Filtering Platform Packet Drop: Not configured
Audit Handle Manipulation: Not configured
Audit Kernel Object: Not configured
Audit Other Object Access Events: Not configured
Audit Registry: Not configured
Audit Removable Storage: Success and Failure
Audit SAM: Not configured
Audit Central Access Policy Staging: Not configured

Policy Change
Audit Audit Policy Change: Success and Failure
Audit Authentication Policy Change: Success
Audit Authorization Policy Change: Success
Audit Filtering Platform Policy Change: Not configured
Audit MPSSVC Rule-Level Policy Change: Not configured
Audit Other Policy Change Events: Not configured

Privilege Use
Audit Non Sensitive Privilege Use: Not configured
Audit Other Privilege Use Events: Not configured
Audit Sensitive Privilege Use: Success and Failure

System
Audit IPsec Driver: Success and Failure
Audit Other System Events: Success and Failure
Audit Security State Change: Success
Audit Security System Extension: Success and Failure
Audit System Integrity: Success and Failure

Global Object Access Auditing
File System: Not configured
Registry: Not configured

I recommend you download the Microsoft Security Compliance Toolkit. It has an Excel document with recommended security and audit settings for Windows 10, member servers and domain controllers. In addition, the toolkit has further documents and files to help you apply security and audit settings.

Centralize Windows Event Logs
When you enable a security and audit policy on all systems, those event logs are stored locally on each system. When you need to investigate an incident or run audit reports, you will need to go through each log individually on each computer. Another concern: what if a system crashes and you are unable to access the logs?

And don’t forget that those local logs are intended for short-term storage. In large environments, they will be overwritten by new events in a short period of time.

Centralizing your logs will save you time, ensure logs are available and make it easier to report and troubleshoot security incidents. There are many tools out there that can centralize windows event logs.

Below is a list of free and premium tools that will centralize Windows event logs. Some of the free tools require a bit of work and may need additional software to visualize and report on the logs. If you have the budget, I recommend a premium tool; they are much easier to set up and save you a ton of time.

SolarWinds Log Analyzer (Premium tool, 30-day FREE trial)
Windows Event Collector (Free, requires additional tools to visualize and report on data)
ManageEngine Audit Plus – (Premium tool)
Splunk – (Premium tool, a popular tool for analyzing various log files)
Elastic Stack – (Free download)
SolarWinds Event Log Consolidator (Free Download)
Monitor These Events for Compromise
Here is a list of events you should be monitoring and reporting on.

Logon Failures – Event ID 4624, 4771
Successful logons – Event ID 4624
Failures due to bad passwords – Event ID 4625
User Account Locked out – Event ID 4740
User Account Unlocked – Event ID 4767
User changed password – Event ID 4723
User Added to Privileged Group – Event ID 4728, 4732, 4756
Member added to a group – Event ID 4728, 4732, 4756 , 4761, 4746, 4751
Member removed from group – Event ID 4729, 4733, 4757, 4762, 4747, 4752
Security log cleared – Event ID 1102
Computer Deleted – Event ID 4743
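As an added example (not code from the original post), the following PowerShell script pulls the event IDs listed above from the Security log for the last 24 hours, counts them per ID, and prints the lockouts, log-clear and privileged-group-change events in full so they can be reviewed. It assumes an elevated prompt on a domain controller or member with the audit policy above applied; the ComputerName parameter default is a placeholder for whichever host you want to query.

```powershell
# Added example, not from the original post: summarise the monitored event IDs
# from the Security log for the last N hours. Reading the Security log needs
# administrator rights, so run this elevated.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # placeholder: point at a DC to query remotely
    [int]$Hours = 24
)

# Event IDs and meanings taken from the list above (4771 is Kerberos
# pre-authentication failure, the Kerberos side of a failed logon).
$Watch = @{
    4624 = 'Successful logon'
    4625 = 'Logon failure (bad password or other failure)'
    4771 = 'Kerberos pre-authentication failed'
    4740 = 'User account locked out'
    4767 = 'User account unlocked'
    4723 = 'User changed password'
    4728 = 'Member added to global security group'
    4732 = 'Member added to local security group'
    4756 = 'Member added to universal security group'
    4761 = 'Member added to universal distribution group'
    4746 = 'Member added to global distribution group'
    4751 = 'Member added to local distribution group'
    4729 = 'Member removed from global security group'
    4733 = 'Member removed from local security group'
    4757 = 'Member removed from universal security group'
    4762 = 'Member removed from universal distribution group'
    4747 = 'Member removed from global distribution group'
    4752 = 'Member removed from local distribution group'
    1102 = 'Security log cleared'
    4743 = 'Computer account deleted'
}

$since = (Get-Date).AddHours(-$Hours)
$ids   = [int[]]$Watch.Keys

# Get-WinEvent builds an XPath query from the hashtable, and that query fails
# once roughly two dozen IDs are ORed together, so query in batches of ten.
# It also throws a terminating error when nothing matches; treat that as "no
# events" rather than a failure.
$events = for ($i = 0; $i -lt $ids.Count; $i += 10) {
    $batch = $ids[$i..([math]::Min($i + 9, $ids.Count - 1))]
    Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = $batch
        StartTime = $since
    }
}

if (-not $events) {
    Write-Host "No monitored events on $ComputerName in the last $Hours hours."
    return
}

# Volume per event ID, highest first. A spike in 4625/4771 or any 4740 at all
# is worth a closer look; 1102 should be rare and always investigated.
$events | Group-Object Id | ForEach-Object {
    [pscustomobject]@{
        Id          = [int]$_.Name
        Description = $Watch[[int]$_.Name]
        Count       = $_.Count
    }
} | Sort-Object Count -Descending | Format-Table -AutoSize

# Events that matter regardless of volume: lockouts, log cleared, members added
# to security groups. Show when, where, and the first line of the message.
$events |
    Where-Object { $_.Id -in @(4740, 1102, 4728, 4732, 4756) } |
    Select-Object TimeCreated, Id, MachineName,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize -Wrap
```

Run it on a schedule against each domain controller, or better, against the central collector described in the next section, so that a cleared local log on one host does not also erase the evidence.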
Audit Policy Benchmarks
How do you know for sure if your audit policy is getting applied to your systems? How does your audit policy compare to industry best practices? In this section, I’ll show you a few ways you can audit your own systems.

Using auditpol
auditpol is a built-in command that can set and get the audit policy on a system. To view the current audit policy, run this command on your local computer:

auditpol /get /category:*

You can check these settings against what is set in your group policy to verify everything is working.
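To make that check repeatable, here is an added PowerShell example (not from the original post) that reads the effective policy with auditpol's CSV output and compares it with the recommended settings from the table above. It assumes an elevated prompt and an English Windows install, because auditpol prints localized subcategory names and setting values; the baseline only includes subcategories the table actually sets, since "Not configured" entries inherit whatever the local default is.

```powershell
# Added example, not from the original post: compare the local effective audit
# policy (auditpol /get /category:* /r) against the recommended settings above.
# Run elevated. Subcategory names below are the English auditpol names, which
# are the table's names without the leading "Audit ".

$Baseline = @{
    'Credential Validation'           = 'Success and Failure'
    'Computer Account Management'     = 'Success'
    'Other Account Management Events' = 'Success and Failure'
    'Security Group Management'       = 'Success and Failure'
    'User Account Management'         = 'Success and Failure'
    'Plug and Play Events'            = 'Success'
    'Process Creation'                = 'Success'
    'Directory Service Access'        = 'Success and Failure'
    'Directory Service Changes'       = 'Success and Failure'
    'Account Lockout'                 = 'Success and Failure'
    'Group Membership'                = 'Success'
    'Logoff'                          = 'Success'
    'Logon'                           = 'Success and Failure'
    'Special Logon'                   = 'Success'
    'Removable Storage'               = 'Success and Failure'
    'Audit Policy Change'             = 'Success and Failure'
    'Authentication Policy Change'    = 'Success'
    'Authorization Policy Change'     = 'Success'
    'Sensitive Privilege Use'         = 'Success and Failure'
    'IPsec Driver'                    = 'Success and Failure'
    'Other System Events'             = 'Success and Failure'
    'Security State Change'           = 'Success'
    'Security System Extension'       = 'Success and Failure'
    'System Integrity'                = 'Success and Failure'
}

# /r switches auditpol to CSV with the columns: Machine Name, Policy Target,
# Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
# Blank lines are dropped so ConvertFrom-Csv sees the header first.
$current = auditpol /get /category:* /r |
    Where-Object { $_ -ne '' } |
    ConvertFrom-Csv

$results = foreach ($entry in $Baseline.GetEnumerator()) {
    $row = $current | Where-Object { $_.Subcategory -eq $entry.Key } | Select-Object -First 1
    $actual = if ($row) { $row.'Inclusion Setting' } else { 'NOT FOUND' }
    [pscustomobject]@{
        Subcategory = $entry.Key
        Expected    = $entry.Value
        Actual      = $actual
        Match       = ($actual -eq $entry.Value)
    }
}

# Mismatches sort to the top (False before True).
$results | Sort-Object Match, Subcategory | Format-Table -AutoSize

# Exit code equals the number of drifted subcategories, so a scheduled task or
# monitoring job can flag hosts where the GPO has not applied.
$drift = @($results | Where-Object { -not $_.Match })
Write-Host ("{0} of {1} baseline subcategories match." -f ($results.Count - $drift.Count), $results.Count)
exit $drift.Count
```

A host that is stricter than the baseline (for example "Success and Failure" where "Success" is expected) is reported as a mismatch too; that is deliberate, because unexpected differences in either direction usually mean a second GPO or a local auditpol change is competing with the one you think is in control.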

Microsoft Security Toolkit
I mentioned this toolkit in the recommended settings section, but it is worth mentioning again. It contains a spreadsheet with the Microsoft recommended audit and security policy settings. It also includes the GPO settings, a script to install them, and GPO reports. It is a great reference for comparing how your audit policy stacks up against Microsoft’s recommendations.

CIS Benchmarks
CIS benchmarks provide configuration guidelines for 140+ systems, including browsers, operating systems, and applications.

CIS Benchmarks

CIS CAT Pro
CIS provides a tool that can automatically check your system’s settings and report how they compare to its benchmarks. This is by far the best method for testing your audit policy against industry benchmarks. The Pro version requires a membership; there is a free version with limited features.

CIS-CAT Pro

Planning Your Audit Policy
Here are some tips for an effective audit policy deployment.

Identify your Windows audit goals
Don’t just go and enable all the auditing settings; first understand your organization’s overall security goals. Enabling all the auditing rules can generate lots of noise and could make your security efforts more difficult than they should be.

Know your Network Environment
Knowing your network, Active Directory architecture, OU design and security groups is fundamental to a good audit policy. Deploying an audit policy to specific users or assets will be challenging if you do not understand your environment or have a poor logical grouping of your resources.

Group Policy
It is best to deploy your audit policy with group policy. Group policy gives you a centralized location to manage and deploy your audit settings to users and assets within the domain.

How will you obtain event data
You will need to decide how event data will be reviewed:

Will the data be kept on local computers?
Will the logs be collected from each system and put into a centralized logging system?
Resources:

Planning and deploying advanced security audit policies

SCCM Maintenance

Daily Maintenance Tasks

  1. Verify that the nightly backup was successful
  2. Check free disk space on all volumes on all site systems (use a PowerShell script for that).
  3. Check the ConfigMgr database size
  4. Check Site Database Status (Monitoring workspace)
  5. Check ConfigMgr inboxes for backlogs (again, PowerShell is useful, or simply tools like WinDirStat)
  6. Review Windows Event logs on site systems
  7. Check for and remove obsolete clients, and check for client errors
  8. Check the Content Distribution Report (script or dbjobmgr)
  9. Check that ADRs have run successfully (definition updates run daily)
  10. Backup task sequences and endpoint protection policies (six copies kept)
  11. Clean up old IIS logs so they don’t build up
  12. Backup custom SCCM Reports
  13. Clean up any systems still in collections with OSD Task Sequence deployments.
  14. Clean up old SCCM users 60 days after they disappear from Active Directory.

Weekly Maintenance Tasks

  1. Review all daily tasks
  2. Review disk space usage on all site systems, and compare to the previous week (to see trends)
  3. Verify that the predefined weekly maintenance tasks are running successfully
  4. Review collection evaluation runtimes
  5. Review software updates compliance reports
  6. Review client health (again to see trends)
  7. Check SQL Maintenance, re-indexing etc.
  8. Verify that networks haven’t changed (boundaries etc.)
  9. Verify that old IIS Log files have been deleted

Monthly Maintenance

To be added, but these are for preparing for upgrades, and to establish long term trends. Usually scheduled meetings with workplace managers and other team members.

  1. Update, test, and deploy OSD reference images. Delete inactive computers accounts.

Quarterly to semi-annual Maintenance Tasks

  1. Review the security plan for any needed changes
  2. Change accounts and passwords if necessary according to your security plan
  3. Review the maintenance schedule for upgrades to the ConfigMgr platform
  4. Review the Configuration Manager hierarchy design for any needed changes
  5. Check network performance to ensure changes have not been made that affect site operations
  6. Review the disaster recovery plan for any needed changes
  7. Perform a site recovery according to the disaster recovery plan in a test lab
  8. Check hardware for any errors or hardware updates available
  9. Check overall health of site

How to reconfigure a machine’s time configuration to sync from the domain hierarchy

Normally the PDC FSMO at the forest root domain will synchronize from an external time server. All other domain controllers and domain members should synchronize from the domain hierarchy. To configure this on every machine (except the forest root PDC FSMO):

Open an elevated command prompt
Run commands:
w32tm /config /syncfromflags:DOMHIER /update
w32tm /resync /nowait
net stop w32time
net start w32time
If this does not work try again but this time for the resync command add /rediscover.

You can check the time source and state using:

w32tm /query /source
w32tm /monitor
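After running the steps above, the thing to verify is that the machine really is following the domain hierarchy rather than its own free-running clock, and that it is not far enough out of step to break Kerberos. The following PowerShell script is an added example (not from the original post) that does that check; it assumes a domain-joined machine, an elevated prompt, and an English Windows install, since it parses the localized text that w32tm prints.

```powershell
# Added example, not from the original post: confirm that this machine is
# synchronising from the domain hierarchy and report its stratum and offset.
# Assumes English w32tm output and an elevated, domain-joined session.

# /query /source prints the current source, e.g. "dc01.example.local" for a
# domain-hierarchy peer, or "server,0x9" style for a manual NTP peer.
$source = (w32tm /query /source | Select-Object -First 1).Trim()
$peer   = ($source -split ',')[0]

# These two sources mean the clock is free-running, i.e. not synced at all.
$notSynced = @('Local CMOS Clock', 'Free-running System Clock')
if ($source -in $notSynced) {
    Write-Warning "Time source is '$source': this machine is NOT synchronising from the domain."
    Write-Warning "Re-run the w32tm /config ... /syncfromflags:DOMHIER step, then /resync /rediscover."
    exit 1
}

# Pull stratum and last successful sync from /status for a quick health view.
$status   = w32tm /query /status
$stratum  = ($status | Where-Object { $_ -match '^Stratum:' }) -replace '^Stratum:\s*', ''
$lastSync = ($status | Where-Object { $_ -match '^Last Successful Sync Time:' }) -replace '^Last Successful Sync Time:\s*', ''

[pscustomobject]@{
    Computer = $env:COMPUTERNAME
    Source   = $source
    Stratum  = $stratum
    LastSync = $lastSync
} | Format-List

# /stripchart measures the difference between the local clock and the named
# computer; /dataonly prints one "time, +offset s" line per sample. Kerberos
# rejects tickets beyond a 5 minute skew by default, so warn well before that.
$offsetLine = w32tm /stripchart /computer:$peer /samples:3 /dataonly | Select-Object -Last 1
if ($offsetLine -match '([+-]\d+\.\d+)s') {
    $offset = [math]::Abs([double]$Matches[1])
    if ($offset -gt 60) {
        Write-Warning ("Clock is {0:N1}s off {1}; fix this before it reaches the Kerberos limit." -f $offset, $peer)
        exit 2
    }
    Write-Host ("Clock offset from {0}: {1:N3}s" -f $peer, $offset)
}
exit 0
```

The exit codes (0 healthy, 1 not synced, 2 drifting) make it easy to run from a scheduled task or a monitoring agent and alert on anything non-zero; on the forest root PDC emulator, which is supposed to use an external source, the "not synced" branch would fire for a different reason, so exclude that host or adjust the expected source for it.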

Layer 3 of the OSI Model – Network Layer

Layer 3: Network Layer
The network layer provides the functional and procedural means of transferring variable length data sequences (called packets) from one node to another connected in “different networks”. A network is a medium to which many nodes can be connected, on which every node has an address and which permits nodes connected to it to transfer messages to other nodes connected to it by merely providing the content of a message and the address of the destination node and letting the network find the way to deliver the message to the destination node, possibly routing it through intermediate nodes. If the message is too large to be transmitted from one node to another on the data link layer between those nodes, the network may implement message delivery by splitting the message into several fragments at one node, sending the fragments independently, and reassembling the fragments at another node. It may, but does not need to, report delivery errors.

Message delivery at the network layer is not necessarily guaranteed to be reliable; a network layer protocol may provide reliable message delivery, but it need not do so.


Layer 2 of the OSI Model – Data Link Layer

The second layer of the OSI model is called the Data Link Layer. This is where the method of networking is determined (wired, wireless, token ring, etc.).
Data Link Layer (Layer 2)

The second-lowest layer (layer 2) in the OSI Reference Model stack is the data link layer, often abbreviated “DLL” (though that abbreviation has other meanings as well in the computer world). The data link layer, also sometimes just called the link layer, is where many wired and wireless local area networking (LAN) technologies primarily function. For example, Ethernet, Token Ring, FDDI and 802.11 (“wireless Ethernet” or “Wi-Fi”) are all sometimes called “data link layer technologies”. The set of devices connected at the data link layer is what is commonly considered a simple “network”, as opposed to an internetwork.

Data Link Layer Sublayers: Logical Link Control (LLC) and Media Access Control (MAC)

The data link layer is often conceptually divided into two sublayers: logical link control (LLC) and media access control (MAC). This split is based on the architecture used in the IEEE 802 Project, which is the IEEE working group responsible for creating the standards that define many networking technologies (including all of the ones I mentioned above except FDDI). By separating LLC and MAC functions, interoperability of different network technologies is made easier, as explained in our earlier discussion of networking model concepts.

Data Link Layer Functions

The following are the key tasks performed at the data link layer:

Logical Link Control (LLC): Logical link control refers to the functions required for the establishment and control of logical links between local devices on a network. As mentioned above, this is usually considered a DLL sublayer; it provides services to the network layer above it and hides the rest of the details of the data link layer to allow different technologies to work seamlessly with the higher layers. Most local area networking technologies use the IEEE 802.2 LLC protocol.

Media Access Control (MAC): This refers to the procedures used by devices to control access to the network medium. Since many networks use a shared medium (such as a single network cable, or a series of cables that are electrically connected into a single virtual medium), it is necessary to have rules for managing the medium to avoid conflicts. For example, Ethernet uses the CSMA/CD method of media access control, while Token Ring uses token passing.

Data Framing: The data link layer is responsible for the final encapsulation of higher-level messages into frames that are sent over the network at the physical layer.

Addressing: The data link layer is the lowest layer in the OSI model that is concerned with addressing: labeling information with a particular destination location. Each device on a network has a unique number, usually called a hardware address or MAC address, that is used by the data link layer protocol to ensure that data intended for a specific machine gets to it properly.

Error Detection and Handling: The data link layer handles errors that occur at the lower levels of the network stack. For example, a cyclic redundancy check (CRC) field is often employed to allow the station receiving data to detect if it was received correctly.