Configuration of DC Security Logs and Troubleshooting
03/26/2020
Description
Configuration of DC Security Logs and Troubleshooting
Cause
Windows Server uses the DC Security Log to record logon/logoff events and/or other security-related events specified by the system's audit policy. If the audit policy is set to record logins, a successful domain login records the user's user name and computer name in the Security Log. On Windows Server 2003 and above, the computer’s IP address is also logged.
Resolution
To configure the DC Security Log method in Directory Services Connector, perform the following steps:
Step 1: In the Directory Connector Configuration Tool, right-click SonicWall SSO Agent in the left pane.
Step 2: Select Properties.

Step 3: In the right pane in the Query Source field, select one of the following options:

- DC Security Log
- DC Security Log + NETAPI
- DC Security Log + WMI
- DC Security Log + WMI + NETAPI
Step 4: Select the desired number of seconds for the Event Polling Time field.

The Event Polling Time option is visible only if one of the DC Security Log options is selected in the Query Source field. The SSO Agent fetches event logs from the Domain Controller on a regular time interval to discover updated user information. The Event Polling Time option provides a way to specify this interval. The minimum is 5 seconds, and the maximum is 300 seconds, with a default of 10 seconds.
Step 5: To save information about previously identified users when the SSO Agent service is restarted, select the preserve users during service restart checkbox.

Upon restarting the SSO Agent service, the user information is restored. Because the SSO Agent must be restarted for properties changes to take effect, this allows the agent to maintain current user information across these restarts. To avoid restoring outdated information, if the backup is older than 15 minutes, the information is not restored.
If this option is unchecked when using DC Security Log, the user information is not saved during a service restart. When the next user information request comes in for a previously logged in user, the DC logs are checked, but there is no new logon event and so the user is not identified. If Query Source is set to DC Security Log only, the SSO Agent will send no user information to the appliance. If Query Source is set to DC Security Log with NETAPI or WMI, the agent will do a NETAPI or WMI query to the user PC to identify the user.
Step 6: Next, configure the Domain Controller information in the Directory Connector Configurator, including the IP address of the DC, the administrator account, and the password.
Step 7: Configuring the Domain Controller Information. Only machines configured with a Domain Controller role can be set as the domain controller in the Directory Connector Configurator. In the Directory Connector Configuration Tool, right-click Domain Controller in the left pane.
Step 8: Select Add.

Step 9: In the right pane on the Edit tab, type the DC IP address into the IP Address field.

Step 10: In the Administrator User field, enter the domain and admin user name separated by a backslash, such as “snwl\administrator”.
Step 11: In the Administrator Password field, type in the password for the admin user.
Step 12: In the Initial Fetch Time field, select the time of day for the SSO Agent to begin service startup and fetch event logs from the Domain Controller for the first time. All event logs are fetched before the SSO Agent service is started.
Step 13: To test the connection to the Domain Controller using the IP address and user credentials, click Test Connection. If the IP address does not belong to a machine with a role of Domain Controller, the Configurator will not accept the configuration and an error message is displayed.

Step 14: If the IP address belongs to a machine with a role of Domain Controller, no error is displayed. Click OK.
Step 15: Repeat this procedure to add another Domain Controller.
Setting Group Policy to Enable Logon Audit on Windows Server 2008
Logon audit may need to be enabled on the Windows Server machine. To enable logon audit on Windows Server 2008, perform the following steps:
1. Start the Group Policy Management Console.
2. Browse to the following location: Domain Name > Domains > Domain Name > Group Policy Objects, where "Domain Name" is replaced with your domain.
3. Under Group Policy Objects, right-click on Default Domain Policy and select Edit.

The Group Policy Management Editor window is displayed.

4. Double-click on Audit account logon events and select Success. Click OK.
5. Double-click on Audit logon events and select Success. Click OK.
6. Double-click on Audit Directory Service Access and select Success. Click OK.
7. Double-click on Audit Object Access and select Success. Click OK.
8. Close the Group Policy window.
Setting Group Policy to Enable Logon Audit on Windows Server 2003
By default, logon audit is disabled on Windows Server 2003. To enable logon audit on Windows Server 2003, perform the following steps:
1. Start the Group Policy Management Console.
2. Browse to the following location: Domain Name > Domains > Domain Name > Group Policy Objects, where "Domain Name" is replaced with your domain.
3. Right-click on Group Policy Objects and select New.

4. Give your policy a name and click OK.
5. Expand the Group Policy Objects folder and find your new policy. Right-click on the policy and select Edit...
6. Browse to the following location: Policy Name > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.
7. Left click on Audit Policy. The policy settings are displayed in the right pane.

8. Double-click on Audit account logon events and select Success. Click OK.
9. Double-click on Audit logon events and select Success. Click OK.
10. Double-click on Audit Directory Service Access and select Success. Click OK.
11. Close the Group Policy window.
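The following PowerShell snippet is an added example and is not part of the SonicWall article: it confirms, on the Domain Controller itself, that the audit settings edited in the GPO steps above are actually in effect before the SSO Agent starts polling. It assumes an elevated PowerShell session on a Windows Server 2008 or later DC; the auditpol category names are the built-in ones that correspond to the four legacy audit settings, and the one-hour lookback window is an arbitrary choice.

```powershell
# Added example, not part of the SonicWall article: verify on the Domain
# Controller that the logon audit settings from the GPO steps are applied.
# Assumes an elevated PowerShell session on Windows Server 2008 or later.

# Apply the edited policy now instead of waiting for the next refresh cycle.
gpupdate /target:computer /force | Out-Null

# The four legacy settings edited above (account logon events, logon events,
# directory service access, object access) map to these auditpol categories.
# Every subcategory listed should report at least "Success".
foreach ($category in 'Account Logon', 'Logon/Logoff', 'DS Access', 'Object Access') {
    auditpol /get /category:"$category"
}

# Sanity check that successful logons are being written to the Security log:
# event ID 4624 is "An account was successfully logged on" (Server 2008+).
$since  = (Get-Date).AddHours(-1)   # lookback window is an arbitrary choice
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue
if (-not $logons) {
    Write-Warning "No 4624 events since $since. Check the auditpol output above and that a user has logged on."
} else {
    "Found $(@($logons).Count) successful logon events since $since"
}
```

If auditpol still reports "No Auditing" after the refresh, check whether the Default Domain Controllers Policy (linked at the Domain Controllers OU, so processed after the domain-level Default Domain Policy) defines its own audit settings, and whether Advanced Audit Policy Configuration is in use, which overrides the legacy settings as the article notes at the end.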
How to Test:
This should list all logged users currently on your domain.
If the above does not return any results, confirm the server settings and check the Event Viewer Security log to see whether the user's logon was recorded, because SonicWall only displays and uses for authentication the information it receives from the Domain Controller.
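As an added example (not SonicWall's own tool or code), the following PowerShell function reproduces what the SSO Agent's DC Security Log query reads: successful logon events from the DC's Security log within the polling window, reduced to the user name, workstation name and IP address the article says are recorded. Use it to check what the agent can possibly see when the user list comes back empty. The function name Get-RecentDomainLogons, the placeholder DC name and the default lookback of 10 seconds (the article's default Event Polling Time) are assumptions; it requires Windows Server 2008 or later, PowerShell 3.0 or later, and an account that can read the Security log remotely, such as the administrator account entered in Step 10.

```powershell
# Added example, not SonicWall's code: list recent successful domain logons
# from a Domain Controller's Security log, the same source the SSO Agent polls.
# Assumes Server 2008+ (event ID 4624), PowerShell 3.0+ and Security log read rights.
function Get-RecentDomainLogons {
    param(
        [string]$ComputerName = '',     # placeholder: DC IP/name from Step 9; empty = local machine
        [int]$LookbackSeconds = 10      # default Event Polling Time from Step 4
    )
    $since  = (Get-Date).AddSeconds(-$LookbackSeconds)
    $params = @{
        FilterHashtable = @{ LogName = 'Security'; Id = 4624; StartTime = $since }
        ErrorAction     = 'SilentlyContinue'   # Get-WinEvent errors when nothing matches
    }
    if ($ComputerName) { $params.ComputerName = $ComputerName }

    foreach ($e in (Get-WinEvent @params)) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

        # Skip computer accounts (names ending in $) and keep only logon types a user
        # session produces: 2 interactive, 3 network, 10 remote interactive, 11 cached.
        if ($data.TargetUserName -like '*$') { continue }
        if (2, 3, 10, 11 -notcontains [int]$data.LogonType) { continue }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($data.TargetDomainName)\$($data.TargetUserName)"
            Workstation = $data.WorkstationName
            IPAddress   = $data.IpAddress
            LogonType   = [int]$data.LogonType
        }
    }
}

# Usage: widen the window to an hour for a manual test, one row per user/workstation pair.
Get-RecentDomainLogons -LookbackSeconds 3600 |
    Sort-Object Time -Descending |
    Sort-Object User, Workstation -Unique |
    Format-Table -AutoSize
```

An empty result with the default 10-second window is normal; the agent only needs a logon event to appear once per poll, which is why a user who logged on before a service restart is not re-identified from the log alone (Step 5). An empty result over an hour while users are actively logging on points at the audit policy rather than at the agent.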
If you are using Advanced Auditing please use the following article for GPO configuration:
DC Security Logs with Advanced Auditing