Who Disabled A Smartcard For Logon?


 

Does your environment utilize Smartcard/CAC for logging in the network? Do they know who is disabling the smartcards and if they are doing it for other people? This monitor will alert on the security events and reports when someone disables smartcard(s) logon. It will report who did it, and whos account was it applied to. The monitor will auto close once the smartcard logon is re-enabled allowing you to track when and how often this is happening.

 

Requirements for making this happen:

A GPO setting needs to be capturing success and failure.  Advance Audit Policy Configuration > Account Management > Audit User Account Management

image

Make sure that “Success” and “Failure” are checked; both are needed for this type of monitoring.

image

 


Informational: User Account Management

This policy setting allows you to audit changes to user accounts. Events include the following:
    A user account is created, changed, deleted; renamed, disabled, enabled, locked out, or unlocked.
    A user account’s password is set or changed.
    A security identifier (SID) is added to the SID History of a user account.
    The Directory Services Restore Mode password is configured.
    Permissions on administrative user accounts are changed.
    Credential Manager credentials are backed up or restored.

If you configure this policy setting, an audit event is generated when an attempt to change a user account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a user account changes.

Volume: Low.

Default: Success.


Next I have a test account with the “Smart card is required for interactive logon” checked in “Active Directory Computer and Users”.

image

 

Building the monitor, a “Windows Event” > “Simple Event Detection” > “Windows Event Reset”

image

Target “Windows Computer”, ensured that the monitor is disabled. Name the alert what ever you like.

For me I like everything to be uniformed; I use: “A System – Has Detected A Smartcard Disabled”.

image

Targeting the “Security” Event Log for the “Unhealthy Event”

image

Alerting off an Event ID 4738 “A user account was changed” and the 24th Parameter of the alert description. “User Account Control: %%2060” = unchecked/disabled

More Information: How to use the UserAccountControl flags to manipulate user account properties: https://support.microsoft.com/en-us/kb/305144

image

The “Healthy Event” will also be targeting the “Security” Event Log.

image

Alerting off an Event ID 4738 again “A user account was changed” and the 24th Parameter of the alert description. “User Account Control: %%2092” = checked/enabled

image

The Alerting, I’ve added some information about the alert in the “Alert description” and I am also pulling the who event description as well.

image

Next, turn it on to start capturing the events by overriding the monitor and target “Windows Domain Controller”.

image

Enable the monitor like this and apply it.

image

Optional: Next, an alert view might be in order. Here is a screenshot of how I configured the one I am using.

image

Now that the view has been created, hopefully enough time has gone by for all the domain controllers to have picked up this monitor. If not allow time before you test.

Let’s test it; open “Active Directory Users and Computers” find a test subject. Uncheck the “Smart card is required for interactive logon” and click apply.

image

Warning: Do not apply to your account if you are testing. When you uncheck the account, your password may need to be reset or you will not be able to log back on.

 

There should be a new alert in the view that was created or in the “Active Alert” view.

Informational: The “Alert Description” tells you who made the change and who’s account was it applied to. Depending on the customer, you could send notifications on this since it could be a security risk.

image

To close the event, re-check the “Smart card is required for interactive logon” and applied, you should see an alert now closed in the console.

image

 

image

 

Simple as that.


Comments (1)

Skip to main content