Howdy partners, Ned here. This week we talk event logs, auditing, NTLM “fallback”, file server monitoring, and SCOM 2007 management pack dissection. It was a fairly quiet week for questions since everyone is off for vacation at this point, I reckon. That didn’t mean it wasn’t crazy at work – our folks take vacation too, and that leaves fewer of us to handle the cases. Hopefully you weren’t on hold too long…
Oh, and it’s my fifth anniversary as an employee at Microsoft today. So being from the Midwest and not wanting to do the usual Microsoft M&M cliché, I brought 5 pounds of delicious Hickory Farms meat. It disappeared fast, people here are animals. Sausage-loving animals.
Anyhow, on to the goods.
Is there a way to set security logs to be retained for X days automatically? What about having them automatically archive?
Starting in Windows Vista we added Group Policy to handle the archiving piece. See:
Computer configuration \ <policies> \ Administrative templates \ Windows components \ Event Log Service \ Security \
Backup log automatically when full
Retain old events
This also works for Application, Setup, and System logs. The big old chatty ones.
This does not help you on age, but if you are archiving the log every time it fills you get the same effect. Obviously you would need to start backing up all these event logs and deleting them or you would risk running out of disk space. And what about Windows Server 2003, you ask? We have a registry key there that will do the same thing – see the AutoBackupLogFiles value buried in KB312571.
Rather than going this route though, I instead suggest deploying some kind of security event collection tool, like System Center 2007’s free ACS component or a third party. It will scale much better and be less of a hassle to maintain. Then you are always intercepting and collecting your security events. Hopefully you have a plan to do something with them!
<A conversation about why you should not skew clocks as that makes Kerberos break, as everyone knows. But then:>
However the vast majority of app servers should “just work” with NTLM fallback when Kerberos doesn’t work, correct?
Not necessarily! When MS started implementing Kerberos eleven years ago, NTLM was being replaced as the preferred security protocol. However, we knew that a million apps and down-level or 3rd party clients would not be able to handle Kerberos through negotiation. In order to make the experience less painful, we decided that when using the Windows Negotiate security package, we’d allow applications to first try Kerberos and if that failed, then try NTLM. Pretty much any failure was ok, such as the target server not supporting Kerberos or Kerberos being possible but malfunctioning due to environmental problems. If you simply asked for Kerberos only or NTLM only, there was no fallback because you were being specific. Some languages also provide for blocking fallback post negotiation, such as WCF’s ALLOWNTLM=FALSE flag. So NTLM fallback was never guaranteed or even tried in many scenarios. There are a lot of misunderstandings and mythology about this out there, but this is how it works – when it comes to your specific app, just test it under a network capture to see how it behaves.
Then starting Windows Vista SP1 and Windows Server 2008 we made a significant change – from then on, interactive logon stopped allowing NTLM fallback if Kerberos had errors. So for example, if someone duplicated a DC’s SPN, the user cannot logon (with error “The security database on the server does not have a computer account for this workstation trust relationship”) and examining their event log would show KDC 11 error and you’d see 4625 events on the DC security log. So if Kerberos was supposed to work and didn’t, too bad – no more fallback. Obviously that is also in place in Windows 7 and Win2008 R2, and for the foreseeable future.
Furthermore, in Windows 7 and Windows Server 2008 R2 we added a new extension to the negotiate security package to start making fallback less likely everywhere, not just in interactive logon. That is called negoexts and does stuff like federation support – from the beginning it has no concept of fallback at all.
So why change all this? Because it’s more secure. Better to prevent auth rather than allow someone to somehow damage Kerberos then use that opportunity to go through a weaker protocol.
I would like to start examining the File Services management pack and other MP for System Center Operations Manager 2007. I don’t always find complete documentation on what these packs do (or I find this). I’d also rather not download and configure 1.25GB of SCOM trial edition just yet either.
What to do?
Here’s the trick:
1. Install the System Center Operations Manager 2007 R2 Authoring Resource Kit (free download, very small)
2. Install the management packs you are interested in (such as File Services MP).
3. Start the Authoring Console and load your management pack. Generally, the “Library” MP will contain the majority of info – that’s why it’s bigger than the other files. For our File Services example:
4. Now in the Health Model area you will see all the monitoring… goo. In this case, DFSR monitoring stuff:
5. Now start drilling down below the Aggregate Monitors. There’s a lot to see here.
6. At a glance, you can see some interesting info about each monitor:
7. If you click Edit Monitor, then the Product Knowledge tab, you can see how the monitor works, what the known causes are of the issue, what the resolutions are, and more info to take in. This is the part that makes you smart.
This works anywhere; you don’t even need to install a server – I am doing this all on my Win7 client.
And what this really highlights is just how important using these monitors are. The resolution sections are written by the Product Group to tell you the appropriate way to fix things and in many cases are also vetted and expanded on by MS Support. I spent a hellish few weeks going through the File Services one for example: 200 pages of spec, arrrrghhhh! Rather than relying on some uninformed stranger on the Internet you can instead get the official answer to each problem that SCOM finds, and it can even react on your behalf. It’s slick stuff.
I learned an important lesson today. When you are in a team meeting and you describe some broken process as “a real goat rodeo”, your colleagues will use the opportunity to remind you how short you are using terrible artwork:
And if you complain that the picture isn’t “bling” enough, they will improve it Kanye West style:
Have a great weekend folks.
– Ned “Yeeeeeee-hhhhhhaaaaaahhhh!”Pyle