
Monitor Windows domain controllers for brute force hacking attempts

Monitor your Windows domain controllers using the SolarWinds LEM agent. After you install and configure the agent, the software tracks "brute force" password guessing and other types of hacking attempts against your domain controllers and reports all events to the LEM manager.

These events include: 

  • Unauthorized access to your administrative accounts
  • Failed logon attempts
  • Account lockouts
  • User and group modification
  • Change management events

Install the SolarWinds LEM agent on all domain controllers to ensure the LEM manager captures all of your domain events (even if they are not replicated across all domain controllers).

You can view the events in the LEM console using the change management filter and create custom filters to report all activity on your domain controllers.

Install and configure the LEM agent

When you install the LEM agent, you have the option to install USB Defender. This application works together with the LEM agent to provide real-time notification when a USB drive is inserted into your domain controller server. By default, USB Defender generates events related to USB mass storage devices attached to your LEM Agents.

Windows Vista and Windows Server 2008 introduced a new event logging subsystem (the Windows Event Log service, with an XML-based event format and a new set of security event IDs). As a result, SolarWinds LEM agents on systems running Windows Server 2008, Windows Vista, or Windows 7 require different connectors than agents running on legacy Windows operating systems (for example, Windows Server 2003).

If you are running both current and legacy Windows operating systems in your environment, create a connector profile for each operating system.

See Requirements for the LEM agent software and hardware requirements.

Install a LEM Agent on a single Windows domain controller

The LEM agent is installed on your system and begins sending events to your LEM manager and LEM console.

The LEM agent continues running on your system until you uninstall the software or manually stop the LEM agent service.

  1. Download the SolarWinds LEM Agent installer for Windows from the SolarWinds Customer Portal.
  2. Extract the ZIP file contents to a local or network directory.
  3. Run Setup.exe.
  4. Click Next to start the installation wizard.
  5. Accept the End User License Agreement if you agree, and click Next.
  6. Enter the host name of your LEM manager in the Manager Name field, and click Next.

    Do not change the default port values.

  7. Confirm the Manager Communication settings and click Next.
  8. (Optional) Select the Install USB Defender check box to install USB Defender with the LEM agent.
  9. Confirm the settings on the pre-Installation summary, and click Install.
  10. When the installation is completed, click Next to start the LEM agent service.
  11. Inspect the agent log for any errors, and click Next.
  12. Click Done to exit the installer.

Configure additional connectors on your LEM Agent


  1. Open your SolarWinds LEM console and log into your LEM manager as an administrator.
  2. Click the Manage tab, and then click Nodes.
  3. Locate the LEM agent in the list.

    Use the Refine Results pane, if needed.

  4. Click the gear icon next to the LEM agent and select Connectors.
  5. Locate and select the connector you want to configure.
  6. Click the gear icon next to the connector, and select New.
  7. Modify the connector (if required), and click Save.
  8. Click the gear icon next to the new connector instance (indicated by an icon in the Status column), and select Start.
  9. Click Close to close the Connector Configuration window.
  10. Configure the following additional connectors on your Windows domain controllers that apply to your installation:
  • Windows Directory Service Log
  • Windows DNS Server Log
  • Windows DHCP Server version

Maintain and monitor multiple domain controller agents

Connector Profiles help you maintain and monitor multiple domain controllers in your LEM console. You can use these profiles to configure and modify connector settings at the profile level, as well as provide a group you can use to filter incoming event traffic from your LEM agents to your LEM console.

Create a connector profile based on a single SolarWinds LEM Agent

Follow this procedure to create a connector profile based on a single LEM agent and a corresponding filter to monitor activity on all systems in the profile.

  1. Install the LEM agent software on all systems you want to include in your new connector profile.
  2. Configure a single LEM agent to serve as the template for your connector profile.
  3. In the LEM console, select the Build tab, and click Groups.
  4. Click the plus icon and select Connector Profile.
  5. Enter a profile name and description.
  6. Select the new LEM agent from the Template list, and click Save.
  7. Locate your new connector profile in the Groups list.

    Use the Refine Results pane if needed.

  8. Click the gear icon next to your connector profile and select Edit.
  9. In the Available Agents pane, locate the SolarWinds LEM Agents you want to add to your connector profile.
  10. Click the arrow next to each LEM agent you want to add to the Contained Agents pane.
  11. When completed, click Save.

Create a filter for all activity in a Connector Profile

  1. Open the LEM console and log on to the LEM Manager as an administrator or auditor.
  2. Click Monitor.
  3. Click the plus icon on the Filters pane and select New Filter.
  4. Enter a Name and Description for the filter.
  5. Click Event Groups in the Filter Creation list.
  6. Click Any Alert.
  7. In the Fields: Any Alert list, click and drag DetectionIP into the Conditions box.
  8. Click Connector Profiles in the Filter Creation list.
  9. Click and drag your connector profile into the Conditions box, replacing the Text Constant field denoted by a pencil icon.
  10. Click Save.

Clone and enable the Critical Account Logon Failures rule

Clone and enable the Critical Account Logon Failures rule to track failed logon attempts to the default Windows Administrator account. The default action for this rule is to generate a HostIncident event. Because HostIncident events appear in the Incidents report, the report doubles as evidence for auditors that you are monitoring these critical events on your network.

  1. Open the LEM console and log on to the LEM manager as an administrator.
  2. Click the Build tab and select Rules.
  3. Enter Critical Account Logon Failures in the Refine Results pane search box.
  4. Click the gear icon next to the rule and select Clone.
  5. Select the folder where you want to save the cloned rule, and click OK.
  6. Select Enable in the Rule Creation window, and click Save.
  7. On the main Rules screen, click Activate Rules.

    The rule is enabled.
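The cloned rule above reacts to failed logons against the built-in Administrator account. As an added example that is not part of the SolarWinds documentation or product, the following PowerShell applies the same idea to any account: it looks for bursts of authentication failures from one source against one account inside a sliding time window, and checks whether a lockout followed. The Security log event IDs it uses are the standard ones a domain controller records (4625 failed logon, 4771 Kerberos pre-authentication failed, 4776 NTLM credential validation failed, 4740 account locked out); the sample events are constructed inline, and the flat Time/Id/Account/Source properties are this example's own assumed shape for the event data.

```powershell
# Added example (not SolarWinds code): sliding-window brute-force detection over
# domain controller Security log events. Sample events below are constructed.

$base   = Get-Date '2017-10-30T08:00:00'
$events = @()

# Constructed: 12 Kerberos pre-auth failures (4771) for "administrator" from one
# client in about two minutes, i.e. one password attempt every ten seconds.
foreach ($n in 0..11) {
    $events += [pscustomobject]@{ Time = $base.AddSeconds(10 * $n); Id = 4771
                                  Account = 'administrator'; Source = '10.0.5.23' }
}
# Constructed: the lockout (4740) that follows the burst.
$events += [pscustomobject]@{ Time = $base.AddSeconds(125); Id = 4740
                              Account = 'administrator'; Source = 'WS-PATCH01' }
# Constructed: background noise, two scattered NTLM failures (4776) for another user.
$events += [pscustomobject]@{ Time = $base.AddMinutes(3); Id = 4776; Account = 'jsmith'; Source = 'WS-042' }
$events += [pscustomobject]@{ Time = $base.AddMinutes(9); Id = 4776; Account = 'jsmith'; Source = 'WS-042' }

function Find-BruteForce {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold     = 10,   # failures per (account, source) pair ...
        [int] $WindowMinutes = 5     # ... within a window of this length
    )
    $failureIds = 4625, 4771, 4776   # assumed: the failure IDs worth counting on a DC

    $Events |
        Where-Object { $failureIds -contains $_.Id } |
        Group-Object Account, Source |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object Time)
            # Slide the window forward from each failure; report the first burst
            # that reaches the threshold and move on to the next pair.
            for ($i = 0; $i -lt $sorted.Count; $i++) {
                $start    = $sorted[$i].Time
                $end      = $start.AddMinutes($WindowMinutes)
                $inWindow = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $end })
                if ($inWindow.Count -ge $Threshold) {
                    # A 4740 for the same account after the burst began confirms impact.
                    $locked = $Events | Where-Object {
                        $_.Id -eq 4740 -and $_.Account -eq $sorted[$i].Account -and $_.Time -ge $start
                    }
                    [pscustomobject]@{
                        Account   = $sorted[$i].Account
                        Source    = $sorted[$i].Source
                        Failures  = $inWindow.Count
                        FirstSeen = $start
                        LastSeen  = $inWindow[-1].Time
                        LockedOut = [bool]$locked
                    }
                    break
                }
            }
        }
}

# Reports administrator/10.0.5.23 with 12 failures and LockedOut = True;
# jsmith's two failures nine minutes apart never reach the threshold.
Find-BruteForce -Events $events | Format-Table -AutoSize
```

To run this against a live domain controller instead of the constructed sample, replace the `$events` array with the output of `Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4771, 4776, 4740; StartTime = (Get-Date).AddHours(-1) }` and project each record's target account and client address (from the event's XML data) onto the same Account and Source properties. Keep the threshold above the domain's account lockout threshold only if you want to see completed lockouts; set it below that value to catch guessing that stays deliberately under the lockout limit.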

Tune Windows Logging for LEM implementation

After you install and configure your LEM agents, optimize your LEM deployment by tuning your Windows operating system to log the specific events you want to see in your LEM Console and store in your LEM database. Set your group and local policies according to your environment requirements.

See the Microsoft TechNet knowledge base for additional information about Windows logging.

Default domain policy

Use the following table to configure logging for your Windows default domain policy.

Policy                           Success   Failure   Not Defined
Audit account logon events       Yes       Yes
Audit account management         Yes       Yes
Audit directory service access   -         -         Not defined
Audit logon events               Yes       Yes
Audit object access              -         -         Not defined
Audit policy change              Yes       Yes
Audit privilege use              -         -         Not defined
Audit process tracking           Yes       No
Audit system events              Yes       Yes

Default Domain Controller Policy

Use the following table to configure logging for your Windows default domain controller policy.

Policy                           Success   Failure
Audit account logon events       Yes       Yes
Audit account management         Yes       Yes
Audit directory service access   Yes       Yes
Audit logon events               Yes       Yes
Audit object access *            -         Yes
Audit policy change              Yes       Yes
Audit privilege use              -         Yes
Audit process tracking           Yes       Yes
Audit system events              Yes       Yes

* Audit object access is required for file auditing. For more information, see Enabling Windows File Auditing.

For more information configuring auditing, see Audit Policy and Best Practice.
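The two tables above are normally applied through the Default Domain Policy and Default Domain Controllers Policy GPOs. As an added example that is not part of the SolarWinds documentation, the following PowerShell applies the domain controller table with the built-in auditpol.exe and then reads back the effective policy, which is the quickest way to confirm on a given DC that the failed-logon categories LEM depends on are actually being audited. The mapping from the legacy policy names in the table to auditpol category names is an assumption of this example, although it matches the nine categories auditpol reports on Windows Server 2008 and later. Run it in an elevated PowerShell session on the domain controller.

```powershell
# Added example (not SolarWinds code): apply the Default Domain Controller Policy
# audit table with auditpol.exe and verify the effective policy. Requires elevation.

# Legacy policy name from the table -> auditpol category (assumed mapping).
$dcAudit = @(
    @{ Category = 'Account Logon';      Success = $true;  Failure = $true  }  # Audit account logon events
    @{ Category = 'Account Management'; Success = $true;  Failure = $true  }  # Audit account management
    @{ Category = 'DS Access';          Success = $true;  Failure = $true  }  # Audit directory service access
    @{ Category = 'Logon/Logoff';       Success = $true;  Failure = $true  }  # Audit logon events
    @{ Category = 'Object Access';      Success = $false; Failure = $true  }  # Audit object access (failure only)
    @{ Category = 'Policy Change';      Success = $true;  Failure = $true  }  # Audit policy change
    @{ Category = 'Privilege Use';      Success = $false; Failure = $true  }  # Audit privilege use (failure only)
    @{ Category = 'Detailed Tracking';  Success = $true;  Failure = $true  }  # Audit process tracking
    @{ Category = 'System';             Success = $true;  Failure = $true  }  # Audit system events
)

function ConvertTo-AuditpolFlag([bool] $On) { if ($On) { 'enable' } else { 'disable' } }

foreach ($row in $dcAudit) {
    $s = ConvertTo-AuditpolFlag $row.Success
    $f = ConvertTo-AuditpolFlag $row.Failure
    # /set /category applies the setting to every subcategory under that category.
    & auditpol.exe /set "/category:$($row.Category)" "/success:$s" "/failure:$f" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for category '$($row.Category)'" }
}

# Verify: /r emits CSV (Machine Name, Policy Target, Subcategory, Subcategory GUID,
# Inclusion Setting, Exclusion Setting). Show the subcategories that produce the
# failed-logon and lockout events a brute-force rule relies on.
$effective = & auditpol.exe /get /category:* /r | ConvertFrom-Csv
$effective |
    Where-Object { $_.Subcategory -in 'Credential Validation',
                                     'Kerberos Authentication Service',
                                     'Logon',
                                     'User Account Management' } |
    Select-Object Subcategory, 'Inclusion Setting' |
    Format-Table -AutoSize
```

Two caveats when you use this on a real domain controller. First, if the Default Domain Controllers Policy GPO defines audit settings, Group Policy reapplies them at the next refresh and overwrites anything set locally with auditpol, so make the lasting change in the GPO and use auditpol to verify, not to configure. Second, on Windows Server 2008 and later the advanced (subcategory) audit policy takes precedence over the nine legacy categories when the "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" security option is enabled, which is the default; the legacy table in this document then describes the intent, and the subcategories are what actually take effect.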
