Filter out DES logons in Active Directory

With Microsoft ending support for Windows Server 2003 R2, businesses need to upgrade to a newer version to at least remain supported. One of the things that has changed in 2008 is that DES encryption is turned off by default. That is a good thing, but certain applications still use it (BlackBerry Enterprise Server, for example).

Since DES is old and was already compromised somewhere in the late 90s, you may want to consider not supporting this encryption type at all. But how do you determine which applications or servers are still using DES for their logons? Server 2003 is unable to log this, but fortunately Windows Server 2008 R2 is.

In order to log these events you first need to enable advanced audit logging through a GPO on your Domain Controllers. Make sure you have at least the following options enabled.

[Screenshot: Advanced Audit Policy settings]

Additionally, to tell the server that it must use the advanced audit policy, enable the following setting.

[Screenshot: Force audit policy subcategory settings]

Now you need to select the encryption types you want to have logged. Matching ticket requests show up as Event ID 4769, and the TicketEncryptionType field in that event tells you which encryption type was used. In our case we're looking for either 0x1 or 0x3.

Now we want to take a look at all the events logged this way. We could do this manually, but PowerShell can do it for us, and a lot faster. Take a look at the following script.

# XPath filter: only 4769 (service ticket) events whose TicketEncryptionType is 0x1 or 0x3.
# Comparing Data[@Name='TicketEncryptionType'] directly avoids matching any other field
# (Status, TicketOptions, ...) that happens to contain 0x1 or 0x3.
$filter = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[EventID=4769] and EventData[Data[@Name='TicketEncryptionType']='0x1' or Data[@Name='TicketEncryptionType']='0x3']]</Select>
  </Query>
</QueryList>
'@

# Put together the filename: <yyyyMMdd>DesEvents<DC name>.csv
$Server   = $env:COMPUTERNAME
$Day      = (Get-Date).ToString("yyyyMMdd")
$Filename = $Day + 'DesEvents' + $Server + '.csv'

Try {
    # -ErrorAction Stop makes "no events found" a terminating error, so Catch below sees it
    $Events = Get-WinEvent -FilterXml $filter -ErrorAction Stop

    $EventsXml = @()
    ForEach ($Event in $Events)
    {
        # Convert the event to XML so the EventData fields can be read by name
        $EventXml = [xml]$Event.ToXml()
        Add-Member -InputObject $Event -MemberType NoteProperty -Name DomainController -Value $Server
        Add-Member -InputObject $Event -MemberType NoteProperty -Force `
            -Name  TimeCreated `
            -Value ([datetime]$EventXml.Event.System.TimeCreated.SystemTime).ToLocalTime()

        # Iterate through each one of the XML message properties (TargetUserName, TicketEncryptionType, ...)
        For ($i = 0; $i -lt $EventXml.Event.EventData.Data.Count; $i++)
        {
            # Append these as object properties
            Add-Member -InputObject $Event -MemberType NoteProperty -Force `
                -Name  $EventXml.Event.EventData.Data[$i].Name `
                -Value $EventXml.Event.EventData.Data[$i].'#text'
        }

        $EventsXml += $Event
    }

    $EventsXml |
        Select-Object DomainController,TimeCreated,TargetUserName,TicketEncryptionType,ServiceName,IpAddress,IpPort,TargetSid,TargetDomainName,TicketOptions,Status |
        Export-Csv "d:\Scripts\DESEvents\$Filename" -NoTypeInformation
}
Catch {
    # Reached when no event matched the filter (or when the export itself failed)
    Write-Host -ForegroundColor Yellow "No events found ($($_.Exception.Message))"
}

This script extracts, from a Windows Server 2008 R2 domain controller, all events that match the criteria in the XML filter and writes the interesting fields to a CSV. In a future post I will dive into the script in more detail; I'm also searching for a way to get better formatting for the PowerShell code in the code window above.
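To go from the raw 4769 records to a list of which accounts and services still obtain DES tickets, the following added example (my own code, not from the original post) parses the same Event XML that `$Event.ToXml()` returns, keeps only TicketEncryptionType 0x1 (DES-CBC-CRC) and 0x3 (DES-CBC-MD5), and summarises per service and account. The function name `Get-DesTicketSummary` and the three sample events are assumptions constructed for the demonstration.

```powershell
# Added example (not from the original post): summarise which accounts and services
# still obtain DES service tickets, from 4769 events in the XML form $Event.ToXml() returns.
function Get-DesTicketSummary {
    param([string[]]$EventXml)

    # Kerberos etype numbers as they appear in TicketEncryptionType
    $DesTypes = @{ '0x1' = 'DES-CBC-CRC'; '0x3' = 'DES-CBC-MD5' }

    $rows = foreach ($text in $EventXml) {
        $x = [xml]$text
        if ($x.Event.System.EventID -ne '4769') { continue }

        # Flatten the <Data Name="..."> elements into a hashtable, as the script above does
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $etype = $data['TicketEncryptionType']
        if (-not $DesTypes.ContainsKey($etype)) { continue }   # RC4/AES ticket: skip

        [pscustomobject]@{
            TimeCreated = ([datetime]$x.Event.System.TimeCreated.SystemTime).ToLocalTime()
            Account     = $data['TargetUserName']
            Service     = $data['ServiceName']
            ClientIp    = ($data['IpAddress'] -replace '^::ffff:', '')   # drop IPv4-mapped prefix
            EncType     = $DesTypes[$etype]
        }
    }

    # One line per service/account pair: request count, client IPs and last time seen
    $rows | Group-Object Service, Account | ForEach-Object {
        [pscustomobject]@{
            Service   = $_.Group[0].Service
            Account   = $_.Group[0].Account
            EncType   = ($_.Group.EncType  | Sort-Object -Unique) -join ','
            ClientIps = ($_.Group.ClientIp | Sort-Object -Unique) -join ','
            Requests  = $_.Count
            LastSeen  = ($_.Group.TimeCreated | Sort-Object | Select-Object -Last 1)
        }
    }
}

# Constructed sample events, trimmed to the fields used; real 4769 events carry more elements
$sample = @(
    '<Event><System><EventID>4769</EventID><TimeCreated SystemTime="2015-07-14T09:12:33.1234567Z"/></System><EventData><Data Name="TargetUserName">svc_bes@EXAMPLE.LOCAL</Data><Data Name="ServiceName">BES01$</Data><Data Name="TicketEncryptionType">0x3</Data><Data Name="IpAddress">::ffff:10.0.0.25</Data></EventData></Event>',
    '<Event><System><EventID>4769</EventID><TimeCreated SystemTime="2015-07-14T10:02:05.0000000Z"/></System><EventData><Data Name="TargetUserName">svc_bes@EXAMPLE.LOCAL</Data><Data Name="ServiceName">BES01$</Data><Data Name="TicketEncryptionType">0x3</Data><Data Name="IpAddress">::ffff:10.0.0.26</Data></EventData></Event>',
    '<Event><System><EventID>4769</EventID><TimeCreated SystemTime="2015-07-14T10:05:00.0000000Z"/></System><EventData><Data Name="TargetUserName">jdoe@EXAMPLE.LOCAL</Data><Data Name="ServiceName">FS01$</Data><Data Name="TicketEncryptionType">0x12</Data><Data Name="IpAddress">::ffff:10.0.1.7</Data></EventData></Event>'
)
Get-DesTicketSummary -EventXml $sample | Format-Table -AutoSize
```

The third sample event uses AES256 (0x12) and is dropped, while the two BES01$ requests collapse into a single row listing both client addresses; feed it the `[xml]$Event.ToXml()` strings from the script above to run it against a real domain controller.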

Hope you like this post and maybe have some use for it in your own environment.
