Can't remotely fetch event viewer logs of the logname Security - windows

I have been trying to get the event viewer logs of application, security and system and store the output into an xml file. While application and system work just fine I have been having problems with security.

The Security event log is secured to machine administrators only.
As you've added your account to the "Event Log Readers" group, you need to add the "BUILTIN\Event Log Readers" group to the following registry key permissions:
HKLM\System\CurrentControlSet\Services\Eventlog\Security
This key only
Query Value, Enumerate Subkeys, Notify, Read Control
On a domain you can do this using group policy to cover all machines:
Group Policy Object Editor: Computer Configuration > Policies > Windows Settings > Security Settings
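The registry permission change and the remote fetch, as an added PowerShell example (not code from the answer above). It grants BUILTIN\Event Log Readers exactly the four rights listed, on this key only, and then pulls Security events from a remote host into one XML file. The host name and output path are assumed values; run the ACL part elevated on the machine whose Security log you want to read.

```powershell
# Added example: grant the answer's four rights on the Security log key, then
# fetch Security events remotely and save them as XML. Assumed values: $computer, $out.

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
$group   = 'BUILTIN\Event Log Readers'

# Query Value, Enumerate Subkeys, Notify, Read Control (ReadPermissions in .NET terms)
$rights = [System.Security.AccessControl.RegistryRights]::QueryValues -bor
          [System.Security.AccessControl.RegistryRights]::EnumerateSubKeys -bor
          [System.Security.AccessControl.RegistryRights]::Notify -bor
          [System.Security.AccessControl.RegistryRights]::ReadPermissions

$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $group, $rights,
            [System.Security.AccessControl.InheritanceFlags]::None,   # "This key only"
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
$acl.SetAccessRule($rule)     # replaces any existing Allow entry for the group
Set-Acl -Path $keyPath -AclObject $acl

# Show the resulting entry so it can be checked against the answer's list of rights
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $group } |
    Format-List IdentityReference, RegistryRights, InheritanceFlags, AccessControlType

# --- Remote fetch (run from the collector, as a member of the remote host's
# --- Event Log Readers group; the "Remote Event Log Management" firewall rules
# --- must be enabled on the remote host for the RPC connection to succeed).
$computer = 'SERVER01'                              # assumed remote host
$out      = "$env:TEMP\$computer-Security.xml"      # assumed output path

$events = Get-WinEvent -ComputerName $computer `
            -FilterHashtable @{ LogName = 'Security'; StartTime = (Get-Date).AddHours(-24) } `
            -ErrorAction Stop

# Each record renders its own <Event> element; wrap them so the file is one XML document
$body = ($events | ForEach-Object { $_.ToXml() }) -join "`n"
Set-Content -Path $out -Value "<Events>`n$body`n</Events>" -Encoding UTF8
"$($events.Count) Security events from $computer written to $out"
```

If the fetch still fails with access denied after the ACL change, check the remote host first: the account must be in its local Event Log Readers group, and the key ACL above is per machine, which is why the answer points to Group Policy for a domain-wide rollout.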


Serve file from FSx to IIS

I've got an EC2 instance with IIS and a mapped FSx file system on AWS. All in one VPC, in one subnet.
The IIS config works perfectly as long as it's configured with a local drive. When I change the config to use a path from that mapped FSx I get an error, even for just a test static page.
All current users have full access to those files. Do I need to set up any special users for IIS on the Domain Controller? Any special permissions? I would appreciate any ideas...
First of all, you need to figure out the substatus code of your IIS server and the detailed error message, so please enable IIS detailed error messages for your website.
I assume this issue happened just because your identity doesn't have permission to access the configuration file.
1. Please ensure your IIS site -> Basic Settings -> Connect as... is set to your domain account that has permission to access your FSx.
2. Please set your application pool identity to your domain account that has access to the FSx.
3. Please grant permission for that application pool account.
4. Please set your authentication user to use the application pool identity. For example, if you are using anonymous authentication, go to Anonymous Authentication -> Edit... -> Application pool identity.
If you don't know how to troubleshoot this issue, Process Monitor would help.
You only have to create a filter "Result = ACCESS DENIED & Process Name = w3wp.exe".
https://learn.microsoft.com/en-us/sysinternals/downloads/procmon
SOLUTION: you cannot use the drive letter; it must be the full DNS name for FSx (as shown in the console): \\DNS_NAME\share
I am having this exact issue. The drive is available on the EC2 instance but authorization in IIS fails. Browsing the directory from IIS works but I cannot get authorization to pass the test. I have tried admin on EC2 and admin on Active Directory as users in the IIS virtual drive.
It seems that you need to configure the IIS application pool identity to use a domain account that has access to the FSx file system. By default, the application pool identity is a local account that does not have any permissions on the network share.
To change the application pool identity, follow these steps:
Open IIS Manager and select the application pool that hosts your website.
Click on Advanced Settings in the Actions pane.
Under Process Model, click on Identity and then on the ellipsis (...) button.
Select Custom account and enter the domain user name and password that has access to the FSx file system. Click OK to save the changes.
Restart the application pool and the website.
Alternatively, you can use the command line tool appcmd.exe to set the application pool identity. For example, to set the identity to domain\user for the DefaultAppPool, you can run:
appcmd.exe set config /section:applicationPools /[name='DefaultAppPool'].processModel.identityType:SpecificUser /[name='DefaultAppPool'].processModel.userName:domain\user /[name='DefaultAppPool'].processModel.password:password
You can also use PowerShell to set the application pool identity. For example, to set the identity to domain\user for the DefaultAppPool, you can run:
Import-Module WebAdministration
Set-ItemProperty IIS:\AppPools\DefaultAppPool -Name processModel -Value @{identityType="SpecificUser";userName="domain\user";password="password"}
For more information, see this article on how to access FSx file shares from IIS.
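The steps from the two answers above (Connect as, pool identity, anonymous authentication as pool identity, detailed errors for troubleshooting) as one added PowerShell script. This is not the answers' own code; the site, pool, account and FSx share names are assumed values.

```powershell
# Added example: configure an IIS site to serve content from an FSx share.
# Assumed values: $site, $pool, $account, $share.
Import-Module WebAdministration

$site    = 'Default Web Site'
$pool    = 'DefaultAppPool'
$account = 'CORP\svc_iis'                                        # domain account with share + NTFS access
$share   = '\\fs-0123456789abcdef0.corp.example.com\share\www'   # FSx DNS name, never a drive letter
$cred    = Get-Credential -UserName $account -Message "Password for $account"
$plain   = $cred.GetNetworkCredential().Password                 # IIS stores it encrypted in applicationHost.config

# 1. Run the application pool as the domain account
Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel `
    -Value @{ identityType = 'SpecificUser'; userName = $account; password = $plain }

# 2. Point the site at the UNC path and set "Connect as" to the same account.
#    A mapped drive letter belongs to the interactive user who mapped it, not to w3wp.exe.
Set-ItemProperty "IIS:\Sites\$site" -Name physicalPath -Value $share
Set-ItemProperty "IIS:\Sites\$site" -Name userName     -Value $account
Set-ItemProperty "IIS:\Sites\$site" -Name password     -Value $plain

# 3. Anonymous requests run as the pool identity (empty userName = "Application pool identity")
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name userName -Value ''

# 4. Detailed errors while troubleshooting, so the 500.x / 401.x substatus is visible
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter 'system.webServer/httpErrors' -Name errorMode -Value 'Detailed'

Restart-WebAppPool -Name $pool

# 5. Check from the server itself; a substatus in the body points at the failing step
try {
    $r = Invoke-WebRequest -Uri 'http://localhost/' -UseBasicParsing
    "HTTP $($r.StatusCode): site is serving from $share"
} catch {
    Write-Warning "Request failed: $($_.Exception.Message)"
    Write-Warning 'Filter Process Monitor on Process Name = w3wp.exe and Result = ACCESS DENIED to see which path is refused'
}
```

Step 4 should be reverted to DetailedLocalOnly once the problem is found, since detailed error pages expose paths and configuration to remote clients.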

Override default domain GPO with local policy

Password complexity setting is disabled in default domain GPO. I need to enable it on one server, but I don't have the access to edit this GPO on the domain level. When I open local security settings on the server, option to enable (or disable) is grayed out. Is there a way to override default domain GPO for password complexity locally in the registry? And to keep it that way, to stop GPO from being propagated down from domain level to this particular server?
There are two points in your case. First, you can't use a local group policy for domain accounts because AD accounts are stored only on DCs; only Domain Controller policies apply, and those apply only to user accounts, not computer accounts. Second, you can use a local group policy to edit settings only for local user accounts. Run the gpedit.msc command on the local server for it.
But since Windows Server 2008 domains you can have separate password policies for different user groups. You can read about it here, for example:
https://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx
Good luck.
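The per-group password policy the answer refers to is a Fine-Grained Password Policy (a PSO object). Added PowerShell example, not part of the answer: it creates a PSO with complexity enabled, applies it to a global security group, and verifies the resultant policy for one member. It needs rights to create PSOs in the domain (Domain Admins by default) and a 2008 or later domain functional level; the PSO, group and user names are assumed values.

```powershell
# Added example: Fine-Grained Password Policy for one group of accounts.
# Assumed values: $psoName, $group, $testUser.
Import-Module ActiveDirectory

$psoName  = 'PSO-ComplexPasswords-AppServers'
$group    = 'SG-AppServer-Admins'     # global security group whose members get this policy
$testUser = 'svc_app01'               # a member of that group, used to verify the result

# Lower Precedence wins when a user is covered by several PSOs; the Default Domain
# Policy applies only to users that no PSO covers.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 14 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '90.00:00:00' `
    -LockoutThreshold 10 `
    -LockoutObservationWindow '0.00:15:00' `
    -LockoutDuration '0.00:15:00' `
    -ReversibleEncryptionEnabled $false

# PSOs can be applied to users and global security groups only (not OUs, not computers)
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Verify: the resultant policy for a member must now be the PSO.
# Get-ADUserResultantPasswordPolicy returns nothing when only the domain default applies.
$effective = Get-ADUserResultantPasswordPolicy -Identity $testUser
if ($effective -and $effective.Name -eq $psoName -and $effective.ComplexityEnabled) {
    "$testUser now gets '$($effective.Name)': complexity on, min length $($effective.MinPasswordLength)"
} else {
    $current = if ($effective) { $effective.Name } else { 'Default Domain Policy' }
    Write-Warning "$testUser is still under '$current'; check membership of $group and PSO precedence"
}
```

The policy is evaluated by the DC at password-change and logon time, so the PSO takes effect without any change on the member server itself, which is what the question is really after.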

store and get generic credentials with an intranet application

I developed an Intranet application which needs to realize a "git push" from a local repository (on the disk of the web server) to a remote repository.
I launch the git process from the web server, it runs under the IIS pool identity which is a domain account member of the administrators group of the web server machine.
Git needs the user credentials to perform the push action. I integrated a custom version of git-credential-winstore. This program uses the Windows Credential Manager to store generic credentials for a web site. But when the call to the credential's write occurs, I get the error :
Failed to write credential: A specified logon session does not exist. It may already have been terminated
I checked the policy "Network access: Do not allow storage of passwords and credentials for network authentication", it is disabled.
What goes wrong here ?
The pool account needs to gain access to its user profile.
So we need to connect once to a Windows session to create the user profile (I think it's necessary). Next, in the Advanced Settings of the dedicated Application Pool, set "Load User Profile" = True.
Note about credentials: the Windows credential target must be changed to manage different users in the same Windows vault. I changed "git:https://remote-host" to "git_USERID:https://remote-host".
I set this property to enabled and it works now, maybe it will work for you also:
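Setting "Load User Profile" from PowerShell and checking that the pool account's profile exists on disk, as an added example (not the answer's own steps). Credential Manager stores generic credentials in the account's own profile, so without a loaded profile the write fails with the logon-session error quoted in the question. The pool and account names are assumed values.

```powershell
# Added example: enable loadUserProfile on the pool and confirm the account has a profile.
# Assumed values: $pool, $account.
Import-Module WebAdministration

$pool    = 'IntranetPool'
$account = 'CORP\svc_intranet'

Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel.loadUserProfile -Value $true
Restart-WebAppPool -Name $pool

$loaded = (Get-ItemProperty "IIS:\AppPools\$pool" -Name processModel).loadUserProfile
"loadUserProfile on $pool : $loaded"

# The profile is created by a first logon as that account (the answer's "connect once").
# Resolve the account to its SID and look it up in the machine's profile list.
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
$userProfile = Get-CimInstance Win32_UserProfile | Where-Object { $_.SID -eq $sid }
if ($userProfile) {
    "Profile for $account : $($userProfile.LocalPath)"
} else {
    Write-Warning "No profile for $account on this machine yet; log on once as that account to create it"
}
```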

Using WMI to get account security policies

As a network auditor I am using WMI to query Windows PCs and get relevant information.
secpol.msc gives the account and local policies. Is there a way that I can read all the parameters in the policy to check that users have configured them as per company norms?
Thank You
You can use the RSoP WMI classes to get the Group Policy settings, and the Group Policy Settings Reference for Windows and Windows Server, which is basically a set of Excel files containing the Windows registry keys where such info is stored.
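Reading the effective account policy through the RSoP WMI classes and comparing it with a baseline, as an added example (not from the answer). The RSOP_SecuritySettingNumeric and RSOP_SecuritySettingBoolean classes in root\rsop\computer carry the same key names as secedit .inf files; the baseline values and host name are assumed, so replace them with the company standard.

```powershell
# Added example: compliance check of account policy via RSoP WMI classes.
# Assumed values: $computer and the $baseline numbers.
$computer = 'WS01'
$ns       = 'root\rsop\computer'

# Key names match secedit .inf / RSOP_SecuritySetting*.KeyName; ages are in days
$baseline = @{
    MinimumPasswordLength = 14
    PasswordHistorySize   = 24
    MaximumPasswordAge    = 90
    MinimumPasswordAge    = 1
    LockoutBadCount       = 10
    PasswordComplexity    = $true
}

# precedence = 1 is the winning value when several GPOs set the same key.
# Get-CimInstance -ComputerName uses WinRM; for DCOM-only hosts use Get-WmiObject instead.
$numeric = Get-CimInstance -ComputerName $computer -Namespace $ns `
              -ClassName RSOP_SecuritySettingNumeric -Filter 'precedence = 1'
$boolean = Get-CimInstance -ComputerName $computer -Namespace $ns `
              -ClassName RSOP_SecuritySettingBoolean -Filter 'precedence = 1'

$effective = @{}
foreach ($s in $numeric) { $effective[$s.KeyName] = [int]$s.Setting }
foreach ($s in $boolean) { $effective[$s.KeyName] = [bool]$s.Setting }

$report = foreach ($key in $baseline.Keys) {
    $actual = $effective[$key]
    $actualText = if ($null -eq $actual) { '(not set by policy)' } else { $actual }
    [pscustomobject]@{
        Setting   = $key
        Expected  = $baseline[$key]
        Actual    = $actualText
        Compliant = ($null -ne $actual -and $actual -eq $baseline[$key])
    }
}
$report | Sort-Object Compliant, Setting | Format-Table -AutoSize
```

These classes reflect what Group Policy applied to the machine. A value set only locally in secpol.msc on a workgroup machine will not appear here; for that case `secedit /export /cfg <file>` gives the same key names from the local security database.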

Eventviewer eventid for lock and unlock

What is the event id in Event Viewer for lock, unlock for a computer in Windows XP, Windows 7, Windows Vista and Windows Server 2008?
The lock event ID is 4800, and the unlock is 4801. You can find them in the Security logs. You probably have to activate their auditing using Local Security Policy (secpol.msc, Local Security Settings in Windows XP) -> Local Policies -> Audit Policy. For Windows 10 see the picture below.
Look in Description of security events in Windows 7 and in Windows Server 2008 R2 under Subcategory: Other Logon/Logoff Events.
You will need to enable logging of these events. Do so by opening the group policy editor:
run -> gpedit.msc
and configuring the following category:
Computer Configuration ->
Windows Settings ->
Security Settings ->
Advanced Audit Policy Configuration ->
System Audit Policies - Local Group Policy Object ->
Logon/Logoff ->
Audit Other Logon/Logoff Events
(In the Explain tab it says "... allows you to audit ... Locking and unlocking a workstation".)
For newer versions of Windows (including but not limited to both Windows 10 and Windows Server 2016), the event IDs are:
4800 - The workstation was locked.
4801 - The workstation was unlocked.
Locking and unlocking a workstation also involve the following logon and logoff events:
4624 - An account was successfully logged on.
4634 - An account was logged off.
4648 - A logon was attempted using explicit credentials.
When using a Terminal Services session, locking and unlocking may also involve the following events if the session is disconnected, and event 4778 may replace event 4801:
4779 - A session was disconnected from a Window Station.
4778 - A session was reconnected to a Window Station.
Events 4800 and 4801 are not audited by default, and must be enabled using either Local Group Policy Editor (gpedit.msc) or Local Security Policy (secpol.msc).
The path for the policy using Local Group Policy Editor is:
Local Computer Policy
Computer Configuration
Windows Settings
Security Settings
Advanced Audit Policy Configuration
System Audit Policies - Local Group Policy Object
Logon/Logoff
Audit Other Logon/Logoff Events
The path for the policy using Local Security Policy is the following subset of the path for Local Group Policy Editor:
Security Settings
Advanced Audit Policy Configuration
System Audit Policies - Local Group Policy Object
Logon/Logoff
Audit Other Logon/Logoff Events
The event IDs to look for in pre-Vista Windows are 528, 538, and 680. 528 usually stands for successful unlock of workstation.
The codes for newer Windows versions differ; see the other answers for more info.
Unfortunately there is no such thing as Lock/Unlock. What you have to do is:
Click on "Filter Current Log..."
Select the XML tab and click on "Edit query manually"
Enter the below query:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[EventData[Data[@Name='LogonType']='7']
        and
        (System[(EventID='4634')] or System[(EventID='4624')])
      ]
    </Select>
  </Query>
</QueryList>
That's it.
To identify unlock screen I believe that you can use ID 4624. But then you also need to look at the Logon Type which in this case is 7: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624
Event ID for Logoff is 4634
Security Settings -> Advanced Audit Policy -> System Audit -> Logon/Logoff -> Audit Other Logon/Off Events -> On Success
Enables the following:
4800 - workstation locked
4801 - workstation unlocked
4802 - screensaver invoked
4803 - screensaver dismissed
Windows 10 professional
For Windows 10 the event ID for lock=4800 and unlock=4801.
As it says in the answer provided by Mario and User 00000, you will need to enable logging of lock and unlock events by using their method described above by running gpedit.msc and navigating to the branch they indicated:
Computer Configuration ->
Windows Settings ->
Security Settings ->
Advanced Audit Policy Configuration ->
System Audit Policies - Local Group Policy Object ->
Logon/Logoff ->
Audit Other Logon/Logoff
Enable for both success and failure events.
After enabling logging of those events you can filter for Event ID 4800 and 4801 directly.
This method works for Windows 10 as I just used it to filter my security logs after locking and unlocking my computer.
Using Windows 10 Home edition. I was unable to get my event viewer to capture events 4800 and 4801, even after installing the Windows Group Policy Editor, enabling auditing on all the relevant events, and restarting the computer. However, I was able to discover other events that are tied to locking and unlocking that you can use as accurate and reliable indicators of when the PC was locked. See configurations below - the first is for PC Locked (the event connected to displaying C:\Windows\System32\LogonUI.exe) - and the second is for PC Unlocked (the event for successful logon).
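Enabling the audit subcategory from the command line and building a lock/unlock timeline from the Security log, as an added PowerShell example (not code from any of the answers above). It combines the two approaches in the thread: 4800/4801 from "Audit Other Logon/Logoff Events", and the 4624/4634 LogonType 7 query, which exists even where 4800/4801 are not being recorded. auditpol sets the subcategory directly, so gpedit.msc is not required; run it elevated. The look-back window is an assumed value.

```powershell
# Added example: enable "Other Logon/Logoff Events" auditing and list lock/unlock events.
# Assumed value: the -Hours look-back window.

function Enable-LockUnlockAuditing {
    # Same setting as Advanced Audit Policy Configuration -> Logon/Logoff ->
    # Audit Other Logon/Logoff Events (success and failure), set via auditpol
    auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable | Out-Null
    auditpol /get /subcategory:"Other Logon/Logoff Events"
}

function Get-LockUnlockTimeline {
    param([int]$Hours = 24)
    $ms = $Hours * 3600 * 1000
    # 4800/4801 (workstation locked/unlocked) plus 4624/4634 with LogonType 7
    # (the logon/logoff pair generated when a session is unlocked). '<' must be
    # escaped inside the XML; timediff() is milliseconds back from now.
    $filterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[TimeCreated[timediff(@SystemTime) &lt;= $ms]]
        and (
          System[(EventID=4800 or EventID=4801)]
          or (System[(EventID=4624 or EventID=4634)] and EventData[Data[@Name='LogonType']='7'])
        )]
    </Select>
  </Query>
</QueryList>
"@
    $events = Get-WinEvent -FilterXml $filterXml -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named EventData fields out of the record's XML
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.'#text' }
        $action = switch ($e.Id) {
            4800 { 'Workstation locked' }
            4801 { 'Workstation unlocked' }
            4624 { 'Unlock logon (LogonType 7)' }
            4634 { 'Logoff (LogonType 7)' }
        }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Id     = $e.Id
            Action = $action
            User   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        }
    }
}

Enable-LockUnlockAuditing
Get-LockUnlockTimeline -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

Reading the Security log needs administrator rights or membership in Event Log Readers; with `-ErrorAction SilentlyContinue` an empty result can therefore mean "no events" or "no access", so check `auditpol /get` output and your rights before concluding the events are not generated.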
