Windows event handling is complicated. This lab will guide a student through the basics of event collection, forwarding, and shipping. The lab also introduces students to event subscriptions and the deployment of 19 pre-packaged, XML-filter-driven baseline subscriptions. Those subscriptions form a strong foundation of event collection to aid in threat hunting, forensics, and compliance objectives.
Import and deploy a group policy designed to implement some basic Windows Audit Policy configuration. These are pre-configured settings that enable fine-grain endpoint monitoring on Windows endpoints.
Connect via Remote Desktop to the Domain Controller, DC01.
See Lab L0200 for connection instructions.
Launch Windows PowerShell from the Windows Start Menu. See Lab L0250 for instruction on launching PowerShell.
First, confirm the correct user and system context by using the "whoami" and "hostname" commands.
whoami
hostname
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Users\itadmin> whoami
labs\itadmin <------------------------------VERIFY RESULT
PS C:\Users\itadmin> hostname
dc01 <-----------------------------------VERIFY RESULT
If the result of the above commands differs, please confirm you are operating on the correct system and user context.
We will import three previously built Group Policies, and link the Imported Policies into the Domain.
For more information on the Import-GPO cmdlet, see Import-GPO.
Import-GPO -Path "\\dc01\LABS\LabPack\LABPACK-master\Lab-GPOs\CMD-PS-Logging\" -BackupGpoName "CMD-PS-Logging" -CreateIfNeeded -TargetName "CMD-PS-Logging" -Server DC01
Import-GPO -Path "\\dc01\LABS\LabPack\LABPACK-master\Lab-GPOs\Enhanced-WS-Auditing\" -BackupGpoName "Enhanced WS Auditing" -CreateIfNeeded -TargetName "Enhanced-WS-Auditing" -Server DC01
Import-GPO -Path "\\dc01\LABS\LabPack\LABPACK-master\Lab-GPOs\Enhanced-DC-Auditing\" -BackupGpoName "Enhanced DC Auditing" -CreateIfNeeded -TargetName "Enhanced-DC-Auditing" -Server DC01
Import-GPO -Path "\\dc01\LABS\LabPack\LABPACK-master\Lab-GPOs\Enable-WinRM-and-RDP\" -BackupGpoName "Enable-WinRM-and-RDP" -CreateIfNeeded -TargetName "Enable-WinRM-and-RDP" -Server DC01
PS Microsoft.PowerShell.Core\FileSystem::\\dc01\labs\Sysmon> Import-GPO -Path "\\dc01\LABS\LabPack\LABPACK-master\Lab-GPOs\CMD-PS-Logging\" -BackupGpoName "CMD-PS-Logging" -CreateIfNeeded -TargetName "CMD-PS-Logging" -Server DC01
DisplayName : CMD-PS-Logging
DomainName : labs.local
Owner : LABS\Domain Admins
Id : 9e16eb44-5d2c-431c-bb4c-48194c0bf613
GpoStatus : AllSettingsEnabled
Description :
CreationTime : 9/21/2020 8:58:00 PM
ModificationTime : 9/21/2020 8:58:00 PM
UserVersion : AD Version: 1, SysVol Version: 1
ComputerVersion : AD Version: 1, SysVol Version: 1
WmiFilter :
PS Microsoft.PowerShell.Core\FileSystem::\\dc01\labs\Sysmon> Import-GPO -Path "\\dc01\LABS\LabPack\LABPACK-master\Lab-GPOs\Enhanced-WS-Auditing\" -BackupGpoName "Enhanced WS Auditing" -CreateIfNeeded -TargetName "Enhanced-WS-Auditing" -Server DC01
DisplayName : Enhanced-WS-Auditing
DomainName : labs.local
Owner : LABS\Domain Admins
Id : 589e4744-0976-4a74-87f7-bebe31fde2df
GpoStatus : UserSettingsDisabled
Description :
CreationTime : 9/21/2020 8:58:03 PM
ModificationTime : 9/21/2020 8:58:03 PM
UserVersion : AD Version: 1, SysVol Version: 1
ComputerVersion : AD Version: 1, SysVol Version: 1
WmiFilter :
PS Microsoft.PowerShell.Core\FileSystem::\\dc01\labs\Sysmon> Import-GPO -Path "\\dc01\LABS\LabPack\LABPACK-master\Lab-GPOs\Enhanced-DC-Auditing\" -BackupGpoName "Enhanced DC Auditing" -CreateIfNeeded -TargetName "Enhanced-DC-Auditing" -Server DC01
DisplayName : Enhanced-DC-Auditing
DomainName : labs.local
Owner : LABS\Domain Admins
Id : 437250f5-7ecf-4c4c-8d87-550aa45a7693
GpoStatus : UserSettingsDisabled
Description :
CreationTime : 9/21/2020 8:58:03 PM
ModificationTime : 9/21/2020 8:58:04 PM
UserVersion : AD Version: 1, SysVol Version: 1
ComputerVersion : AD Version: 1, SysVol Version: 1
WmiFilter :
PS Microsoft.PowerShell.Core\FileSystem::\\dc01\labs\Sysmon> Import-GPO -Path "\\dc01\LABS\LabPack\LABPACK-master\Lab-GPOs\Enable-WinRM-and-RDP\" -BackupGpoName "Enable-WinRM-and-RDP" -CreateIfNeeded -TargetName "Enable-WinRM-and-RDP" -Server DC01
DisplayName : Enable-WinRM-and-RDP
DomainName : labs.local
Owner : LABS\Domain Admins
Id : c4046fa0-80f0-4613-a98b-c3519fdb7afa
GpoStatus : UserSettingsDisabled
Description :
CreationTime : 9/21/2020 8:58:04 PM
ModificationTime : 9/21/2020 8:58:04 PM
UserVersion : AD Version: 1, SysVol Version: 1
ComputerVersion : AD Version: 1, SysVol Version: 1
WmiFilter :
For more information on the New-GPLink cmdlet, see New-GPLink.
New-GPLink -Name "CMD-PS-Logging" -Target "dc=labs,dc=local" -LinkEnabled Yes
New-GPLink -Name "Enhanced-WS-Auditing" -Target "dc=labs,dc=local" -LinkEnabled Yes
New-GPLink -Name "Enhanced-DC-Auditing" -Target "ou=Domain Controllers,dc=labs,dc=local" -LinkEnabled Yes
New-GPLink -Name "Enable-WinRM-and-RDP" -Target "dc=labs,dc=local" -LinkEnabled Yes
GpoId : 9e16eb44-5d2c-431c-bb4c-48194c0bf613
DisplayName : CMD-PS-Logging
Enabled : True
Enforced : False
Target : DC=labs,DC=local
Order : 2
PS Microsoft.PowerShell.Core\FileSystem::\\dc01\labs\Sysmon> New-GPLink -Name "Enhanced-WS-Auditing" -Target "dc=labs,dc=local" -LinkEnabled Yes
GpoId : 589e4744-0976-4a74-87f7-bebe31fde2df
DisplayName : Enhanced-WS-Auditing
Enabled : True
Enforced : False
Target : DC=labs,DC=local
Order : 3
PS Microsoft.PowerShell.Core\FileSystem::\\dc01\labs\Sysmon> New-GPLink -Name "Enhanced-DC-Auditing" -Target "ou=Domain Controllers,dc=labs,dc=local" -LinkEnabled Yes
GpoId : 437250f5-7ecf-4c4c-8d87-550aa45a7693
DisplayName : Enhanced-DC-Auditing
Enabled : True
Enforced : False
Target : OU=Domain Controllers,DC=labs,DC=local
Order : 2
PS Microsoft.PowerShell.Core\FileSystem::\\dc01\labs\Sysmon> New-GPLink -Name "Enable-WinRM-and-RDP" -Target "dc=labs,dc=local" -LinkEnabled Yes
GpoId : c4046fa0-80f0-4613-a98b-c3519fdb7afa
DisplayName : Enable-WinRM-and-RDP
Enabled : True
Enforced : False
Target : DC=labs,DC=local
Order : 4
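The import-then-link steps above are typed one cmdlet at a time. The script below is an added example, not part of the lab pack, that performs the same sequence for all four policies from a single table, refuses to continue if a backup folder is missing, skips New-GPLink when the link already exists (so the script can be re-run after a partial failure), and finishes by checking that every GPO has an enabled link on its intended container. It assumes the GroupPolicy module is available on DC01 and reuses the lab's share path and GPO names; the $Gpos table and the verification loop are this example's own.

```powershell
# Added example: bulk import + link of the lab GPOs with idempotent linking and a
# final verification pass. Not part of the lab's own material.
Import-Module GroupPolicy -ErrorAction Stop

$Server     = 'DC01'
$BackupRoot = '\\dc01\LABS\LabPack\LABPACK-master\Lab-GPOs'   # lab share from the steps above

# Folder under $BackupRoot, the name stored inside the backup, the GPO name to
# create, and the container it should be linked to (values taken from the lab).
$Gpos = @(
    @{ Folder = 'CMD-PS-Logging';       BackupName = 'CMD-PS-Logging';       Name = 'CMD-PS-Logging';       Target = 'dc=labs,dc=local' }
    @{ Folder = 'Enhanced-WS-Auditing'; BackupName = 'Enhanced WS Auditing'; Name = 'Enhanced-WS-Auditing'; Target = 'dc=labs,dc=local' }
    @{ Folder = 'Enhanced-DC-Auditing'; BackupName = 'Enhanced DC Auditing'; Name = 'Enhanced-DC-Auditing'; Target = 'ou=Domain Controllers,dc=labs,dc=local' }
    @{ Folder = 'Enable-WinRM-and-RDP'; BackupName = 'Enable-WinRM-and-RDP'; Name = 'Enable-WinRM-and-RDP'; Target = 'dc=labs,dc=local' }
)

foreach ($g in $Gpos) {
    $path = Join-Path $BackupRoot $g.Folder
    if (-not (Test-Path $path)) { throw "Backup folder not found: $path" }

    # -CreateIfNeeded creates the GPO only when it is missing; re-running the
    # import overwrites the GPO's settings with the backup's contents.
    $gpo = Import-GPO -Path $path -BackupGpoName $g.BackupName -TargetName $g.Name `
                      -CreateIfNeeded -Server $Server -ErrorAction Stop

    # New-GPLink fails if the GPO is already linked to the target, so look first.
    $existing = (Get-GPInheritance -Target $g.Target -Server $Server).GpoLinks |
                Where-Object { $_.GpoId -eq $gpo.Id }
    if ($existing) {
        Write-Host ("{0,-22} already linked to {1}" -f $gpo.DisplayName, $g.Target)
    } else {
        New-GPLink -Guid $gpo.Id -Target $g.Target -LinkEnabled Yes -Server $Server -ErrorAction Stop | Out-Null
        Write-Host ("{0,-22} linked to {1}" -f $gpo.DisplayName, $g.Target)
    }
}

# Verification: every GPO must have an enabled link on its intended container.
$problems = foreach ($g in $Gpos) {
    $link = (Get-GPInheritance -Target $g.Target -Server $Server).GpoLinks |
            Where-Object { $_.DisplayName -eq $g.Name }
    if (-not $link)             { "$($g.Name): no link on $($g.Target)" }
    elseif (-not $link.Enabled) { "$($g.Name): link present but disabled" }
}
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { Write-Host 'All GPOs imported and linked.' }
```

Linking by -Guid rather than -Name avoids ambiguity if a GPO with a similar display name already exists in the domain; the verification loop deliberately looks at the link on the container rather than at the GPO object, because an imported but unlinked GPO changes nothing on any endpoint.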
Now that the GPOs have been imported and linked, create a report of the contents of the GPOs to see what has been configured.
While still working in PowerShell on the Domain Controller, run the following commands to build reports of the imported and linked Group Policy Objects.
First, confirm the correct user and system context by using the "whoami" and "hostname" commands.
whoami
hostname
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Users\itadmin> whoami
labs\itadmin <------------------------------VERIFY RESULT
PS C:\Users\itadmin> hostname
dc01 <-----------------------------------VERIFY RESULT
If the result of the above commands differs, please confirm you are operating on the correct system and user context.
Get-GPOReport -Name "CMD-PS-Logging" -ReportType HTML -Path "c:\Labs\GPOReport-CMD-PS-Logging.html"
Get-GPOReport -Name "Enable-WinRM-And-RDP" -ReportType HTML -Path "c:\Labs\GPOReport-Enable-WinRM-And-RDP.html"
Get-GPOReport -Name "Enhanced-WS-Auditing" -ReportType HTML -Path "c:\Labs\GPOReport-Enhanced-WS-Auditing.html"
Get-GPOReport -Name "Enhanced-DC-Auditing" -ReportType HTML -Path "c:\Labs\GPOReport-Enhanced-DC-Auditing.html"
These commands will not return a response unless a failure occurs.
To launch the reports in Internet Explorer, run the following commands in PowerShell.
& 'C:\Labs\GPOReport-CMD-PS-Logging.html'
& 'C:\Labs\GPOReport-Enhanced-DC-Auditing.html'
& 'C:\Labs\GPOReport-Enhanced-WS-Auditing.html'
& 'C:\Labs\GPOReport-Enable-WinRM-And-RDP.html'
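Reading the HTML reports by eye is fine for a lab, but an engineer usually wants to confirm that the audit policy a GPO declares is the policy actually in force on the endpoint. The script below is an added example, not part of the lab, that requests the XML form of Get-GPOReport, pulls out each audit subcategory the GPO sets, and compares it with the effective policy reported by auditpol on the local machine after a Group Policy refresh. It assumes the report's audit extension uses the AuditSetting, SubcategoryName, SubcategoryGuid and SettingValue element names and that auditpol /r emits CSV with "Subcategory GUID" and "Inclusion Setting" columns; Enhanced-DC-Auditing is compared because DC01 sits in the Domain Controllers OU where that GPO is linked.

```powershell
# Added example: compare the audit policy a GPO declares (from its XML report)
# with the effective audit policy on this host. Not part of the lab's own material.
Import-Module GroupPolicy -ErrorAction Stop

# SettingValue in the report is a bitmask: bit 0 = Success, bit 1 = Failure.
# The strings chosen match the wording auditpol uses for "Inclusion Setting".
function Convert-AuditValue([int]$v) {
    switch ($v) {
        0       { 'No Auditing' }
        1       { 'Success' }
        2       { 'Failure' }
        3       { 'Success and Failure' }
        default { "Unknown ($v)" }
    }
}

# One object per subcategory the GPO configures. local-name() sidesteps the
# numbered namespace prefixes (q1:, q2:, ...) the report assigns per extension.
function Get-GpoAuditSettings {
    param([Parameter(Mandatory)][string]$Name, [string]$Server = 'DC01')
    [xml]$report = Get-GPOReport -Name $Name -ReportType Xml -Server $Server
    foreach ($node in $report.SelectNodes("//*[local-name()='AuditSetting']")) {
        [pscustomobject]@{
            Gpo         = $Name
            Subcategory = $node.SelectSingleNode("*[local-name()='SubcategoryName']").InnerText
            Guid        = $node.SelectSingleNode("*[local-name()='SubcategoryGuid']").InnerText.Trim('{}').ToLower()
            Declared    = Convert-AuditValue ([int]$node.SelectSingleNode("*[local-name()='SettingValue']").InnerText)
        }
    }
}

# Effective policy on the local machine, keyed by subcategory GUID so the
# comparison does not depend on the "Audit ..." naming differences between tools.
function Get-EffectiveAuditPolicy {
    $map = @{}
    auditpol /get /category:* /r | ConvertFrom-Csv | ForEach-Object {
        $map[$_.'Subcategory GUID'.Trim('{}').ToLower()] = $_.'Inclusion Setting'
    }
    $map
}

# Refresh computer policy first; the comparison is meaningless against stale policy.
gpupdate /target:computer /force | Out-Null

$effective = Get-EffectiveAuditPolicy
$declared  = Get-GpoAuditSettings -Name 'Enhanced-DC-Auditing'

$declared | ForEach-Object {
    $actual = $effective[$_.Guid]
    [pscustomobject]@{
        Subcategory = $_.Subcategory
        Declared    = $_.Declared
        Effective   = $actual
        Match       = ($actual -eq $_.Declared)
    }
} | Sort-Object Match, Subcategory | Format-Table -AutoSize
```

A row with Match set to False is not necessarily a broken import: the effective policy is the merge of every linked GPO plus local settings, so a mismatch usually points at a higher-precedence GPO or a refresh that has not completed yet. Running the same comparison against Enhanced-WS-Auditing on a workstation in the domain checks the workstation baseline the same way.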
After reviewing the contents of the Group Policy Objects, you have completed this lab.