STIGQter: STIG Summary: Active Directory Domain Security Technical Implementation Guide (STIG) Version: 2 Release: 13 Benchmark Date: 26 Apr 2019:

Usage of administrative accounts must be monitored for suspicious and anomalous activity.

DISA Rule

SV-56533r4_rule

Vulnerability Number

V-43712

Group Title

AD.AU.0001

Rule Version

AD.AU.0001

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Monitor account usage events for administrative accounts. This includes events related to approved administrative accounts as well as accounts being added to privileged groups such as Administrators, Domain Admins, Enterprise Admins, and other organization-defined administrative groups. Event monitoring may be implemented through various methods, including log aggregation and the use of monitoring tools.

Monitor for the events listed below, at minimum.

Account Lockouts (Subcategory: User Account Management)
    4740 - A user account is locked out.
User Added to Privileged Group (Subcategory: Security Group Management)
    4728 - A member was added to a security-enabled global group.
    4732 - A member was added to a security-enabled local group.
    4756 - A member was added to a security-enabled universal group.
Successful User Account Login (Subcategory: Logon)
    4624 - An account was successfully logged on.
Failed User Account Login (Subcategory: Logon)
    4625 - An account failed to log on.
Account Login with Explicit Credentials (Subcategory: Logon)
    4648 - A logon was attempted using explicit credentials.

The "Account Usage" section of NSA's "Spotting the Adversary with Windows Event Log Monitoring" provides additional information.
https://www.iad.gov/iad/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm
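The fix above names the minimum event set but leaves the monitoring logic to the organization. The following is an added example, not code from the STIG or from STIGQter, of the filtering a log-aggregation rule would perform over exported Security events: it keeps only the seven event IDs listed, ties the group-membership events (4728/4732/4756) to an organization-defined list of privileged groups, ties the logon and lockout events to a list of approved administrative accounts, and flags bursts of failed logons against those accounts. The account names, group list, and sample events are constructed assumptions; the field names (TargetUserName, MemberName, SubjectUserName, IpAddress) follow the EventData names in Windows Security log XML.

```python
"""Detection logic for the AD.AU.0001 minimum event set over a constructed feed.

Added example; the sample events and the account/group lists are assumptions,
not data from the STIG. Field names follow the EventData element names that
Windows uses in Security log XML.
"""
from collections import Counter

# Event IDs the STIG names as the minimum to monitor.
STIG_EVENTS = {
    4740: "Account lockout",
    4728: "Member added to security-enabled global group",
    4732: "Member added to security-enabled local group",
    4756: "Member added to security-enabled universal group",
    4624: "Successful logon",
    4625: "Failed logon",
    4648: "Logon with explicit credentials",
}
GROUP_CHANGE_EVENTS = {4728, 4732, 4756}

# Assumption: the organization's approved administrative accounts and its
# organization-defined privileged groups (extend as appropriate).
ADMIN_ACCOUNTS = {"adm.jdoe", "adm.svc-backup"}
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}


def classify(event):
    """Return an alert dict for an event the STIG says to watch, or None if out of scope.

    For 4728/4732/4756, TargetUserName holds the group name and MemberName the
    account that was added. For the other events, TargetUserName is the account
    the event is about; 4648 also carries the initiating account in SubjectUserName.
    """
    eid = event.get("EventID")
    if eid not in STIG_EVENTS:
        return None
    if eid in GROUP_CHANGE_EVENTS:
        group = event.get("TargetUserName")
        if group not in PRIVILEGED_GROUPS:
            return None
        return {
            "event_id": eid,
            "category": STIG_EVENTS[eid],
            "account": event.get("MemberName"),
            "detail": f"added to {group} by {event.get('SubjectUserName')}",
        }
    involved = {event.get("TargetUserName")}
    if eid == 4648:
        involved.add(event.get("SubjectUserName"))
    admins = involved & ADMIN_ACCOUNTS
    if not admins:
        return None
    return {
        "event_id": eid,
        "category": STIG_EVENTS[eid],
        "account": sorted(admins)[0],
        "detail": f"from {event.get('IpAddress', 'n/a')}",
    }


def monitor(events):
    """Run classify() over a feed and keep only the alerts, in feed order."""
    return [alert for alert in (classify(e) for e in events) if alert]


def failed_logon_bursts(events, threshold=3):
    """Admin accounts with at least `threshold` failed logons (4625) in the feed.

    A run of failures against an administrative account is the kind of anomaly
    the STIG's monitoring requirement is meant to surface.
    """
    counts = Counter(
        e["TargetUserName"]
        for e in events
        if e.get("EventID") == 4625 and e.get("TargetUserName") in ADMIN_ACCOUNTS
    )
    return {acct: n for acct, n in counts.items() if n >= threshold}


# Constructed sample feed (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jsmith", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "TargetUserName": "adm.jdoe", "IpAddress": "10.0.0.7"},
    {"EventID": 4625, "TargetUserName": "adm.jdoe", "IpAddress": "10.0.0.9"},
    {"EventID": 4625, "TargetUserName": "adm.jdoe", "IpAddress": "10.0.0.9"},
    {"EventID": 4625, "TargetUserName": "adm.jdoe", "IpAddress": "10.0.0.9"},
    {"EventID": 4740, "TargetUserName": "adm.jdoe", "SubjectUserName": "DC01$"},
    {"EventID": 4728, "TargetUserName": "Domain Admins",
     "MemberName": "CN=Pat Lee,OU=Users,DC=example,DC=com", "SubjectUserName": "adm.jdoe"},
    {"EventID": 4756, "TargetUserName": "All-Staff",  # not a privileged group: ignored
     "MemberName": "CN=Pat Lee,OU=Users,DC=example,DC=com", "SubjectUserName": "helpdesk1"},
    {"EventID": 4648, "SubjectUserName": "jsmith", "TargetUserName": "adm.svc-backup",
     "IpAddress": "10.0.0.5"},
    {"EventID": 4672, "TargetUserName": "adm.jdoe"},  # not in the STIG minimum set: ignored
]

if __name__ == "__main__":
    for a in monitor(SAMPLE_EVENTS):
        print(f"[{a['event_id']}] {a['category']}: {a['account']} ({a['detail']})")
    print("failed-logon bursts:", failed_logon_bursts(SAMPLE_EVENTS))
```

On the sample feed the filter yields seven alerts (the admin logon, three failed logons, the lockout, the Domain Admins addition, and the explicit-credential use of adm.svc-backup) and reports adm.jdoe as a failed-logon burst; the non-admin logon, the All-Staff group change and the 4672 event fall outside the STIG's minimum set or the organization's lists and produce nothing. In a real deployment the same logic sits in the aggregation tool's rule language, and the two lists come from the organization's privileged-account inventory rather than a literal in the script.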

Check Contents

Verify account usage events for administrative accounts are being monitored. This includes events related to approved administrative accounts as well as accounts being added to privileged groups such as Administrators, Domain Admins, Enterprise Admins, and other organization-defined administrative groups. Event monitoring may be implemented through various methods, including log aggregation and the use of monitoring tools.

Monitor for the events listed below, at minimum. If these events are not monitored, this is a finding.

Account Lockouts (Subcategory: User Account Management)
    4740 - A user account is locked out.
User Added to Privileged Group (Subcategory: Security Group Management)
    4728 - A member was added to a security-enabled global group.
    4732 - A member was added to a security-enabled local group.
    4756 - A member was added to a security-enabled universal group.
Successful User Account Login (Subcategory: Logon)
    4624 - An account was successfully logged on.
Failed User Account Login (Subcategory: Logon)
    4625 - An account failed to log on.
Account Login with Explicit Credentials (Subcategory: Logon)
    4648 - A logon was attempted using explicit credentials.

Vulnerability Number

V-43712

Documentable

False

Rule Version

AD.AU.0001

Severity Override Guidance

Check Content Reference

M

Target Key

870

Comments