Contents 1 Introduction .......................................................................................................................................... 1 2 Deployment........................................................................................................................................... 1 2.1 Ensuring Integrity of Event Logs ................................................................................................................... 2 2.2 Environment Requirements ......................................................................................................................... 3 2.3 Log Aggregation on Windows Server 2008 R2 ............................................................................................. 4 2.4 Configuring Source Computer Policies ......................................................................................................... 9 2.5 Disabling Windows Remote Shell ............................................................................................................... 15 2.6 Firewall Modification ................................................................................................................................. 15 2.7 Restricting WinRM Access .......................................................................................................................... 18 2.8 Disabling WinRM and Windows Collector Service ..................................................................................... 19 3 Hardening Event Collection................................................................................................................. 20 3.1 WinRM Authentication Hardening Methods ............................................................................................. 20 3.2 Secure Sockets Layer and WinRM .............................................................................................................. 24 4 Recommended Events to Collect ........................................................................................................ 24 4.1 Application Whitelisting ............................................................................................................................. 25 4.2 Application Crashes .................................................................................................................................... 25 4.3 System or Service Failures .......................................................................................................................... 25 4.4 Windows Update Errors ............................................................................................................................. 26 4.5 Windows Firewall ....................................................................................................................................... 26 4.6 Clearing Event Logs .................................................................................................................................... 26 4.7 Software and Service Installation ............................................................................................................... 27 4.8 Account Usage ........................................................................................................................................... 27 4.9 Kernel Driver Signing .................................................................................................................................. 28 4.10 Group Policy Errors .................................................................................................................................... 29 4.11 Windows Defender Activities ..................................................................................................................... 29 4.12 Mobile Device Activities ............................................................................................................................. 30 4.13 External Media Detection .......................................................................................................................... 31 4.14 Printing Services ......................................................................................................................................... 32 4.15 Pass the Hash Detection............................................................................................................................. 32 4.16 Remote Desktop Logon Detection ............................................................................................................. 33 5 Event Log Retention ............................................................................................................................ 34 6 Final Recommendations...................................................................................................................... 35 7 Appendix ............................................................................................................................................. 35 7.1 Subscriptions .............................................................................................................................................. 35 7.2 Event ID Definitions .................................................................................................................................... 37 7.3 Windows Remote Management Versions.................................................................................................. 38 7.4 WinRM 2.0 Configuration Settings ............................................................................................................. 40 7.5 WinRM Registry Keys and Values ............................................................................................................... 43 7.6 Troubleshooting ......................................................................................................................................... 44 8 Works Cited ......................................................................................................................................... 48 i List of Figures Figure 1: Creating a Subscription .................................................................................................................. 6 Figure 2: Configuring Subscription Properties .............................................................................................. 6 Figure 3: Event Delivery Optimization Configuration ................................................................................... 7 Figure 4: Completed Subscription ................................................................................................................. 7 Figure 5: Event Source GPO ........................................................................................................................ 10 Figure 6: Enabling Windows Remote Management ................................................................................... 11 Figure 7: Setting Service Startup Type ........................................................................................................ 11 Figure 8: Enabling WinRM listeners ............................................................................................................ 11 Figure 9: WinRM listener's IP Filter Options ............................................................................................... 11 Figure 10: Enable SubscriptionManager ..................................................................................................... 12 Figure 11: Configuration of SubscriptionManager ..................................................................................... 13 Figure 12: GPO Inbound Firewall Rules....................................................................................................... 17 Figure 13: Open Ports for WinRM ............................................................................................................... 17 Figure 14: Allow Any Connection to Port .................................................................................................... 17 Figure 15: Verify Firewalls are Enabled ....................................................................................................... 17 Figure 16: Predefined Rule for WinRM 2.0 ................................................................................................. 18 Figure 17: Adding Selective IP addresses .................................................................................................... 18 Figure 18: Add IP of Event Collector ........................................................................................................... 18 Figure 19: The Event Collector Firewall allowing Local subnet to Connect ................................................ 19 Figure 20: Event Viewer Subscription Creation Error ................................................................................. 19 Figure 21: WinRM Service Authentication Policies ..................................................................................... 21 Figure 22: WinRM Client Authentication Policies ....................................................................................... 21 List of Tables Table 1: Vista and above Events ................................................................................................................... 8 Table 2: Whilelisting Events .......................................................................................................................