Auditing Active Directory with PowerShell. Part 2

In the previous article I published my first post on Habr. Continuing that theme, I have written the second part.
In the comments to part one I mentioned in passing that I had extended the scripts that monitor connections to the servers. In particular, I added notification through the XMPP (Jabber) instant messaging service and logging to a separate text file.
Instant notification.
What is good about instant alerts is that there is no need to keep checking e-mail for new messages: the messages arrive on their own and announce themselves immediately (depending on the client settings, of course).
Personally, I set the messages to open on top of other windows. So as not to spam myself, of course, these alerts are sent only for critical events.
As critical events I took failed logon attempts on the domain controllers and failed logon attempts to the VPN service (PPTP on Windows). I also added this feature to the AD monitoring scripts. Because several people have access to AD, over time you can lose track of what is actually there (something, at some point, was removed, moved or added by someone, but you never know by whom). These messages are a welcome addition that lets me learn about changes in real time.
Searching for a solution
When I got the idea of this kind of alert (given that our organisation actively uses a Jabber service), the first thing I did was type "Powershell Jabber" into Google. The first link sent me to the Microsoft TechNet forums, to a post by a well-known participant there, Xaerg. What I saw surprised me: "did you know that the NetCmdlets snap-in, which includes cmdlets for a huge number of network protocols, is available completely free for non-commercial use?"
And then a list of the available commands. "This is exactly what I need, and free too!!!" I thought, and was disappointed when I went to the developer's website for this snap-in: it turned out there is no free version, only a one-month trial, after which you have to request a new key. Only then did I notice the date of the post: 2008, too old :(.
For the sake of experiment I downloaded the trial version and installed it on the server where I wanted to use the alerts. The installation went fine, and the new cmdlets became available immediately. Their syntax is quite simple and sending messages was no problem. For some time I used the trial licence and re-registered it once a month. But the feeling of using a trial version depressed me, and even more depressing was the need to re-register every month on every server where it was installed. Since the infrastructure at that time consisted of just under 30 servers, the very idea of re-registering on all of them at least once a month terrified me.
When things got quieter, I decided to finish this idea off. I needed a tool that could send XMPP messages from PowerShell, and an important condition was its terms of use: it had to be free.
I started tormenting Google again, and my efforts were not in vain. After a click I landed on the page of a utility that still lets you send messages from the PowerShell console over the XMPP protocol.
I was particularly pleased by the caption in the page header: Project Hosting for Open Source Software. That suggested the product was free to use, which is just what I needed.
Auditing failed logon attempts to the server, with notification by e-mail and Jabber and an entry in a log file.
#Find the newest record in the Windows Event Log for a failed logon attempt to the server (Security log, event ID 4625) and store its values in the variable $Body
$HostName = HostName
$Body = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} -MaxEvents 1 |
    Select-Object TimeCreated,
        @{n='User'; e={([xml]$_.ToXml()).Event.EventData.Data | ? {$_.Name -eq 'TargetUserName'} | %{$_.'#text'}}},
        @{n='ComputerName'; e={([xml]$_.ToXml()).Event.EventData.Data | ? {$_.Name -eq 'WorkstationName'} | %{$_.'#text'}}},
        @{n='IPAddress'; e={([xml]$_.ToXml()).Event.EventData.Data | ? {$_.Name -eq 'IpAddress'} | %{$_.'#text'}}}
#$BodyL - the line written to the text log file (tab-separated, so it opens as a table)
$BodyL = "`n" + $Body.TimeCreated + "`t" + $Body.User + "`t" + $Body.ComputerName + "`t" + $Body.IPAddress
#$Body - the message body sent by e-mail and Jabber
$Body = "`nTime: " + $Body.TimeCreated + "`nUser name: " + $Body.User + "`nSource computer: " + $Body.ComputerName + "`nIP: " + $Body.IPAddress
#$Theme - the subject; $HostName is the server name
$Theme = "Failed logon on " + $HostName
#Send the Jabber message (PoshXMPP snap-in)
Add-PSSnapin poshxmpp
New-Client -JabberId AUDIT@domain.ru -Password Password
Send-Message admin@domain.ru "$Theme $Body"
$PoshXmppClient.Close()
#Variables for the e-mail notification about the incident
$Subject = "Failed logon on " + $HostName
$Server = "mail.domain.ru" # SMTP server
$From = "audit@domain.ru" # sender address
$To = "admin@domain.ru" # recipient
$pass = ConvertTo-SecureString "PASSWORD" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("AUDIT", $pass)
$encoding = [System.Text.Encoding]::UTF8
#Send the e-mail
Send-MailMessage -From $From -To $To -SmtpServer $Server -Body "$Theme `n$Body" -Subject $Subject -Credential $cred -Encoding $encoding
#Append the record to the text log file FaildConnect.txt on a file share
$BodyL | Out-File "\\ServerName\ServerLogFiles\ServerFaildConnect.txt" -Append
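The script above parses the event XML three times and keeps only user, workstation and IP, while event 4625 also carries the reason for the failure (SubStatus) and the logon type, which tell you whether you are looking at a mistyped password or a guess at a non-existent account. The following is an added example written for this article, not code from the original post: a small parser that reads the record once, maps the documented SubStatus codes to text, and writes a CSV that opens directly in Excel or Calc. The function name, the constructed sample event, and the paths C:\Logs\FailedLogon.csv and C:\Scripts\smtp.cred are assumptions.

```powershell
# Added example, not part of the original post. Parses a 4625 record once and
# returns a structured object; names and paths below are assumptions.

# SubStatus values Windows writes into event 4625 (documented codes, lower-cased for lookup).
$SubStatusText = @{
    '0xc000006a' = 'Wrong password'
    '0xc0000064' = 'User name does not exist'
    '0xc0000234' = 'Account locked out'
    '0xc0000072' = 'Account disabled'
    '0xc000006f' = 'Logon outside allowed hours'
    '0xc0000070' = 'Workstation restriction'
    '0xc0000193' = 'Account expired'
    '0xc0000071' = 'Password expired'
    '0xc000015b' = 'Logon type not granted'
}

function ConvertFrom-FailedLogon {
    # Accepts either a record from Get-WinEvent or the raw event XML as a string.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $xml = if ($Record -is [string]) { [xml]$Record } else { [xml]$Record.ToXml() }
        # Flatten the <Data Name="..."> elements into a hashtable: one XML parse per event.
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $sub = ('{0}' -f $d['SubStatus']).ToLower()
        [pscustomobject]@{
            TimeCreated = [datetime]$xml.Event.System.TimeCreated.SystemTime
            User        = $d['TargetUserName']
            Domain      = $d['TargetDomainName']
            Workstation = $d['WorkstationName']
            IPAddress   = $d['IpAddress']
            LogonType   = [int]$d['LogonType']
            Reason      = if ($SubStatusText.ContainsKey($sub)) { $SubStatusText[$sub] } else { $sub }
        }
    }
}

# Live use (the same query as in the script above):
# Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} -MaxEvents 1 | ConvertFrom-FailedLogon

# Offline check on a constructed 4625 record; every value here is made up for the example.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2015-03-10T08:15:42.000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">administrator</Data>
    <Data Name="TargetDomainName">DOMAIN</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="WorkstationName">ATTACKER-PC</Data>
    <Data Name="IpAddress">192.0.2.45</Data>
  </EventData>
</Event>
'@
$rec = ConvertFrom-FailedLogon $sample

# Tab-separated log with a single header row (-Append needs PowerShell 3 or later);
# it opens in Excel/Calc as a table without any import wizard.
$rec | Export-Csv -Path 'C:\Logs\FailedLogon.csv' -Delimiter "`t" -NoTypeInformation -Append -Encoding UTF8

# Message body for mail and Jabber, built with a format string instead of escaped concatenation.
$fields = $rec.TimeCreated, $rec.Domain, $rec.User, $rec.Workstation, $rec.IPAddress, $rec.LogonType, $rec.Reason
$Body = "Time: {0}`nUser: {1}\{2}`nSource: {3} ({4})`nLogon type: {5}`nReason: {6}" -f $fields

# Instead of a plain-text SMTP password in a script that sits on every domain controller,
# store the credential once with DPAPI (only the same account on the same host can read it back):
#   Get-Credential | Export-Clixml 'C:\Scripts\smtp.cred'
# and in the script:
#   $cred = Import-Clixml 'C:\Scripts\smtp.cred'
```

For the constructed record, $rec.Reason is "Wrong password" and $rec.LogonType is 3 (network), which is what a password-guessing attempt against SMB or LDAP looks like; an RDP attempt would show logon type 10, and a guess at a non-existent account would show SubStatus 0xc0000064. The Export-Clixml step matters more than it looks: the original script embeds the mail account password in clear text on every server that runs it, and anyone who can read the script can read the password.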
As I wrote in the first part, for the script to run automatically you must create a task in Task Scheduler that triggers on an event with ID 4625 in the Security log.
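Creating that task by hand on 30 servers is the same chore as the licence re-registration above, so here is an added example (not from the original post) that registers the event-triggered task from PowerShell and also deals with a failure mode the article does not mention: during a password-guessing burst the Security log receives many 4625 events per minute, and an event trigger would launch the script once for each of them, each copy sending its own mail and Jabber message. The task name, the script path and the two-minute time limit are assumptions.

```powershell
# Added example, not part of the original post: register the 4625-triggered task.
# Task name and script path are assumptions.
$ScriptPath = 'C:\Scripts\Audit-FailedLogon.ps1'

# New-ScheduledTaskTrigger has no switch for event triggers, so the trigger is built
# through CIM. The Subscription is the same XPath the Event Viewer wizard
# "Attach Task To This Event" would generate for a 4625 in the Security log.
$triggerClass = Get-CimClass -Namespace Root/Microsoft/Windows/TaskScheduler -ClassName MSFT_TaskEventTrigger
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Subscription = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4625)]]</Select>
  </Query>
</QueryList>
'@
$trigger.Enabled = $true

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""

# Reading the Security log requires SYSTEM or membership in the Event Log Readers group.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# IgnoreNew: while one copy of the script is still running, further 4625 events do not
# start another copy, so a burst of bad passwords produces one alert, not hundreds.
$settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew -ExecutionTimeLimit (New-TimeSpan -Minutes 2)

Register-ScheduledTask -TaskName 'Audit - Failed logon (4625)' -Trigger $trigger -Action $action `
    -Principal $principal -Settings $settings -Force

# On hosts without the ScheduledTasks module (Windows Server 2008 R2) schtasks.exe does the same:
# schtasks /Create /TN "Audit - Failed logon (4625)" /SC ONEVENT /EC Security /MO "*[System[(EventID=4625)]]" /RU SYSTEM /TR "powershell.exe -NoProfile -File C:\Scripts\Audit-FailedLogon.ps1"
```

One consequence of this design is worth keeping in mind: the script reads only the newest 4625 record, so during a burst the log file gets a sample of the attempts, not all of them. If you need every attempt, have the script read all 4625 events since its previous run (Get-WinEvent with a StartTime in the filter hashtable) rather than a single record.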
Recommendations.
Scripts like this run for me on the VPN server and on all domain controllers.
Now I always know, for example, when someone connects to the VPN, or when someone is trying to guess a password to get into a server.
So I recommend hanging such a script on the services that are exposed to the Internet, for example terminal (RDP) access.
The record in a separate file lets you go back over the connections later. The log, by the way, can be opened in a spreadsheet editor (MS Excel or OO Calc) and worked with as a table (sort, filter, etc.).