1
00:00:03,390 --> 00:00:10,700
Certain groups of users are considered high risk. These groups include people who possess escalated privileges

2
00:00:10,700 --> 00:00:12,380
in the system.

3
00:00:12,380 --> 00:00:17,660
Usually these are the administrators. They have to be monitored with special care.

4
00:00:20,460 --> 00:00:26,640
With high-risk groups, events that are to be audited should include above all failed admin account logons,

5
00:00:27,690 --> 00:00:29,040
event 855.

6
00:00:33,760 --> 00:00:42,030
Event 534 is extremely alarming. Certain services are run with specified user privileges, special accounts

7
00:00:42,030 --> 00:00:46,820
that are set up for the services, such as SQL servers.

8
00:00:46,820 --> 00:00:51,140
For example, use a domain account called SQL Server.

9
00:00:51,190 --> 00:00:56,160
No one should log into this account. If a user has successfully logged on,

10
00:00:56,170 --> 00:00:59,880
this probably means that our SQL server has been compromised.

11
00:01:06,190 --> 00:01:15,480
Event 601 is an attempt to install a new system service.

12
00:01:15,550 --> 00:01:21,430
We've now moved to the event types that, if logged, suggest that the security policy is flouted or even

13
00:01:21,430 --> 00:01:22,540
that we've been attacked.

14
00:01:26,130 --> 00:01:32,630
Event 531 is an attempt to log on to a locked account.

15
00:01:32,870 --> 00:01:38,650
The feature that locks accounts is helpful, but it should take more than five failed attempts for a lockout.

16
00:01:39,170 --> 00:01:42,140
A user could have simply forgotten their password.

17
00:01:42,140 --> 00:01:46,460
The Caps Lock key might be pressed or the keyboard layout has changed.

18
00:01:46,520 --> 00:01:54,230
It's easy to accidentally press Ctrl+Shift. Forcing an account lockout after five failed logons

19
00:01:54,350 --> 00:01:57,560
will only protect against simple guessing of passwords.

20
00:01:58,650 --> 00:02:02,070
Five attempts can be enough only for the weakest passwords.

21
00:02:04,080 --> 00:02:09,600
You should in reality defend user accounts against the threat by telling users how to make passwords secure

22
00:02:09,600 --> 00:02:13,320
and crack-proof.

23
00:02:13,450 --> 00:02:19,210
If your users know the basic password handling rules, you can lift the threshold to 15 or 50 failed logon

24
00:02:19,210 --> 00:02:22,050
attempts.

25
00:02:22,090 --> 00:02:26,880
There's an equally low risk that an attacker would be able to successfully determine a password in five

26
00:02:26,890 --> 00:02:28,540
or 50 attempts.

27
00:02:29,340 --> 00:02:33,570
And raising the limit will also relieve your IT department's workload by 30 percent.

28
00:02:37,720 --> 00:02:41,920
Event 532 indicates a failed attempt to log in with a disabled account.

29
00:02:42,970 --> 00:02:45,980
Disabled accounts are often simply account templates.

30
00:02:47,690 --> 00:02:53,600
There is, for example, a production department user account template. When a new employee is hired in the

31
00:02:53,600 --> 00:02:55,090
department,

32
00:02:55,150 --> 00:03:01,620
it's enough to simply duplicate the template to have a well-configured account. Templates have to be

33
00:03:01,620 --> 00:03:08,700
disabled, as they're not assigned to a specific person and are not monitored. If a user attempts to

34
00:03:08,700 --> 00:03:10,320
log into a template,

35
00:03:10,320 --> 00:03:16,620
this suggests that they are trying to escalate privileges. This event should be detected and noticed at

36
00:03:16,620 --> 00:03:17,040
once.
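The audit rules the lecture walks through (failed admin logons, any successful logon with a service account, events 531, 532, 534 and 601, and logons against disabled account templates), turned into a small triage routine run over constructed sample records. This is an added example, not material from the lecture; the account names, record layout and sample data are assumptions.

```python
"""Triage of classic Windows security-log events for high-risk accounts.

Event IDs 531, 532, 534 and 601 are the ones named in the lecture. The
account sets and the record format (event_id, account, outcome) are
assumptions made for this example; a plain "logon" record stands in for
the ordinary logon events, whose IDs the lecture does not give clearly.
"""

LOCKED_ACCOUNT_LOGON = 531     # logon attempt against a locked-out account
DISABLED_ACCOUNT_LOGON = 532   # logon attempt against a disabled account
LOGON_TYPE_NOT_GRANTED = 534   # account not allowed the requested logon type
SERVICE_INSTALLED = 601        # attempt to install a new system service

ADMIN_ACCOUNTS = {"Administrator", "ops-admin"}   # assumed privileged accounts
SERVICE_ACCOUNTS = {"sqlserver"}                  # the lecture's SQL Server domain account
TEMPLATE_ACCOUNTS = {"tpl-production"}            # assumed disabled account template

# Constructed sample log: (event_id, account, outcome).
SAMPLE_LOG = [
    ("logon", "Administrator", "failure"),
    ("logon", "Administrator", "failure"),
    ("logon", "jdoe", "failure"),
    ("logon", "sqlserver", "success"),
    (531, "jdoe", "failure"),
    (532, "tpl-production", "failure"),
    (534, "sqlserver", "failure"),
    (601, "ops-admin", "success"),
    ("logon", "jdoe", "success"),
]


def triage(records):
    """Return (severity, message) alerts for the patterns the lecture flags."""
    alerts = []
    for event_id, account, outcome in records:
        if event_id == "logon" and outcome == "failure" and account in ADMIN_ACCOUNTS:
            alerts.append(("high", f"failed logon to privileged account {account}"))
        elif event_id == "logon" and outcome == "success" and account in SERVICE_ACCOUNTS:
            # Nobody should ever log on with a service account: treat as compromise.
            alerts.append(("critical", f"interactive logon with service account {account}"))
        elif event_id == LOCKED_ACCOUNT_LOGON:
            alerts.append(("medium", f"event 531: logon attempt on locked account {account}"))
        elif event_id == DISABLED_ACCOUNT_LOGON:
            # A template is never meant to be used, so a logon attempt is an escalation attempt.
            severity = "high" if account in TEMPLATE_ACCOUNTS else "medium"
            alerts.append((severity, f"event 532: logon attempt on disabled account {account}"))
        elif event_id == LOGON_TYPE_NOT_GRANTED:
            alerts.append(("high", f"event 534: {account} attempted a logon type it is not granted"))
        elif event_id == SERVICE_INSTALLED:
            alerts.append(("high", f"event 601: {account} attempted to install a system service"))
    return alerts


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```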