As the continuation of the previous article, we are going to share information about the next step in WEC configuration. We will talk about event forwarding background, which services it uses and how to configure them in a proper way.
As we use source initiated type of subscription which was described in detail in the previous article. It allows us to define a subscription on an event collector computer without defining the event source computers, and then multiple remote event source computers can be set up (using a group policy setting) to forward events to the event collector computer.
The forwarding process is based on using winRM services as an essential part of this process. This service was explained in the other article.
So here below we are going to describe the process of configuration event forwarding through winRM service using group policies.
As a result of configuration from the previous article, we have created the subscription to receiving source initiated logs on the WEC computer.
First of all we have to create the new group policy for example ” Forwarding” and apply it to event collector and all end computers which will send logs to WEC machine. After that we have to configure “Forwarding” group policy(GPO).
However, there are strict restrictions on users’ roles in windows infrastructure. So for proper work of WEC server, there is a necessity to add it to a certain user group, the members of which have access to read logs
For this we have to perform next actions via GPO edit :
Computer Configurations -> Preferences -> Control Panel Settings -> Local Users and Groups. Click on that and choose to create a group.
- On the end computer open command prompt with administrator privileges and run wevtutil gl security. As a result we will see the current security descriptor. It is located in channelAccess parameter and is described with SDDL (Security Descriptor Definition Language).
Global syntaksis of SDDL:
Value by default:
- If we are going to allow read access to all network services we have to add next value to the end (A;;0x1;;;S-1-5-20).
- To perform this:
wevtutil sl security
In the group policy editor go to Computer Configurations -> Policies -> Administrative Templates -> Windows Component -> Event Log Service -> Security
As we have previously created new user group Event Log Readers and provided Network services with permissions to read security logs. At this stage, we are going to add NETWORK SERVICE to Event Log Readers group for the possibility to read and forward all logs via winRM.
In the policy editor tab go to Policies -> Windows Settings -> Security Settings -> Restricted Groups. Here we should create a new Restricted Group – BUILTIN\\Event Log Readers.
If there are no problems on previous steps we have a configured all permissions for services and all pre-requirements for log forwarding. At this stage, we are going to configure WinRM services to automatically start and provide all permission to it.
Create a policy to launch WinRM service on computers. Go to Computer Configurations -> Preferences -> Control Panel Settings -> Services here we should create a new service.
Server= http://<Full domain name of WEC machine>:5985/wsman/SubscriptionManager/WEC,Refresh=60
In this article, we explain how to configure windows event forwarding through Group Policies. We have provided a step-by-step guide about Forwarding Group Policy configuration. The main points are how to run WinRM services for log collection and sending via GPO, how to manage permissions for services to provide access to logs and windows event forwarding mechanism.
Get the Help You Need
Cybersecurity is our core expertise. Let’s get in touch and you will learn more about how UnderDefense can benefit your organization
There is no end to Cyber Risk so go into battle with the best... Risk for 400M or WHY we talk about it Recently, one portfolio company of a big Los Angeles PE firm paid $400M in bitcoin as Ransomware to attackers for decrypting their systems and getting back to...
Why It’s Important Email is one of the most valuable IT systems where organization share their plans, sensitive documents, chats….and even passwords. UnderDefense, in cooperation with the Computer Emergency Response Team of Ukraine (CERT-UA) participated in a series...
Malicious Actors have a new trend - brute-forcing various remote desktop SaaS services/tools like AnyDesk, GoToMyPC, Zoho Assist, RemotePC, VNC Connect, DameWare Mini Remote Control, etc. to gain unrestricted access to internal corporate networks without any...