Guys and Gals: it’s 2016. We live in a cyber age. Our lives are a heterogeneous smorgasbord of devices, operating systems, cloud storage and social media.
We are virtually always online in one way or another. Even our watches are constantly connected to something. We monitor our steps, our pulse, or stocks, our friend’s social lives (although I do wonder why sometimes).
It’s not just our private lives that are always online. Hands up if you don’t check your email away from the office. As I thought, a resolute hands down. Maybe you respond to a Skype call about sending over some important documents, while sipping sangria on a hot sandy beach, which you then share out from one of your ‘not allowed by company policy’ cloud storage providers.
Like it or not, it’s the way we live our lives.
What do most of these activities have in common?
One word: Authentication.
At some point in our activity, we will have had to log in, input our password, use a fingerprint, or even 2-factor.
The surprising thing is how few of these ‘authentications’ are from a Windows-based device.
I personally use a Windows laptop, so most of my work day activity is from a Windows OS. Even then I’m not connected to my work network. I maybe VPN in once or twice a day at most. My wife, however, has a MacBook. At no point in her day, working or personal, does she logon to a Windows OS.
How many critical systems are hosted on Unix or a mainframe? Again, no Windows OS involved.
Over the past ten years, I’ve seen – as I’m sure you have too – a massive growth in the use of non-Microsoft platforms for business.
I’m specifically referring to the end user. The majority of which is Mac OS from a notebook perspective and iOS/Android from a mobile angle.
One of the first things we do when we get a new mobile device is adding our business email account….which does, in fact, require your Active Directory login details.
This gets me to the point of this post. It’s a topic I’ve blogged about many times in various guises in the past. It’s still something that I just do not understand.
Why the insistence on wanting/needing Windows logon & logoff events?
Why do you need them?
I can give you a long list of why they are archaic, far too much hassle and most importantly inaccurate. Here you go:
- Read the content of this blog. Many of your business resources are accessed from devices that have no logon/logoff event (iOS, Android etc)
- To get logon/logoff information from the local machine, you have to
- Enable auditing
- Reliably collect and parse those logs
- Actually logon & logoff – how many users just turn off their screens in the evening?
- The AD attributes ‘Lastlogon’ and ‘LastLogonTimeStamp’ are virtually useless for this purpose
- Both are large integers that need to be converted into dates in the relevant time zone
- ‘LastLogonTimeStamp’ is only updated during logon if the old value is more than 14 days in the past
- ‘LastLogon’ is updated at every logon, but only on the authenticating DC. It is not replicated. Which means you would need to query every DC in the domain to gather the data
- Can you efficiently detect if an account has been compromised? No!
It’s time to stop looking to auditing methods suitable for a Windows NT age and look to Active Directory integrated authentication analytics.
Get the data in real-time at the source.
Don’t miss a post! Subscribe to The Insider Threat Security Blog here:
Mark Wilson is a Director of Product Management at STEALTHbits Technologies.
He is lead Pre-Sales consultant in the EMEA region and a key member of the global Product Marketing team.
Mark has 18 years’ experience working in virtually all technical support and consulting roles across both public and private sectors in the UK, EMEA and Globally.
Areas of specialism include compliance, data governance, IAM, migrations and consolidations.