BFGuard – Day 2

Background

In this post we actually start BFGuard and try to connect to the host from other workstations.

 

Target OS

Here are the Windows operating systems we will use for this exercise:

  1. Server
    • Windows Server 2012 R2
  2. Client
    • Windows Server 2012 R2
    • Windows 7

What we saw

BF Guard

BF Guard – Application

Scenario – After 1 failed Login

BF Guard – Application – Statistics

Explanation
  1. ip
    • Count :- 1
    • Date :- 2016-06-15 15:34:13
      • Time in GMT, not local time

 

Scenario – After Numerous failed Logins

BF Guard – Application – Statistics

Explanation
  1. ip
    • Count :- 7
    • Date :- 2016-06-15 16:47:18
      • Time in GMT, not local time

 

BF Guard – Application – Log entries

Explanation
  1. @ 2017-06-15 09:47:39
    • – Auto blocking IP: for: 54864000 minutes

 

BF Guard – Application – Blocked IP

Explanation
  1. IP Address
    • IP Address :-
    • From :- 2017-06-15 09:47:39
    • To      :- 2017-06-15 10:47:39
    • City    :- Blocked

 

OS – Windows

Windows Logs

Windows Logs – Security

Windows Logs – Security – Filter

Here we filter for “Audit Failure”.

Windows Logs – Security – Logs

And, here are the events captured.

 

Windows Logs – Security – Log – Detailed

Windows Logs – Security – Log – Detailed- Event ID = 4625

 

Explanation
  1. Subject
    • Security SID :- NULL SID
      • Since the account we entered at login is not known to the target computer or to Active Directory, we get “NULL SID”
    • Logon ID :- 0x0
      • Again, the Logon ID is unknown
  2. Logon Type
    • Our Logon Type is 3
      • Logon Type = 3
        • Network
  3. Account for which Logon Failed
    • Security SID :- NULL SID
    • Account Name :- bobsmith
    • Account Domain :- LAB
  4. Failure Information
    • Failure Reason :- unknown username or password
    • Status :- 0xC00006D
    • Sub Status :- 0xC0000064
  5. Process Information
    • Caller Process ID :- 0x0
      • Remote Caller Process is not known
    • Caller Process Name :-
      • Remote Caller Process is not known
  6. Network Information
    • Workstation Name :- ASTSQL01
    • Source Network Address :-
      • Network Address not passed in
    • Source Port :-
      • Network Port not passed in
  7. Detailed Authentication Information
    • Logon Process :- NtlmSsp
    • Authentication Package :- NTLM
  8. Summary
    • Log Name :- Security
    • Source :- Microsoft Windows security
    • Event ID:- 4625
    • Task Category :- Logon
    • Keywords :- Audit Failure
    • Computer :- The host on which the logon was attempted

 

OS – Windows Firewall

Reviewed the server’s Windows Firewall to see how it is configured for “Remote Desktop”.

 

Explanation

  1. Remote Desktop configured as:
    • Domain :- Yes
    • Home/Work :- Yes
    • Public :- No
    • Group Policy :- Yes

 

Summary

Unfortunately, Windows did not capture the incoming IP address: the Source Network Address field of the 4625 event is empty.

BF Guard was thus unable to read the IP address from the Windows logs.

Because of that, it cannot re-configure the local Windows Firewall to start blocking the source IP address.
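The 4625 fields walked through above, and the empty Source Network Address that stopped BF Guard, can be checked directly against the Security log. The following PowerShell is an added example, not BF Guard’s code or anything from the original post; the look-back window, the per-source threshold and the split into attributable and unattributable failures are assumptions.

```powershell
# Added example (not from the original post or from BF Guard): summarise Event ID 4625
# by source address and show which failures carry no Source Network Address at all.
# Assumed: run in an elevated PowerShell session on the host that was logged on to.
param(
    [int]$Hours = 24,       # look-back window (assumed value)
    [int]$Threshold = 5     # failures per source before it is listed (assumed value)
)

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # The EventData section of the event XML carries every field shown in the post.
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $_.TimeCreated        # local time; BF Guard displays GMT
        TargetUser  = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType   = [int]$d.LogonType     # 3 = Network, 2 = Interactive, 4 = Batch
        Status      = $d.Status             # 0xC000006D = STATUS_LOGON_FAILURE
        SubStatus   = $d.SubStatus          # 0xC0000064 = no such user, 0xC000006A = bad password
        LogonProc   = $d.LogonProcessName   # NtlmSsp in the post's RDP case
        Workstation = $d.WorkstationName
        IpAddress   = $d.IpAddress          # '-' or empty when the address was not passed in
    }
}

function Get-AttributableFailure {
    # Sources with a usable address: the only input a firewall-blocking tool can act on.
    $events | Where-Object { $_.IpAddress -and $_.IpAddress -ne '-' } |
        Group-Object IpAddress | Where-Object { $_.Count -ge $Threshold }
}

function Get-UnattributableFailure {
    # Failures with no address cannot be tied to a source IP; group them by workstation
    # name and logon process so the gap is visible instead of silently ignored.
    $events | Where-Object { -not $_.IpAddress -or $_.IpAddress -eq '-' } |
        Group-Object Workstation, LogonProc
}

Get-AttributableFailure | ForEach-Object {
    '{0,-15} {1,4} failures  users: {2}' -f $_.Name, $_.Count,
        (($_.Group.TargetUser | Sort-Object -Unique) -join ', ')
}
Get-UnattributableFailure | ForEach-Object {
    '{0,4} failures with no source address from {1}' -f $_.Count, $_.Name
}
```

Failures that land in the second list are exactly the ones BF Guard cannot convert into a firewall rule, so their count is the measure of how much of the brute-force traffic goes unblocked.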

 

MS Windows – Scheduler – Error – “An account failed to log on” – NULL SID

Preface

On an MS Windows box, a scheduled task fails with the error messages listed in the Error Messages section.

Scheduled Task

Here is the scheduled task.

Command File


robocopy \\DBPROD\f$\SQLBackups\csLogins F:\Microsoft\SQLServer\Restore *.bak /ZB /ETA

Output


D:\Scripts\RestoreDB\Lab>robocopy \\DBPROD\f$\SQLBackups\csLogins F:\Microsoft\SQLServer\Restore *.bak 	     /ZB 		 /ETA  

-------------------------------------------------------------------------------
   ROBOCOPY     ::     Robust File Copy for Windows     ::     Version XP010
-------------------------------------------------------------------------------

  Started : Mon May 30 18:34:35 2016

   Source : \\DBPROD\f$\SQLBackups\csLogins\
     Dest : F:\Microsoft\SQLServer\Restore\

    Files : *.bak
	    
  Options : /COPY:DAT /ZB /ETA /R:1000000 /W:30 

------------------------------------------------------------------------------

ERROR: You do not have the Backup and Restore Files user rights.
*****  You need these to perform Backup copies (/B or /ZB).

 

Explanation

Btw, Robocopy is coming back with the error message stating “You do not have the Backup and Restore Files user rights”.

 

Error Messages

Detailed Error Messages

Error Messages – Logon Type – 2

An account failed to log on.

Subject:
	Security ID:		SYSTEM
	Account Name:		HRDB$
	Account Domain:		LABDOMAIN
	Logon ID:		0x3e7

Logon Type:			2

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		daniel
	Account Domain:		LABDOMAIN

Failure Information:
	Failure Reason:		Unknown user name or bad password.
	Status:			0xc000006d
	Sub Status:		0xc000006a

Process Information:
	Caller Process ID:	0x434
	Caller Process Name:	C:\Windows\System32\svchost.exe

Network Information:
	Workstation Name:	HRDB
	Source Network Address:	-
	Source Port:		-


Error Messages – Logon Type – 4


An account failed to log on.

Subject:
	Security ID:		SYSTEM
	Account Name:		HDRB$
	Account Domain:		DOMAIN
	Logon ID:		0x3e7

Logon Type:			4

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		daniel
	Account Domain:		LABDOMAIN

Failure Information:
	Failure Reason:		Unknown user name or bad password.
	Status:			0xc000006d
	Sub Status:		0xc000006a

Process Information:
	Caller Process ID:	0x434
	Caller Process Name:	C:\Windows\System32\svchost.exe

Network Information:
	Workstation Name:	HRDB
	Source Network Address:	-
	Source Port:		-

Detailed Authentication Information:
	Logon Process:		Advapi  
	Authentication Package:	Negotiate
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0


Error Messages – Review

  1. Subject
    • Account Name & Account Domain
      • Scheduled User
  2. Logon Type
    • 2 – Interactive User ( A user logged on to this computer )
    • 4 – Batch ( Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention )
  3. Security ID
    • Account For Which Logon Failed
      • NULL SID
  4. Failure Information
    • Failure Reason
      • Unknown user name or bad password.

 


Remediate

We made sure of the following:

  1. “Run whether user is logged on or not” is chosen
  2. “Do not store password. The task will only have access to local computer resources.” is unchecked

 

The one fix we found is to edit the scheduled task and enable the “Run with highest privileges” check-box.


 

Competing Products

These other products suffered the same fate:

  1. EMC / EMCOPY

 

Summary

Btw, copy and xcopy do not fail.

So it is likely that robocopy needs a bit more permission than the native OS tools: the /ZB switch asks for backup-mode copying, which requires the Backup and Restore privileges in the task’s token, and copy and xcopy never ask for those.
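The remediation above (run whether the user is logged on or not, password stored, highest privileges) can be scripted rather than clicked through, and the task body can verify the privileges itself before calling robocopy. This is an added example, not the post’s own script; the task name, the .ps1 file name and the schedule are assumed placeholders, while the robocopy command and the folder are the post’s.

```powershell
# Added example (not from the original post): register the restore task with the
# highest privileges and have its body check the token before robocopy /ZB runs.
$ScriptPath = 'D:\Scripts\RestoreDB\Lab\Restore-CsLogins.ps1'   # assumed file name, post's folder

# Task body. whoami /priv lists every privilege in the token, enabled or not; a
# UAC-filtered admin token omits SeBackupPrivilege/SeRestorePrivilege entirely,
# which is what robocopy reports as the "Backup and Restore Files user rights" error.
$body = @'
$priv = & whoami.exe /priv
if (-not (($priv -match '^SeBackupPrivilege\b') -and ($priv -match '^SeRestorePrivilege\b'))) {
    Write-Error 'Token lacks SeBackupPrivilege/SeRestorePrivilege; enable "Run with highest privileges".'
    exit 2
}
robocopy \\DBPROD\f$\SQLBackups\csLogins F:\Microsoft\SQLServer\Restore *.bak /ZB /ETA
# robocopy exit codes 0-7 are success variants; 8 and above signal failures
if ($LASTEXITCODE -ge 8) { exit $LASTEXITCODE } else { exit 0 }
'@
Set-Content -Path $ScriptPath -Value $body -Encoding ASCII

$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
$trigger = New-ScheduledTaskTrigger -Daily -At '18:30'          # assumed schedule
$cred    = Get-Credential -Message 'Account the task runs as (e.g. LABDOMAIN\daniel)'

# -User/-Password  => "Run whether user is logged on or not" with the password stored
#                     (the task then logs on as Logon Type 4, Batch, as in the post's event)
# -RunLevel Highest => the "Run with highest privileges" check-box, i.e. the full
#                     token that still carries the Backup and Restore privileges
Register-ScheduledTask -TaskName 'RestoreDB-Lab-csLogins' -Action $action -Trigger $trigger `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password -RunLevel Highest
```

If the account is not a local administrator, "highest privileges" grants nothing extra; the account must hold the Back up files and directories and Restore files and directories user rights for the check to pass.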

 
