KBI 310125 Argent Service Account High Logins And ArcSight
Version
All
Date
21 Oct 2008
Summary
When Security Administrators audit login activity with a security information manager such as ArcSight Console, the number of logins by the Argent service account can trigger an alert.
Technical Background
Some security products are programmed to count the number of login events across an enterprise that use the same security context. Some malicious software including Trojans, viruses, and zombie client applications attempt to break network security using brute force techniques; some of the more crude security products can interpret the pattern of logins by the Argent service account as suspicious.
Argent Login Account
Argent recommends that, in order to facilitate network monitoring, a domain account be configured with the appropriate permissions to query machines network-wide. This practice is called using a “service account”.
Services And Service Accounts.
Argent’s Service Account Requirements.
The service account can log onto any server (frequently as a member of the Domain Administrators group). This is necessary for monitoring but does introduce a security vulnerability to the network, and it provides a single security context under which login statistics are aggregated.
In the screenshot below, ArcSight Console has alerted under a Partial Matching Rule:
Fig. 1 The partial matching rule under which an alert was raised. Also, we see the relative number of login events for the Argent service account compared to some others. Note that the ratio of Attempt/Success is 1:1, which helps differentiate from a typical brute force password crack attempt.
Fig. 2 The log detail reveals that during the examined time frame (approximately 2 days) there are 180,181 logins by the service account.
Depending upon the number of machines being monitored in your network, this may be entirely normal behavior of the Argent Extended Technology. In the network from which these screenshots were taken, approximately 500 servers are being monitored by Argent, with many Relators configured to run once a minute or once every 5 minutes. There are 1,440 minutes in a day:
(500 × 1,440) + (500 × (1,440 / 5)) = 720,000 + 144,000 = 864,000
As you can see, a large number of login events can potentially be generated.
Although these numbers may look large, remember:
- Microsoft specifies that a well-designed Active Directory environment with 1 million objects should easily handle 19,000 logins per minute (27,360,000 per day)
- Credentials can be cached for better performance
- Detailed review following this incident revealed no network degradation from any Argent product.
Active Directory Maximum Limits
Planning For Domain Controller Capacity
Managing Active Directory For Peak Performance
Windows Active Directory Login Processes
In a Windows 200x network all login requests are validated against domain controllers, specifically the Global Catalog.
How The Global Catalog Works.
When a user or process requests access to a server, the authentication request is serviced by Active Directory, creating a de jure “central location”. Logging in 10 times on 100 servers to verify that they are operational might look like 1,000 discrete events, but as they all authenticate from the same place (Active Directory) they are actually all connected.
A security product such as ArcSight Console, which is programmed to look for suspicious login patterns, may see the Argent service account’s login pattern as matching that of a Trojan or a hacker attempting a brute force attack.
Why Authenticate?
When monitoring Layer 2 and Layer 3 devices such as switches or routers a
to establish that the device is responding, but it is next to useless when monitoring servers.
The Argent Guardian is frequently configured to use the Windows Time of Day API for Windows 200x. The connectivity is accomplished via Remote Procedure Calls, which are secure and authenticated. This generates an authentication request against Active Directory.
Resolution
- Create and configure an Active List with the Argent service account to exclude Argent. See your ArcSight documentation for details.
Note:
If possible you should also create rules that verify that the Argent service account is logging on only from authorized servers, i.e. the Mother Engine, Backup Mother Engines, Daughter Engines and Monitoring Engines. A login request originating from a device other than these could be an indication that the password for the account has been compromised and someone or some process is using it without authorization.
Fig 3. ArcSight Active List
- Consider reducing the frequency of Relator execution where appropriate. Some monitored items should be done frequently; some (such as those used primarily for trend analysis) may lend themselves to a frequency of once or twice a day. When in doubt, consult your Argent Field Engineer or the Argent Instant Help for guidance.
- (NOT RECOMMENDED) Increase the alarm threshold for partial rule matching.
Note:
This is not recommended. If you increase your threat thresholds you create a security hole that malicious software can (and will) exploit.
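As an added illustration (not part of the original KBI and not Argent or ArcSight code), the following Python reproduces the daily login estimate above and sketches the two checks the Resolution recommends: exempting the service account from the volume rule while alerting when it logs on from a host that is not an authorized engine, and using the attempt/success ratio to tell normal monitoring volume from a brute force pattern. All account and host names are constructed.

```python
from collections import defaultdict

MINUTES_PER_DAY = 1440


def expected_daily_logins(servers, relator_intervals_minutes):
    """Upper-bound estimate of service-account logins per day: each Relator
    interval produces one authenticated RPC per monitored server per run.
    expected_daily_logins(500, [1, 5]) reproduces the 864,000 in the article."""
    return sum(servers * (MINUTES_PER_DAY // interval)
               for interval in relator_intervals_minutes)


# Constructed sample of Windows logon events in the shape a SIM would
# normalise them to: (account, source host, outcome). Not real data.
SAMPLE_EVENTS = [
    ("ARGENT_SVC", "MOTHER-ENGINE", "success"),
    ("ARGENT_SVC", "MOTHER-ENGINE", "success"),
    ("ARGENT_SVC", "DAUGHTER-ENGINE1", "success"),
    ("ARGENT_SVC", "WKSTN-042", "success"),   # not an authorized engine
    ("jsmith", "WKSTN-017", "success"),
    ("admin", "WKSTN-099", "failure"),
    ("admin", "WKSTN-099", "failure"),
    ("admin", "WKSTN-099", "failure"),
    ("admin", "WKSTN-099", "success"),
]


def evaluate(events, service_account, authorized_hosts, volume_threshold):
    """Return alert strings. The service account is exempt from the volume
    rule (the Active List) but every one of its logons must originate from
    an authorized engine host; other accounts are judged on volume and on
    the attempt/success ratio (1:1 is normal, >1 suggests password guessing)."""
    stats = defaultdict(lambda: {"attempts": 0, "successes": 0, "hosts": set()})
    for account, host, outcome in events:
        s = stats[account]
        s["attempts"] += 1
        s["successes"] += 1 if outcome == "success" else 0
        s["hosts"].add(host)
    alerts = []
    for account, s in stats.items():
        if account == service_account:
            for host in sorted(s["hosts"] - set(authorized_hosts)):
                alerts.append(f"{account}: logon from unauthorized host {host}")
            continue
        if s["attempts"] >= volume_threshold:
            ratio = s["attempts"] / max(s["successes"], 1)
            kind = "brute-force pattern" if ratio > 1 else "high volume, 1:1 attempt/success"
            alerts.append(f"{account}: {s['attempts']} attempts ({kind})")
    return alerts
```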
Additional Reading
Security Account Planning Guide
Vulnerability Identification And Remediation Through Best Security Practices
Some security products that may generate similar alerts include:
- Network Intelligence enVision
- High Tower Software Security Event Manager
- Q1 Labs QRadar
- Symantec Security Information Manager
- LogLogic ST3000
- LX2000
- SenSage Enterprise Security Analytics
- Open Service Security Threat Manager
- Various SysLog Products