lithnet / ad-password-protection

Active Directory password filter featuring breached password checking and custom complexity rules
MIT License

Could not register event source LithnetPasswordProtection: 5 #130

Closed n00bsteam closed 2 months ago

n00bsteam commented 2 months ago

Hi, Windows Server 2022, Lithnet 1.1.53.

Get-PasswordFilterConfig output:

StorePath     IsFilterRegistered IsFilterEnabled
---------     ------------------ ---------------
C:\LithnetDB\               True            True

Get-PasswordFilterPolicy output:

ValidatePasswordDoesntContainAccountName                : 1
ValidatePasswordDoesntContainFullName                   : 1
CheckPasswordNotInBannedPasswordStoreOnSet              : 1
CheckPasswordNotInBannedPasswordStoreOnChange           : 1
CheckNormalizedPasswordNotInBannedPasswordStoreOnSet    : 1
CheckNormalizedPasswordNotInBannedPasswordStoreOnChange : 1

Test-IsCompromisedPassword '!QAZ2wsx3edc4r' output: True

But have no events in WinEventLog, only in C:\Windows\Logs\lpp.log:

Could not register event source LithnetPasswordProtection: 5
Could not register event source LithnetPasswordProtection: 5
Could not register event source LithnetPasswordProtection: 5
Could not register event source LithnetPasswordProtection: 5
Could not register event source LithnetPasswordProtection: 5
Could not register event source LithnetPasswordProtection: 5
Could not register event source LithnetPasswordProtection: 5
Could not register event source LithnetPasswordProtection: 5

Same situation on all DCs. How can we fix it?

n00bsteam commented 2 months ago

Also I have other events in lpp.log:

Could not register event source LithnetPasswordProtection: 1722
Could not register event source LithnetPasswordProtection: 1722

ryannewington commented 2 months ago

Hi @n00bsteam

Error 5 shown in the first case is "access denied". Try running that PowerShell window as admin and rerun those commands, which should trigger re-registration.

1722 means RPC endpoint not available. Are you using an RPC firewall or similar?

If you can register manually using the first method then the second error should go away as well.

Ryan

n00bsteam commented 2 months ago

Hi @ryannewington! Can you explain which command I should try to execute in PowerShell to trigger re-registration?

Also I checked the RPC port on all DCs, all fine.

ryannewington commented 2 months ago

If you run Get-PasswordFilterResult as admin that should trigger registration of the event source.

ryannewington commented 2 months ago

If that doesn't work, you can register the event source manually. Just make sure the $messagesPath variable points to the correct location for your system.

$messagesPath = "C:\Program Files\Lithnet\Active Directory Password Protection\messages.dll"
New-EventLog -Source "LithnetPasswordProtection" -LogName "Application" -MessageResourceFile "$messagesPath"

n00bsteam commented 2 months ago

Done:

Password: 123123123123
Username: user123
Fullname: Test
Compromised

and a new line appears in lpp.log:

Could not register event source LithnetPasswordProtection: 5

Checked that I'm running PowerShell as administrator:

$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
$currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

returns True

n00bsteam commented 2 months ago

If that doesn't work, you can register the event source manually. Just make sure the $messagesPath variable points to the correct location for your system.

$messagesPath = "C:\Program Files\Lithnet\Active Directory Password Protection\messages.dll"
New-EventLog -Source "LithnetPasswordProtection" -LogName "Application" -MessageResourceFile "$messagesPath"

Got error that another event log has already registered a source with this name.

ryannewington commented 2 months ago

Ok so that tells us the source is registered, but we are being denied access to write to the application event log.

Any custom event log permissions set in the environment?

https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/set-event-log-security-locally-or-via-group-policy

n00bsteam commented 2 months ago

I deleted the source:

Remove-EventLog -Source "LithnetPasswordProtection"

and tested Get-PasswordFilterResult one more time; no new string appears in lpp.log.

n00bsteam commented 2 months ago

Ok so that tells us the source is registered, but we are being denied access to write to the application event log.

Any custom event log permissions set in the environment?

https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/set-event-log-security-locally-or-via-group-policy

No:

PS C:\Windows\system32> Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application\Application

CategoryCount       : 7
CategoryMessageFile : C:\Windows\system32\wevtapi.dll
PSPath              : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Application
PSParentPath        : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
PSChildName         : Application
PSDrive             : HKLM
PSProvider          : Microsoft.PowerShell.Core\Registry

PS C:\Windows\system32> Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\Eventlog

Description                      : @%SystemRoot%\system32\wevtsvc.dll,-201
DisplayName                      : @%SystemRoot%\system32\wevtsvc.dll,-200
ErrorControl                     : 1
FailureActions                   : {128, 81, 1, 0...}
FailureActionsOnNonCrashFailures : 1
Group                            : Event Log
ImagePath                        : C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
ObjectName                       : NT AUTHORITY\LocalService
PlugPlayServiceType              : 3
RequiredPrivileges               : {SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeAuditPrivilege}
ServiceSidType                   : 1
Start                            : 2
SvcMemHardLimitInMB              : 20
SvcMemMidLimitInMB               : 15
SvcMemSoftLimitInMB              : 11
Type                             : 32
PSPath                           : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog
PSParentPath                     : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
PSChildName                      : Eventlog
PSDrive                          : HKLM
PSProvider                       : Microsoft.PowerShell.Core\Registry

n00bsteam commented 2 months ago

After recreating the source "LithnetPasswordProtection", when executing Get-PasswordFilterResult as admin, errors are still in lpp.log.

If I try to change my password, errors appear in lpp.log as well.

ryannewington commented 2 months ago

Yeah, the error about registration of the source is misleading in this case.

The actual error is coming from Windows in response to our request to open a handle to the event source.

Something in your environment is preventing this from happening, but it's a bit hard to tell what. It's usually an ACL on the registry or the Application log itself, or it could be something like an antivirus or EDR tool preventing the call.

You could try writing to the event log manually (take LPP out of the picture) and diagnose further that way:

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/write-eventlog?view=powershell-5.1
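The diagnostic Ryan describes, as an added example that is not part of LPP or of this thread: it checks whether the source is registered, dumps the Application channel's effective ACL and any GPO/local override, then attempts a Write-EventLog outside LPP. The registry locations and the `channelAccess:` line from `wevtutil gl` are assumed from standard Windows behaviour; run it elevated on a DC.

```powershell
# Added diagnostic (not LPP code). Run in an elevated PowerShell on the DC.
$Source  = 'LithnetPasswordProtection'
$LogName = 'Application'

# 1. Source registration lives under the log's key in the EventLog service tree.
$srcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName\$Source"
if (Test-Path $srcKey) {
    $msgFile = (Get-ItemProperty $srcKey).EventMessageFile
    "Source registered; EventMessageFile = $msgFile"
    if ($msgFile -and -not (Test-Path $msgFile)) { "  WARNING: message file missing" }
} else {
    "Source NOT registered under $srcKey"
}

# 2. Effective channel ACL as the Event Log service applies it.
#    'wevtutil gl' prints a 'channelAccess:' line holding the SDDL.
$sddl = (wevtutil gl $LogName | Where-Object { $_ -match '^channelAccess:' }) -replace '^channelAccess:\s*', ''
if ($sddl) {
    "Effective channelAccess SDDL: $sddl"
    # Each ACE as 'Account: Rights'; write access is bit 0x2 in the access mask.
    (ConvertFrom-SddlString $sddl).DiscretionaryAcl | ForEach-Object { "  $_" }
}

# 3. Where an override of the default ACL would come from: the legacy CustomSD
#    value, or the 'Configure log access' policy value. Either one being present
#    means the default descriptor has been replaced (e.g. by GPO).
$overrides = @(
    "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName|CustomSD",
    "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\$LogName|ChannelAccess"
)
foreach ($o in $overrides) {
    $path, $name = $o -split '\|'
    $val = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    if ($val) { "Override ${path}\${name}: $val" }
}

# 4. Reproduce the write with LPP out of the picture. Note the password filter
#    runs inside LSASS as Local System, so the ACE that matters for LPP is the
#    one for SYSTEM (SY); this call only shows whether the current admin can write.
try {
    Write-EventLog -LogName $LogName -Source $Source -EventId 1 -EntryType Information `
        -Message 'Event log ACL test (constructed message, safe to ignore)'
    'Write-EventLog succeeded for the current user'
} catch {
    "Write-EventLog failed: $($_.Exception.Message)"
}
```

If step 2 shows a non-default SDDL without a write ACE for SYSTEM, or step 3 finds an override, that is the place to fix rather than re-registering the source.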

crocky-disco commented 2 months ago

Hi @ryannewington,

There is a GPO that applies an ACL to the Application event log. Users are:

What permission is necessary to add?

Is it NT AUTHORITY\LocalService?

crocky-disco commented 2 months ago


n00bsteam commented 2 months ago

@ryannewington thank you for your help!

You were right, we had an issue with the Application channel ACL; after setting the correct rights, all works fine!

ryannewington commented 2 months ago

Well done guys! Glad you got it working!