    Logging Domain user authentication failures

    IT Discussion
    EddieJennings:

      We've deployed a new standard for account lockouts after X number of authentication failures. For troubleshooting, I'm looking to try to get events created in the security logs of our domain controllers of when bad password / username attempts occur (yes, I know that these events will not appear on just one domain controller).

      Before I create a GPO for this, I'm doing some tests to see what events will be triggered with various audit policies. Here's what I've found so far, and the results seem odd. The failures used in these tests are simply bad passwords with valid usernames.

      If you've used the Security Event log on a domain controller to view failed domain account logon attempts, which audit policy settings have you enabled?

      Security Settings > Local Policies > Audit Policy > Audit account logon events

      Auth Failure: Sec Log Event Triggered on DC

      Console to DC: 4771, 4625
      RDP to DC: 4771
      Unlock account DC: 4771, 4625
      Failed domain join client: 4771
      First domain logon client: 4771
      Subsequent domain logon client: 4771
      Unlock domain client: 4771
      First domain logon domain server (console): 4771
      Subsequent domain logon domain server (console): 4771
      RDP to domain server: 4771
      Unlock domain server: 4771

      Security Settings > Local Policies > Audit Policy > Audit logon events

      Auth Failure: Sec Log Event Triggered on DC

      Console to DC: 4625
      RDP to DC: no events
      Unlock account DC: 4625
      Failed domain join client: no events
      First domain logon client: no events
      Subsequent domain logon client: no events
      Unlock domain client: no events
      First domain logon domain server (console): no events
      Subsequent domain logon domain server (console): no events
      RDP to domain server: no events
      Unlock domain server: no events

      Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Logon > Audit Credential Validation

      Auth Failure: Sec Log Event Triggered on DC

      Console to DC: no events
      RDP to DC: no events
      Unlock account DC: 4776
      Failed domain join client: no events
      First domain logon client: no events
      Subsequent domain logon client: no events
      Unlock domain client: no events
      First domain logon domain server (console): no events
      Subsequent domain logon domain server (console): no events
      RDP to domain server: no events
      Unlock domain server: no events

      Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Logon/Logoff > Audit Logon

      Auth Failure: Sec Log Event Triggered on DC

      Console to DC: 4625
      RDP to DC: no events
      Unlock account DC: 4625
      Failed domain join client: no events
      First domain logon client: no events
      Subsequent domain logon client: no events
      Unlock domain client: no events
      First domain logon domain server (console): no events
      Subsequent domain logon domain server (console): no events
      RDP to domain server: no events
      Unlock domain server: no events

    travisdh1 (replying to EddieJennings):
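A PowerShell script, added here and not from the thread, that pulls the three event IDs the tests above produced (4771, 4776, 4625) from a domain controller's Security log and groups the failures by user and source, so the machine feeding bad credentials stands out while the lockouts are being troubleshot. $ComputerName and $Hours are assumed parameters; the status-code meanings in the comments come from Microsoft's event documentation rather than from the post.

```powershell
# Added example, not from the thread: summarise failed domain authentication events
# recorded on a DC. Assumes it runs elevated with read access to the DC's Security log
# and that the audit settings from the post are enabled. $ComputerName and $Hours are
# assumed parameters.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24
)

# Event IDs seen in the post's tests:
#   4771  Kerberos pre-authentication failed  (Audit account logon events)
#   4776  NTLM credential validation failed   (Audit Credential Validation)
#   4625  An account failed to log on         (Audit logon events, logons at the DC itself)
$ids = 4771, 4776, 4625

$filter = @{
    LogName   = 'Security'
    Id        = $ids
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    switch ($e.Id) {
        4771 { $user = $d['TargetUserName']; $src = $d['IpAddress'];   $code = $d['Status'] }
        4776 { $user = $d['TargetUserName']; $src = $d['Workstation']; $code = $d['Status'] }
        4625 { $user = $d['TargetUserName']; $src = $d['IpAddress'];   $code = $d['SubStatus'] }
    }
    [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; User = $user; Source = $src; Status = $code }
}

# Per-user, per-source counts point at the host that keeps sending bad credentials.
$rows | Group-Object User, Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Bad-password failures only: Status 0x18 on 4771, 0xC000006A on 4776 and 4625.
# (0x12 on 4771 and 0xC0000234 on 4776/4625 indicate an already locked-out account.)
$rows | Where-Object { $_.Status -in '0x18', '0xc000006a' } | Sort-Object Time | Format-Table -AutoSize
```

Because failures are recorded on whichever DC handled the request, run it against each DC (or the PDC emulator, which receives forwarded bad-password attempts) to get the full picture.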

        @eddiejennings No OSSEC, Wazuh, or some other security monitoring available? All of them monitor logins by default that I've looked at. Should be easy to customize a report for whatever you need.

        I haven't had to set this up in a Windows environment yet, so I'm also curious as to what you end up doing.

    wrx7m (replying to travisdh1):

          @travisdh1 Wazuh will even show Windows logins on CentOS 7 Machines by default.

    EddieJennings (replying to travisdh1):

            @travisdh1 said in Logging Domain user authentication failures:

            @eddiejennings No OSSEC, Wazuh, or some other security monitoring available? All of them monitor logins by default that I've looked at. Should be easy to customize a report for whatever you need.

            I haven't had to set this up in a Windows environment yet, so I'm also curious as to what you end up doing.

            We do have ExtraHop; however, it's not capturing all the traffic it should (and another team is in charge of its configuration), so using auditing on the domain controllers is a bit of a stop-gap measure.

    travisdh1 (replying to EddieJennings):

              @eddiejennings said in Logging Domain user authentication failures:

              @travisdh1 said in Logging Domain user authentication failures:

              @eddiejennings No OSSEC, Wazuh, or some other security monitoring available? All of them monitor logins by default that I've looked at. Should be easy to customize a report for whatever you need.

              I haven't had to set this up in a Windows environment yet, so I'm also curious as to what you end up doing.

              We do have ExtraHop; however, it's not capturing all the traffic it should (and another team is in charge of its configuration), so using auditing on the domain controllers is a bit of a stop-gap measure.

              Ah. What an ..... effective use of resources.

              Good luck, ExtraHop is very nice, but like every other tool, it's useless until deployed properly.
