Logging Domain user authentication failures
-
We've deployed a new standard for account lockouts after X number of authentication failures. For troubleshooting, I'm looking to try to get events created in the security logs of our domain controllers of when bad password / username attempts occur (yes, I know that these events will not appear on just one domain controller).
Before I create a GPO for this, I'm doing some tests to see what events will be triggered with various audit policies. Here's what I've found so far, and the results seem odd. The failures used in these tests are simply bad passwords with valid usernames.
If you've used the Security Event log on a domain controller to view failed domain account logon attempts, which audit policy settings have you enabled?
Security Settings > Local Policies > Audit Policy > Audit account logon events
Auth Failure: Sec Log Event Triggered on DC
Console to DC: 4771, 4625
RDP to DC: 4771
Unlock account DC: 4771, 4625
Failed domain join client: 4771
First domain logon client: 4771
Subsequent domain logon client: 4771
Unlock domain client: 4771
First domain logon domain server (console): 4771
Subsequent domain logon domain server (console): 4771
RDP to domain server: 4771
Unlock domain server: 4771
Security Settings > Local Policies > Audit Policy > Audit logon events
Auth Failure: Sec Log Event Triggered on DC
Console to DC: 4625
RDP to DC: no events
Unlock account DC: 4625
Failed domain join client: no events
First domain logon client: no events
Subsequent domain logon client: no events
Unlock domain client: no events
First domain logon domain server (console): no events
Subsequent domain logon domain server (console): no events
RDP to domain server: no events
Unlock domain server: no events
Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Logon > Audit Credential Validation
Auth Failure: Sec Log Event Triggered on DC
Console to DC: no events
RDP to DC: no events
Unlock account DC: 4776
Failed domain join client: no events
First domain logon client: no events
Subsequent domain logon client: no events
Unlock domain client: no events
First domain logon domain server (console): no events
Subsequent domain logon domain server (console): no events
RDP to domain server: no events
Unlock domain server: no events
Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Logon/Logoff > Audit Logon
Auth Failure: Sec Log Event Triggered on DC
Console to DC: 4625
RDP to DC: no events
Unlock account DC: 4625
Failed domain join client: no events
First domain logon client: no events
Subsequent domain logon client: no events
Unlock domain client: no events
First domain logon domain server (console): no events
Subsequent domain logon domain server (console): no events
RDP to domain server: no events
Unlock domain server: no events
-
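The tables above show which event IDs each audit setting produces on the DC; the following is an added example (not part of the thread) that pulls those events from every domain controller and summarises failures per account and source host. It assumes the RSAT ActiveDirectory module (Get-ADDomainController) and remote access to each DC's Security log.

```powershell
# Added example, not from the thread. Collects the failed-authentication events the
# tables above identify (4771, 4625, 4776) from every DC and summarises them per account.
# Assumes the RSAT ActiveDirectory module and remote Security-log access to each DC.
# Note: 4771 is produced by the Account Logon > Kerberos Authentication Service subcategory,
# not by Credential Validation (which only yields 4776 for NTLM); the legacy
# "Audit account logon events" setting enables all Account Logon subcategories, hence 4771.
$since = (Get-Date).AddHours(-24)
$dcs   = (Get-ADDomainController -Filter *).HostName

$events = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4771, 4625, 4776; StartTime = $since
        }
    } catch {
        # Get-WinEvent throws when nothing matches; only report real errors.
        if ($_.Exception.Message -notmatch 'No events were found') { Write-Warning "${dc}: $_" }
    }
}

$rows = foreach ($e in $events) {
    # EventData fields are only reachable through the event XML.
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        DC      = $e.MachineName
        Id      = $e.Id
        Account = $d['TargetUserName']
        # Origin field differs per event; 4776 records the NetBIOS workstation name.
        Source  = if ($e.Id -eq 4776) { $d['Workstation'] } else { $d['IpAddress'] }
        # Bad-password codes: 4771 Status 0x18; 4625 SubStatus and 4776 Status 0xC000006A.
        Code    = if ($e.Id -eq 4625) { $d['SubStatus'] } else { $d['Status'] }
    }
}

# One line per account: how many failures, from which hosts, which codes and event IDs.
$rows | Group-Object Account | Sort-Object Count -Descending | Select-Object Name, Count,
    @{ n = 'Sources'; e = { ($_.Group.Source | Sort-Object -Unique) -join ', ' } },
    @{ n = 'Codes';   e = { ($_.Group.Code   | Sort-Object -Unique) -join ', ' } },
    @{ n = 'Events';  e = { ($_.Group.Id     | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

Run it from a workstation with the RSAT tools; the Sources column is what lets a lockout be traced back to the machine that keeps sending the stale credential.
-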
@eddiejennings No OSSEC, Wazuh, or some other security monitoring available? All of them monitor logins by default that I've looked at. Should be easy to customize a report for whatever you need.
I haven't had to set this up in a Windows environment yet, so I'm also curious as to what you end up doing.
-
@travisdh1 Wazuh will even show Windows logins on CentOS 7 Machines by default.
-
@travisdh1 said in Logging Domain user authentication failures:
@eddiejennings No OSSEC, Wazuh, or some other security monitoring available? All of them monitor logins by default that I've looked at. Should be easy to customize a report for whatever you need.
I haven't had to set this up in a Windows environment yet, so I'm also curious as to what you end up doing.
We do have ExtraHop; however, it's not capturing all the traffic it should (and another team is in charge of its configuration), so using auditing on the domain controllers is a bit of a stop-gap measure.
-
@eddiejennings said in Logging Domain user authentication failures:
@travisdh1 said in Logging Domain user authentication failures:
@eddiejennings No OSSEC, Wazuh, or some other security monitoring available? All of them monitor logins by default that I've looked at. Should be easy to customize a report for whatever you need.
I haven't had to set this up in a Windows environment yet, so I'm also curious as to what you end up doing.
We do have ExtraHop; however, it's not capturing all the traffic it should (and another team is in charge of its configuration), so using auditing on the domain controllers is a bit of a stop-gap measure.
Ah. What an ..... effective use of resources.
Good luck. ExtraHop is very nice, but like every other tool, it's useless until deployed properly.