Logging Domain user authentication failures



  • We've deployed a new standard for account lockouts after X number of authentication failures. For troubleshooting, I'm looking to try to get events created in the security logs of our domain controllers of when bad password / username attempts occur (yes, I know that these events will not appear on just one domain controller).

    Before I create a GPO for this, I'm doing some tests to see what events will be triggered with various audit policies. Here's what I've found so far, and the results seem odd. The failures used in these tests are simply bad passwords with valid usernames.

    If you've used the Security Event log on a domain controller to view failed domain account logon attempts, which audit policy settings have you enabled?

    Security Settings > Local Policies > Audit Policy > Audit account logon events

    Auth Failure: Sec Log Event Triggered on DC

    Console to DC: 4771, 4625
    RDP to DC: 4771
    Unlock account DC: 4771, 4625
    Failed domain join client: 4771
    First domain logon client: 4771
    Subsequent domain logon client: 4771
    Unlock domain client: 4771
    First domain logon domain server (console): 4771
    Subsequent domain logon domain server (console): 4771
    RDP to domain server: 4771
    Unlock domain server: 4771

    Security Settings > Local Policies > Audit Policy > Audit logon events

    Auth Failure: Sec Log Event Triggered on DC

    Console to DC: 4625
    RDP to DC: no events
    Unlock account DC: 4625
    Failed domain join client: no events
    First domain logon client: no events
    Subsequent domain logon client: no events
    Unlock domain client: no events
    First domain logon domain server (console): no events
    Subsequent domain logon domain server (console): no events
    RDP to domain server: no events
    Unlock domain server: no events

    Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Logon > Audit Credential Validation

    Auth Failure: Sec Log Event Triggered on DC

    Console to DC: no events
    RDP to DC: no events
    Unlock account DC: 4776
    Failed domain join client: no events
    First domain logon client: no events
    Subsequent domain logon client: no events
    Unlock domain client: no events
    First domain logon domain server (console): no events
    Subsequent domain logon domain server (console): no events
    RDP to domain server: no events
    Unlock domain server: no events

    Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Logon/Logoff > Audit Logon

    Auth Failure: Sec Log Event Triggered on DC

    Console to DC: 4625
    RDP to DC: no events
    Unlock account DC: 4625
    Failed domain join client: no events
    First domain logon client: no events
    Subsequent domain logon client: no events
    Unlock domain client: no events
    First domain logon domain server (console): no events
    Subsequent domain logon domain server (console): no events
    RDP to domain server: no events
    Unlock domain server: no events
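
    For anyone following the tables above, the advanced subcategory behind each event is: 4771 (Kerberos pre-authentication failed) comes from Account Logon > Kerberos Authentication Service, which the legacy "Audit account logon events" setting covers along with Credential Validation; 4776 comes from Account Logon > Credential Validation and is only produced for NTLM validation; 4625 comes from Logon/Logoff > Logon and is only written on the host where the interactive/network logon was attempted, which is why it shows up for console and unlock on the DC and not for client logons. A bad password against a Kerberos client produces 4771 with Status 0x18; a username that does not exist produces 4768 with Result Code 0x6 instead, which is why the script below also pulls 4768 and keeps only its failures (one step beyond the valid-username tests in the post). The script is an added example, not code from the original post; the DC name `DC01` and the 24-hour window are placeholders, and it assumes failure auditing is enabled for the three subcategories shown and that the caller can read the DC's Security log.

```powershell
# Added example, not from the original thread. Pull domain authentication failures
# (4771, 4768 failures, 4625, 4776) from one DC's Security log and summarise them
# per account, for troubleshooting an account-lockout policy.
# Placeholders (assumptions): $Dc = 'DC01', 24-hour window.

$Dc    = 'DC01'
$Since = (Get-Date).AddHours(-24)

# These are the subcategories that generate the events; auditpol shows the
# effective per-host setting regardless of whether it came from GPO or local policy.
auditpol /get /subcategory:"Kerberos Authentication Service"
auditpol /get /subcategory:"Credential Validation"
auditpol /get /subcategory:"Logon"

$events = Get-WinEvent -ComputerName $Dc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4771, 4768, 4625, 4776
    StartTime = $Since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # 4768 is also logged on success; keep only the failures (Result Code != 0x0).
    if ($e.Id -eq 4768 -and $d['Status'] -eq '0x0') { continue }

    # Where the client address lives differs by event:
    #   4771/4768 (Kerberos): IpAddress   4625: IpAddress/WorkstationName   4776 (NTLM): Workstation
    $source = if ($e.Id -eq 4776) { $d['Workstation'] } else { $d['IpAddress'] }

    # Failure code to look at:
    #   4771 Status 0x18 = bad password     4768 Status 0x6 = unknown user
    #   4625 SubStatus 0xC000006A = bad password, 0xC0000064 = unknown user, 0xC0000234 = locked out
    #   4776 Status 0xC000006A = bad password, 0xC0000064 = unknown user
    $code = if ($e.Id -eq 4625) { $d['SubStatus'] } else { $d['Status'] }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Account = $d['TargetUserName']
        Source  = $source
        Code    = $code
    }
}

# Raw timeline, then a per-account count to see who is approaching the lockout threshold.
$rows | Sort-Object Time | Format-Table Time, Id, Account, Source, Code -AutoSize
$rows | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```

    Run it against each DC (or loop over `Get-ADDomainController -Filter *`), since, as the post notes, the failures land on whichever DC handled the request and are not replicated. The 4625 entries will only ever reflect attempts made at that DC's own console, RDP or unlock, so the Kerberos and NTLM events are the ones that give a domain-wide picture.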



  • @eddiejennings No OSSEC, Wazuh, or some other security monitoring available? All of them monitor logins by default that I've looked at. Should be easy to customize a report for whatever you need.

    I haven't had to set this up in a Windows environment yet, so I'm also curious as to what you end up doing.



  • @travisdh1 Wazuh will even show Windows logins on CentOS 7 machines by default.




  • @travisdh1 said in Logging Domain user authentication failures:

    @eddiejennings No OSSEC, Wazuh, or some other security monitoring available? All of them monitor logins by default that I've looked at. Should be easy to customize a report for whatever you need.

    I haven't had to set this up in a Windows environment yet, so I'm also curious as to what you end up doing.

    We do have ExtraHop; however, it's not capturing all the traffic it should (and another team is in charge of its configuration), so using auditing on the domain controllers is a bit of a stop-gap measure.



  • @eddiejennings said in Logging Domain user authentication failures:

    @travisdh1 said in Logging Domain user authentication failures:

    @eddiejennings No OSSEC, Wazuh, or some other security monitoring available? All of them monitor logins by default that I've looked at. Should be easy to customize a report for whatever you need.

    I haven't had to set this up in a Windows environment yet, so I'm also curious as to what you end up doing.

    We do have ExtraHop; however, it's not capturing all the traffic it should (and another team is in charge of its configuration), so using auditing on the domain controllers is a bit of a stop-gap measure.

    Ah. What an ..... effective use of resources.

    Good luck, ExtraHop is very nice, but like every other tool, it's useless until deployed properly.