security auditing questions

djc

Win2000 Server SP4. Native mode domain.

A few simple questions will go a long way in my quest to fully understand
Windows security auditing.

When both account logon events and logon events (failures only for both) are
enabled in both the Domain Security Policy and the Domain Controllers
Security Policy, what happens in the following scenarios? I am mostly
looking to find out what event is logged and where it is actually logged.

1) A user fails a logon to the domain from his workstation due to a wrong
password. Not a net connection attempt, a regular login (i.e. after pressing
Ctrl+Alt+Del).

2) A logged on domain user attempts to connect to a remote share using a UNC
path name and when prompted for a user name and password he supplies the
wrong password.

3) A domain user supplies the wrong password to the prompt from an IIS
intranet website using basic authentication.

These are a few (of the many) common scenarios I want to understand the
whats and wheres of. For instance, can one logon failure actually generate
more than one event to be logged? Or maybe the same event logged in more
than one place?

Any info would be greatly appreciated. Thanks.
 
Steven L Umbach

Well, here is what my experience shows.

For a failed logon attempt to the domain on a domain workstation, an account logon
event failure, probably ID 675, for the user will be logged on the domain controller
that the user used for authentication and the computername/IP address

The same thing happens for access to another domain computer via UNC. The account
logon failure, probably ID 675, will show the source computer/IP address and the
username used to try to access the share - not the name of the user who used the
alternate credentials.

Not sure about the last one, but again I imagine it would be an account logon failure
referencing the user account used. That one you could try out.

One logon failure can generate more than one bad logon attempt which is why MS
recommends a minimum of 10 for account lockout threshold. Logon failures can be
recorded in more than one place. --- Steve
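
An added example, not part of the thread: since one failed logon may produce several failure events, possibly on more than one domain controller, this Python code collapses ID 675 events gathered from several DCs into attempts per user and source address. The record layout, the sample values and the 5-second grouping window are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, as if exported from the Security logs of two
# domain controllers. Field names and values are made up for this example.
SAMPLE = [
    {"dc": "DC1", "event_id": 675, "user": "jsmith", "client": "10.0.0.21", "time": "2004-03-01 09:00:01"},
    {"dc": "DC1", "event_id": 675, "user": "jsmith", "client": "10.0.0.21", "time": "2004-03-01 09:00:02"},
    {"dc": "DC2", "event_id": 675, "user": "jsmith", "client": "10.0.0.21", "time": "2004-03-01 09:00:03"},
    {"dc": "DC1", "event_id": 675, "user": "jsmith", "client": "10.0.0.21", "time": "2004-03-01 09:05:00"},
    {"dc": "DC2", "event_id": 675, "user": "admin", "client": "10.0.0.40", "time": "2004-03-01 09:00:02"},
    # Ignored below: this event ID is not in failure_ids.
    {"dc": "DC2", "event_id": 672, "user": "jsmith", "client": "10.0.0.21", "time": "2004-03-01 09:06:00"},
]

def group_attempts(records, failure_ids=(675,), window_seconds=5):
    """Collapse failure events into attempts per (user, client).

    Events for the same user and source that fall within window_seconds of
    the previous event count as one attempt, whichever DC logged them.
    """
    by_key = defaultdict(list)
    for r in records:
        if r["event_id"] in failure_ids:
            ts = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")
            by_key[(r["user"], r["client"])].append((ts, r["dc"]))
    window = timedelta(seconds=window_seconds)
    attempts = []
    for (user, client), events in sorted(by_key.items()):
        events.sort()  # chronological order within one user/source pair
        current = None
        for ts, dc in events:
            if current is None or ts - current["last"] > window:
                current = {"user": user, "client": client, "first": ts,
                           "last": ts, "events": 0, "dcs": set()}
                attempts.append(current)
            current["last"] = ts
            current["events"] += 1
            current["dcs"].add(dc)
    return attempts

if __name__ == "__main__":
    for a in group_attempts(SAMPLE):
        print(a["user"], a["client"], a["first"],
              "events:", a["events"], "DCs:", sorted(a["dcs"]))
```

Comparing the attempt count with the raw event count per account shows how much of an account lockout threshold a single mistyped password can consume.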
 
