RE: Auditing enabled but Logon Failures not showing up
thenile_at_ziplip.com
Date: 10/24/03
- Previous message: Frank Heyne: "RE: Auditing enabled but Logon Failures not showing up"
- Maybe in reply to: thenile_at_ziplip.com: "Auditing enabled but Logon Failures not showing up"
- Next in thread: Frank Heyne: "RE: Auditing enabled but Logon Failures not showing up"
- Reply: Frank Heyne: "RE: Auditing enabled but Logon Failures not showing up"
Date: Thu, 23 Oct 2003 20:42:00 -0700 (PDT)
To: dave kleiman <dave@netmedic.net>, focus-ms@securityfocus.com
Hi Dave,
> Let me make sure I have this correct.
>
> 1. Domain = NT4 SP6a.
> 2. Client = W2K SP4
>
Yes
> Scenario 1:
>
> Client tries to logon to domain.
>
> 1. Successful logon shows in DC's event log
> 2. Unsuccessful logon does NOT show in DC's event log.
Both true. When the logon is successful, event ID 528 shows up in the DC's logs.
> Scenario 2.
>
> Client tries to logon to local workstation.
>
> 1. Successful and Unsuccessful logons show in DC's event log.
>
Successful logons never show up in the DC's event logs.
Unsuccessful logons show up in the DC's logs only after the user has managed to log on successfully. So, let us say I create a local user called Joe and I have another domain user called Jade.
If Joe logs on locally successfully, no events show up in the DC's logs. If Joe tries to log on locally with the wrong password, no events show up on the DC either until Joe finally manages to log on successfully.
After Joe logs on successfully to the local machines, event 529 shows up on the DCs with an unknown user name or password.
It is not a sync problem because if you do the following:
Step 1: Joe tries to log on locally with the wrong password; nothing shows up in the DC's logs, and Joe doesn't put the right password in.
Step 2: Jade logs on to the domain; the successful logon shows up.
So Jade's logon showed up but Joe's logon failure did not.
Step 3: Joe tries to log on with the wrong password and straight away tries to log on with the right password; event 529 shows up on the DCs.
My concern is unsuccessful logons to the domain not showing up in the DC's logs.
The local machine logs all the attempts locally.
> Question 1.
>
> Does the user account for the local machine and Domain the same User Id?
> (i.e. "user1" is a local account and Domain account)
The only user which exists locally is the Administrator user. I have created other local users just for testing.
> Question 2.
>
> What are the specific Event ID's you are seeing for failure and success.
>
See above.
> Try setting cached logons to 0 on the client and see if we get the same results.
I did, same results.
Your help is greatly appreciated Dave. Thanks.
Thenile
>
> Dave
>
>
>
> _____________________
> Dave Kleiman
> secure@netmedic.net
> www.SecurityBreachResponse.com
>
> "High achievement always takes place in the framework of high expectation."
> Jack Kinder
>
>
>
>
>
> -----Original Message-----
> From: thenile@ziplip.com [mailto:thenile@ziplip.com]
> Sent: Wednesday, October 22, 2003 20:22
> To: dave kleiman; focus-ms@securityfocus.com
> Subject: RE: Auditing enabled but Logon Failures not showing up
>
>
> Thanks for your reply Dave,
>
> I did the search on Microsoft and could not find much info on my specific
> problem. I did find links with regard to different event problems but not
> to mine.
>
> In Google, there was a similar problem but there was no mention of a
> solution:
> http://groups.google.com.au/groups?hl=en&lr=&ie=UTF-8&oe=utf-8&newwindow=1&threadm=3BF5AFE5.C2B7A7CC%40columbiaSPAM.SUCKSedu&rnum=17&prev=/groups%3Fq%3DSecurity%2BEvent%2BUnsuccessful%2BLogin%2BAttempt%26start%3D10%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3Dutf-8%26newwindow%3D1%26selm%3D3BF5AFE5.C2B7A7CC%2540columbiaSPAM.SUCKSedu%26rnum%3D17
>
>
>
> Can anyone out there help?
>
> thenile
>
>
>
>
> > -----Original Message-----
> > From: dave kleiman [mailto:dave@netmedic.net]
> > Sent: Tuesday, October 21, 2003, 2:32 PM
> > To: thenile@ziplip.com, focus-ms@securityfocus.com
> > Subject: RE: Auditing enabled but Logon Failures not showing up
> >
> > Thenile,
> >
> >
> > Try looking it up with the words "Security Event Unsuccessful Logon
> > Attempt" in the advanced search on MSFT support, it should yield what
> > you are looking for. That would be the proper terminology in MSFT's
> > world. Make sure you set it to ALL OF THE WORDS entered, or you might
> > end up with a google of hits.
> >
> > If you do not find the answer reply back and maybe I can find
> > something for you.
> >
> >
> >
> > _____________________
> > Dave Kleiman
> > secure@netmedic.net
> > www.SecurityBreachResponse.com
> >
> > "High achievement always takes place in the framework of high
> > expectation." Jack Kinder
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: thenile@ziplip.com [mailto:thenile@ziplip.com]
> > Sent: Monday, October 20, 2003 22:23
> > To: focus-ms@securityfocus.com
> > Subject: Auditing enabled but Logon Failures not showing up
> >
> >
> > Hi,
> >
> > Two NT 4 (SP 6 a) domains with a trust relationship from one to the
> > other. If a user (running win 2k SP4 with latest updates) tries to
> > logon to either of the domains with a wrong password, no failure
> > events show up on the PDC or BDC.
> >
> > Successful logons/log offs do show up in the event logs.
> > However, if a user tries to log on to his specific machine (choosing this
> > machine from the drop-down menu) with a wrong password, a failure event
> > shows up in the PDC logs.
> >
> > Auditing is enabled on both domains and log on and log offs success
> > and failures are both ticked in the auditing section on both domains.
> >
> >
> > I am not sure if this started happening recently or it has always been
> > like this.
> >
> > Any ideas would be greatly appreciated.
> >
> > Thank you.
> >
> > thenile
> >
> >
> >