RE: Auditing enabled but Logon Failures not showing up

thenile_at_ziplip.com
Date: 10/27/03

  • Next message: Thor: "Re: Terminal Services Auditing?"
    Date: Sun, 26 Oct 2003 23:54:50 -0800 (PST)
    To: fh@rcs.urz.tu-dresden.de, focus-ms@securityfocus.com
    
    

    > > Step 3: Joe tries to log on with wrong password and straight away tries
    > > to log on with right password, event 529 shows up on DCs.
    >
    > I assume even when Joe does log on with the right password first,
    > you get a 529 on the DC?

    NO, nothing shows up in the DCs' logs when there is a successful local login. The only account which exists locally on all machines is the renamed Admin account; all users are domain users. I have only created local users for testing and they do not map any shares. By the way, the local users have different usernames from the domain users.

    When Dave mentioned the specific event IDs, I thought he was only after the ID and not the event; sorry about that. So here is the event which shows in the DCs when trying to log on to a local machine with the wrong password:
    --------------------------------Event id 529 -------------------
    Logon Failure:
             Reason: Unknown user name or bad password
             User Name: thenileLocalAcct
             Domain: thenileLocalMachine
             Logon Type: 3
             Logon Process: KSecDD
             Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
             Workstation Name: \\thenileLocalMachine

    ------------------------------Event id 528 ---------------------
    When a client logs on successfully to the domain, this shows up:
    Successful Logon:
             User Name: thenileDomainAcct
             Domain: DomainName
             Logon ID: Logon ID removed
             Logon Type: 3
             Logon Process: KSecDD
             Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
             Workstation Name: \\thenileLocalMachine

    -----------------------------------------------------

    So again, my main problem is that when a user tries to log on to the domain with the wrong password, no events are showing up. After that person tries n times, his/her account gets locked out as per the setting in the policies in the User Manager.

    From the Google post I included previously it seems that other people have experienced the same problem. I have also received two different emails from people asking if I managed to get answers for this problem because they are facing the same issue.

    If I have omitted any details, please let me know and I will provide it.

    Your help is greatly appreciated.

    Thenile

     
    > The reason could be:
    > On some earlier session, Joe did make a network connection to the DC.
    > This connection used another account, because a local account normally
    > can't connect to the DC. Joe did use the option "reconnect again..."
    > Now when Joe logs on again, the WS tries to reestablish the connection
    > to the network share, but it has no or the wrong password.
    >
    > If my assumption is wrong, you really should provide the entire output of
    > the 529 event on the DC, as other members on the list already
    > suggested.
    >
    >
    >
    > Frank Heyne
    >
    >
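
An added example (not part of the original post or the list archive): a small parser for text-exported 529/528 records like the two quoted above, which labels each record as naming a local or a domain account by comparing the Domain field with the Workstation Name. The `Event ID:` line layout, the function names and the trimmed sample are assumptions constructed for illustration.

```python
import re

# Constructed sample: the post's two records, trimmed, with an assumed
# "Event ID:" line in front of each (the post uses dashed separators).
SAMPLE = r"""Event ID: 529
Logon Failure:
         Reason: Unknown user name or bad password
         User Name: thenileLocalAcct
         Domain: thenileLocalMachine
         Logon Type: 3
         Workstation Name: \\thenileLocalMachine

Event ID: 528
Successful Logon:
         User Name: thenileDomainAcct
         Domain: DomainName
         Logon ID: Logon ID removed
         Logon Type: 3
         Workstation Name: \\thenileLocalMachine
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")

def parse_events(text):
    """Split a text export into one dict of fields per event record."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m and m.group(2):  # skip headings such as "Logon Failure:"
                fields[m.group(1).strip()] = m.group(2).strip()
        if "Event ID" in fields:
            events.append(fields)
    return events

def account_scope(ev):
    """'local' when Domain is the workstation's own name, else 'domain'."""
    ws = ev.get("Workstation Name", "").lstrip("\\").lower()
    dom = ev.get("Domain", "").lower()
    return "local" if ws and dom == ws else "domain"

def domain_failures(events):
    """529 records naming a domain account (the ones reported missing)."""
    return [e for e in events
            if e["Event ID"] == "529" and account_scope(e) == "domain"]

if __name__ == "__main__":
    for ev in parse_events(SAMPLE):
        print(ev["Event ID"], ev["User Name"], account_scope(ev))
```

On the sample, the only 529 record is classified as local and `domain_failures` returns an empty list, which matches the symptom described in the message.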
