RE: Event Log messages for failed logon attempts

From: Drew Hunt (Drew_at_Valleymed.org)
Date: 10/27/03

    Date: Mon, 27 Oct 2003 09:31:31 -0800
    To: "Sean Warnock" <swarnock@warnocksolutions.com>, <FOCUS-MS@SECURITYFOCUS.COM>
    
    

    This is a little better since it gives you logon types.
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/518.asp

    Or http://tinyurl.com/p4ve

    There is quite a lot of info out there on failed logons. What I would
    like to know is when someone locks their machine. That doesn't seem to
    trigger anything in the event logs. But I don't want to audit every
    object access. Any ideas?

    Drew

    -----Original Message-----
    From: Sean Warnock [mailto:swarnock@warnocksolutions.com]
    Sent: Saturday, October 25, 2003 7:59 AM
    To: FOCUS-MS@SECURITYFOCUS.COM
    Subject: Event Log messages for failed logon attempts

    I am currently working on a small script that will parse the
    event logs of a Windows NT/2000/2003 domain controller looking for
    failed logon attempts. I am currently aware of event log message 529. I
    believe that I have been able to generate several other error messages
    for failed logon attempts depending upon what a client is using to
    authenticate with (ex. Kerberos, NTLM, etc.). Does anyone have any
    other input or articles that they would suggest? The only KB article
    that I have found so far was 299475.

    Sean
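
An added example, not part of either message in this thread: a Python parser of the kind Sean describes, which also reports the logon type that Drew's link documents. Only event 529 comes from the thread; the other event IDs and the logon-type numbers are the Windows 2000/2003 Security log values as known to the editor, and the three-column CSV layout and the sample rows are constructed assumptions.

```python
import csv
import io
import re
from collections import Counter

# 529 is the ID named in the thread; the rest are not from the thread.
FAILED_LOGON = {
    529: "unknown user name or bad password",
    530: "logon time restriction violation",
    531: "account disabled",
    532: "account expired",
    533: "not allowed to log on at this computer",
    534: "requested logon type not granted",
    535: "password expired",
    539: "account locked out",
}
LOGON_TYPE = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
              7: "Unlock", 8: "NetworkCleartext", 10: "RemoteInteractive"}

# Constructed sample in an assumed layout: event_id,computer,description
SAMPLE = '''\
528,DC01,"Successful Logon: User Name: alice Domain: CORP Logon Type: 2"
529,DC01,"Logon Failure: Reason: Unknown user name or bad password User Name: alice Domain: CORP Logon Type: 3"
529,DC01,"Logon Failure: Reason: Unknown user name or bad password User Name: Alice Domain: CORP Logon Type: 3"
529,WS07,"Logon Failure: Reason: Unknown user name or bad password User Name: bob Domain: CORP Logon Type: 7"
539,DC01,"Logon Failure: Reason: Account locked out User Name: alice Domain: CORP Logon Type: 3"
not-an-event-row
'''

FIELDS = re.compile(r"User Name:\s*(\S+).*?Logon Type:\s*(\d+)", re.S)

def failed_logons(text):
    """Return one dict per failed-logon row; skip successes and malformed rows."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 3 or not row[0].isdigit():
            continue                      # malformed or blank line
        event_id = int(row[0])
        if event_id not in FAILED_LOGON:
            continue                      # e.g. 528, a successful logon
        m = FIELDS.search(row[2])
        user = m.group(1).lower() if m else "?"   # account names are case-insensitive
        ltype = LOGON_TYPE.get(int(m.group(2)), "Other") if m else "Unknown"
        events.append({"id": event_id, "reason": FAILED_LOGON[event_id],
                       "computer": row[1], "user": user, "logon_type": ltype})
    return events

def summarize(events):
    """Count failures per (user, logon type) so repeated failures stand out."""
    return Counter((e["user"], e["logon_type"]) for e in events)
```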
