RE: Event Log messages for failed logon attempts
From: Drew Hunt (Drew_at_Valleymed.org)
Date: 10/27/03
Date: Mon, 27 Oct 2003 09:31:31 -0800
To: "Sean Warnock" <swarnock@warnocksolutions.com>, <FOCUS-MS@SECURITYFOCUS.COM>
This is a little better since it gives you logon types.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/518.asp
There is quite a lot of info out there on failed logons. What I would
like to know is when someone locks their machine. That doesn't seem to
trigger anything in the event logs. But I don't want to audit every
object access. Any ideas?
Drew
-----Original Message-----
From: Sean Warnock [mailto:swarnock@warnocksolutions.com]
Sent: Saturday, October 25, 2003 7:59 AM
To: FOCUS-MS@SECURITYFOCUS.COM
Subject: Event Log messages for failed logon attempts
I am currently working on a small script that will parse the
event logs of a Windows NT/2000/2003 domain controller looking for
failed logon attempts. I am currently aware of event log message 529. I
believe that I have been able to generate several other error messages
for failed logon attempts depending upon what a client is using to
authenticate with (e.g. Kerberos, NTLM, etc.). Does anyone have any
other input or articles that they would suggest? The only KB article
that I have found so far was 299475.
Sean
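
An added example, not part of either message above: a Python script for the kind of failed-logon scan Sean describes, run over a constructed comma-separated export. The column layout, account names and workstation names are assumptions made for illustration; the event IDs are the Security log failure IDs used by Windows NT/2000/2003.

```python
import csv, io
from collections import Counter

# 529-539 are logon failures; 675/676/681 are account-logon failures
# recorded on Windows 2000 and later domain controllers.
FAILED_LOGON = {
    529: "unknown user name or bad password",
    530: "logon time restriction",
    531: "account disabled",
    532: "account expired",
    533: "not allowed to log on at this computer",
    534: "logon type not granted",
    535: "password expired",
    536: "NetLogon component not active",
    537: "unexpected error during logon",
    539: "account locked out",
    675: "Kerberos pre-authentication failed",
    676: "Kerberos authentication ticket request failed",
    681: "NTLM account logon failed (Windows 2000)",
}
LOGON_TYPE = {"2": "interactive", "3": "network", "4": "batch",
              "5": "service", "7": "unlock", "10": "remote interactive"}

# Constructed sample export: timestamp, event ID, user, logon type, workstation.
SAMPLE = """\
2003-10-25 07:41:02,529,jsmith,3,WKS-014
2003-10-25 07:41:05,529,jsmith,3,WKS-014
2003-10-25 07:41:09,539,jsmith,3,WKS-014
2003-10-25 07:43:30,528,adavis,2,WKS-020
2003-10-25 07:50:11,675,bking,,WKS-031
2003-10-25 07:52:48,531,oldtemp,2,WKS-007
not,a,valid,row
"""

def failed_logons(text):
    """Yield (timestamp, user, reason, logon_type, workstation) per failure."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5 or not row[1].isdigit():
            continue  # skip malformed lines
        reason = FAILED_LOGON.get(int(row[1]))
        if reason:  # successes such as 528 are not in the table and are ignored
            yield (row[0], row[2].lower(), reason,
                   LOGON_TYPE.get(row[3], "n/a"), row[4])

def users_over_threshold(text, threshold=3):
    """Return {user: count} for accounts with at least `threshold` failures."""
    counts = Counter(user for _, user, *_ in failed_logons(text))
    return {u: n for u, n in counts.items() if n >= threshold}
```

Grouping by account rather than by event ID keeps a run of 529s that ends in a 539 lockout together as one finding.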