Re: Authentication Auditing

From: Brad Baker (brad_at_nospam.nospam)
Date: 10/21/05


Date: Fri, 21 Oct 2005 16:19:55 -0400

Steven -

I think I am either misunderstanding your answer or you aren't understanding
my question :-) Perhaps an example would clarify.

We have two domain controllers: DC1, DC2
A whole bunch of domain workstations: IIS1, IIS2, IIS3
All of the machines above are part of a domain - let's call it dom1.

"Audit account logon events" and "Audit logon events" are enabled for
success and failures in the domain security policy for dom1.

Now let's say that I attempt to log into a secure website on IIS1 using the
dom1\administrator account and it fails.
I do see an event in the DC1 or DC2 security log. (So far so good)

Now I attempt to log into the same secure website on IIS1 using
IIS1\administrator.
I don't see an event in DC1, DC2 or IIS1 security log. What do I need to do
to make sure this event gets logged?

Thanks!
Brad Baker

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:F7CdnbW54LY82sTeRVn-uw@comcast.com...
> You have to enable auditing of "logon events" for the domain computers
> which could be done in Domain Security Policy. Then you will see a type 2
> logon event recorded when a domain user logs onto the domain computer in
> that domain computer's security log. The reason "audit logon events" does
> not work for domain computers is because the account logon event is only
> recorded on the computer that authenticates the user which is a domain
> controller for domain users. --- Steve
>
>
> "Brad Baker" <brad@nospam.nospam> wrote in message
> news:e2vu5dn1FHA.164@TK2MSFTNGP10.phx.gbl...
>> We are trying to ensure that we have auditing enabled for all login attempts
>> to either domain or local machine accounts.
>>
>> I believe that we have enabled auditing for domain level accounts through
>> GPO. We have enabled "audit account logon events" and "audit logon events"
>> under Local Policies -> Audit Policy. I am seeing login attempts for domain
>> accounts on our domain controller's security logs but I am not seeing login
>> attempts for local accounts either in the domain controller's security logs
>> or on the local machine security logs.
>>
>> How do we enable logging of authentication attempts against local (not
>> domain) accounts? Is this another GPO setting? Are we looking in the wrong
>> place? Alternatively, is there a setting at the local machine level that
>> needs to be set? Any information or assistance would be appreciated.
>>
>> Thanks,
>> Brad Baker
>>
>
>


