Re: Alerting on Failed Audits

From: mherchel (n/a)
Date: 01/25/05


Date: Tue, 25 Jan 2005 13:51:01 -0500


"MS recommends no less than ten bad attempts assuming you are also enforcing
complex passwords"

Steve... just out of curiosity, where did you get this info from?

Thanks,
Mike

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:uTFIOanAFHA.2572@TK2MSFTNGP10.phx.gbl...
> You can use Event Comb to scan your dc security logs for failed account
> logons. It is free from Microsoft. For alerts you need other alternatives
> such as GFI from Languard. Account lockouts can be caused by many things
> other than hacking and if your firewall is configured properly and you
> have proper malware protection and host hardening then it would be a rare
> occurrence from outside the network and fairly easy to track down within
> the network. Networks that implement account lockout policy often have the
> threshold too low and MS recommends no less than ten bad attempts assuming
> you are also enforcing complex passwords. I would also enable auditing of
> account management for Domain Controller Security policy and Domain
> Security Policy if you need to track down account lockouts as more useful
> events will then be recorded on domain controllers and the computer where
> the lockout occurred. --- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;308471 -- Event
> Comb
> http://www.gfi.com/nsm/
>
> "Ferdie" <ferdie@insane.com> wrote in message
> news:uRSKrlmAFHA.1396@tk2msftngp13.phx.gbl...
>>I would like to get alerts or reports whenever my DCs get a Failure
>>Audit. My goal is to identify when and why user accounts get locked out,
>>and if there is a hack attempt.
>>
>> Is there a way to gather the logs on my DCs and reports on the failures?
>> I'm just looking for the easiest way for now, since we will be
>> implementing an environmental monitoring service later.
>>
>> Thanks,
>> Ferdie
>>
>
>
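
An added example, not part of the thread and not code from any poster: a PowerShell sketch of the log sweep discussed above, pulling lockout and failed-logon events from every DC's Security log and summarizing them per account. It assumes Windows Server 2008 or later event IDs (4740, 4625, 4771; the 2005-era DCs in the thread used different IDs), the ActiveDirectory module, and rights to read the Security log remotely; the parameter names and the default threshold of 10 are illustrative.

```powershell
# Added example: summarize lockouts and failed logons from DC Security logs.
# Assumed event IDs (Server 2008+): 4740 = account locked out,
# 4625 = failed logon, 4771 = Kerberos pre-authentication failed.
param(
    [int]$Hours = 24,          # look-back window (illustrative default)
    [int]$FailThreshold = 10   # failures per account before flagging (illustrative)
)

Import-Module ActiveDirectory
$since = (Get-Date).AddHours(-$Hours)
$dcs   = (Get-ADDomainController -Filter *).HostName

$events = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4740, 4625, 4771; StartTime = $since
        }
    } catch {
        # Get-WinEvent raises an error when nothing matches; warn only on real failures
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
    }
}

$rows = foreach ($e in $events) {
    # Read EventData fields by name from the event XML rather than by position
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    # 4740 stores the caller computer in TargetDomainName;
    # 4625 has WorkstationName/IpAddress; 4771 has IpAddress only
    $source = if ($e.Id -eq 4740) { $data['TargetDomainName'] }
              elseif ($data['WorkstationName']) { $data['WorkstationName'] }
              else { $data['IpAddress'] }
    [pscustomobject]@{
        Time = $e.TimeCreated; DC = $e.MachineName; Id = $e.Id
        Account = $data['TargetUserName']; Source = $source
    }
}

# Lockouts: which account, when, and the computer that sent the bad passwords
$rows | Where-Object Id -eq 4740 | Sort-Object Time |
    Format-Table Time, DC, Account, Source -AutoSize

# Accounts at or above the failure threshold, with the sources involved
$rows | Where-Object Id -ne 4740 | Group-Object Account |
    Where-Object Count -ge $FailThreshold |
    Format-Table Name, Count,
        @{ n = 'Sources'; e = { ($_.Group.Source | Sort-Object -Unique) -join ', ' } } -AutoSize
```

The lockout rows only appear if account management auditing is enabled on the domain controllers, as the quoted reply advises.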