RE: help determining source of logon failure audits



"Jesper" wrote:

Account logon events and Logon events generate pretty much the same
information on a stand-alone. Account logon events is the act of
authenticating against an account. Logon events is logging onto the computer.
If you are domain joined, the former are logged on the DC and the latter on
the client, for domain logons.

These, however, are much simpler. You have the "Fast User Switching" screen,
correct? The one which lists all the accounts? When you click on an account
Windows needs to know whether to show you a password box or not. To determine
that it tries to log the account on with a blank password. If the account has
a password that logon fails and it shows you the password box. This will,
however, generate a logon failure audit event.


I know about this - it doesn't describe what I'm seeing.
In any case, Fast User Switching has always been on, but these events
only started appearing about a week ago.

"josh rubin" wrote:

"Jesper" wrote:

What is the logon type in the event? Logon type 10 is RDP. 3 would be network
(i.e. Windows networking). Are you sure these are attempts to log on via RDP?

There is no logon type 6a. They are all numeric, and start with 2.

Your answer made me realize that I had logging enabled for
"Account Logon Events" but not "Logon Events".

Below are the events I am *now* logging, and two typical "Account Logon
Events". Let me know if I should enable more events.
--------------
Policy                             Security Setting

Audit object access                Failure
Audit directory service access     No auditing
Audit process tracking             No auditing
Audit privilege use                No auditing
Audit system events                No auditing
Audit account logon events         Success, Failure **** NEW ****
Audit account management           Success, Failure
Audit policy change                Success, Failure
Audit logon events                 Success, Failure
-------------

Here are two typical events from my log:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 1/3/2007
Time: 11:36:44 PM
User: NT AUTHORITY\SYSTEM
Computer: RAVEN
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Josh
Source Workstation: RAVEN
Error Code: 0xC000006A


Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 1/3/2007
Time: 11:38:44 PM
User: NT AUTHORITY\SYSTEM
Computer: RAVEN
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Josh
Source Workstation: RAVEN
Error Code: 0xC0000234
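
Added example, not part of the original thread: a small Python triage for pasted event 680 records like the two above. It decodes the Error Code as an NTSTATUS value (0xC000006A is STATUS_WRONG_PASSWORD, 0xC0000234 is STATUS_ACCOUNT_LOCKED_OUT) and checks whether Source Workstation matches the logging computer. The function names and the trimmed SAMPLE text are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# NTSTATUS values seen in the Error Code field of event 680 failures.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# The two events from the post, cut down to the fields used here.
SAMPLE = """\
Event ID: 680
Computer: RAVEN
Logon account: Josh
Source Workstation: RAVEN
Error Code: 0xC000006A

Event ID: 680
Computer: RAVEN
Logon account: Josh
Source Workstation: RAVEN
Error Code: 0xC0000234
"""

def parse_events(text):
    """Split a pasted log on blank lines and read each 'Field: value' line."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = re.findall(r"^[ \t]*([^:\n]+):[ \t]*(.*)$", block, re.M)
        fields = {k.strip(): v.strip() for k, v in pairs}
        if fields.get("Event ID") == "680" and "Error Code" in fields:
            events.append(fields)
    return events

def triage(events):
    """Per account: decoded codes in log order, and whether every failure was local."""
    out = defaultdict(lambda: {"codes": [], "local_only": True})
    for ev in events:
        code = int(ev["Error Code"], 16)
        entry = out[ev.get("Logon account", "?")]
        entry["codes"].append(NTSTATUS.get(code, hex(code)))
        if ev.get("Source Workstation", "").upper() != ev.get("Computer", "").upper():
            entry["local_only"] = False
    return dict(out)

if __name__ == "__main__":
    print(triage(parse_events(SAMPLE)))
```
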


