Advertisement

05.09.2008 at 08:34AM PDT, ID: 23389767 | Points: 500
[x]
Attachment Details

Workstations show no audit trails for logon attempts

Zones: Network Auditing Software, Miscellaneous Security, Windows 2003 Server
Tags: Local Account Logon Audits
When reviewing the security logs for one of my DC's, I noticed an Unknown username or bad password failed attempt for an account. On the DC, the security log shows that it generated 130 attempts within a few minutes. I connected to the worksation to review the security logs and saw no failed attempts. I did see the account logon, but it was a few minutes before the logs on the DC showed the failed attempts.

It shows that the logon type was 2 (interactive), and it has an551 (user initiated logoff) that follows 20min after, making it almost 99.9% sure that a user logged on with the account and clicked log off.

How could 130 attempts appear on a DC log while the workstation shows no traces (the log has not been cleared within the past 2 years)

Start your free trial to view this solution
Question Stats
Zone: Security
Question Asked By: cashewx
Question Asked On: 05.09.2008
Participating Experts: 1
Points: 500
Views: 0
Translate:
Loading Advertisement...
05.09.2008 at 09:01AM PDT, ID: 21534213

Rank: Sage

richrumble:

All comments and solutions are available to Premium Service Members only.

Start your 7-day free trial and see for yourself why Experts Exchange is the easiest and most proven technology resource in the world. Get Started

Already a member? Login to view this solution.

 
05.09.2008 at 09:34AM PDT, ID: 21534490
cashewx:

All comments and solutions are available to Premium Service Members only.

Start your 7-day free trial and see for yourself why Experts Exchange is the easiest and most proven technology resource in the world. Get Started

Already a member? Login to view this solution.

 
 
Loading Advertisement...
20080236-EE-VQP-29 / EE_QW_2_20070628