Solved

Where Are Active Directory Security Logs?

Posted on 2004-04-07
885 Views
Last Modified: 2013-12-04
Simple question: I recently set up a Windows 2000 Active Directory for a small office.  It has worked well except for a couple of user accounts that got locked out for unknown reasons.  My policy allows up to 5 bad logins within an hour before locking out an account and nobody remembers typing bad passwords.  (Nobody ever does...  :-)  )  Anyway, back in the old days of Win NT 4, I would just go to the event log on the domain controller and see when the bad logins occurred.  On Win2k, however, I'm not seeing anything relating to AD logins on the event log.  I'm pretty sure I have auditing turned on for all of the appropriate AD events.  Where would I look for logs of these AD events?

--> Daryl Shockey
Question by:dshockey
13 Comments
 
LVL 57

Accepted Solution

by:
Pete Long earned 125 total points
ID: 10775449
You should be looking in the Security event log. Are you sure the policy is applied?

For LOCAL POLICY
You can configure this security setting by opening the appropriate policy and expanding the console tree as such: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\

For GROUP POLICY

Open Active Directory Users and Computers.
In the console tree, right-click the domain or organizational unit for which you want to set Group Policy.
Click Properties, and then click the Group Policy tab.
Click Edit to open the Group Policy object (GPO) that you want to edit. You can also click New to create a new GPO, and then click Edit.
In the console tree, click Audit Policy.
Where? Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
In the details pane, double-click an event category that you want to change the auditing policy settings for.
If you are defining auditing policy settings for this event category for the first time, select the Define these policy settings check box.
Do one or both of the following, and then click OK.
To audit successful attempts, select the Success check box.
To audit unsuccessful attempts, select the Failure check box.


Logon Events
Event ID Description
528 A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below.
529 Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.
530 Logon failure. A logon attempt was made by a user account outside of the allowed logon hours.
531 Logon failure. A logon attempt was made using a disabled account.
532 Logon failure. A logon attempt was made using an expired account.
533 Logon failure. A logon attempt was made by a user who is not allowed to log on at this computer.
534 Logon failure. The user attempted to log on with a type that is not allowed.
535 Logon failure. The password for the specified account has expired.
536 Logon failure. The Net Logon service is not active.
537 Logon failure. The logon attempt failed for other reasons.
Note: In some cases, the reason for the logon failure may not be known.
538 The logoff process was completed for a user.
539 Logon failure. The account was locked out at the time the logon attempt was made.
540 A user successfully logged on to a network.
541 Main mode Internet Key Exchange (IKE) authentication was completed between the local computer and the listed peer identity (establishing a security association), or quick mode has established a data channel.
542 A data channel was terminated.
543 Main mode was terminated.
Note: This might occur as a result of the time limit on the security association expiring (the default is eight hours), policy changes, or peer termination.
 
544 Main mode authentication failed because the peer did not provide a valid certificate or the signature was not validated.
545 Main mode authentication failed because of a Kerberos failure or a password that is not valid.
546 IKE security association establishment failed because the peer sent a proposal that is not valid. A packet was received that contained data that is not valid.
547 A failure occurred during an IKE handshake.
548 Logon failure. The security ID (SID) from a trusted domain does not match the account domain SID of the client.
549 Logon failure. All SIDs corresponding to untrusted namespaces were filtered out during an authentication across forests.
550 Notification message that could indicate a possible denial-of-service attack.
551 A user initiated the logoff process.
552 A user successfully logged on to a computer using explicit credentials while already logged on as a different user.
682 A user has reconnected to a disconnected terminal server session.
683 A user disconnected a terminal server session without logging off.
Note: This event is generated when a user is connected to a terminal server session over the network. It appears on the terminal server.
 
When event 528 is logged, a logon type is also listed in the event log. The following table describes each logon type.

Logon type Logon title Description
2 Interactive A user logged on to this computer.
3 Network A user or computer logged on to this computer from the network.
4 Batch Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
5 Service A service was started by the Service Control Manager.
7 Unlock This workstation was unlocked.
8 NetworkCleartext A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).  
9 NewCredentials A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
10 RemoteInteractive A user logged on to this computer remotely using Terminal Services or Remote Desktop.
11 CachedInteractive A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.


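The event ID and logon type tables above are exactly what an administrator needs to answer the original question ("when or where did the bad login attempt occur?"). The following is an added example, not code from the thread or from Microsoft: it takes logon events in the shape Event Viewer shows for the pre-Vista IDs listed above (528/529/539/540 with a logon type code), groups the failures per account, and applies the asker's own lockout policy (5 bad passwords within an hour) as a sliding window to report which workstation the attempts came from. The sample records, the record field layout, and the function names are all constructed for this example.

```python
"""Correlate Windows 2000-era Security log logon events to locate the
source of account lockouts. Added example; record layout is assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs from the table in the accepted answer (pre-Vista numbering).
LOGON_EVENTS = {
    528: "successful logon",
    529: "bad user name or password",
    530: "outside allowed logon hours",
    531: "disabled account",
    532: "expired account",
    533: "not allowed at this computer",
    534: "logon type not allowed",
    535: "password expired",
    536: "Net Logon service not active",
    537: "other failure",
    539: "account locked out",
    540: "successful network logon",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# Only bad-password attempts (529) advance the lockout counter; the other
# failure codes explain a refusal but do not drive the threshold.
BAD_PASSWORD_EVENT = 529
FAILURE_EVENTS = {529, 530, 531, 532, 533, 534, 535, 536, 537, 539}

# Constructed sample records: (time, event id, account, workstation, logon type).
SAMPLE_EVENTS = [
    ("2004-04-07 08:00:05", 528, "daryl", "WS01", 2),
    ("2004-04-07 08:10:00", 529, "jsmith", "WS07", 3),
    ("2004-04-07 08:12:00", 529, "jsmith", "WS07", 3),
    ("2004-04-07 08:15:00", 529, "jsmith", "WS07", 3),
    ("2004-04-07 08:20:00", 529, "jsmith", "WS07", 3),
    ("2004-04-07 08:25:00", 529, "jsmith", "WS07", 3),
    ("2004-04-07 08:26:00", 539, "jsmith", "WS07", 3),
    ("2004-04-07 09:00:00", 529, "daryl", "WS01", 2),  # one typo, harmless
    ("2004-04-07 12:30:00", 540, "svc_backup", "SRV02", 3),
]


def parse_events(rows):
    """Turn (time, id, account, workstation, logon_type) tuples into dicts,
    sorted by time so later window logic can rely on ordering."""
    events = []
    for time_str, event_id, account, workstation, logon_type in rows:
        events.append({
            "time": datetime.strptime(time_str, "%Y-%m-%d %H:%M:%S"),
            "id": event_id,
            "account": account.lower(),
            "workstation": workstation,
            "logon_type": logon_type,
        })
    return sorted(events, key=lambda e: e["time"])


def describe(event):
    """One-line summary using the thread's event ID and logon type names."""
    reason = LOGON_EVENTS.get(event["id"], "unknown event")
    kind = LOGON_TYPES.get(event["logon_type"], "type %s" % event["logon_type"])
    return "%s %d %s: %s from %s (%s)" % (
        event["time"].strftime("%H:%M:%S"), event["id"], event["account"],
        reason, event["workstation"], kind)


def failures_by_account(events):
    """Group every failed-logon event by the account it was attempted for."""
    grouped = defaultdict(list)
    for e in events:
        if e["id"] in FAILURE_EVENTS:
            grouped[e["account"]].append(e)
    return dict(grouped)


def lockout_sources(events, threshold=5, window=timedelta(hours=1)):
    """Accounts whose bad-password attempts reached `threshold` inside any
    `window`-long span, mapped to the workstations those attempts came from.
    Defaults mirror the asker's policy: 5 bad logins within an hour."""
    attempts = defaultdict(list)
    for e in events:
        if e["id"] == BAD_PASSWORD_EVENT:
            attempts[e["account"]].append(e)
    sources = {}
    for account, tries in attempts.items():
        tries.sort(key=lambda e: e["time"])
        start = 0
        for end, current in enumerate(tries):
            # Advance the window start until the span fits inside `window`.
            while current["time"] - tries[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                sources.setdefault(account, set()).update(
                    t["workstation"] for t in tries[start:end + 1])
    return sources


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_EVENTS)
    for acct, fails in failures_by_account(parsed).items():
        print(acct, len(fails), "failed logon(s)")
        for e in fails:
            print("   ", describe(e))
    print("lockout sources:", lockout_sources(parsed))
```

With the constructed data, jsmith's five bad-password events within fifteen minutes from WS07 are flagged as the lockout source, while daryl's single typo is listed as a failure but never reaches the threshold. On a real domain controller the same logic applies to events pulled from the Security log once auditing of "Logon" and "Account Logon" is in effect, which is the step the accepted answer walks through.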
 
LVL 12

Expert Comment

by:trywaredk
ID: 10775540
>"Nobody ever does...  "

Maybe you are being troubled by virus/spyware/trojans/backdoors ??? Test and remove !!!

Protect yourself with a solid solution

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
 
LVL 12

Expert Comment

by:trywaredk
ID: 10775547
Use this free online Trend Housecall scanner to find and clean every known virus/rootkits/backdoors:
http://housecall.trendmicro.com/housecall/start_corp.asp

Some viruses can't be removed by housecall. If so, use the free Trend Micro system cleaner:
http://www.trendmicro.com/download/tsc.asp

If you get an ActiveX error when loading the HouseCall web page:
http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=4317

If you want to secure your company's workstations in the future, consider purchasing OfficeScan:
http://www.trendmicro.com/en/products/desktop/osce/evaluate/features.htm

If you can afford it, you can get a URL-scanning engine installed on a server, with workstation, server, email and URL-scanning engines, from
http://www.trendmicro.com/en/products/global/enterprise.htm

Virus Information Alliance (VIA)
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/via.asp

Review of the best antivirus solutions:
http://www.cnet.com/software/1,11066,0-806174-1202-0,00.html?tag=dir-av&pn=1&ob=3&qt=&qn=&F2=0&F3=0&sm=0

SoftScan puts an end to virus and spam threats from the Internet
http://www.softscan.dk/english/index.asp
 
LVL 12

Expert Comment

by:trywaredk
ID: 10775560
Getting a personal Firewall
http://www.zensecurity.co.uk/default.asp?URL=personal

Download the free version of Sygate personal firewall
http://smb.sygate.com/support/documents/spf/default.htm
http://smb.sygate.com/download/download.php?pid=spf

Download the free version of ZoneAlarm firewall
http://www.zonelabs.com/store/content/company/zap_za_grid.jsp?lid=ho_za

Comparative reviews of personal firewall software:
http://www.firewallguide.com/software.htm

Firewall Product Selector - Choose yourself which one to compare
http://www.spirit.com/cgi-new/report.pl?dbase=fw&function=view

The Internet Connection Firewall Can Prevent Browsing and File Sharing
http://support.microsoft.com/default.aspx?scid=kb;en-us;298804
 
LVL 12

Expert Comment

by:trywaredk
ID: 10775565
Spybot:
http://security.kolla.de/index.php

Ad-aware Standard Edition is THE award winning, free*, multicomponent adware detection and removal utility:
http://www.lavasoft.de/software/adaware/

SpyFerret detects & removes spyware
http://www.onlinepcfix.com/spyware/spyware.htm

Bazooka Adware and Spyware Scanner v1.13.01
http://www.kephyr.com/spywarescanner/

Automatic check of your browser for parasites, adware and spyware
http://www.doxdesk.com/parasite/
 
LVL 12

Expert Comment

by:trywaredk
ID: 10775568
List of known Trojan/Backdoors and the TCP/UDP ports on which they operate
http://pestpatrol.com/Support/About/About_Ports_And_Trojans.asp - portlist

List of known Trojan/Backdoors and the TCP/UDP ports on which they operate
http://www.onctek.com/trojanports.html

Internet Storm Center - Input portnumber and press GO
http://isc.incidents.org/port_details.html?port=

IPEye is a freeware TCP port scanner
http://www.ntsecurity.nu/toolbox/ipeye/
 
LVL 12

Expert Comment

by:trywaredk
ID: 10775572
Sygate free scanning your security: quick, stealth, trojan, tcp, udp, icmp
http://scan.sygatetech.com/

One Usage of the HACKYOURSELF scan: TCP Scan (65534 ports),UDP scan (800+ ports), and Netbios Scan
http://www.hackerwhacker.com/

Shields UP! quickly checks the SECURITY of YOUR computer's connection to the Internet.
https://grc.com/x/ne.dll?bh0bkyd2

Port scan. Get an instant security analysis now. You don't even need to know your own IP address!
http://www.dslreports.com/scan

How to recover an already compromised system, visit the CERT Coordination Center:
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

 
LVL 12

Expert Comment

by:trywaredk
ID: 10775582
Also remember to patch up with latest hotfixes...

About Windows Update (SUS)
http://v4.windowsupdate.microsoft.com/en/about.asp

Download and install Microsoft's automatic update server (also known as SUS)
http://www.microsoft.com/windows2000/downloads/recommended/susclient/default.asp
 
LVL 1

Author Comment

by:dshockey
ID: 10775583
I just checked and auditing for success and failure of both "Account Logon" and "Logon" is turned on at all levels:
  - Local Security Policy
  - Domain Security Policy
  - Domain Controller Security Policy
  - Group Policy for organizational unit in which all users exist

When I run the event viewer (eventvwr) on the AD domain controller, I do not see *any* entries in the Security Log.  All other logs have entries in them.

--> Daryl Shockey
 
LVL 1

Author Comment

by:dshockey
ID: 10775604
I'm borderline psychotic about keeping up-to-date with service packs and hotfixes.  While I certainly won't dismiss the possibility of it being a virus/trojan horse, the fact remains that I have no way of determining which machine contains the offending program because I have no log of when or where the bad login attempt occurred.

--> Daryl Shockey
 
LVL 1

Author Comment

by:dshockey
ID: 10775672
I spoke too soon earlier.  It turns out that I am now getting audit trails which I didn't get earlier.  I'm not sure which setting worked (since I modified a few at the same time).  But I can figure that part out now.

Thanx Petelong!

trywaredk:  These are supposed to be meaningful dialogues.  Your comment about the possibility of it being a virus or trojan horse was good.  The *really* extensive list of links that followed was not and would only frustrate somebody trying to enter into this thread.  Please don't bomb threads with URL lists like this.  Make a web page that has all of these links and post one URL to that web page.

--> Daryl Shockey
 
LVL 57

Expert Comment

by:Pete Long
ID: 10775840
Thanks Daryl, glad you got there (even if you're not sure how).

Pete
 
LVL 12

Expert Comment

by:trywaredk
ID: 10781864
>"Make a web page that has all of these links and post one url to that web page"

:o) What a great idea - thank you
http://www.tryware.dk/English/Knowledgebase/HowToProtectYourComputer.html

BTW: DSHOCKEY - Please comment here:
http://www.experts-exchange.com/Security/Win_Security/Q_20947518.html