• Status: Solved

Win2K3 Authentication Log?

1) Are there logs for failed authentication (or all authentication)?
2) If yes, where?
3) Would the same log cover VPN connections and OWA?

Asked: HilltownHealthCenter

1 Solution
 
PeteJThomas Commented:
If you check the event logs (security log I think) on the domain controller, you should see something there. I can't remember default settings, I know it doesn't show all authentication success and failure by default, as you would need to enable success and failure auditing manually, but I have a feeling that by default it logs log on failure events...

Take a look at the audit policy on the DCs, see what it's set to... Or just look through the sec logs on the DC, see what you can find.

Details here - (logon types, event IDs etc) - http://www.windowsecurity.com/articles/Logon-Types.html
 
HilltownHealthCenter (Author) Commented:
The security properties filter has all 5 types of event checked (success, failure, etc.).  I tried the following test:

Cleared the security events viewer
Logged off the DC
Attempted to log into the DC using bad PW (failed, 4 times sequentially)
Logged into the DC using the correct PW
Checked the Security Event log.

There are only successes listed in the log, no records of failure.
 
PeteJThomas Commented:
Very sorry, this question got lost and I've only just spotted it again.

What you said above is correct - It doesn't matter what the security filter says, as unless the events are audited in the first place, they won't show up in the logs regardless of the filter settings.

You can find the auditing policy settings within the group policy management console - You need to find the 'Default Domain Controller' policy, and look at the settings for:

Computer Config > Windows Settings > Security Settings > Local Policies/Audit Policy

This is where it's specified what the DCs will actually audit. Specifically you want to look at the setting for Logon Events, and ensure success, failure etc etc is selected. Once this is done, the DCs will actually start auditing these events, and then you will be able to view them in the Security log on the DCs. :)

Again, I'm very sorry about the delayed response, I'll be monitoring this carefully now for any further questions...

Pete
 
HilltownHealthCenter (Author) Commented:
Thanks for the additional information. I found the settings, and only success is listed in the "Audit account logon events". Now I see that I can change it to "failure", but then I lose the success audit. How can I add a new policy to audit both types of events?
 
HilltownHealthCenter (Author) Commented:
I now see that both success and failure can be checked in the same policy.
Thank you.
 
PeteJThomas Commented:
You're welcome, once again, I'm sorry I lost track of this question before!

Take care,

Pete
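
Added example, not part of the original thread: a Python check that reads the `[Event Audit]` section of a security policy export and reports which logon-related audit categories are missing success or failure auditing, the situation found in this thread. The sample export is constructed, and the function names are illustrative; the export is assumed to come from `secedit /export /cfg audit.inf /areas SECURITYPOLICY` run on the DC.

```python
import configparser

# [Event Audit] values: 0 = no auditing, 1 = success, 2 = failure, 3 = both
SUCCESS, FAILURE = 1, 2

# Constructed sample shaped like a secedit export from a DC where
# only success is audited for the two logon categories.
SAMPLE_INF = """\
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 1
AuditObjectAccess = 0
AuditPolicyChange = 1
AuditAccountManage = 1
AuditAccountLogon = 1
[Version]
signature="$CHICAGO$"
"""

# Categories that record authentication attempts, with their names in the policy editor.
LOGON_KEYS = {
    "AuditLogonEvents": "Audit logon events",
    "AuditAccountLogon": "Audit account logon events",
}

def parse_event_audit(inf_text):
    """Return {setting: int} from the [Event Audit] section of the export."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the key names' original case
    cp.read_string(inf_text)
    if not cp.has_section("Event Audit"):
        return {}
    return {k: int(v) for k, v in cp.items("Event Audit")}

def logon_audit_gaps(inf_text):
    """List (policy name, missing outcomes) for logon categories not auditing both."""
    settings = parse_event_audit(inf_text)
    gaps = []
    for key, label in LOGON_KEYS.items():
        value = settings.get(key, 0)  # assumption: an absent key means not audited
        missing = [n for bit, n in ((SUCCESS, "success"), (FAILURE, "failure")) if not value & bit]
        if missing:
            gaps.append((label, missing))
    return gaps

if __name__ == "__main__":
    for label, missing in logon_audit_gaps(SAMPLE_INF):
        print(f"{label}: not auditing {', '.join(missing)}")
```

A real export file is normally UTF-16 encoded, so open it with `encoding="utf-16"` before passing its text to `logon_audit_gaps`.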