akyuen
asked on
how to track the source of audit failures?
Our domain controller is Windows 2008 R2. Lately, I've been noticing many audit failures under the security logs and corresponding directory service errors (error 12294) under the system logs. The system error states that the administrator account cannot be locked out. I've copied the audit failure result below:
How can I track down the source of the failed attempts?
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: our domain controller$
Account Domain: our domain
Logon ID: 0x3e7
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Administrator
Account Domain: our domain
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
Process Information:
Caller Process ID: 0x230
Caller Process Name: C:\Windows\System32\lsass.exe
Network Information:
Workstation Name: our domain controller
Source Network Address: address of our sonicwall
Source Port: 1559
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
Under details, I get:
- System
- Provider
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
EventID 4625
Version 0
Level 0
Task 12544
Opcode 0
Keywords 0x8010000000000000
- TimeCreated
[ SystemTime] 2014-09-15T00:48:06.692639500Z
EventRecordID 112677147
Correlation
- Execution
[ ProcessID] 560
[ ThreadID] 3592
Channel Security
Computer our domain controller
Security
- EventData
SubjectUserSid S-1-5-18
SubjectUserName our domain controller$
SubjectDomainName our domain
SubjectLogonId 0x3e7
TargetUserSid S-1-0-0
TargetUserName Administrator
TargetDomainName our domain
Status 0xc000006d
FailureReason %%2313
SubStatus 0xc000006a
LogonType 3
LogonProcessName Advapi
AuthenticationPackageName MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
WorkstationName our domain controller
TransmittedServices -
LmPackageName -
KeyLength 0
ProcessId 0x230
ProcessName C:\Windows\System32\lsass.exe
IpAddress the address of our sonicwall
IpPort 1559
Ensure that all shares on this particular machine are disabled until you sort out this issue.
Network Information:
Workstation Name: our domain controller
Source Network Address: address of our sonicwall
Source Port: 1559
The network info should give info about where the login attempt originated from
ASKER
The network information shows that the workstation name is my domain controller and that the source network address originates from my SonicWall. Does that mean that there's a network connection trying to log on directly to my domain controller?
ASKER
There are no shared drives or folders on the domain controller.
ASKER
What I'm confused about is whether this is an attempt to log into the domain controller or is something trying to access a shared file or folder on another server (perhaps my file server), which is AD integrated.
Have you tried my first comment: check and correlate with the event log for events happening around the same time?
The attempt has definitely originated at the workstation identified by the "workstation" under Network Information. An event id of 4625 could also mean a failed attempt to just access a shared file/folder
ASKER
There's nothing in the event log on the domain controller that corresponds to the frequency or duration of these errors.
The source of these errors could be anything; the below is what I'm familiar with:
1) FTP login failures. Check your FTP log.
2) Login via basic authentication over HTTP/HTTPS... potentially dangerous if it's unauthorised.
3) ASP scripts.
Check the frequency and timing of these login failure logs. That might also give you a clue as to the source
ASKER
I get an audit failure every 7 seconds...
So it's probably an automated task/cron job that's running periodically on the DC.
I would also recommend looking at the Application log for entries occurring at about the same time.
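The replies above lean on three things: the Network Information fields (Workstation Name, Source Network Address), the Process Information fields (Logon Process, Caller Process), and the timing of the failures. The script below is an added example for this thread, not code from any of the posts, that does that systematically: it flattens 4625 events from their XML, groups them by the fields that identify who submitted the credentials and from where, and measures the interval between attempts so a steady cadence like the asker's 7 seconds stands out. It assumes PowerShell 2.0 or later (what 2008 R2 ships) and, for live use, read access to the Security log on the DC; the sample events at the bottom are constructed, and DC01, EXAMPLE and 192.0.2.1 are placeholders, not hosts from the thread. One caveat that is my reading rather than something the thread states: Logon Type 3 with Logon Process Advapi and lsass.exe as the caller on the DC itself is what an authentication submitted to the DC's own LSA on behalf of a network client looks like (a failed LDAP simple bind from the address in IpAddress is a common producer of exactly this shape), so the Source Network Address is the client to check first, not a share on another server.

```powershell
# Added example (not from the original thread): summarize Security 4625 events by
# source and caller, and report how regularly each source repeats.
# Assumptions: PowerShell 2.0+; for Get-LiveFailureSummary, run on the DC with
# rights to read the Security log. Sample data below is constructed.

function ConvertFrom-Event4625 {
    # Flatten one 4625 event. Reads the named <Data> elements from the event XML
    # rather than the localized message text, so the field names are stable.
    param(
        [Parameter(Mandatory=$true)][string]$Xml,
        [Parameter(Mandatory=$true)][datetime]$TimeCreated
    )
    $doc = [xml]$Xml
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    New-Object PSObject -Property @{
        TimeCreated      = $TimeCreated
        TargetUserName   = $data['TargetUserName']
        SubStatus        = $data['SubStatus']        # 0xc000006a = bad password, 0xc0000064 = no such user
        LogonType        = $data['LogonType']        # 3 = network logon
        LogonProcessName = $data['LogonProcessName'] # Advapi = credentials submitted through the LogonUser API on this host
        ProcessName      = $data['ProcessName']      # local process that submitted them
        WorkstationName  = $data['WorkstationName']
        IpAddress        = $data['IpAddress']        # client address, when the caller reports one
        IpPort           = $data['IpPort']
    }
}

function Get-FailureSummary {
    # Group flattened events by the fields that identify the caller and its origin,
    # then compute count, median gap between attempts, and first/last seen.
    # A near-constant gap points at a scheduled or service-driven caller.
    param([Parameter(Mandatory=$true)][object[]]$Failures)
    $keys = 'TargetUserName', 'IpAddress', 'WorkstationName', 'LogonType', 'LogonProcessName', 'ProcessName'
    foreach ($g in ($Failures | Group-Object -Property $keys)) {
        $times = @($g.Group | Sort-Object TimeCreated | ForEach-Object { $_.TimeCreated })
        $gaps = @()
        for ($i = 1; $i -lt $times.Count; $i++) {
            $gaps += ($times[$i] - $times[$i - 1]).TotalSeconds
        }
        $median = $null
        if ($gaps.Count -gt 0) {
            $sorted = @($gaps | Sort-Object)
            $median = $sorted[[int][math]::Floor(($sorted.Count - 1) / 2)]
        }
        $first = $g.Group[0]
        New-Object PSObject -Property @{
            Account          = $first.TargetUserName
            SourceIp         = $first.IpAddress
            Workstation      = $first.WorkstationName
            LogonType        = $first.LogonType
            LogonProcess     = $first.LogonProcessName
            CallerProcess    = $first.ProcessName
            SubStatus        = $first.SubStatus
            Count            = $g.Count
            MedianGapSeconds = $median
            FirstSeen        = $times[0]
            LastSeen         = $times[$times.Count - 1]
        }
    }
}

function Get-LiveFailureSummary {
    # Live use on the DC (assumption: local Security log is readable). Not invoked
    # below, so the script still runs on a machine without that log.
    param([int]$MaxEvents = 2000)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents
    $flat = foreach ($e in $events) { ConvertFrom-Event4625 -Xml $e.ToXml() -TimeCreated $e.TimeCreated }
    if (-not $flat) { return }
    Get-FailureSummary -Failures $flat | Sort-Object Count -Descending
}

# Constructed sample: five attempts 7 seconds apart, shaped like the asker's event.
$base = [datetime]'2014-09-15T00:48:06Z'
$sample = foreach ($i in 0..4) {
    $xml = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID></System>
  <EventData>
    <Data Name="TargetUserName">Administrator</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Advapi</Data>
    <Data Name="ProcessName">C:\Windows\System32\lsass.exe</Data>
    <Data Name="WorkstationName">DC01</Data>
    <Data Name="IpAddress">192.0.2.1</Data>
    <Data Name="IpPort">$(1559 + $i)</Data>
  </EventData>
</Event>
"@
    ConvertFrom-Event4625 -Xml $xml -TimeCreated ($base.AddSeconds(7 * $i))
}

Get-FailureSummary -Failures $sample |
    Format-List Account, SourceIp, Workstation, LogonType, LogonProcess, CallerProcess, SubStatus, Count, MedianGapSeconds, FirstSeen, LastSeen
```

On the constructed sample this collapses to a single group whose MedianGapSeconds matches the asker's 7-second cadence. On a live DC, run `Get-LiveFailureSummary` and read the top rows: a single SourceIp with a tight MedianGapSeconds is the device to inspect (for the asker, the SonicWall's AD/LDAP or SSO settings and the stored Administrator credential), while many distinct SourceIp values against one account look like a spray rather than a stale saved password. Note that the event's own fields are the evidence; nothing here consults the Application log, which the reply above recommends checking in parallel.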