4 Replies Latest reply on Nov 16, 2015 11:04 AM by dowshirley

    Critical Account Logon Failure

    dowshirley

      Greetings,

       

      I came across a thread (https://thwack.solarwinds.com/thread/66209) that described a modified filter that would be good at catching someone trying to guess user passwords without locking accounts. I created a filter, and as a test I had one of the schema/domain/enterprise admins attempt a logon but purposely fat-finger the password. Nothing was caught. I'm a LEM newb, so is there a more experienced LEM-er (or is it LEM-ming?) who could check my filter below and let me know where I may have gone astray? I first built this with the UserLogonFailure.DestinationAccount events, but that wasn't catching anything, so I added the UserLogonFailure.SourceAccount events, but that didn't catch anything either.

       

      If this looks ok (<gasp> which I doubt), could there be an Audit Policy that is not turned on?

       

      Thanks!

        • Re: Critical Account Logon Failure
          nicole pauls

          Your filter will look for any username in any of those AD groups or the "Admin Accounts" user-defined group to appear as the SourceAccount or DestinationAccount of a UserLogonFailure event. It might not be pretty, but it should work.

           

          Logon failures are a tricky beast where you have to have agent/log capture presence on the endpoint people are logging on TO to get the full detail. Sometimes things will get pushed back to AD so coverage on the DCs is still important (and might catch it in some detail as well). Where was the person testing the logon failure? On a server with an agent or on their workstation?

           

          Next thing would be to make sure you're seeing Logon Failures at all from your infrastructure, especially DCs. It's possible the audit policy does need to be tweaked, so you can test with Logon Failures and/or check the audit policy directly. Make sure that the logon related audit policies are at least set to 'failure' so you'll catch failures.

           

          It's possible the way those account names are being logged in the failures you are catching isn't quite matching how the usernames appear in the groups, but that seems less likely than either the events aren't being generated or aren't being caught. You could also check the event logs directly on the system/DCs to see if any failures were generated (that would mostly tell you your LEM-side config needs love rather than your audit policy).

            • Re: Critical Account Logon Failure
              dowshirley

              Thanks for the feedback, Nicole; this has given me a few options to look into. I did manage to capture some logs with the filter last week. After thinking about it, they have a pleasant consequence. When a user logs into a machine using the local administrator account (yes, I know, whole 'nother can of worms), the machine then tries to hit the domain, which fails, thus lighting up the filter. So now I'm seeing those users that are making successful local administrator logins.

            • Re: Critical Account Logon Failure
              curtisi

              On your DC(s), open an Admin command prompt and try this command:

               

              auditpol /get /category:"Logon/Logoff"

               

              What are the results?  Are there LEM agents on your DC(s)?
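The two checks suggested in the replies above (is the audit policy actually auditing failures, and are failure events being generated for the privileged accounts at all) can be run together from an elevated PowerShell prompt on a DC. The script below is an added example written for this page; it is not from the thread, from SolarWinds, or from the LEM product. The privileged account names and the 24-hour window are placeholders to adjust, and it assumes the English-language auditpol output format.

```powershell
# Added example (not from the thread or from SolarWinds). Run in an elevated
# PowerShell session on a DC, or on any host that people log on TO.
# Part 1: confirm the audit subcategories behind logon failures audit Failure.
# Part 2: pull recent failure events for a list of privileged accounts.

$PrivilegedAccounts = @('administrator', 'da.shirley')   # assumed names; adjust
$Since = (Get-Date).AddHours(-24)                         # assumed window

# --- Part 1: audit policy -------------------------------------------------
# Subcategory                      -> event it produces, and where it lands
#   Logon                          -> 4625, on the machine being logged on to
#   Credential Validation          -> 4776, NTLM failures, on the DC
#   Kerberos Authentication Service-> 4771, Kerberos pre-auth failures, on the DC
$Needed = 'Logon', 'Credential Validation', 'Kerberos Authentication Service'

# Two separate calls; the comma in a single /category:a,b argument would be
# split into two arguments by PowerShell before auditpol ever saw it.
$PolicyText = @(auditpol /get /category:"Logon/Logoff") +
              @(auditpol /get /category:"Account Logon")
$Policy = @{}
foreach ($line in $PolicyText) {
    # Subcategory lines are indented; name and setting are separated by 2+ spaces
    if ($line -match '^\s+(\S.*?)\s{2,}(\S.*)$') { $Policy[$Matches[1]] = $Matches[2] }
}
foreach ($sub in $Needed) {
    $setting = $Policy[$sub]
    if ($setting -and $setting -match 'Failure') {
        Write-Host "[OK]      $sub : $setting"
    } else {
        Write-Host "[MISSING] $sub : '$setting'  <- failures will not be logged; enable with:"
        Write-Host "          auditpol /set /subcategory:`"$sub`" /failure:enable"
    }
}

# --- Part 2: are failures actually being generated for those accounts? ----
$Events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4625, 4771, 4776; StartTime = $Since
} -ErrorAction SilentlyContinue

$Hits = 0
foreach ($e in $Events) {
    # EventData fields are easiest to read from the event's XML form
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $user = $d['TargetUserName']
    if (-not $user) { continue }

    # A LEM group may hold 'user' or 'DOMAIN\user'; match on the bare name so a
    # format mismatch between group and event does not hide the failure.
    $bare = ($user -split '\\')[-1].ToLower()
    if ($PrivilegedAccounts -notcontains $bare) { continue }
    $Hits++

    # 4771/4776 carry no TargetDomainName; 4625 does, and for a local account it
    # equals the computer name (the local-admin case mentioned in the thread).
    $dom = if ($d['TargetDomainName']) { $d['TargetDomainName'] } else { '-' }
    $where = switch ($e.Id) {
        4625 { "4625 on $($e.MachineName) from $($d['IpAddress']) logon type $($d['LogonType']) substatus $($d['SubStatus'])" }
        4771 { "4771 (Kerberos pre-auth) from $($d['IpAddress']) status $($d['Status'])" }
        4776 { "4776 (NTLM) from workstation $($d['Workstation']) status $($d['Status'])" }
    }
    "{0:u}  {1}\{2}  {3}" -f $e.TimeCreated, $dom, $user, $where
}
if ($Hits -eq 0) {
    Write-Host "No failure events for the listed accounts since $Since on $env:COMPUTERNAME."
    Write-Host "If Part 1 is all [OK], test from a host that has a LEM agent, or check the"
    Write-Host "endpoint's own Security log: 4625 is written where the logon was attempted."
}
```

If Part 1 shows a subcategory as [MISSING], the DC will never write the event the LEM filter is waiting for, so fix the policy (or the GPO that sets it) before touching the filter. If Part 1 is fine and Part 2 shows hits on the DC that LEM does not, the problem is on the LEM side (agent presence, connector, or the account-name format the filter compares against), which is the split Nicole describes above. Kerberos status 0x18 and NTLM status 0xC000006A both mean a wrong password for a known account.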