Microsoft’s Windows Event Viewer shows a log of system and application messages. These messages include errors, warnings, and information about certain events that can be scrutinized by the administrator to help troubleshoot problems. Administrators and regular users can open the Event Viewer on a local or remote machine, assuming they are authorized to do so. To open on your local Windows machine, simply type “Event Viewer” into the search box at the bottom of the screen, and the option to open it should appear. Audit failures are typically generated when a logon request fails, although they can also be generated by changes to accounts, objects, policies, privileges, and other system events.
An audit policy defines the types of events that are recorded in the Security logs. Each company will be responsible for establishing its own audit policy, based on the threats they face, and their ability to mitigate them. However, Windows will recommend settings that can be used as a baseline for system administrators to work from. An effective audit policy will help admins identify potential security issues, monitor user activity, satisfy compliance requirements, and carry out forensic investigations following a security incident.
Audit Policy Categories
There are 9 audit policy categories and 50 audit policy subcategories in the Basic Audit Policy settings, which can be enabled or disabled accordingly. Audit policies generate events, which can be Success events, Failure events, or both. All audit policies will generate Success events; however, only a few of them will generate Failure events. Below is a list of the 9 audit policy categories;
- Audit account logon events
- Audit logon events
- Audit account management
- Audit directory service access
- Audit object access
- Audit policy change
- Audit privilege use
- Audit process tracking
- Audit system events
As mentioned previously, audit failures usually relate to failed logon attempts, and the two most common events are; Kerberos pre-authentication failed and An account failed to log on, which are described in more detail below.
Event ID 4771 for Kerberos pre-authentication failed
This event is only generated on domain controllers and is not generated if the “Do not require Kerberos preauthentication” option is set for the account. According to Microsoft’s website, “this event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT)”, which might occur if “the domain controller doesn’t have a certificate installed for smart card authentication, the user’s password has expired, or the wrong password was provided”. For more information about how to resolve this problem checkout the security monitoring recommendations for Event ID 4771 on Microsoft’s website.
Event ID 4625 for An account failed to log on
This event is generated when an account logon attempt failed, assuming the user was already locked out. This event will be generated on the device that was used for the logon attempt, in addition to any other relevant domain controllers and member servers. For more information about how to resolve this problem checkout the security monitoring recommendations for Event ID 4625 on Microsoft’s website.
Use the Advanced Audit Policy Configuration
There are two types of audit policies that you can configure; The Basic Audit Policy and the Advanced Audit Policy, which you can find in Security Settings\Advanced Audit Policy Configuration. There are 53 Advanced Audit Policy categories, as opposed to the 9 categories provided with the Basic Audit Policy settings. As such, it is generally recommended that you use the Advanced Audit Policy settings as they allow you to define a more granular audit policy and log only the events that are relevant to you. This is particularly helpful if you find yourself generating a large number of logs.
Alternatives to using Event Viewer
It’s worth noting that there are a number of third-party failed logon auditing solutions that will aggregate and correlate event data from a wide-range of sources, including any cloud-based services you use.
If you need to collect and analyze data from firewalls, Intrusion Prevention Systems (IPS), devices, applications, switches, routers, servers, and so on, then you would probably be better off with a SIEM solution.
However, most organizations are more interested in keeping track of user behavior, especially if their employees are accessing the network from remote locations. In which case a UBA (User Behavior Analytics) solution would be a better choice
These solutions will display a summary of all important events surrounding your privileged user accounts and sensitive data, via a centralized dashboard, and deliver real-time alerts to your inbox or mobile app.