
Monitoring Active Directory Login Failures & Account Lockouts

Keep abreast of failed login attempts and account lock-outs for the purpose of intrusion detection or timely user support.

DISCLAIMER: The information provided herein is intended as an example only. No representation is made as to its accuracy, completeness or suitability for a particular purpose or platform (see also the Winserver Wingman EULA). Please test your own implementation thoroughly in the specific environment within which it needs to function and ensure that it operates as required.

Tested On: Windows Server 2012 R2 Domain Controller (Active Directory Domain Services Role)

Local Policy Requirements

It is first necessary to ensure the relevant events will be written to a Domain Controller's event log. Open the Local Group Policy Editor on the server (via the gpedit.msc MMC snap-in) and browse to: Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy. Set the following audit policy settings:

  • Audit account management: Success
  • Audit logon events: Failure

For more information see the Microsoft TechNet articles: Maintaining & Monitoring Account Lockout, and Event IDs for Windows Server 2008 and Vista Revealed.

Task Configuration

A test primarily intended to audit possible intrusion attempts probably need only be run daily. To assist users who are having difficulty logging in (with a password reset or by revoking a lock-out) you will likely want to configure the task to run at a relatively high frequency.

If it is sufficient to treat both events the same in terms of test frequency and alert behaviour, a single task can check for either (illustrated below). Assigning different alert levels to the two events would require two tasks, one per event ID, because both events are logged at the same Information level.

Check for failed logins and account lockouts every 5 minutes.

Task Parameters

Task Type: Check the Event Logs

Frequency: 5 Minutes

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Level/IDs (on Server 2008+): 4625 (Login Failure) & 4740 (Account Lockout)

CAUTION On: (event) ...was posted since last checked.
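The same check, written as an added PowerShell example rather than a Winserver Wingman task (this is not the product's own code): it queries the Security log on the Domain Controller for 4625 and 4740 events raised in the last 5 minutes and summarises them per account so a single noisy source stands out. It assumes it is run on the DC by an account permitted to read the Security log; the 5-minute window matches the task frequency above.

```powershell
# Added example: poll the Security log for 4625 (login failure) and 4740
# (account lockout) events from the last $Minutes minutes, as the task above does.
# Assumption: run on the Domain Controller with rights to read the Security log.
param([int]$Minutes = 5)

$filter = @{
    LogName      = 'Security'
    ProviderName = 'Microsoft-Windows-Security-Auditing'
    Id           = 4625, 4740
    StartTime    = (Get-Date).AddMinutes(-$Minutes)
}

# Pull one named field out of the event's EventData section.
function Get-EventField {
    param([xml]$EventXml, [string]$Name)
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Get-WinEvent raises a non-terminating error when nothing matches; treat that as "no events".
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Output "No login failures or lockouts in the last $Minutes minutes."
    return
}

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        Kind      = if ($e.Id -eq 4740) { 'Lockout' } else { 'LoginFailure' }
        Account   = Get-EventField $x 'TargetUserName'
        # 4625 carries the client IP; 4740 records the caller computer name in TargetDomainName.
        Source    = if ($e.Id -eq 4740) { Get-EventField $x 'TargetDomainName' } else { Get-EventField $x 'IpAddress' }
        # 4625 only: the NTSTATUS sub-status distinguishes e.g. a bad password from an unknown user.
        SubStatus = if ($e.Id -eq 4625) { Get-EventField $x 'SubStatus' } else { $null }
    }
}

# One line per (kind, account): lockouts are listed before login failures,
# and within each kind the accounts with the most events come first.
$rows | Group-Object Kind, Account |
    Select-Object @{n='Kind';    e={ $_.Group[0].Kind }},
                  @{n='Account'; e={ $_.Group[0].Account }},
                  Count,
                  @{n='Sources'; e={ ($_.Group.Source | Sort-Object -Unique) -join ', ' }} |
    Sort-Object Kind, @{Expression='Count'; Descending=$true} |
    Format-Table -AutoSize
```

Scheduling this every 5 minutes with a persisted "last checked" timestamp in place of the fixed window gives the same "posted since last checked" semantics as the task's CAUTION condition.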


5 October 2015