You are on page 1of 21

Windows Log Monitoring

Best Practices for Security and Compliance

Table of Contents
Introduction ................................................................................................................................................... 3
Overview ....................................................................................................................................................... 4
Major Security Events and Policy Changes .................................................................................................. 6
Major Security Events and Policy Changes Active Directory and Member Server................................ 6
Active Directory and Member Server Compliance Events of Interest ........................................................... 8
Active Directory General Object Changes ................................................................................................ 8
Active Directory and Local Server Group Member Additions ................................................................... 9
Active Directory and Local Server Group Member Deletions ................................................................. 11
Active Directory and Local Users New or Enabled ................................................................................. 12
Active Directory and Local Users Deleted or Disabled ........................................................................... 13
Active Directory Group Policy Change .................................................................................................... 13
Active Directory Permission Changes ..................................................................................................... 15
Active Directory and Local User Account Lockouts and Password Resets ............................................ 16
Active Directory and Local Server Other Users, Groups and Computers Changes ............................ 17
Authentication and Logons Compliance Events of Interest ........................................................................ 19
Domain Account Authentication .............................................................................................................. 19
Domain Account Authentication Failure Analysis ................................................................................... 20
User Logons by Server Type .................................................................................................................. 21

Introduction
This document, and the accompanying document, SecureWorks Audit Policy Configuration, is designed
to provide you with greater insight into the Windows logs that need to be collected for security, as well as
compliance purposes and how to properly configure your Windows system to log this information. This
document is the result of extensive research into the generally accepted best practices for Windows log
monitoring performed in conjunction with SecureWorks team of Audit Experts and recognized Windows
expert Randy Smith, founder of the Monterey Technology Group and author of Ultimate Windows
Security.
The information contained throughout this document will provide you with event IDs and information
necessary for optimum Windows security and compliance. In addition to this document, SecureWorks has
also tuned our filters to capture the information outlined in this document and has created a suite of
reports for you to use to easily view your Windows events. Reports designated as daily should be
scheduled by your organization to be run daily for your Windows servers and be reviewed by a member
of your team. Reports designated as ad-hoc should be run or scheduled to be run by your organization for
periodic review by your team. The Portal also allows you to store the report and digitally sign it for audit
purposes. Each event grouping below is mapped to one of the following SecureWorks reports, which can
be accessed, ran and scheduled via the Monitoring section of the Report tab in the SecureWorks Client
Portal:

Major Security Events and Policy Changes Daily

Active Directory and Member Server Compliance Events Daily

Active Directory and Member Server Compliance Events Ad Hoc

Authentication and Logons Compliance Events of Interest Ad Hoc

Overview
Windows Event Group
Major Security Events
and Policy Changes
Active Directory and
Member Server

SecureWorks
Report Name

Frequency
of Review

517, 520, 601, 608, 609, 610,


Major Security
611, 612, 617, 620, 621, 622, Events and Policy
643
Changes Daily

Daily

565, 566

Active Directory
and Member
Server Compliance
Events - Daily

Daily

632,636,650,655,660,665

Active Directory
and Member
Server Compliance
Events - Daily

Daily

Active Directory and


Local Server Group
Member Deletions

633,637,651,656,661,666

Active Directory
and Member
Server Compliance
Events - Daily

Daily

Active Directory and


Local Users New or
Enabled

624,642,626

Active Directory
and Member
Server Compliance
Events - Daily

Daily

629,630,642

Active Directory
and Member
Server Compliance
Events - Daily

Daily

565,566

Active Directory
and Member
Server Compliance
Events - Daily

Daily

565,566,560

Active Directory
and Member
Server Compliance
Events - Daily

Daily

642, 644, 671, 627,628

Active Directory
and Member
Server Compliance
Events of Interest
Ad Hoc

Ad Hoc

642, 685, 635, 631, 658, 648,


653, 663, 641, 639, 659, 649,
654, 664, 638, 634, 662, 652,
657, 667, 668, 645,646, 647

Active Directory
and Member
Server
Compliance
Events Ad
Hoc

Ad Hoc

672

Authentication
and Logons
Compliance
Events of
Interest Ad
Hoc

Ad Hoc

Active Directory and


Local Server General
Object Changes
Active Directory and
Local Server Group
Member Additions

Active Directory and


Local Users Deleted or
Disabled

Active Directory Group


Policy Change

Active Directory and


Local Server Permission
Changes
Active Directory and
Local User Account
Lockouts and Password
Resets
Active Directory and
Local Server Other
Users, Groups and
Computers Changes

Domain Account
Authentication

Event Codes

Windows Log Group

Domain Account
Authentication Failure
Analysis

User Failed Logons by


Server Type

Event Codes

SecureWorks
Report Name

Frequency
of Review

672, 675, 676, 681

Authentication
and Logons
Compliance
Events of
Interest Ad
Hoc

Ad Hoc

529, 530, 531, 532, 533, 534,


535, 536, 537,539

Authentication
and Logons
Compliance
Events of
Interest Ad
Hoc

Ad Hoc

Major Security Events and Policy Changes

Major Security Events and Policy Changes Active Directory and


Member Server
Audit Policy Requirements
Category: Account Management, System Events, Privilege Use, Policy Change
Type: Success
Role: Member Servers and Domain Controllers
SecureWorks Report:
o Pre-Built Report Section: Monitoring
o Report Name: Major Security Events and Policy Changes Daily

Log Information to Aggregate


Computer

Computer

Event\Chan
ge

Eve
nt ID

Event\Change

Performed
By:

Performed
By

517

Security log cleared

Client
User
Name:\Cli
ent User
Domain:

520

System time changed

Client
User
Name:\Cli
ent User
Domain:

Previous Time:7:09:19 PM 8/5/2004


New Time:7:10:18 PM 8/5/2004
601

Attempt to install service

By:

Name: SNMPTRAP

User
Name: \
Domain:

Success/Failure
608

User Right Assigned


User Right: SeUndockPrivilege
Assigned To: Domain\User

Assigned
By:
User
Name: \
Domain:

609

User Right Removed


User Right: SeUndockPrivilege
Removed From: Domain\User

Assigned
By:
User
Name: \
Domain:

610

New Trusted Domain


Domain:

Establishe
d By:
User


Trust Type:

Name: \
Domain:

Translation guidance:
Field

Value

Display

directio
ns

1 - Trusted (the domain where this


event was logged accepts the identity
of users of the new domain)

2 - Trusting ( (the new domain accepts


the identity of users of the domain
where this event was logged)

3 - 2-way (mutual trust)

type

See:
http://msdn.microsoft.com/library/default.asp?url=/libra
ry/en-us/wmisdk/wmi/microsoft_domaintruststatus.asp
And: http://msdn2.microsoft.com/enus/library/system.directoryservices.activedirectory.trus
ttype.aspx

611

Trusted Domain Removed


Domain:

Establishe
d By:
User
Name: \
Domain:

620

Trusted Domain Information Modified


Domain:

Modified
By:
User
Name: \
Domain:

612

Audit Policy Changed

n/a

Server:Name\Domain

New Policy:
SuccessFailure
+ +Logon/Logoff
+ +Object Access
+ +Privilege Use
- -Account Management
+ +Policy Change
+ +System
- -Detailed Tracking
+ +Directory Service Access
+ +Account Logon
617

Kerberos Policy Changed

n/a


Domain:
Change:
--' means no changes, otherwise each change is shown as:
<ParameterName>: <new value> (<old value>))
KerOpts: 0x80 (none); KerMinT: 0x53d1ac1000 (none); KerMaxT:
0x53d1ac1000 (none); KerMaxR: 0x58028e44000 (none);
KerProxy: 0xb2d05e00 (none); KerLogoff: 0x9ef7800000000
(none);

621

System Security Access Granted

n/a

Account: Domain\User
Access: SeRemoteInteractiveLogonRight
622

System Security Access Removed

n/a

Account: Domain\User
Access: SeRemoteInteractiveLogonRight
643

Domain Policy Changed


Domain:

Changed
By:
User
Name: \
Domain:

Interpretation
Entries in this group indicate major changes to the security configuration of the indicated server or a high
security event such as the security log being cleared.

Recommended Usage and Response


The Major Security Events and Policy Changes Daily report should be generated for each server
administrator filtered on the servers under his/her care. Run daily for evidence of intrusions,
misconfigurations or unauthorized changes and review with signoff via digital signature through the portal,
email acknowledgement or physical signature. Signed reports should be archived. Verify that all entries
correspond to legitimate actions by authorized administrators.

Documentation
This group contains Event IDs: 517, 520, 601, 608, 609, 610, 611, 612, 617, 620, 621, 622 and 643.

Active Directory and Member Server Compliance Events of


Interest
Active Directory General Object Changes
Audit Policy Requirements


Category: Directory Service
Type: Success
Role: Domain Controllers (only DCs report 566 or 565)
SecureWorks Report:
o Pre-Built Report Section: Monitoring
o Report Name: Active Directory and Member Server Compliance Events - Daily

Log Information to Aggregate


Type

Operation

Object Type:
o

domainDNS = Domain

organizationalUnit = OU

groupPolicyContainer = GPO

Object Type

If present in description

Column contents

Any

WRITE_DAC

Changed permissions

Delete Tree

Deleted along with all


child objects

DELETE

Deleted

Write Property and gPList

GPO options or links


modified

Write Property and


gPOptions

GPO options or links


modified

Write Property and version

modified

organizationalUnit,
domainDNS or site

groupPolicyContainer
Changed by

[Caller Domain:]\[Caller User Name:]

Interpretation
This group documents changes made to AD objects.

Event Codes of Interest


565 and 566.

Recommended Report Review and Response


Run the Active Directory and Member Server Compliance Events-Daily report daily and as needed for
ad hoc research/analysis. Reports should be reviewed with signoff via digital signature through the portal,
email acknowledgement or physical signature. Signed reports should be archived.

Active Directory and Local Server Group Member Additions


Audit Policy Requirements
Category: Account Management
Type: Success
Role: Domain Controllers
SecureWorks Report:
o Pre-Built Report Section: Monitoring
o Report Name: Active Directory and Member Server Compliance Events - Daily


Log Information to Aggregate
Group domain

Target Domain

Group name

Target Account Name

Type

Security if Security Enabled in description or if event ID: 636, 632,


660
Distribution if Security Disabled in description or if event ID: 650,
655, 665

New Member

Member Name:

Added by

Caller Domain:\Caller User Name:

Interpretation
If groups Type is security, the New Member now has access to any objects where Group is granted
permissions and will receive email sent to Group. If Groups Type is distribution the New Member will
receive email sent to Group.
These logs document new members added to security and distribution groups in Active Directory and
Local Servers. AD and Local Server groups are increasingly being used as the basis for controlling
access to privileged information and transactions in databases and applications so AD and Local groups
and user activity is usually significant even in the unlikely scenario that no significant information is stored
on Windows file servers. Distribution groups are important to monitor since they are often used to deliver
confidential email.

Recommended Usage and Response


The Active Directory and Member Server Compliance Events-Daily report should be reviewed daily and
signoff via digital signature through the portal, email acknowledgement or physical signature. Signed
reports should be archived. Check for inappropriate or unauthorized group membership changes.

Documentation
There are 3 scopes of member groups. A groups scope limits where the group can be granted access
and who the group can have as members. These events are collected from domain controllers.
Scope

Explanation

Event ID
Security

Distribution

Domain Local

As a Domain Local group, Group is limited to objects in


the local domain. Membership in Group cannot result in
access to objects in other domains.

636

650

Global

As a Global group, Group may have access to objects in


local domain and any other trusting domain inside or
outside the forest. Membership in Group may result in
access to objects in other domains.

632

655

Universal

As a Universal group, Group may have access to


objects in local domain and any other trusting domain
inside or outside the forest. Membership in Group may
result in access to objects in other domains.

660

665


Active Directory and Local Server Group Member Deletions
Audit Policy Requirements
Category: Account Management
Type: Success
Role: Domain Controllers
SecureWorks Report:
o Pre-Built Report Section: Monitoring
o Report Name: Active Directory and Member Server Compliance Events - Daily

Log Information to Aggregate


Group domain

Target Domain

Group name

Target Account Name

Type

Security event ID: 637, 633, 661


Distribution event ID: 651, 656, 666

Scope

Domain Local, Global and Universal

Member

Member Name:

Deleted by

Caller Domain:\Caller User Name:

Interpretation
If groups Type is security, the Member no longer has access to any objects where Group is granted
permissions and will no longer receive email sent to Group. If Groups Type is distribution the New
Member will no longer receive email sent to Group.
These logs document members removed from security and distribution groups in Active Directory and
Local Servers. AD groups are increasingly being used as the basis for controlling access to privileged
information and transactions in databases and applications so AD and Local server groups and user
activity is usually significant even in the unlikely scenario that no significant information is stored on
Windows file servers. Distribution groups are important to monitor since they are often used to email
confidential email.

Recommended Usage and Response


The Active Directory and Member Server Compliance Events-Daily report should be reviewed daily and
signoff via digital signature through the portal, email acknowledgement or physical signature. Signed
reports should be archived. Provides documentation that group membership was revoked in connection
with job changes, etc.

Documentation
There are 3 scopes of groups. A groups scope limits where the group can be granted access and who
the group can have as members. These events are collected from domain controllers.
Scope

Explanation

Event ID
Security

Distribution

Domain Local

As a Domain Local group, Group is limited to objects in


the local domain. Membership in Group cannot result in
access to objects in other domains.

637

651

Global

As a Global group, Group may have access to objects in


local domain and any other trusting domain inside or
outside the forest. Membership in Group may result in

633

656


access to objects in other domains.
Universal

As a Universal group, Group may have access to


objects in local domain and any other trusting domain
inside or outside the forest. Membership in Group may
result in access to objects in other domains.

661

666

Active Directory and Local Users New or Enabled


Audit Policy Requirements
Category: Account Management
Type: Success
Role: Domain Controllers
SecureWorks Report:
o Pre-Built Report Section: Monitoring
o Report Name: Active Directory and Member Server Compliance Events - Daily

Log Information to Aggregate


Operation

Criteria
event ID 624
event ID 642
event ID 626

User
Account

Performed
by

Operation

User Account

New

New Account Domain:\New Account Name:

Enabled

Target Domain\Target Account Name:

Caller Domain:\Caller User Name:

Interpretation
This event group documents new AD and Local Member Server user accounts or users previously
disabled that are now enabled.

Recommended Usage and Response


The Active Directory and Member Server Compliance Events-Daily report should be reviewed daily and
signoff via digital signature through the portal, email acknowledgement or physical signature. Signed
reports should be archived.
Verify new user accounts correspond to new hires and check for accounts of terminated employees that
have been mistakenly enabled. Enabled user accounts except in connection with return from sabbatical
should be fairly infrequent; investigate.

Documentation
This group is based on event ID 626 and 624 in Windows 2003; 642 and 624 in Windows 2000.

Active Directory and Local Users Deleted or Disabled


Audit Policy Requirements
Category: Account Management
Type: Success
Role: Domain Controllers
SecureWorks Report:
o Pre-Built Report Section: Monitoring
o Report Name: Active Directory and Member Server Compliance Events - Daily

Log Information to Aggregate


Operation

Criteria

Operation

event ID 630

Deleted

642 where Account Disabled within description

Disabled

629
User Account

Target Account Name:\Target Domain:

Performed by

Caller Domain:\Caller User Name:

Interpretation
This event group documents AD and Local Member Server user account deletions or accounts previously
enabled that are now disabled.

Recommended Usage and Response


The Active Directory and Member Server Compliance Events-Daily report should be reviewed daily and
signoff via digital signature through the portal, email acknowledgement or physical signature. Signed
reports should be archived. This report provides documentation that account access was revoked in
connection with terminations, etc.

Documentation
This group is based on event ID 629 and 630 in Windows 2003; 642 and 630 in Windows 2000.

Active Directory Group Policy Change


Audit Policy Requirements
Category: Directory Service
Type: Success
Role: Domain Controllers
SecureWorks Report:
o Pre-Built Report Section: Monitoring
o Report Name: Active Directory and Member Server Compliance Events - Daily

Log Information to Aggregate


Type

Object Type:
o

domainDNS = Domain

organizationalUnit = OU

groupPolicyContainer = GPO

site = Site

Name

Case

Object Name

Operation

Operation

Object Name:

Group Policy links


or options changed

Object Name:

GPO modified

Object Name:

GPO permissions
modified

Object Name:

GPO deleted

Object Name:

GPO created

(Object Type: is organizationalUnit or domainDNS or site)


and (Properties: includes gPList or gPOptions)
and (Accesses: includes Write Property)

Object Type: is groupPolicyContainer


and (Properties: includes version)
and (Accesses: includes Write Property)

Object Type: is groupPolicyContainer


and Accesses: includes WRITE_DAC

Object Type: is groupPolicyContainer


And (Accesses: includes DELETE)

Object Type: is container


and (Accesses: includes Create Child)
and Properties: includes groupPolicyContainer

Changed by

Caller Domain:\Caller User Name:

Interpretation
This event group documents all group policy related changes:
New, Changed and Deleted GPOs
Changes to the Group Policy properties tab of Sites, Domains and Organizational Units

Recommended Usage and Response


The Active Directory and Member Server Compliance Events-Daily report should be reviewed daily and
signoff via digital signature through the portal, email acknowledgement or physical signature. Signed
reports should be archived.


Check for inappropriate or unauthorized group policy changes. Mistaken modifications to group policy
can impact thousands of users and computers. Change control and change audit trail are crucial to
limiting group policy risk. Changes to group policy objects can also adversely reconfigure security
settings or policies opening the organization to intrusion or system abuse.

Documentation
This group is based on event IDs 566 and 565.

Active Directory Permission Changes


Audit Policy Requirements
Category: Directory Service
Type: Success
Role: Domain Controllers
SecureWorks Report:
o Pre-Built Report Section: Monitoring
o Report Name: Active Directory and Member Server Compliance Events - Daily

Log Information to Aggregate


Note

Enable auditing at root of domain for Everyone, All objects,


Success, Change Permissions. This is already the default on
Windows 2000 DCs but not on Windows 2003 DCs.

Domain

Convert DC= components of Object Name: to DNS equivalent.


DC=acme,DC=com becomes acme.com

Type

Object Type:
domainDNS = Domain
organizationalUnit = OU
groupPolicyContainer = GPO
otherwise use actual value

Operation

Object Name

Name
Changed by

Caller Domain:\Caller User Name:

Interpretation
This group documents changes to permissions on objects in Active Directory. Permission changes are
usually the result of delegating administrative authority. Active Directory does not report the content of
the changes only that the change occurred.

Recommended Usage and Response


The Active Directory and Member Server Compliance Events-Daily report should be reviewed daily and
signoff via digital signature through the portal, email acknowledgement or physical signature. Signed
reports should be archived.
Check for inappropriate delegation of authority. Delegation of control is important in AD in order to follow
least privilege but could result in inappropriate authority being granted if not executed properly. Since


Active Directory does not report the content of the changes only that the change occurred you must
review the ACLs of the affected objects.

Documentation
This group is based on event ID 560, 565 and 566.

Active Directory and Local User Account Lockouts and Password


Resets
Audit Policy Requirements
Category: Account Management
Type: Success
Role: Domain Controllers
SecureWorks Report:
o Pre-Built Report Section: Monitoring
o Report Name: Active Directory and Member Server Compliance Events Ad Hoc

Log Information to Aggregate


Operation

Operation

OS

Criteria

Locked

2000

event ID 644

2003
Unlocked

Password
Reset

2000

642 where unlocked within description

2003

671

2000

627 where Target different than Caller

2003

628

User Account

Target Account ID:

Performed by

Caller Domain:\Caller User Name:


n/a for 644

Interpretation
This group documents AD and Local Member Server account lockouts, subsequent unlocks and
password resets by an administrator or someone delegated that authority.

Recommended Usage and Response


Run the Active Directory and Member Server Compliance EventsAd Hoc report periodically and as
needed. Verify password resets correspond to authentic calls to the help desk by user whos forgotten
his password. Verify account unlock and password reset requests are properly authenticated by help
desk.
Having authority to reset passwords allows the holder to impersonate other users. Periodically auditing
password resets provides a deterrent control.

Documentation
This group is based on event ID 642, 644, 671, 627 and 628.

Active Directory and Local Server Other Users, Groups and


Computers Changes
Audit Policy Requirements
Category: Account Management
Type: Success
Role: Domain controllers. Recognize DCs where Target Name: does not equal Computer
SecureWorks Report:
o Pre-Built Report Section: Monitoring
o Report Name: Active Directory and Member Server Compliance Events Ad Hoc

Log Information to Aggregate


Object Type

Operation

Column Definition

Selection Criteria

User

For user
changes its
important to
distinguish
whether 624 is
from a 2000 or
2003 computer.
Since many
642s in 2003 are
redundant
because of other
specific event
IDs. To
determine OS
version:
Windows
2000:
Changed
Attributes
will not be
present in
description
Windows
2003:
Changed
Attributes is
present in
description

General
change

On Windows 2000
642 - First insertion string from
description. Some account changes
generate 642 with first insertion string
empty. In such cases display Not
specified
On Windows 2003
MS removed the first insertion string
and replaced with Changed Attributes.
Display attribute name/value pairs for
which there is a value
For example, for the example event
below you would display:
Password Last Set: 8/1/2006 12:15:10
PM
Some account changes generate 642
where no attributes are listed as
changed. In such cases display Not
specified
Example event:
Event Type: Success Audit
Event Source:
Security
Event Category:
Account
Management
Event ID:
642
Date:
8/1/2006
Time:
12:15:10 PM
User:
S3DGROUP\radmin
Computer:
A4
Description:
User Account Changed:
Target Account Name:

Event ID 642
To determine OS version:
Windows 2000: Changed
Attributes will not be
present in description
Windows 2003: Changed
Attributes is present in
description
First check if 642 matches
criteria for one of the other
operations in this table. If so
its a specific change not a
general change.
Windows logs multiple 642s
sometimes in relation to one
operation from the point of
view of the administrator.
Windows logs multiple 642s
in conjunction with new user
accounts (624).
Windows also logs 642s that
are redundant because of
event IDs that document
specific actions such as
password resets,
enabling/disabling accounts,
etc.


gthomas
Target Domain:
S3DGROUP
Target Account ID:
S3DGROUP\gthomas
Caller User Name:
radmin
Caller Domain:
S3DGROUP
Caller Logon ID:
(0x0,0x34495)
Privileges: Changed Attributes:
Sam Account Name: Display Name:
User Principal Name:
Home Directory:
Home Drive: Script Path:
Profile Path:
User Workstations:
Password Last Set:
8/1/2006 12:15:10 PM
Account Expires: Primary Group ID: AllowedToDelegateTo:
Old UAC Value:
New UAC Value:
User Account Control:
User Parameters: Sid History:
Logon Hours:
-

Group

Renamed

From: [Old Account Name:


[New Account Name:]

] To:

685

Created

Created

635, 631, 658, 648, 653, 663

Changed

Changed

641, 639, 659, 649, 654, 664

Sam Account Name:Sid History:Deleted

Deleted

638, 634, 662, 652, 657, 667

Group Type
Changed

Group Type Changed From:


[Security/Distribution] To:
[Local/Global/Universal]

668

Security if Security Enabled in


description
Distribution if Security Disabled in
description
Computer

Created

Created

645

Changed

See General Change column


definition for User

646


Deleted

Deleted

647

Other Information
Domain

[Target Account Domain:]

Object

[Target Account Domain:]\ [Target Account Name:]

Type:

Use Object Type column in table above

Performed by

[Caller Domain:]\[Caller User Name:]


n/a for Account Locked operations 644

Interpretation
This group documents all other changes to users, groups and computers including new and deleted
objects. Sometimes Windows fails to report exactly what was changed which is reflected by Not
specified.
Recommended Usage and Response
Run the Active Directory and Member Server Compliance EventsAd Hoc report periodically and as
needed. Provide as needed to IT Audit to demonstrate compliance with account management
procedures.
Documentation
This group is based on event ID 642, 685, 635, 631, 658, 648, 653, 663, 641, 639, 659, 649, 654, 664,
638, 634, 662, 652, 657, 667, 668, 645,646 and 647.

Authentication and Logons Compliance Events of Interest

Domain Account Authentication


Audit Policy Requirements
Category: Account Logon
Type: Success
Role: Domain Controllers
SecureWorks Report:
o Pre-Built Report Section: Monitoring
o Report Name: Authentication and Logons Compliance Events of Interest Ad Hoc

Log Information to Aggregate


Authentication Type

Authentication Type: (success)


672 = Kerberos TGT,

Account

Domain:\User Name:

Server

Event 672: Computer.

Interpretation


This group documents all authentications to domain controllers by users. Note that whenever such a user
logs onto their own workstation or member server, this will generate a Network logon to a DC since the
users workstation must access the domain controller under the users credentials to apply Group
Policy\User Configuration.

Recommended Usage and Response


Run the Active Directory and Member Server Compliance EventsAd Hoc report periodically and as
needed.

Documentation
This group is based on event ID 672.

Domain Account Authentication Failure Analysis


Audit Policy Requirements
Category: Account Logon
Type: Failure
Role: Domain Controllers
SecureWorks Report:
o Pre-Built Report Section: Monitoring
o Report Name: Authentication and Logons Compliance Events of Interest Ad Hoc

Log Information to Aggregate


Account

Domain:\User Name:

Reason

See http://ultimatewindowssecurity.com/kerberrors.html for Kerberos


errors
See http://ultimatewindowssecurity.com/ntlmerrors.html for NTLM
errors

Domain Controller

Computer name from event header

Workstation

Event 681: Workstation: or Worktation Name:


Event 672, 675,676: Client Address:

Authentication Protocol

Event 681: NTLM


Event 672, 675,676: Kerberos

Interpretation
This group documents all authentication failures to domain controllers by users. Note that whenever such
a user logs onto their own workstation or member server, this will generate a Network logon to a DC since
the users workstation must access the domain controller under the users credentials to apply Group
Policy\User Configuration.

Recommended Usage and Response


Run the Active Directory and Member Server Compliance EventsAd Hoc report periodically and as
needed.


Documentation
This group is based on event ID 672, 675, 676 and 681.

User Logons by Server Type


Category: Logon/Logoff
Type: Failure
Role: Servers
SecureWorks Report:
o Pre-Built Report Section: Monitoring
o Report Name: Authentication and Logons Compliance Events of Interest Ad Hoc

Log Information to Aggregate


Logon Type

Logon Type: %4
See http://ultimatewindowssecurity.com/logontypes.html for
translation

Domain:\User Name

User Name: %1 Domain: %2

Server

Computer.

Process

Logon Process

ID

Logon ID (optional)

Success/Failure

EventType from header


If failure, fill in failure reason based on event ID

Interpretation
This group documents all logons to monitored servers.

Recommended Usage and Response


Run the Active Directory and Member Server Compliance EventsAd Hoc report periodically and as
needed.

Documentation
This group is based on event ID 529 through 540, excluding 538.