Monday, March 15, 2010

I hate Microsoft Event Logs!

I have written some impressive python scripts in my day, but if I ever get this one figured out I will be the king of scripting. Possibly even the king of all things Microsoft. I'm trying to generate a simple report of failed logon attempts by source so that I hopefully detect when someone is trying to break into something using a dictionary attack. It is difficult to defend something when you cant detect attacks.

So this should be pretty straightforward, but it turns out that it isn't. I looked up the event code for failed logon attempts: 529. OK, so now I just search for all the 529 events in the log files. Wow, there are a lot. But since I like to test things out a bit before I get too far into a project, I ran over to a workstation and tried to log in with a fake user account. That should generate a 529 error, right? MSWinEventLog 0 Security 40398013 Mon Mar 15 13:19:27 2010 672 Security SYSTEM User Failure Audit SERVER Account Logon Authentication Ticket Request: User Name: Bigpooper Supplied Realm Name: DOMAIN User ID: - Service Name: krbtgt/DOMAIN Service ID: - Ticket Options: 0x40810010 Result Code: 0x6 Ticket Encryption Type: - Pre-Authentication Type: - Client Address: workstation_ip Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: 40383305

Weird. I'm getting a 672 error instead of a 529. According to this document If the username and password are correct and the user account passes status and restriction checks, the DC grants the TGT and logs event ID 672. So the code 672 indicates that Bigpooper logged on successfully, but the message in the event log indicates that he did not. And error 529 is nowhere to be found. Which begs the question, what do all the 529 errors in my log files really mean then? I did some reading and saw that 529 errors might mean that someone tried to log into the local workstation improperly. Still despite my best efforts, I have not been able to force a 529 error.

Obviously I need to keep track of both of these error codes. The thing that is irritating me is that it seems like there are dozens of different codes for failed logon attempts. Sometimes a single event will result in multiple entries with different codes. Other times an event is pretty straightforward.

Anyway, there is a lot of guidance out there on how to audit failed logon events out there on the Internet. It pays to take a moment to test out the information that you're given before you write scripts that report incorrect or incomplete information to you. After all, the only thing worse that no information is incorrect information.


Miha said...

Please let us know how this turns out. I've never really took the time to investigate these events, but have used:

in the past to get an overview (makes me wonder how accurate it was now).

Miha said...

I just remembered, if you have any recommendations, links as to how auditing should be configured for Domain Controllers I'd greatlly appreciate this.

I've just started a new job and nothing but success auditing is enabled on DC's...not really what one would desire.

Anonymous said...

Logs tend to be somewhat platform specific.

I've found 'The Windows Server 2003 Security Log revealed' by Randy Franklin Smith to be invaluable. Also check his web site 'Ultimate Windows Security' which has much of the same info on-line.

Event 672 is related to Kerberos, only says that an authentication ticket has been granted (though this is one of the entries that is platform dependent). It typically appears on initial login, and is logged on the domain server

529 relates to interactive logon. It's logged locally on the client!

Anonymous said...

... and 681 is a Windows 2000 event.

Black Fist said...

@anonymous So a 529 means that the user tried to log on directly to the server I am finding it on (which is a domain controller). OK, my guess is that these 529 events are misconfigured machines trying to access a share on a domain controller.

A. Thulin said...

(I posted the previous anonymous entries)

From my understanding, 529 is a failed interactive logon to a computer: the user typically mistyped his password at the standard login screen.
(See 'logon type' field. Logon type 2 is interactive, 3 is network login (file servers), 10 is remote desktop/terminal service, 7 is screensaver unlock -- though not always -- depends on the screensaver, I think, etc.)

Next question is: local account or domain account? I know it's logged for local accounts -- I see it in my own laptop logs. I suspect it also appears for logins to a domain, but I would like to verify that in some way. This event is logged on the computer where the login screen was shown (I'm fairly certain). If it appears in a server log, with login type 2, I'd say it's a physical console login

If it does appear for domain logins, the login attempt is preceded by kerberos-related log entries, such as 672, 673 and perhaps others, as part of domain login.

I agree with you about MS event logs -- you have to collect them from all over the place before you can analyze things well. And then you have to know what system produced the logs: On Windows 2003, the 681 event was dropped, for instance, and replaced with a 680 with type = failure.

The book I mentioned documents a lot of this weirdness.

Haven't looked at 2008 myself yet, but I expect it's the same there.