Detections
Analytics

1.1.1.2.2.2 Set 'Audit account logon events' to 'Success, Failure'

Information

This policy setting determines whether to audit each instance of a user who logs on to or off from another computer that validates the account. Authentication of a domain user account on a domain controller generates an account logon event that is logged in the domain controller's Security log. Authentication of a local user on a local computer generates a logon event that is logged in the local Security log. No account logoff events are logged. The following table includes the important security events that this policy setting logs in the Security log. These event IDs can be useful when you want to create custom alerts to monitor any software suite, such as Microsoft Operations Manager (MOM). Table 4.3 Account Logon Events Event ID Event description 672 An authentication service (AS) ticket was successfully issued and validated. In Windows Server 2003 with SP1, the type of this event will be Success Audit for successful requests or Failure Audit for failed requests. 673 A ticket granting service (TGS) ticket was granted. A TGS is a ticket that is issued by the Kerberos version 5 TGS that allows a user to authenticate to a specific service in the domain. Windows Server 2003 with SP1 will log successes and failures for this event type. 674 A security principal renewed an AS ticket or a TGS ticket. 675 Pre-authentication failed. This event is generated on a Key Distribution Center (KDC) when a user enters an incorrect password. 676 Authentication ticket request failed. This event is not generated by Windows Server 2003 with SP1. Other Windows versions use this event to indicate an authentication failure that was not due to incorrect credentials. 677 A TGS ticket was not granted. This event is not generated by Windows Server 2003 with SP1, which uses a failure audit event with ID 672 for this case. 678 An account was successfully mapped to a domain account. 681 Logon failure. A domain account logon was attempted. This event is only generated by domain controllers. 682 A user has reconnected to a disconnected Terminal Server session. 683 A user disconnected a Terminal Server session but did not log off. If audit settings are not configured, it can be difficult or impossible to determine what occurred during a security incident. However, if audit settings are configured so that events are generated for all activities the Security log will be filled with data and hard to use. Also, you can use a large amount of data storage as well as adversely affect overall computer performance if you configure audit settings for a large number of objects. If failure auditing is used and the Audit: Shut down system immediately if unable to log security audits setting in the Security Options section of Group Policy is enabled, an attacker could generate millions of failure events such as logon failures in order to fill the Security log and force the computer to shut down, creating a Denial of Service. If security logs are allowed to be overwritten, an attacker can overwrite part or all of their activity by generating large numbers of events so that the evidence of their intrusion is overwritten.

Solution

To implement the recommended configuration state, set the following Group Policy setting to Success, Failure.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account logon events

Impact- If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities.

See Also

https://workbench.cisecurity.org/files/42

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12, CCE|CCE-3321-7

Plugin: Windows

Control ID: 9926267c09f338e4c362369e490b27b4c579137b4970a5a326518dfbf70da719