Monitoring Failed Logon Attempts

I want to be more diligent about monitoring for failed logons that result from bad passwords. Which events do I need to look for on domain controllers (DCs)? Do I need to monitor each DC and member server? How can I automatically receive this information in a daily report?

To be thorough, you must monitor each DC and member server. A DC's Security log is the only place in which you can find information about the logons that the DC handled. Check all DC Security logs for event ID 675 with failure code 24 and event ID 681 with error code 3221225578 to learn about all attempts to authenticate using a domain account and bad password. You must also monitor member servers because attackers can use local accounts on each server's SAM to try to gain access. On member servers, look for event ID 529.

To receive a report of events automatically, you can download Jesper Lauritsen's free ELDump tool from http://www.ibt.ku.dk/jesper/eldump/default.htm. ELDump is a flexible tool that lets you sort events according to your criteria. The following command produces a list of event ID 529 instances that occurred in the past 24 hours on server1:

eldump -l security -e 529 -O dts -m Security  -A 24 —s \server1 -M

Note that ELDump's parameters are case sensitive. As Figure 1 shows, the output format I specified reports only the time and insertion string from the event's description. If you want to see the entire message text, run the same command without the —M parameter. To learn more about customizing ELDump's output, type

eldump /?

Unfortunately, ELDump can't filter events by insertion strings, so you must use the Findstr command to search output event ID 675 instances for a failure code of 24 and search output event ID 681 instances for a 3221225578 error code. Web Listing 1 (http://www.winnetmag.com, InstantDoc ID 25968) shows a batch file that produces a text file with the relevant events for DC1 and server1. You can download Web Listing 1, then modify the file (i.e., replace DC1 and server1 with the appropriate system names from your environment) for use on all your computers. Schedule the batch file to run each morning, then create a shortcut to badlogons.txt and check that file each day to stay on top of failed logon attempts. To learn more about failed logon attempts, see "Audit Account Logon Events," March 2001, InstantDoc ID 19677.