Question: Unable to enable Audit Failed Logins

Oct 29, 2015
This has got me a bit stumped at the moment.
I have a user that is getting locked out; I've traced it back to the failed login attempt threshold getting hit. Whatever is causing this is still actively trying to gain access to this account.
I've downloaded the lockout tool and unlocked the account only to watch the failed attempts quickly reach the threshold.
In my head I'm thinking the simplest way to figure this out is to check the security log; unfortunately this DC wasn't set to audit failed attempts. Now when I try to enable this (by going under Local Security Policy\Security Settings\Local Policy\Audit Policy\Audit account logon events), the check boxes for "audit these attempts" are currently greyed out with Success as the only one checked off.
There is a message further down that states "This setting might not be enforced if other policy is configured to override category level audit policy". So I'm not sure if this means something else on this server is controlling this or blocking me from changing this.
So far I can't find much on what to do if the option is greyed out, so any advice would be great.
Running SBS on Windows Server 2008 R2, set to be the DC and running Exchange 2007.
 
Oct 29, 2015
Thanks again mxnerd! But I'd just located the info on a different site; here is where I needed to go:
1. On the DC, Group Policy Management | Forest | Domains | domain.com.

2. On the right hand side, right-click DEFAULT DOMAIN POLICY GPO and click EDIT.

3. Group Policy Management Editor opens up.

4. Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Audit Policy

5. Select Audit Object Access.

6. Enable DEFINE THESE POLICY SETTINGS and Enable SUCCESS and FAILURE.
 

mxnerd

Your find is probably a better answer. The user was trying to log in to a domain, not to the domain controller server itself.
 
Oct 29, 2015
It's raised some new ones for me and I'll probably end up going to the site and trying to do some onsite investigating. Right now all of the failures for this account are from a workstation named MSTSC.
Is there a simple way to tell if this is from an outside source?
 
Oct 29, 2015
There are remote workers but none of them would use this account, aside from myself. But with the account locking, I'm signed in on the admin account.
If I refresh the lockout tool while watching this account it looks like there is a login attempt every 1-2 seconds.
*I'm basing this off of the Bad Pwd Count in the lockout tool; I can't really tell in Event Viewer as there are a lot of random login failures at the moment.
 
Oct 29, 2015
Ok, I've been picking away at trying this stuff out and I've got Netwrix Account Lockout Examiner Console running on there now.
But I've run into a little bit of a hiccup: in the audit status for Netwrix I get the following message:
"Logon auditing is disabled, some functionality will be unavailable for this DC. Please turn on auditing of invalid logons in audit policy settings for this DC"
I thought I had enabled the success and failure audit already, or is this referring to something else? I saw in the topic you'd posted, mxnerd, that this is enabled through Advanced Audit Policy Configuration, but this doesn't show in the Group Policy Manager or the Local Security Policy. Am I missing something here?

On the plus side, there is still the occasional failed login but nowhere near the amount of attempts as there was from last Friday. The details show the logon process was NtLmSsp, Event ID 4625, NULL SID, Unknown user name or bad password.
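The following is an added example, not something posted in this thread or shipped with Netwrix, covering both the GPO steps above and the later question about Advanced Audit Policy and the 4625 events. It assumes an elevated PowerShell session on the DC and uses a placeholder account name (`LOCKEDOUT_USER`) that you would replace with the real sAMAccountName; the subcategory names and event field names are the standard Windows ones, everything else is assumed.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the DC.
# $Account is a placeholder for the locked-out sAMAccountName.
param([string]$Account = 'LOCKEDOUT_USER', [int]$Hours = 24)

# 1. Effective audit settings. An Advanced Audit Policy subcategory overrides
#    the legacy category-level setting, which is why Local Security Policy warns
#    that its checkbox "might not be enforced" and shows it greyed out.
auditpol /get /subcategory:"Logon"
auditpol /get /subcategory:"Credential Validation"
# To turn on failure auditing directly on this DC (the GPO route in the thread
# does the same thing domain-wide), uncomment:
# auditpol /set /subcategory:"Logon" /failure:enable
# auditpol /set /subcategory:"Credential Validation" /failure:enable

# Flatten an event's <EventData> into a hashtable keyed by field name.
function Get-EventFields($event) {
    $fields = @{ Time = $event.TimeCreated }
    $xml = [xml]$event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

$since = (Get-Date).AddHours(-$Hours)

# 2. Failed logons (4625) for the account, grouped by where they came from.
#    WorkstationName is supplied by the client and can be anything (e.g. "MSTSC"),
#    so pivot on IpAddress and LogonType as well (3 = network, 10 = RDP).
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventFields $_ } |
    Where-Object { $_.TargetUserName -eq $Account } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Workstation = $_.WorkstationName
            IpAddress   = $_.IpAddress
            LogonType   = $_.LogonType
            AuthPackage = $_.AuthenticationPackageName   # NTLM vs Kerberos
            SubStatus   = $_.SubStatus   # 0xc000006a bad password, 0xc0000234 locked out
        }
    } |
    Group-Object Workstation, IpAddress, LogonType, AuthPackage, SubStatus |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 3. Lockout events (4740): TargetDomainName holds the caller computer name,
#    i.e. the machine that submitted the bad password that tripped the threshold.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventFields $_ } |
    Where-Object { $_.TargetUserName -eq $Account } |
    ForEach-Object { "{0}  locked out, caller computer: {1}" -f $_.Time, $_.TargetDomainName }
```

If step 1 shows "No Auditing" for failures even though the GPO was edited, the subcategory setting is what the DC is actually enforcing, which matches the Netwrix message about logon auditing being disabled.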