Thursday, 27 March 2014

Event ID 4625 An account failed to log on

Description:

    In this article, I am going to explain the local computer logon failure event 4625. This event is logged whenever a user tries to log on with bad or wrong credentials, and it is written on the computer where the logon was attempted (a failed logon to a file server shows up on that server, not on the client). Here we will discuss how to enable event 4625 through Local Security Policy and the Auditpol command on a local computer, and how to enable event 4625 in an Active Directory domain environment via a Group Policy Object. We will also discuss how to stop or disable event 4625 when you do not want logon failure activity to be audited.

This event is controlled by the Logon/Logoff category (policy name: Audit logon events) in the audit policy settings; in Advanced Audit Policy Configuration the relevant subcategory is Logon. Other important events controlled by this audit policy setting are 4624, 4648, 4634 and 4672.

Refer to the article Tracking User Logon Activity using Logon and Logoff Events to learn how to track a user's logon duration from the logon event 4624 and the logoff event 4634.

Summary:


Event ID 4625 Sample Source:

Description: An account failed to log on.

Subject:
       Security ID: SYSTEM
       Account Name: MyPC$
       Account Domain: TestDomain
       Logon ID: 0x0
Logon Type: 
Account For Which Logon Failed:
       Security ID: S-1-5-21-822115511-2935354860-794628881-514
       Account Name: Ltest
       Account Domain: TestDomain
Failure Information:
       Failure Reason: Unknown user name or bad password.
       Status: 0xc000006d
       Sub Status: 0xc0000064
Process Information:
       Caller Process ID:       0x0
       Caller Process Name:       -
Network Information:
       Workstation Name: MyPC
       Source Network Address: 192.178.87.231
       Source Port: 
Detailed Authentication Information:
       Logon Process:              NtLmSsp
       Authentication Package:       NTLM
       Transited Services:       -
       Package Name (NTLM only):       -
       Key Length:              0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
       - Transited services indicate which intermediate services have participated in this logon request.
       - Package name indicates which sub-protocol was used among the NTLM protocols.
       - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
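The fields above are easiest to work with when the event is read as XML rather than as the rendered message. The following PowerShell script is an added example (it is not part of the original post): it parses a 4625 event into the triage fields, decodes the Logon Type and the NTSTATUS Sub Status into plain English, and then groups live events by source address to flag one address trying many account names, which is the password-spraying pattern. The sub-status table covers more codes than the single 0xc0000064 shown above. The sample event is constructed to mirror the event text on this page; reading the live Security log needs an elevated prompt.

```powershell
# Added example, not from the original post. Parses Security event 4625 XML.
# Logon types and NTSTATUS sub-status codes below are the documented Windows values.
$LogonTypes = @{
    '2'  = 'Interactive';  '3' = 'Network';        '4'  = 'Batch'
    '5'  = 'Service';      '7' = 'Unlock';         '8'  = 'NetworkCleartext'
    '9'  = 'NewCredentials'; '10' = 'RemoteInteractive'; '11' = 'CachedInteractive'
}
$FailureCodes = @{
    '0xc0000064' = 'User name does not exist'
    '0xc000006a' = 'Wrong password'
    '0xc000006d' = 'Bad user name or password'
    '0xc000006e' = 'Account restriction (e.g. blank password not allowed)'
    '0xc000006f' = 'Logon outside permitted hours'
    '0xc0000070' = 'Workstation restriction'
    '0xc0000071' = 'Password expired'
    '0xc0000072' = 'Account disabled'
    '0xc0000133' = 'Clock skew too great'
    '0xc000015b' = 'Logon type not granted to this account'
    '0xc0000193' = 'Account expired'
    '0xc0000224' = 'Password must change at next logon'
    '0xc0000234' = 'Account locked out'
}

function ConvertFrom-Event4625 {
    param([Parameter(Mandatory)][xml]$EventXml)
    # EventData is a flat list of <Data Name="...">value</Data> elements
    $d = @{}
    foreach ($n in $EventXml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # Sub Status carries the precise reason; fall back to Status when it is 0x0
    $sub = "$($d['SubStatus'])".ToLower()
    $key = if ($sub -and $sub -ne '0x0') { $sub } else { "$($d['Status'])".ToLower() }
    [pscustomobject]@{
        Time        = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
        TargetUser  = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        LogonType   = $LogonTypes[$d['LogonType']]
        Reason      = if ($FailureCodes.ContainsKey($key)) { $FailureCodes[$key] } else { "Unknown ($key)" }
        SourceIP    = $d['IpAddress']
        Workstation = $d['WorkstationName']
        AuthPackage = $d['AuthenticationPackageName']
        CallerProc  = $d['ProcessName']
    }
}

# Constructed sample (not a real capture), modelled on the event text above.
$Sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4625</EventID>
    <TimeCreated SystemTime="2014-03-27T09:12:44.1234567Z"/>
    <Computer>MyPC</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">MyPC$</Data>
    <Data Name="SubjectDomainName">TestDomain</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-5-21-822115511-2935354860-794628881-514</Data>
    <Data Name="TargetUserName">Ltest</Data>
    <Data Name="TargetDomainName">TestDomain</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">MyPC</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">192.178.87.231</Data>
    <Data Name="IpPort">0</Data>
  </EventData>
</Event>
'@
ConvertFrom-Event4625 $Sample | Format-List

# Live Security log: one source address trying many different account names
# in a short window is the password-spraying pattern worth alerting on.
function Get-Noisy4625Sources {
    param([int]$Hours = 24, [int]$MinAccounts = 5)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-Event4625 ([xml]$_.ToXml()) } |
        Group-Object SourceIP |
        ForEach-Object {
            $users = @($_.Group.TargetUser | Sort-Object -Unique).Count
            if ($users -ge $MinAccounts) {
                [pscustomobject]@{ SourceIP = $_.Name; Attempts = $_.Count; DistinctAccounts = $users }
            }
        } | Sort-Object Attempts -Descending
}
Get-Noisy4625Sources
```

Get-WinEvent -FilterHashtable is much faster than Get-EventLog here because the filter is applied by the event log service instead of in PowerShell. The Sub Status is the field to key detection logic on: a burst of 0xc0000064 (unknown user) from one address is enumeration, while 0xc000006a (wrong password) against many real accounts is spraying, and 0xc0000234 tells you the lockout policy has already fired.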

Enable event 4625 via Local Security Policy

Steps to enable event 4625 through Local Security Policy:

1. Run the command secpol.msc to open Local Security Policy.


2. In Local Security Policy console, go to the node Audit Policy (Security Settings -> Local Policies-> Audit Policy).


3. In right side pane, double-click the policy Audit logon events.

4. Now tick the Failure checkbox and click Apply to start logging logon failure event 4625.



Now you have successfully configured the audit setting to log event 4625 on the local computer. Note that on a domain-joined computer an audit setting delivered by Group Policy overrides whatever you set in Local Security Policy. If you are working in an Active Directory domain environment and want to configure this setting on all the computers in the domain, you need to apply the audit setting through a Group Policy Object.

How to enable event 4625 through Group Policy

Steps to enable event 4625 through GPO:

1. Open Group Policy Management Console by running the command gpmc.msc

2. Expand the domain node, then right-click the Default Domain Policy and click Edit. (Editing the Default Domain Policy works, but it is better practice to create a dedicated GPO for audit settings and link it to the domain or to the OU that contains the computers you want to audit.)


3. Expand the Computer Configuration node, go to the node Audit Policy (Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Audit Policy).

4. In the right side pane, double-click the policy Audit logon events and tick Failure.


5. In Windows 7/Server 2008 R2 and later versions, you can also enable event ID 4625 through Advanced Audit Policy Configuration. Expand Computer Configuration and go to the node Advanced Audit Policy Configuration (Computer Configuration->Policies->Windows Settings->Security Settings->Advanced Audit Policy Configuration).

6. Expand this node, go to Logon/Logoff (Audit Policies->Logon/Logoff), then select the setting Audit Logon and set its value to Failure.

Note: On these versions the advanced (subcategory) settings take precedence over the basic Audit logon events setting by default (the policy "Audit: Force audit policy subcategory settings to override audit policy category settings" is enabled). Pick one of the two methods and use it consistently; mixing them makes the effective policy hard to reason about.


7. Run the command gpupdate /force on a computer to apply the setting there immediately. gpupdate only refreshes the computer it is run on; the other computers pick the setting up at their next Group Policy refresh.



How to enable event 4625 using Auditpol

     Auditpol.exe is the command line utility for viewing and changing audit security settings at category and subcategory level. It is available by default on Windows Vista/Server 2008 and later versions. Using Auditpol, we can get/set audit security settings per user and per computer.

   Note: You should run the Auditpol command with elevated privilege (Run as administrator).

You can enable failure auditing for event 4625 by using the following command:
Auditpol /set /subcategory:"Logon" /failure:enable
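Whether you set the policy through Local Security Policy, a GPO or Auditpol, the effective setting on the computer is what matters, and Auditpol is the quickest way to verify it. The following PowerShell script is an added example (not from the original post) that ties the GPO and Auditpol sections together: it backs up the current audit policy so the change can be reverted exactly, enables failure auditing for the Logon subcategory, reads the effective setting back, and then triggers a harmless failed logon to confirm that a 4625 actually lands in the Security log. It must be run from an elevated PowerShell prompt; the backup path, the account name no-such-user and the English column names in the auditpol output are assumptions of this example.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.

function Get-LogonAuditSetting {
    # /r makes auditpol emit CSV; skip any non-CSV lines before parsing.
    # Inclusion Setting is one of: No Auditing, Success, Failure, Success and Failure
    $rows = auditpol /get /subcategory:"Logon" /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
    $rows | Select-Object -First 1 -ExpandProperty 'Inclusion Setting'
}

function Enable-LogonFailureAudit {
    $before = Get-LogonAuditSetting
    # Back up the whole audit policy first so it can be restored with:
    #   auditpol /restore /file:<backup>
    $backup = Join-Path $env:TEMP ("auditpol-backup-{0:yyyyMMdd-HHmmss}.csv" -f (Get-Date))   # assumed path
    auditpol /backup "/file:$backup" | Out-Null
    auditpol /set /subcategory:"Logon" /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed with exit code $LASTEXITCODE" }
    [pscustomobject]@{ Before = $before; After = (Get-LogonAuditSetting); Backup = $backup }
}

function Test-LogonFailureAudit {
    # Trigger one failed network logon (logon type 3) against the local machine
    # using an account that does not exist, so nothing can get locked out.
    # Assumes SMB is reachable on loopback. The user name is a hypothetical value.
    net use '\\localhost\IPC$' 'WrongPassword1!' /user:"$env:COMPUTERNAME\no-such-user" 2>&1 | Out-Null
    Start-Sleep -Seconds 2
    # XPath filter: 4625 in the last 60 seconds whose target user is our test name
    $xpath = "*[System[EventID=4625 and TimeCreated[timediff(@SystemTime) <= 60000]]" +
             " and EventData[Data[@Name='TargetUserName']='no-such-user']]"
    $hit = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 1 -ErrorAction SilentlyContinue
    [bool]$hit
}

Enable-LogonFailureAudit | Format-List
if (Test-LogonFailureAudit) { 'OK: event 4625 is being logged' } else { 'No 4625 seen; check the effective policy' }
```

If the After value still reads No Auditing on a domain-joined machine, a GPO is overriding the local change; run gpresult /h report.html and look under Computer Configuration for the Audit Logon setting that is winning. The same Get-LogonAuditSetting check is the right way to confirm that a GPO change from the previous section has actually reached a target computer after gpupdate.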

How to stop/disable Event 4625

You can disable or stop the logon failure audit event ID 4625 by using the following command:
Auditpol /set /subcategory:"Logon" /failure:disable

You can also stop this event by removing the Failure audit setting from the GPO at the setting path Computer Configuration->Policies->Windows Settings->Security Settings->Advanced Audit Policy Configuration->Audit Policies->Logon/Logoff->Audit Logon (or from Audit logon events under Local Policies->Audit Policy if you used the basic setting). Bear in mind that disabling failure auditing removes the only built-in record of brute-force and password-guessing attempts against the computer, so this is rarely a good idea on a server.


 Note: You need to refresh the GPO on the target computers after every change by running the command gpupdate /force, or wait for the next Group Policy refresh.


Note: This article applies to Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows 7 and Windows 8.

Thanks,
Morgan
Software Developer
