How to diagnose security failure event

  • How to diagnose security failure event

    Hi

    This has bugged me for years

    In XP the Security Failure Events are very vague:

    Code:
    Logon Failure:
         Reason:        Unknown user name or bad password
         User Name:    warstorm
         Domain:        T35
         Logon Type:    7
         Logon Process:    User32  
         Authentication Package:    Negotiate
         Workstation Name:    T35
    Token Monitor from sysinternals doesn't work any more

    How do I debug an event like this?

    I would like to know the process name at least ...

    Any clues?

  • #2
    Re: How to diagnose security failure event

    If I'm not mistaken, logon type 7 is an unlock event, meaning someone unlocked their workstation. In this case it looks like the user is warstorm and the workstation is T35.

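Added example, not part of any post in this thread: a small Python parser for the "Logon Failure" description text quoted in the first post. It names the logon type and counts failures per user, workstation and logon type. The logon type table follows Microsoft's documented values (the thread itself only names type 7), and the second sample event is constructed.

```python
import re
from collections import Counter

# Logon type numbers as documented by Microsoft; only type 7 is named in the thread.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*?)\s*$")

def parse_logon_failure(description):
    """Parse one 'Logon Failure:' description into a dict of its fields."""
    fields = {}
    for line in description.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2):  # the bare "Logon Failure:" header has no value
            fields[m.group(1)] = m.group(2)
    raw = fields.get("Logon Type", "")
    if raw.isdigit():
        fields["Logon Type"] = int(raw)
        fields["Logon Type Name"] = LOGON_TYPES.get(int(raw), "Unknown")
    return fields

def summarize(descriptions):
    """Count failures per (user, workstation, logon type name)."""
    counts = Counter()
    for text in descriptions:
        f = parse_logon_failure(text)
        counts[(f.get("User Name"), f.get("Workstation Name"),
                f.get("Logon Type Name"))] += 1
    return counts

# Event text copied from the first post.
SAMPLE_FROM_POST = """Logon Failure:
     Reason:        Unknown user name or bad password
     User Name:    warstorm
     Domain:        T35
     Logon Type:    7
     Logon Process:    User32
     Authentication Package:    Negotiate
     Workstation Name:    T35
"""
# Constructed sample: a network logon failure with made-up names.
CONSTRUCTED_NETWORK = SAMPLE_FROM_POST.replace("warstorm", "example_user") \
    .replace("Logon Type:    7", "Logon Type:    3").replace("T35", "EXAMPLE-PC")

if __name__ == "__main__":
    events = [SAMPLE_FROM_POST, SAMPLE_FROM_POST, CONSTRUCTED_NETWORK]
    for key, n in summarize(events).most_common():
        print(n, key)
```
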


    • #3
      Re: How to diagnose security failure event

      Here you go.

      Did you Google for "windows logon event codes"?
      http://www.windowsecurity.com/articles/Logon-Types.html


      You "debug it" by preventing account auditing in your event logs.
      Please do show your appreciation to those who assist you by leaving Rep Point



      • #4
        Re: How to diagnose security failure event

        I realised the event descriptions are ok except for the one described here

        support.microsoft.com/kb/831905

        which is an easy fix

        shouldn't everybody audit security failure events?



        • #5
          Re: How to diagnose security failure event

          Emphasis on "should"

          MS recommend it, we all agree, but unless you have a dedicated security person looking at everything, event monitoring (on a proactive basis) always seems to get missed out!
          Tom Jones
          MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
          PhD, MSc, FIAP, MIITT
          IT Trainer / Consultant
          Ossian Ltd
          Scotland

          ** Remember to give credit where credit is due and leave reputation points where appropriate **
