I am having an issue with configuring auditing on the server in order to catch failed and successful network logins.
This morning we found one of our test machines with a strange login on the locked screen. Definitely not a user that exists on our domain. The user that saw this had to restart the machine in order to log in. I only found out afterwards so was unable to see the locked screen myself. I've been asked to investigate, but all I found on the affected client and Domain Controller were very vague log entries:
- Client event viewer:
  - TerminalServices-RemoteConnectionManager log:
    - Listener RDP-Tcp received a connection
  - Security log:
    - No entries
- TerminalServices-RemoteConnectionManager log:
Since then I've made a few changes. On the Domain Controller Policy I have enabled Audit account logon events and Audit logon events (source).
Following a further guide from the same thread, I've also enabled Active Directory Change Events.
This is where I am now when checking Event Viewer on the DC in Security logs:
- Audit Failure, which contains account name and time. Event ID: 4771, Failure code 0x18, Pre-authentication Type: 2.
Based on this source I can see it's because of a bad password. But it doesn't say where the login came from, or to which remote machine.
If I provide the correct password, it creates Event ID 4768, saying a Kerberos authentication ticket was requested, with no result code. Nothing in the following entries about a successful login.
How can I get that into my logs so I am able to track down the issue should it happen again in the future?
To summarise, I need to see all attempted, successful and failed logon attempts on the network. Hopefully I will be able to narrow these logs down to a target IP address to show only logs referring to a machine suspected of being breached. Is that possible without any additional tools/software?
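An added example (not from the question or any answer) of pulling the fields that actually carry the source address out of the events mentioned above: on the DC, 4771 and 4768 record the requesting client in their IpAddress field, while the per-machine logon events 4624/4625 (logon type 10 for RDP) are written on the machine being logged on to, so the same script run on the affected client shows the remote end of the RDP session. It assumes it is run elevated, that the Logon subcategory is enabled (`auditpol /set /subcategory:"Logon" /success:enable /failure:enable`), and the `-ClientIp` filter value is a constructed placeholder.

```powershell
# Added example, not part of the original post. Run elevated on the DC
# (Kerberos events 4768/4771) or on the affected client (4624/4625).
param(
    [int]$Hours = 24,
    [string]$ClientIp = $null   # e.g. '10.0.0.25' (placeholder) to narrow to one suspect machine
)

$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4625, 4768, 4771
    StartTime = (Get-Date).AddHours(-$Hours)
}

$rows = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Flatten the EventData <Data Name="..."> elements into a hashtable
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    [pscustomobject]@{
        Time      = $_.TimeCreated
        Id        = $_.Id
        Account   = $d['TargetUserName']
        # 4771/4768 and 4624/4625 all carry the client in IpAddress; Kerberos
        # events usually prefix it with ::ffff: (IPv4-mapped), which is stripped here.
        SourceIp  = ($d['IpAddress'] -replace '^::ffff:', '')
        Station   = $d['WorkstationName']   # only present on 4624/4625
        LogonType = $d['LogonType']         # 10 = RemoteInteractive (RDP), 3 = network
        # Failure detail: 4771 Status (0x18 = bad password), 4625 SubStatus,
        # 4768 Status 0x0 = TGT issued successfully.
        Status    = if ($_.Id -eq 4625) { $d['SubStatus'] } else { $d['Status'] }
    }
}

if ($ClientIp) { $rows = $rows | Where-Object SourceIp -eq $ClientIp }
$rows | Sort-Object Time | Format-Table -AutoSize
```

Correlating a 4771/4768 on the DC with a 4624/4625 carrying the same SourceIp on the client gives both ends of the attempt in one view, without any extra tooling.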