The difference between 672 "Failure Audit"...
Posted 4/12/2010 11:58:39 AM
Forum Newbie

Group: Forum Members
Last Login: 4/12/2010 11:39:00 AM
Posts: 1, Visits: 0
Hi,

Can anyone explain what is the difference between these 2 events?

If a wrong password is entered when logging on to a domain, which of those two will be generated? By looking through log files on my DC, it seems that it will be 675...

But then, what are the cases, when 672 “Failure Audit” will be generated?

If I would like to monitor for failed authentication with domain accounts, should I look only for ID 675, or should it be combined with 672 Failure Audit?

Cheers,
Sasa.
Post #351
Posted 4/15/2010 8:23:45 AM
Expert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
675 gets logged for bad password and clock sync problems between client and DC

Failure 672 gets logged for all other initial authentication failures

Post #353
Posted 10/4/2010 5:01:21 AM
Forum Newbie

Group: Forum Members
Last Login: 5/27/2011 5:31:05 AM
Posts: 8, Visits: 13
Hi Randy,

So between these two event ids, can we safely say that we should log for event id 672 and not 675? If I'm wrong then please correct me.

Regards,

Mohit.

Post #490
Posted 11/4/2010 6:20:46 AM
Expert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
Well, 675 with 0x18 failure code tells you "bad password" which means user fat fingered his password, forgot or someone is trying to guess that user's password...
Post #515
Posted 11/5/2010 5:34:37 PM
Expert from Quest Software

Group: Forum Members
Last Login: 2/11/2012 12:15:37 AM
Posts: 18, Visits: 8
Hi Mohit -

   If failed authentications are your goal then you must log all 675 events, and all failed 672 events.

   If a user fat-fingers their password a 675 event will be created during pre-authentication, and a 672 will never appear. 

Hope this helps...

Post #520
Posted 11/8/2010 11:14:06 AM
Forum Newbie

Group: Forum Members
Last Login: 11/4/2010 10:14:26 AM
Posts: 1, Visits: 0
Randy,

According to your Security Log Quick Reference, shouldn't the code you are looking for be 24 rather than 18, which is account disabled?

Post #524
Posted 11/9/2010 1:17:59 AM
Forum Newbie

Group: Forum Members
Last Login: 5/27/2011 5:31:05 AM
Posts: 8, Visits: 13
Braino (11/5/2010)
Hi Mohit -

   If failed authentications are your goal then you must log all 675 events, and all failed 672 events.

   If a user fat-fingers their password a 675 event will be created during pre-authentication, and a 672 will never appear. 

Hope this helps...

Hi Braino,

Thank you for providing your insight on this topic. I myself went and searched for event ids 675 and 672, but was able to find only instances for 675. Hence I've now modified my Perl script to search for event id 675 and export the relevant data to a spreadsheet.

I'm assuming that I'm safe by ignoring 672 here. Do I still need to add a check for event id 672?

Post #525
Posted 11/9/2010 8:51:57 AM
Expert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
I think you are mixing up hex and decimal.  Decimal 24 is the same thing as hex 18.
Post #527
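
Added example, not part of any post in this thread: a Python sketch of the filter the replies describe (every 675 plus 672 only when it is a Failure Audit), with failure codes normalized so that hex 0x18 and decimal 24 compare equal. The record field names, the sample events, the "0x prefix means hex, otherwise decimal" parsing rule and the threshold of 3 are assumptions made for illustration.

```python
from collections import Counter

BAD_PASSWORD = 0x18  # decimal 24; the "bad password" failure code named in the thread

# Constructed sample records (not real log data); field names are assumptions.
SAMPLE_EVENTS = [
    {"id": 675, "type": "Failure Audit", "user": "alice", "client": "10.0.0.5", "code": "0x18"},
    {"id": 675, "type": "Failure Audit", "user": "alice", "client": "10.0.0.5", "code": "0x18"},
    {"id": 675, "type": "Failure Audit", "user": "alice", "client": "10.0.0.5", "code": "24"},
    {"id": 672, "type": "Success Audit", "user": "bob", "client": "10.0.0.7", "code": "-"},
    {"id": 672, "type": "Failure Audit", "user": "carol", "client": "10.0.0.9", "code": "0x12"},
    {"id": 675, "type": "Failure Audit", "user": "dave", "client": "10.0.0.8", "code": "0x25"},
]

def parse_code(raw):
    """Return the failure code as an int, or None when it is absent or unparsable.
    Assumption: a 0x prefix marks hex; anything else is read as decimal."""
    raw = raw.strip().lower()
    try:
        return int(raw, 16) if raw.startswith("0x") else int(raw, 10)
    except ValueError:
        return None

def is_failed_auth(ev):
    # All 675 events count; 672 counts only when it is a Failure Audit.
    return ev["id"] == 675 or (ev["id"] == 672 and ev["type"] == "Failure Audit")

def summarize(events):
    """Split failed authentications into bad-password counts and everything else."""
    failures = [e for e in events if is_failed_auth(e)]
    bad_pw = Counter((e["user"], e["client"]) for e in failures
                     if parse_code(e["code"]) == BAD_PASSWORD)
    other = [e for e in failures if parse_code(e["code"]) != BAD_PASSWORD]
    return failures, bad_pw, other

def repeated_bad_passwords(events, threshold=3):
    """(user, client) pairs with at least `threshold` bad-password failures."""
    _, bad_pw, _ = summarize(events)
    return sorted(pair for pair, n in bad_pw.items() if n >= threshold)

if __name__ == "__main__":
    failures, bad_pw, other = summarize(SAMPLE_EVENTS)
    print("failed authentications:", len(failures))
    print("repeated bad passwords:", repeated_bad_passwords(SAMPLE_EVENTS))
    for e in other:
        print("other failure:", e["id"], e["user"], e["code"])
```

A filter that keeps only 675 would drop the failed 672 record in the sample, and a filter that compares the code as a bare string would miss the record written as decimal 24.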