This is a key pain point for those of you trying to meet compliance requirements. Just about every regulation out there requires you to review failed logons but offer no guidance on what to look for.
Distinguishing malicious logon failures from innocent logon failures is challenging for a variety of reasons:
- Each Windows computer role (workstation, server and domain controller) contribute failed logon events to your overall audit trail. I’ll help you understand which systems log which events and why
- The logon failure codes in the security log are the same whether the user mistyped his password or an attacker is trying to guess the password
- Some Windows clients and applications make more than one logon attempt per user attempt, thus inflating the number of innocent logon failures
- Confusion over the meaning of logon failure codes
- Distinguishing between “low and slow” attacks
In this real training for free™ webinar I first acquaint you with the two different audit categories used for tracking logon failures - Logon/Logoff and Account Logon - and show you the difference between the two.
I’ll be using Windows Server 2012 R2 for demonstrations and point out any minor differences between its events and those logged by earlier versions of Windows. And for my analysis tool I’ll be using SolarWinds Log and Event Manager who is making this real training for free™ possible.
Next I’ll share my tips for building your alert rules and reports to try to recognize malicious logon failures that indicate an attack. I’ll use a variety of techniques - some simple and others that require some sophisticated analysis. You also need to take into account your particular environment in terms of authentication types used, exposure to hostile networks, password quality among your users and their logon habits. Baselines are important and we’ll discuss how to establish them.
This will be real training on a very important area of the Windows security log. Don’t miss it. Please register now!