Skip to main content

Turn on auditing to monitor account attacks

Posted March 2007 by Steve Sinchak

There is no doubt that all of the new security features in the modern versions of Windows will help keep your computer more secure.  However, these features become less valuable when they are not turned on by default.  One feature, known as user account auditing, is not turned on by default. With this feature is turned off, anyone with physical access or remote access to through a hole in your firewall (such an opening for Remote Desktop) can use a brute force attack against your user account for as long as they want without getting noticed at all.   How? The default audit security policy is configured to not log any account logon events, successful or failed.

This allows an attacker to try to hack your accounts for as long as it takes to break in.  There are a few ways to protect against this that I am going to go over in my next article about the Account Lockout policy.  But first, it is important to turn on this account auditing so that you can see who may be trying to break into your accounts.  After you have adjusted the auditing security policy, you will be able to see any account attacks including the account that they tried to logon with and where the request came from.

Let's get started and turn on audition for failed logon events:

  1. Click on the Start Button and key in secpol.msc in the box and hit Enter.
  2. Navigate through Local Policies and Audit Policy.
  3. Right click on Audit account logon events policy and select Properties.
  4. Check the Failure box and hit OK.
  5. Right click on Audit logon events policy and select Properties.
  6. Check the Failure box and hit OK. Your screen should now look like the figure below:

7. Close Local Security Policy editor.

Your computer has now been configured to log all failed user account logon attempts.

Once you have turned on account auditing, you can view the logs in Event Viewer (run eventvwr.msc) under Windows Logs and Security.

Related Posts

The Java Runtime Environment has become one of the most exploited components of any operating system. Even the US Department of Homeland Security warns users to disable java unless they have a really good reason to use it.  For most of us the days of Web sites requiring you to run Java applets has long passed.  However, there still are a good number of desktop applications written in Java so simply...

Read More

Port 3389 is the home of the remote desktop protocol that powers Remote Desktop Services on all modern versions of Windows.  If your system has Remote Desktop enabled, it is listening for connections on port 3389.  Since this port is both well known and can be used to attack accounts, it is low hanging fruit for script kiddies and bots looking for an easy target.

Read More

Microsoft included a batch rename feature in the latest version of Windows allowing you to select multiple files, right click on one and select rename. All of the selected files will be renamed with the name you provided and a number. This functionality works well for basic files but does not provide any flexibility in exactly how the files are numbered and also does not allow the file extension to...

Read More

Adobe ReaderThe Adobe download manager is part of the normal install of Adobe Reader and Flash that allows Adobe to bundle additional software with their products. After the download manager is installed, Reader/Flash along with other software (Adobe Air) can be downloaded and installed. When dial-up Internet connections where common download managers provided a valuable...

Read More