Audit Credential Validation determines whether the operating system generates audit events when credentials are submitted for a user account logon request. The event is written by the computer that is authoritative for the account, so the events occur as follows:

  1. The domain controller is authoritative for domain accounts
  2. The local computer is authoritative for local accounts

In an enterprise environment domain accounts are used far more often than local accounts, so most user logon requests are validated by domain controllers. Event volume is therefore high on domain controllers and low on member servers and workstations.

Events for Audit Credential Validation are listed below:

Event   State              Description
4774    Success, Failure   An account was mapped for logon
4775    Failure            An account could not be mapped for logon
4776    Success, Failure   The computer attempted to validate the credentials for an account
4777    Failure            The domain controller failed to validate the credentials for an account

Most account logon events are written to the Security log of the domain controllers, but they also appear on a member server or workstation when it validates a local account. This subcategory covers NTLM authentication; Kerberos authentication is audited under the separate Audit Kerberos Authentication Service and Audit Kerberos Service Ticket Operations subcategories. Enabling Success and Failure auditing for it is the basis for monitoring unsuccessful logon attempts and for spotting brute-force password guessing, account enumeration and other signs of account compromise on domain controllers: each 4776 event records the account name, the source workstation name supplied by the client, and an NTSTATUS code that distinguishes a wrong password (0xC000006A) from a non-existent user name (0xC0000064) or a locked-out account (0xC0000234).
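
The monitoring described above, as an added example that is not part of the original page: a PowerShell script that flattens 4776 records from a domain controller's Security log, then groups the failures by source workstation to flag brute force against a single account, password spraying across many accounts, and enumeration of non-existent user names. The NTSTATUS values are the ones Windows writes into the event's Status field; the function names, the thresholds and the sample records are assumptions made for illustration.

```powershell
# Added example, not part of the original page: triage 4776 failures pulled
# from a domain controller's Security log. The Status values are the NTSTATUS
# codes Windows writes into the event; the thresholds, sample records and
# function names are assumptions chosen for illustration.

function Convert-4776Event {
    # Flatten one EventLogRecord into the fields 4776 carries in its EventData.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $xml  = [xml]$Record.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $Record.TimeCreated
        Account     = $data['TargetUserName']
        Workstation = $data['Workstation']   # client-supplied name; may be empty or forged
        Status      = $data['Status']        # '0x0' on success, NTSTATUS code on failure
    }
}

function Get-4776Failures {
    # Read the last $Hours of failed validations from the local Security log
    # (requires Event Log Readers membership or administrator rights).
    param([int]$Hours = 24)
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4776
        Keywords  = 0x10000000000000          # Audit Failure keyword
        StartTime = (Get-Date).AddHours(-$Hours)
    } | ForEach-Object { Convert-4776Event -Record $_ }
}

function Find-CredentialAbuse {
    # Group failures by source workstation and flag three patterns:
    #   brute force   - many wrong-password failures (0xC000006A) against one account
    #   spray         - wrong-password failures spread across many accounts from one source
    #   enumeration   - many distinct non-existent user names (0xC0000064) from one source
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$BruteForceThreshold = 10,
        [int]$SprayThreshold      = 5,
        [int]$EnumThreshold       = 5
    )
    foreach ($src in ($Events | Group-Object Workstation)) {
        # -eq is case-insensitive, so '0xc000006a' from the raw XML matches too
        $wrongPw = @($src.Group | Where-Object { $_.Status -eq '0xC000006A' })
        $noUser  = @($src.Group | Where-Object { $_.Status -eq '0xC0000064' })

        foreach ($acct in ($wrongPw | Group-Object Account | Where-Object { $_.Count -ge $BruteForceThreshold })) {
            [pscustomobject]@{ Pattern = 'brute force'; Workstation = $src.Name; Accounts = $acct.Name; Failures = $acct.Count }
        }
        $sprayed = @($wrongPw | Select-Object -ExpandProperty Account -Unique)
        if ($sprayed.Count -ge $SprayThreshold) {
            [pscustomobject]@{ Pattern = 'password spray'; Workstation = $src.Name; Accounts = ($sprayed -join ','); Failures = $wrongPw.Count }
        }
        $unknown = @($noUser | Select-Object -ExpandProperty Account -Unique)
        if ($unknown.Count -ge $EnumThreshold) {
            [pscustomobject]@{ Pattern = 'account enumeration'; Workstation = $src.Name; Accounts = ($unknown -join ','); Failures = $noUser.Count }
        }
    }
}

# Constructed sample records (assumption: the shape Convert-4776Event returns on a DC).
$now = Get-Date
$sample = @(
    1..12 | ForEach-Object { [pscustomobject]@{ Time = $now; Account = 'jsmith'; Workstation = 'WKS-042'; Status = '0xC000006A' } }
    'administrator','backup','test','svc-sql','oracle','printer' |
        ForEach-Object { [pscustomobject]@{ Time = $now; Account = $_; Workstation = 'ATTACKER-PC'; Status = '0xC0000064' } }
    [pscustomobject]@{ Time = $now; Account = 'bjones'; Workstation = 'WKS-007'; Status = '0xC000006A' }   # one typo, not an attack
)
Find-CredentialAbuse -Events $sample | Format-Table -AutoSize
```

Run against the constructed sample it reports a brute-force pattern from WKS-042 against jsmith (12 wrong passwords) and account enumeration from ATTACKER-PC (six unknown names); the single failure from WKS-007 stays below every threshold. On a real DC, replace $sample with the output of Get-4776Failures. Two caveats: the Workstation field is whatever the client put in the NTLM request, so it can be blank or forged, and 4776 carries no source IP address; correlate with 4625 on the machine that received the logon (or 4771 for Kerberos) when you need the address.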

Active Directory Audit Rules

Vulnerability:

If audit settings are not configured, or are too lax, on the computers in your organization, forensic analysts may not be able to detect a security incident or gather enough evidence about it. If they are too aggressive, critically important entries in the Security log can be buried under meaningless ones, and the performance of the computer and the available storage can be seriously affected. Companies operating in certain regulated industries are also obliged to log specific events and activities.

Security Recommendations:

The recommended configuration can be enforced through Group Policy. Confirm that the policy at the UI path below is set as prescribed.

Policy Path:

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Logon\Audit Credential Validation

Set the policy at the above UI path to Success and Failure to establish the recommended configuration via Group Policy. To avoid conflicts with the legacy Audit account logon events setting under Local Policies\Audit Policy, also enable Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings under Security Options, so that the subcategory setting is the one that applies.

Default Value:

By default, the policy is set to Success only, so failed credential validations are not recorded until Failure auditing is enabled.
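Before relying on the setting, as an added example that is not taken from the original page, a check of the effective value on every domain controller via auditpol, which reports what actually applied after Group Policy processing. It assumes a domain admin session on a machine with the ActiveDirectory module and WinRM access to the DCs, and it parses auditpol's English CSV output; the function name is an assumption.

```powershell
# Added example, not part of the original page: confirm the effective setting on
# every domain controller, since a GPO only helps if it actually applied.
# Assumptions: run as a domain admin from a machine with the ActiveDirectory
# module and WinRM access to the DCs; auditpol's CSV output is parsed, so the
# subcategory name and setting strings are the English ones.

function Test-CredentialValidationAudit {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # auditpol /r emits CSV with the columns
        # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
        $row = auditpol /get /subcategory:"Credential Validation" /r |
               Where-Object { $_ -match ',' } | ConvertFrom-Csv
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Setting   = $row.'Inclusion Setting'      # e.g. 'Success', 'Success and Failure', 'No Auditing'
            Compliant = ($row.'Inclusion Setting' -eq 'Success and Failure')
        }
    } | Select-Object Computer, Setting, Compliant
}

# Check all DCs and list the ones still at the default (Success only) or worse.
$dcs = (Get-ADDomainController -Filter *).HostName
Test-CredentialValidationAudit -ComputerName $dcs | Where-Object { -not $_.Compliant }

# To fix one machine immediately rather than waiting for Group Policy (the next
# GPO refresh re-applies whatever the GPO says, so correct the GPO as well):
# auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
```

Because auditpol reads the effective local policy, this also catches a domain controller where the GPO did not apply at all or where the legacy category setting is still winning.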

Automate audit policies implementation:

Hardening automation tools let you apply your audit policies across your entire production environment. They help you implement the right policy on the right machine and reduce the risk of production downtime.
