The Windows Security Log Revealed

Chapter 4
Account Logon Events

Account Logon events provide a way to track all the account authentication that is handled by the local computer. If the local computer is a DC, you will see events that are logged for the domain accounts that the DC authenticates. If the computer is a member server, you will see only events that are logged for authentication of local accounts on that server.

The Audit account logon events policy category comprises four subcategories shown below. We recommend that you enable the Credential Validation, Kerberos Authentication Service, Kerberos Service Ticket Operations, and Other Account Logon Events subcategories. You will not typically see the four event IDs in the Other Account Logon Events subcategory in AD environments.

Subcategories

Comment

Credential Validation

NTLM Authentication; produces events on both DCs and member servers

Kerberos Authentication Service

Kerberos Ticket Granting Tickets (TGT); produces events only on DCs

Kerberos Service Ticket Operations

Kerberos Service Tickets (computers and services accessed); produces events only on DCs

Other Account Logon Events

Dumping ground for four other authentication events, none of which have been observed during our testing

When you enable these policies on a DC, all domain account authentication that occurs on that DC will be logged. When you analyze the combined Account Logon events of all your DCs, you will have a complete picture of the logon activity of all domain accounts in the domain, regardless of whether the logon attempts were initiated from computers of the local or trusted domain or from unknown computers outside your AD forest and external trusted domains.

Windows DCs support both NTLM and Kerberos authentication protocols.

NTLM vs. Kerberos

When a DC needs to find out whether a domain account is authentic, the computer first tries to contact the DC via Kerberos. (If the system doesn’t receive a reply, it falls back to using NTLM. The DCs log different event IDs for Kerberos and for NTLM authentication activity, so you can easily distinguish between them.) In an AD forest comprising computers that are all running Windows 2000 and later, all authentications between workstations and servers should be made via Kerberos. Any NTLM authentication events that you see on your DCs can have only a few explanations:

  • Windows will fall back to using NTLM if routers block Kerberos traffic (UDP port 88) or if the system doesn’t receive a reply when trying to contact the DC via Kerberos.
  • You might see NTLM events on your DCs if the domain trusts another domain outside the forest (as defined in Active Directory Domains and Trusts). Kerberos doesn’t work for most external trust relationships. (Note that realm trusts between a Windows domain and a non-Windows Kerberos realm use Kerberos, as do transitive, two-way cross-forest trusts between two Windows domains.)
  • NTLM events on a DC’s Security log can indicate rogue computers. Contrary to popular belief, Windows does not prevent a user at a stand-alone computer (i.e., a Windows computer that belongs to no domain) or a computer in an untrusted domain from using a domain account to connect to a server in your domain. To prove this, just use the Net use command to map a drive to a computer in an untrusting domain. The following sample command connects me to a file server called NYC-FS-1 in the NYC domain, using the domain Administrator account and a password of #dk32HE4:
    net use \\nyc-fs-1.nyc.acme.local\c$ #dk32HE4 /user:nyc\administrator
  • You might see NTLM events as a result of users logging on to an application that uses Microsoft Internet Information Services (IIS) authentication (e.g., an IIS Web application).
  • Linux, UNIX, and Mac computers generate NTLM events.
  • Pre-Windows 2000 computers in the local domain or in the overall forest can log NTLM events on your DC Security logs.

Why does it matter whether your systems use NTLM or Kerberos? For one thing, Kerberos provides mutual authentication between client and server, whereas NTLM authenticates client-to-server only. For another thing, NTLM is less secure than Kerberos. Although intruders can capture packets from either protocol and can attempt to crack the data back to the password, NTLM is easier to crack than Kerberos. More important, if an outsider (i.e., someone who is not a member of your organization) attacks accounts in your domain, you will most likely see those attacks as NTLM authentication events because the outsider’s computer isn’t a member of your domain or a trusted domain.

How NTLM Works

NTLM is a challenge/response protocol shown in the diagram below. When a user attempts to log on to a workstation, the computer contacts the DC to request authentication of the user. The DC generates a random string of bytes, known as the challenge, and sends it to the workstation. The workstation hashes the password that the user entered, then encrypts the challenge, using the password as the key. The workstation then sends the encrypted challenge, called the response, back to the DC. The DC encrypts its copy of the original challenge and compares it to the response from the workstation. If the challenge and response match, then the encryption keys are the same, and the DC infers that the user correctly entered the password.

As you can see, NTLM never sends the password or the hash across the network. However, attackers who can capture the challenge/response packets might be able to crack the information back to the original password because of weaknesses associated with NTLM’s backward-compatibility support with ancient LanManager technology. An attacker might use this backward-compatibility to crack passwords even when NTLM is used.

NTLM Events

Windows logs event ID 4776 (see example below) for NTLM authentication activity (both Success and Failure). Earlier versions of Windows Server log different event IDs. Windows 2000 logs two event IDs—680 and 681—for all types of NTLM authentication activity. A successful NTLM authentication yields event ID 680; a failure produces event ID 681. (Windows 2003 merges these two events into event ID 680.)

The domain controller attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Administrator
Source Workstation: WIN-R9H529RIO4Y
Error Code: 0x0

An NTLM event description's Logon Account field lists the name of the user account that attempted the authentication. The Source Workstation field provides the name reported by the computer on which the user is present. In the case of non-Windows systems (e.g., Apple computers), the Source Workstation field might contain a domain name instead of workstation name.

To determine why an authentication attempt failed, look at the description's Error Code field. NTLM provides very specific error codes listed in the chart below. You might be surprised when you compare these codes to Kerberos failures, which are far less specific because of the Request for Comments (RFC) 1510 Kerberos standard.

NTLM Error Code

Error Description

Comments

Decimal

Hexadecimal

3221225572

C0000064

user name does not exist

 

3221225578

C000006A

user name is correct but the password is wrong

 

3221226036

C0000234

user is currently locked out

 

3221225586

C0000072

account is currently disabled

 

3221225583

C000006F

user tried to logon outside his day of week or time of day restrictions

Logged only for domain accounts that are configured with logon-hour restrictions

3221225584

C0000070

workstation restriction

Logged only for domain accounts that are configured with workstation restrictions

3221225875

C0000193

account expiration

Logged only for domain accounts that are configured with an account expiration

3221225585

C0000071

expired password

 

3221226020

C0000224

user is required to change password at next logon

Usually logged the first time a user logs on after the account is created or after the password is reset

3221226021

C0000225

Evidently a bug in Windows and not a risk

0

0x0

A successful authentication rather than an error

NTLM yields an Account Logon event whenever a user logs on to a computer, either interactively or over the network as you can see in the diagram below.

For instance, imagine that Bob uses a domain account to log on to his Windows NT workstation, then uses a shared folder on Server A and one on Server B. On whichever DC handles those authentication requests, you’ll see a total of three event ID 4776 instances: one for the interactive workstation logon and two for the network logons to Server A and Server. However, you won’t be able to discern that Bob accessed three systems; the events will be identical except for the date and time stamp.

On DCs, NTLM authentication events give you a record of all logon attempts that used domain accounts and that were serviced by the NTLM authentication protocol. You will also see NTLM events on member servers and workstations.

When someone attempts to use a local SAM account to log on to a Windows computer, NTLM always handles the authentication. Therefore, successful event ID 4776 instances on a workstation or member server are a clear indicator that some user, service, or scheduled task successfully logged on by using a local account. Failed event ID 4776 instances on a workstation or member server indicate that some user, service, or scheduled task attempted but failed to log on by using a local account. (You can determine the logon type from the related Logon/Logoff event, which we’ll consider in the next chapter.) If your environment encourages the use of domain accounts and avoids the use of local accounts, then enabling the Audit account logon events policy on workstations and member servers is an easy way to identify the improper use of local accounts.

Kerberos Basics

Although tracking NTLM authentication is important, don’t forget about Kerberos authentication, which will likely represent the bulk of authentication activity in your DC Security logs. Kerberos is the default authentication protocol for Windows 2000 and later computers in an AD domain. To understand Kerberos events, you'll benefit from understanding the basic functioning of the Kerberos protocol.

Kerberos uses the concept of tickets. A ticket is a small amount of encrypted, session-specific data that is issued by the DC. When a client needs to access a server on the network, the client first obtains a ticket from the server's DC. The ticket and other data supplied by the client vouch for the client’s identity and provide a way for the client to authenticate the server. In this way, Kerberos provides mutual authentication of both client and server. Using timestamps and other techniques, Kerberos protects tickets from cracking or replay attacks by eavesdroppers on the network.

The two kinds of tickets are authentication tickets (aka ticket-granting tickets) and service tickets. Kerberos issues an authentication ticket when a client first authenticates itself to the DC. The DC sends back the authentication ticket and a session key that’s been encrypted with the client’s personal key (in this case, the user’s password). The client uses its personal key to decrypt the session key. Then the client uses its authentication ticket and session key to obtain a service ticket for each server that it needs to access.

In UNIX-based Kerberos implementations, Kerberos simply issues an authentication ticket, without checking the user’s credentials. If the user’s computer can successfully decrypt the session key that comes with the authentication ticket, then the user is authentic. If the client is an impostor, it won’t be able to obtain the session key. Therefore, UNIX Kerberos implementations don’t immediately detect failed logons that happen because of a bad password. However, Windows takes advantage of an optional Kerberos feature called pre-authentication. Using pre-authentication, the DC checks the user’s credentials before issuing the authentication ticket.

Kerberos and the Windows Security Log

Windows generates Security log events at each step of the Kerberos authentication process, so by knowing how to relate general Kerberos events to user activity in the real world, you can closely monitor domain logon activity and pinpoint suspicious events. Let’s look at how a user’s actions relate to Kerberos events.

Imagine that Fred walks into his office one morning, turns on his Windows XP computer, and enters his domain username and password. Fred’s workstation sends an authentication request, via Kerberos, to the DC.

When Fred enters a correct username and password, the DC logs a successful event ID 4768 as you can see below. (A Kerberos authentication ticket (TGT) was requested. When you see an event ID 4768 instance that lists Fred as the account name in the event’s description, you can interpret the event as Fred’s initial logon at his workstation. You can even identify his workstation by using the Client Address field. All Kerberos events include this field, which identifies the client computer's IP address. The Supplied Realm Name field, which identifies the user account's domain (e.g., ACME), is also useful. (Other Kerberos events identity the domain as User Domain or prefix the username with the domain–e.g., ACME\Fred.)

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/28/2008 6:17:28 PM
Event ID: 4768
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Success
User: N/A
Computer: Lab2008.acme.ru
Description:
A Kerberos authentication ticket (TGT) was requested.

Account Information:
                Account Name:                 Fred
                Supplied Realm Name:      ACME
                User ID:                          ACME\Fred

Service Information:
                Service Name:                  krbtgt
                Service ID:                      ACME\krbtgt
 
Network Information:
                Client Address:                 ::1
                Client Port:                      0
 
Additional Information:
                Ticket Options:                 0x40810010
                Result Code:                    0x0
                Ticket Encryption Type:     0x17
                Pre-Authentication Type:    2
 
Certificate Information:
                Certificate Issuer Name:                    
                Certificate Serial Number:
                Certificate Thumbprint:                      
 
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.

But what if Fred enters a bad password? In this case, Kerberos pre-authentication catches the problem at the DC, and Windows logs event ID 4771 (Kerberos pre-authentication failed), with Failure Code 0x18 in the Failure Code field as you can see in the example below.

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/27/2008 5:47:55 PM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: Lab2008.acme.ru
Description:
Kerberos pre-authentication failed.

Account Information:
                Security ID:                     S-1-5-21-3574173841-1192904138-508017755-1000br />                 Account Name:                Fred

Service Information:
                Service Name:                  krbtgt/ACME

Network Information:
                Client Address:                 ::1
                Client Port:                      0
 
Additional Information:
                Ticket Options:                 0x40810010
                Failure Code:                    0x18
                Ticket Encryption Type:     0x17
                Pre-Authentication Type:    2
 
Certificate Information:
                Certificate Issuer Name:                    
                Certificate Serial Number:
                Certificate Thumbprint:                      
 
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

After obtaining a TGT, the workstation attempts to obtain a service ticket from the DC. Windows reports a successful attempt as event ID 4769 (A Kerberos service ticket was requested) with a Service Name of “krbtgt". You’ll always see this instance of event ID 4769, which you can ignore, after an instance of event ID 4768.

The workstation next must obtain a service ticket for itself (i.e., a service ticket that authenticates Fred to his workstation and allows him to log on). This event shows up as another instance of event ID 4769. The Service Name field in event ID 4769 identifies the service for which the ticket was granted—in this case, the workstation’s name. This instance of event ID 4769 is useful because it identifies the workstation by name; the earlier instance of event ID 4768 provided only the workstation's IP address.

That isn’t the end of event ID 4769. You’ll see additional instances for each server that Fred accesses after logging on to his workstation. Imagine that Fred’s logon script or persistent drive mappings initiate connections to a MktgFiles shared folder on a Lab2008 server. The DC will log event ID 4769 when Fred’s workstation obtains a service ticket to Lab2008 as shown below.

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/28/2008 6:17:21 PM
Event ID: 4769
Task Category: Kerberos Service Ticket Operations
Level: Information
Keywords: Audit Success
User: N/A
Computer: Lab2008.acme.ru
Description:
A Kerberos service ticket was requested.

Account Information:
                Account Name:                 LAB2008$@ACME.RU
                Account Domain:              ACME
                Logon GUID:                    {0530ceb1-de6d-35ca-57b5-17c2e85b3439}

Service Information:
                Service Name:                  LAB2008$
                Service ID:                      ACME\LAB2008$
 
Network Information:
                Client Address:                 ::1
                Client Port:                      0
 
Additional Information:
                Ticket Options:                 0x40810010
                Ticket Encryption Type:     0x12
                Failure Code:                    0x0
                Transited Services:    -
 

This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.

This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.
Ticket options, encryption types, and failure codes are defined in RFC 4120.

To recap, when Fred logs on at his workstation for the first time that day, the DC that handles the logon will log event ID 4768, closely followed by three instances of event ID 4769 like the diagram shows below. One instance lists “krbtgt” as the service and can be ignored. The second instance lists the DC as the service, and the third instance identifies Fred’s workstation’s name.

Additional event ID 4769 instances are logged as Fred accesses other servers.

Now you know which event that Windows logs when a user enters a bad password (event ID 4768 with failure code 0x18), but what about all the other reasons for which a logon can fail, such as an expired password or disabled account? Windows Server catches all of these other logon failures after pre-authentication and logs event ID 4769 (A Kerberos service ticket was requested. (failure)). Again, you need to look at the failure code to determine the problem. The list of various failure codes are in the chart below. (Because the Kerberos protocol was developed apart from a specific operating system, its failure codes do not always directly map to Windows authentication failure descriptions. Kerberos reports the same code for failures that occur because an account is disabled, expired, or locked out.)

Failure code

Kerberos RFC description

Notes on common failure codes

Decimal

Hexadecimal

1

0x1

Client's entry in database has expired

 

2

0x2

Server's entry in database has expired

 

3

0x3

Requested protocol version # not supported

 

4

0x4

Client's key encrypted in old master key

 

5

0x5

Server's key encrypted in old master key

 

6

0x6

Client not found in Kerberos database

Bad username, or new computer/user account that has not replicated to DC yet

7

0x7

Server not found in Kerberos database

 New computer account that has not replicated yet or computer is pre-Windows 2000

8

0x8

Multiple principal entries in database

 

9

0x9

The client or server has a null key

 Administrator should reset the password on the account

10

0xA

Ticket not eligible for postdating

 

11

0xB

Requested start time is later than end time

 

12

0xC

KDC policy rejects request

Workstation/logon time restriction

13

0xD

KDC cannot accommodate requested option

 

14

0xE

KDC has no support for encryption type

 

15

0xF

KDC has no support for checksum type

 

16

0x10

KDC has no support for padata type

 

17

0x11

KDC has no support for transited type

 

18

0x12

Clients credentials have been revoked

Account disabled, expired, or locked out

19

0x13

Credentials for server have been revoked

 

20

0x14

TGT has been revoked

 

21

0x15

Client not yet valid - try again later

 

22

0x16

Server not yet valid - try again later

 

23

0x17

Password has expired

The user’s password has expired

24

0x18

Pre-authentication information was invalid

Usually means bad password

25

0x19

Additional pre-authentication required*

 

31

0x1F

Integrity check on decrypted field failed

 

32

0x20

Ticket expired

Frequently logged by computer accounts

33

0x21

Ticket not yet valid

 

33

0x21

Ticket not yet valid

 

34

0x22

Request is a replay

 

35

0x23

The ticket isn't for us

 

36

0x24

Ticket and authenticator don't match

 

37

0x25

Clock skew too great

Workstation’s clock too far out of sync with the DC’s

38

0x26

Incorrect net address

 IP address change

39

0x27

Protocol version mismatch

 

40

0x28

Invalid msg type

 

41

0x29

Message stream modified

 

42

0x2A

Message out of order

 

44

0x2C

Specified version of key is not available

 

45

0x2D

Service key not available

 

46

0x2E

Mutual authentication failed

 May be a memory allocation failure

47

0x2F

Incorrect message direction

 

48

0x30

Alternative authentication method required*

 

49

0x31

Incorrect sequence number in message

 

50

0x32

Inappropriate type of checksum in message

 

60

0x3C

Generic error (description in e-text)

 

61

0x3D

Field is too long for this implementation

 

Windows doesn’t log event ID 4772, even though it is defined. (It seems that many of the Windows events were defined before the operating system development was finished and are simply not used.) Instead, Windows reuses event ID 4769, changing the type to Failure Audit instead of Success Audit.

Computer Account–Related Kerberos Events

To support Windows infrastructure features such as AD, Group Policy, and Dynamic DNS updates, workstations and servers must communicate frequently with the DC. This communication begins when a computer boots up. Each system that boots up obtains a TGT from the DC, followed by service tickets to krbtgt and the DC. These communications result in a 4768, 4769, 4769 event ID pattern.

Windows logs many Kerberos events that most people consider extraneous and that you can simply ignore. The events are a result of computers authenticating to the DC. You can identify such computer-to-computer authentication events because the listed username will be a computer instead of a user. Computer account names are easily recognizable because they have a $ appended to the name (e.g., FS2$).

You will also see plenty of occurrences of event ID 4769, resulting from ticket expirations. When a computer remains up for an extended period of time, its service ticket reaches the lifetime limit imposed by the domain's Kerberos policy. When that happens, the computer attempts to renew the ticket. When the renewal succeeds, the DC logs event ID 4770. When the ticket has reached its maximum renewal lifetime, the renewal fails and the DC logs event ID 4769. This forces the computer to re-authenticate to the DC and obtain a TGT all over again, thus causing a repeat of the event sequence that is logged when a computer first starts. Ticket expiration is a natural part of Kerberos activity and can be ignored.

Description Fields

Windows is not always consistent with the description fields you find in Kerberos events. Kerberos events always identify the name and domain attempting authentication, but the information can be formatted several different ways, depending on the event and the way it is viewed. For example, the same event lists “TargetUserName” in the Details tab and “Account Name” on the General tab. This is the same piece of information. The Client Address field is valuable because you can use it to determine the source IP address for authentication requests. I’ve used this field for a variety of purposes, including tracing logon attacks back to their source on the Internet. Some fields that don’t appear to have much (if any) value are Ticket Options, Ticket Encryption Type, and Pre-Authentication Type. These fields always seem to list the same undocumented values.

Final Thoughts on Kerberos

You can use Windows Kerberos events, as tracked in event ID 4668 and event ID 4669, to identify a user’s initial logon at the workstation and to then track each server that the user subsequently accesses. See the above chart for a complete listing of Windows Kerberos events. You can use event ID 4671 and failed event ID 4668 to track failed authentication events. Keep in mind that authentication events that are logged on DCs (whether Kerberos or NTLM) don’t include logoff events. DCs perform authentication services but do not record Logon/Logoff activity for the workstations and servers. Each workstation and server keeps track of who remains logged on. To track logoff events, you must analyze the local Security log of the desired workstation or server, looking for Logon/Logoff events like the ones listed below.

Event ID

Task Category

Title

Comment

4768

Kerberos Authentication Service

A Kerberos authentication ticket (TGT) was requested

Success or failure

4769

Kerberos Service Ticket Operations

A Kerberos service ticket was requested

Success or failure

4770

Kerberos Service Ticket Operations

A Kerberos service ticket was renewed

 

4771

Kerberos Authentication Service

Kerberos pre-authentication failed.

 

4772

Kerberos Authentication Service

A Kerberos authentication ticket request failed

We have not seen this event.

4773

Kerberos Service Ticket Operations

A Kerberos service ticket request failed.

Not used; event 4769 failure used instead

4774

Other Account Logon Events

An account was mapped for logon.

We have not seen this event

4775

Other Account Logon Events

An account could not be mapped for logon.

We have not seen this event

4776

Credential Validation

The domain controller attempted to validate the credentials for an account.

NTLM authentication. Not necessarily a DC. May be any Windows server.

4777

Other Account Logon Events

The domain controller failed to validate the credentials for an account

We have not seen this event

4782

Other Account Logon Events

The password hash an account was accessed

We have not seen this event

Bottom Line

To sum things up, let’s look at each authentication—in other words, each Account Logon—event that is documented in the Windows manifest. You will notice that a number of the events are apparently not logged. We suspect that during development, Microsoft dropped plans to use some events. For the most recent information on any event ID in the Windows Security log, refer to the Security Log Encyclopedia at www.ultimatewindowssecurity.com.

Next Chapter

Back to top

Supercharger Enterprise


 

 

Upcoming Webinars
    Additional Resources