Windows Logon Failure Investigation

Windows Logon Failure Investigation

The following Event ID's indicate that a logon failed:

Event ID 529 : Unknown user name or bad password

Event ID 530 : Logon time restriction violation

Event ID 531 : Account disabled

Event ID 532 : Account expired

Event ID 533 : Workstation restriction - not allowed to logon at this computer

Event ID 534 : Inadequate rights - as in user account attempting console login to server

Event ID 535 : Password expired

Event ID 536 : NetLogon service down

Event ID 537 : unexpected error - the who knows ??? factor

Event ID 539 : Logon Failure: Account locked out

Event ID 627 : NT AUTHORITY\ANONYMOUS is trying to change a password

Event ID 644 : User account Locked out

You should watch for events 529, 539 and 644. Event ID 529 entries can have various "Logon Types":

2 – Interactive - A user logged on to this computer at the console.
3 - Network - A user or computer logged on to this computer from the network.
4 - Batch - Batch logon type is used by batch servers, where processes might run on behalf of a user without the user's direct intervention.
5 - Service - A service was started by the Service Control Manager.
7 – Unlock - This workstation was unlocked.
8 - NetworkCleartext - A user logged on to a network and the user password was passed to the authentication package in its unhashed (plain text) form. It is possible that the unhashed password was passed across the network, for example, when IIS performed basic authentication.
9 – NewCredentials -A caller (process, thread, or program) cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but it uses different credentials for other network connections.
10 – RemoteInteractive - A user logged on to this computer remotely using Terminal Services or a Remote Desktop connection.
11 – CachedInteractive - A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.

Event ID 529 will also have a process ID that can be used to find the program that passed on the logon attempt. Use the Task Manager (ctrl+alt+delete then select Task Manager, or if logged in remotely, Start / Windows Security) to lookup the name of the process, from the "Processes" tab, select View / Select Columns and check "PID (Process Identifier)" then click ok.

With Event ID 529, Logon Type 3, and a PID that turns out to be inetinfo.exe, the error was probably caused by an attempt to log in to the server via the remote web workspace, Outlook web access, etc... The web access log may have more information including the IP address of the attacker.

With Event ID 529, Logon Type 3, and a PID that turns out to be advapi it was(apparently) an attempt to log in via SMTP and relay email ^. The SMTP service can be set to log detailed events, which will include the IP address of the attacker.