How to Find the Source of Failed Logon Attempts

Failed logon attempts can indicate security risks such as unauthorized access attempts, incorrect credentials, or configuration errors. Identifying the source of these attempts is crucial for IT administrators to maintain network security and prevent breaches. This guide explains how to find the source of failed logon attempts in a Windows environment.


Why is it Important to Investigate Failed Logon Attempts?

  1. Prevent Security Breaches: Frequent failed attempts may indicate a brute-force attack.
  2. Identify Misconfigurations: Failed attempts might arise from misconfigured services or scripts.
  3. Troubleshoot User Issues: Assist users facing account lockouts or incorrect credentials.

Steps to Find the Source of Failed Logon Attempts

1. Enable Audit Logs

Before investigating, ensure auditing for logon events is enabled:

  1. Open Group Policy Editor (gpedit.msc).
  2. Navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff.
  3. Enable the following policies:
    • Audit Logon Events (Success and Failure).
    • Audit Account Logon Events (Success and Failure).

2. Check Event Viewer Logs

Event Viewer is the primary tool for tracking failed logon attempts.

  1. Open Event Viewer (eventvwr.msc).
  2. Navigate to Windows Logs > Security.
  3. Look for the following Event IDs related to logon failures:
    • Event ID 4625: Failed logon attempt.
    • Event ID 4776: NTLM authentication failure.
  4. Analyze the event details:
    • Subject and Account For Which Logon Failed: Identify the account that requested the logon and the account whose logon was rejected.
    • Logon Type: Indicates the logon method (e.g., interactive, remote desktop).
    • Source Network Address and Workstation Name: Display the IP address and hostname of the machine the attempt came from.

3. Use PowerShell to Search Logs

PowerShell provides a faster way to search logon events. In Windows PowerShell 5.1 (Get-EventLog is not available in PowerShell 7):

# Read the Security log and keep only failed logon events (4625)
Get-EventLog -LogName Security | Where-Object { $_.EventID -eq 4625 } | Select-Object -Property TimeGenerated, Message

Alternatively, use the newer Get-WinEvent cmdlet; filtering with a hashtable is done by the event log service itself and is much faster than piping every event through Where-Object:

# Server-side filter on log name and event ID
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } | Select-Object TimeCreated, Message
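As an added example that is not part of the original guide, the script below (assumed to run in an elevated PowerShell session with permission to read the Security log) extracts the fields described in step 2 from each 4625 event of the last 24 hours and ranks the source addresses by failure count, so the noisiest origin surfaces first:

```powershell
# Added example, not from the original guide.
# Assumes: elevated session, read access to the Security log, Windows PowerShell 5.1 or later.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue   # no error if nothing matched

$rows = foreach ($ev in $events) {
    # The interesting fields live in EventData; read them by name, not by position
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time        = $ev.TimeCreated
        TargetUser  = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        LogonType   = $data['LogonType']         # 2 interactive, 3 network, 10 remote desktop, ...
        SourceIP    = $data['IpAddress']         # '-' when the attempt originated locally
        Workstation = $data['WorkstationName']
        SubStatus   = $data['SubStatus']         # 0xC000006A bad password, 0xC0000064 unknown user
    }
}

# Group by source address, most failures first, and list which accounts each source tried
$rows | Group-Object SourceIP | Sort-Object Count -Descending |
    Select-Object @{ n = 'SourceIP';   e = { $_.Name } },
                  Count,
                  @{ n = 'Accounts';   e = { ($_.Group.TargetUser | Sort-Object -Unique) -join ', ' } },
                  @{ n = 'LogonTypes'; e = { ($_.Group.LogonType  | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

A single source trying many different accounts points at password spraying, while one account failing from one workstation with SubStatus 0xC000006A is usually a stale saved credential or a misconfigured service.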

4. Analyze Account Lockout Tools

For domain environments, use Microsoft’s Account Lockout and Management Tools to identify sources of failed logons. Tools like ALTools can trace account lockout issues efficiently.

5. Check Network Devices and Logs

If no clues are found in the Event Viewer:

  • Examine logs on firewalls, VPN devices, or intrusion detection systems (IDS).

  • Use the netstat command to list the connections currently established to the machine (it shows live connections only, not past attempts):

    netstat -an | findstr "ESTABLISHED"

6. Identify Persistent Sources

Use the Account Lockout Status Tool (LockoutStatus.exe) to identify which machines are sending incorrect credentials repeatedly.


Common Scenarios and Fixes

  1. User Input Error: Inform the user to recheck credentials.
  2. Saved Credentials Issues: Clear saved passwords from the Credential Manager.
  3. Service Account Misconfiguration: Update service credentials in the application or scheduled task.
  4. Brute-Force Attacks: Block suspicious IP addresses and enforce account lockout policies.

Preventing Future Failed Logon Attempts

  1. Enable Strong Password Policies: Require complex and regularly updated passwords.
  2. Implement Multi-Factor Authentication (MFA): Add a layer of security to logins.
  3. Monitor Logs Regularly: Automate log analysis with SIEM (Security Information and Event Management) tools.
  4. Restrict Account Lockouts: Set thresholds for failed attempts to minimize disruptions.
