How to Find the Source of Failed Logon Attempts
Learn how to track down the origin of failed logon attempts by enabling logon failure auditing and analyzing Event ID 4625 in the Windows Event Viewer to identify details such as the source IP address and device involved
Failed logon attempts can signal unauthorized access attempts, mistyped credentials or plain configuration mistakes. For IT administrators, finding out where the attempts originate is essential to keeping the network secure and to telling an attack apart from a stale password in a scheduled task.
This guide will walk you through how to track down the source of failed logon attempts in a Windows environment.
Why is it Important to Analyze Failed Logon Attempts?
- Prevent Security Breaches: Many failures against one account, or one failure each against many accounts from a single source, usually means someone is guessing passwords (brute force or password spraying).
- Identify Misconfigurations: Often the failures come from services, scheduled tasks, mapped drives or scripts that still use an old password.
- Troubleshoot User Issues: This can help users who are dealing with account lockouts or entering the wrong credentials.
Steps to Check the Source of Failed Logon Attempts
1. Enable Audit Logs
Before diving into the investigation, make sure that auditing for logon events is turned on:
- Open the Local Group Policy Editor (type gpedit.msc) on the machine you are investigating, or edit the GPO that applies to it on a domain.
- Navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies (shown as System Audit Policies in the local editor).
- Enable these subcategories for both Success and Failure:
- Logon/Logoff > Audit Logon. This produces Event ID 4624 on success and 4625 on failure, logged on the machine where the logon was attempted.
- Account Logon > Audit Credential Validation. This produces Event ID 4776 for NTLM credential checks, logged on the domain controller for domain accounts and on the local machine for local accounts.
- Make sure Security Options > "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled, otherwise the legacy "Audit logon events" and "Audit account logon events" settings under Local Policies > Audit Policy can override the subcategories above.
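The same settings applied from an elevated PowerShell prompt with auditpol, as an added example that is not part of the original article. It assumes a stand-alone or locally managed machine; on a domain member a GPO that sets these subcategories wins at the next policy refresh, so make the change in the GPO instead.

```powershell
# Added example (not from the original article): check and enable the audit
# subcategories that produce Event ID 4625 and 4776. Run elevated.
# Assumption: local audit policy is not overridden by a domain GPO.

# Current state of the two subcategories that matter for failed logons.
auditpol /get /subcategory:"Logon","Credential Validation"

# Logon/Logoff > Audit Logon: 4624 on success, 4625 on failure, written on the
# machine where the logon was attempted.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable

# Account Logon > Audit Credential Validation: 4776 for NTLM credential checks,
# written on the DC for domain accounts and locally for local accounts.
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable

# Confirm the change: both lines should now read "Success and Failure".
auditpol /get /category:"Logon/Logoff","Account Logon"
```

auditpol writes the same registry-backed policy that the Advanced Audit Policy Configuration node edits, so the two views should agree; if `auditpol /get` still shows "No Auditing" after a policy refresh, a GPO is overriding the local setting.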
2. Check Event Viewer Logs
Event Viewer is your go-to tool for tracking those failed logon attempts.
- Launch Event Viewer (you can find it by typing eventvwr.msc).
- Navigate to Windows Logs > Security.
- Look for these Event IDs that are linked to logon failures:
- Event ID 4625: A failed logon attempt, logged on the machine where the logon was attempted.
- Event ID 4776: An NTLM credential validation failure, logged on the domain controller for domain accounts (on the local machine for local accounts). Its Source Workstation field names the client. Kerberos pre-authentication failures for domain accounts appear on the DC as Event ID 4771 instead.
- Take a closer look at the 4625 event details:
- Account For Which Logon Failed: the account whose logon was refused. The Subject section is the account that requested the logon, which for network logons is usually NULL SID / "-", so it rarely identifies the source.
- Logon Type: the logon method: 2 = interactive (console), 3 = network (file shares, NLA-protected Remote Desktop), 4 = batch (scheduled task), 5 = service, 7 = unlock, 10 = RemoteInteractive (Remote Desktop).
- Failure Information: the Status and Sub Status NTSTATUS codes say why the logon failed, for example 0xC000006A (wrong password), 0xC0000064 (user name does not exist), 0xC0000234 (account locked out) and 0xC0000072 (account disabled).
- Network Information: Workstation Name and Source Network Address of the source. The address is "-" or 127.0.0.1 for local logons and for some service logons; when it is "-", correlate with 4776 on the domain controller, whose Source Workstation field still names the client.
3. Use PowerShell to Search Logs
PowerShell can speed up your search for logon events; both cmdlets need an elevated prompt because the Security log is readable only by administrators:
- Get-EventLog is the legacy cmdlet (it does not exist in PowerShell 7). Filter with -InstanceId instead of piping the whole log through Where-Object:
- Get-EventLog -LogName Security -InstanceId 4625 -Newest 50 | Select-Object -Property TimeGenerated, Message
- With the newer Get-WinEvent, pass a filter hashtable so the filtering happens inside the event log service; piping every Security event through Where-Object is orders of magnitude slower on a busy server:
- Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 50 | Select-Object TimeCreated, Message
4. Analyze Account Lockout Tools
In a domain environment, Microsoft's Account Lockout and Management Tools (ALTools) help trace where bad passwords originate. LockoutStatus.exe queries every domain controller for an account's bad password count, last bad password time and lockout time, which tells you which DC saw the failures; EventCombMT collects the related Security events from several DCs into one view.
5. Check Network Devices and Logs
If the Event Viewer does not give you a usable source address:
- Check the logs on your firewalls, VPN concentrators or intrusion detection systems (IDS) for connections to the affected host around the time of the failures.
- Use netstat to list current connections together with the owning process; this is a snapshot of what is connected right now, not a history, so it only helps while the source is still connected:
- netstat -ano | findstr "ESTABLISHED"
6. Identify Persistent Sources
Use the Account Lockout Status tool (LockoutStatus.exe) to find out which domain controller(s) recorded the bad password count for the account and when. The tool does not name the offending machine by itself: open the Security log on the DC it points to and look for Event ID 4740 (A user account was locked out), whose Caller Computer Name field identifies the machine that sent the bad credentials. Then check that machine for stale credentials in services, scheduled tasks, mapped drives and Credential Manager.
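Steps 3 and 6 together, as an added PowerShell example that is not from the original article and not part of Microsoft's ALTools. It parses Security events as XML, summarises 4625 failures per source address, and extracts the caller computer from 4740 lockout events. The function names, the suspicion thresholds and the sample events are assumptions made for this example; the sample events are constructed, not real log output, so the script runs offline, and the commented lines at the end show how to feed it live events.

```powershell
# Added example, not part of the original article and not Microsoft's ALTools.
# Function names, thresholds and sample data are assumptions for illustration.
# Field names are those of the EventData section of 4625 and 4740.

# Well-known NTSTATUS codes seen in the Status / Sub Status fields of 4625.
$FailureReasons = @{
    '0xc000006a' = 'wrong password'
    '0xc0000064' = 'user name does not exist'
    '0xc0000234' = 'account locked out'
    '0xc0000072' = 'account disabled'
    '0xc000006f' = 'logon outside permitted hours'
    '0xc0000070' = 'workstation restriction'
    '0xc0000071' = 'password expired'
    '0xc0000193' = 'account expired'
}

function ConvertFrom-SecurityEventXml {
    # Flattens one event (XML string, or an EventRecord from Get-WinEvent) into an
    # object with EventId, TimeCreated and one property per <Data Name="..."> entry.
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $x = [xml]$(if ($Event -is [string]) { $Event } else { $Event.ToXml() })
        $eid = $x.Event.System.EventID   # a string, or an element if it carries attributes
        $rec = [ordered]@{
            EventId     = [int]$(if ($eid -is [string]) { $eid } else { $eid.'#text' })
            TimeCreated = $x.Event.System.TimeCreated.SystemTime
        }
        foreach ($d in $x.Event.EventData.Data) { $rec[$d.Name] = $d.'#text' }
        [pscustomobject]$rec
    }
}

function Get-LogonFailureSummary {
    # Groups 4625 records by source address. One address hitting many accounts
    # (password spraying) or one account many times (brute force, or a service
    # with a stale password when LogonType is 4 or 5) is flagged as suspicious.
    param([Parameter(ValueFromPipeline)] $Record, [int]$Threshold = 5)
    begin { $failures = [System.Collections.Generic.List[object]]::new() }
    process { if ($Record.EventId -eq 4625) { $failures.Add($Record) } }
    end {
        $failures | Group-Object IpAddress | ForEach-Object {
            $accounts = @($_.Group.TargetUserName | Sort-Object -Unique)
            $reasons  = $_.Group | ForEach-Object {
                # Status is usually the generic 0xC000006D; Sub Status carries the real reason.
                $code = [string]$(if ($_.SubStatus -and $_.SubStatus -ne '0x0') { $_.SubStatus } else { $_.Status })
                $code = $code.ToLower()
                if ($FailureReasons.ContainsKey($code)) { $FailureReasons[$code] } else { $code }
            }
            [pscustomobject]@{
                Source       = $_.Name
                Attempts     = $_.Count
                Accounts     = $accounts.Count
                Workstations = (@($_.Group.WorkstationName | Sort-Object -Unique) -join ',')
                LogonTypes   = (@($_.Group.LogonType | Sort-Object -Unique) -join ',')
                TopReason    = ($reasons | Group-Object | Sort-Object Count -Descending | Select-Object -First 1).Name
                Suspicious   = ($_.Count -ge $Threshold) -or ($accounts.Count -ge 3)
            }
        } | Sort-Object Attempts -Descending
    }
}

function Get-LockoutCaller {
    # In 4740 the locked account is TargetUserName and, despite its name,
    # TargetDomainName holds the Caller Computer Name that sent the bad passwords.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        if ($Record.EventId -eq 4740) {
            [pscustomobject]@{
                TimeCreated    = $Record.TimeCreated
                LockedAccount  = $Record.TargetUserName
                CallerComputer = $Record.TargetDomainName
                RecordedByDC   = $Record.SubjectUserName
            }
        }
    }
}

# --- constructed sample events (not real log output) -------------------------
function New-SampleEventXml {
    param([int]$Id, [hashtable]$Data, [string]$Time = '2024-03-01T08:00:00.000Z')
    $fields = ($Data.GetEnumerator() | ForEach-Object { "<Data Name=""$($_.Key)"">$($_.Value)</Data>" }) -join ''
    "<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event""><System><EventID>$Id</EventID>" +
    "<TimeCreated SystemTime=""$Time""/></System><EventData>$fields</EventData></Event>"
}
$fail = { param($User, $Ip, $Ws, $Type)
    New-SampleEventXml -Id 4625 -Data @{ TargetUserName = $User; TargetDomainName = 'CORP'; Status = '0xc000006d'
        SubStatus = '0xc000006a'; LogonType = $Type; WorkstationName = $Ws; IpAddress = $Ip } }
$sample = @(
    & $fail 'alice' '10.0.0.5' 'WS01' 10                                             # one Remote Desktop typo
    1..6 | ForEach-Object { & $fail 'svc_backup' '10.0.0.9' 'APP02' 4 }              # scheduled task, stale password
    'bob','carol','dave','erin' | ForEach-Object { & $fail $_ '203.0.113.7' '-' 3 }  # spray from outside
    New-SampleEventXml -Id 4740 -Data @{ TargetUserName = 'svc_backup'; TargetDomainName = 'APP02'; SubjectUserName = 'DC01$' }
)

$records = $sample | ConvertFrom-SecurityEventXml
$records | Get-LogonFailureSummary -Threshold 5 | Format-Table -AutoSize
$records | Get-LockoutCaller | Format-Table -AutoSize

# Live use: 4625 lives on the machine that refused the logon, 4740 on each DC.
# Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625; StartTime=(Get-Date).AddDays(-1) } |
#     ConvertFrom-SecurityEventXml | Get-LogonFailureSummary
# Get-WinEvent -ComputerName DC01 -FilterHashtable @{ LogName='Security'; Id=4740 } |
#     ConvertFrom-SecurityEventXml | Get-LockoutCaller
```

On the sample data the summary flags 10.0.0.9 (six failures against one account from a batch logon, the classic stale scheduled-task password) and 203.0.113.7 (four different accounts, one failure each, the shape of a password spray) while alice's single typo is left alone; the lockout output names APP02 as the caller for svc_backup, which is where to go and fix the credential.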
Common Scenarios and Fixes
- User Input Error: Ask the user to double-check their credentials and the keyboard layout or Caps Lock state.
- Saved Credentials Issues: Clear stale passwords from Credential Manager and reconnect mapped drives with the new password.
- Service Account Misconfiguration: Update the credentials stored in the service, scheduled task or application that keeps retrying; a 4625 with Logon Type 4 or 5 is the usual sign.
- Brute-Force Attacks: Block the source addresses at the firewall, enforce an account lockout policy, and avoid exposing Remote Desktop or SMB directly to the internet.
Preventing Future Failed Logon Attempts
- Enable Strong Password Policies: Require long, complex passwords and rotate them when compromise is suspected.
- Implement Multi-Factor Authentication (MFA): A second factor stops a guessed or leaked password from being enough to log on.
- Monitor Logs Regularly: Forward the Security log to a SIEM (Security Information and Event Management) tool so that spikes in 4625, 4771 and 4776 are alerted on automatically.
- Tune the Account Lockout Policy: Set a lockout threshold high enough that typos do not lock users out but low enough to slow down password guessing. Be aware that a very low threshold lets an attacker deliberately lock out any account by sending a few bad passwords.
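The lockout policy viewed and tuned from an elevated prompt with net accounts, as an added example that is not from the original article. The threshold values are illustrative assumptions, not a recommendation for every environment; on a domain, set the same values in the Default Domain Policy or a fine-grained password policy rather than on individual machines.

```powershell
# Added example (not from the original article): inspect and tune the local
# account lockout policy. Assumption: values below suit a typical office network;
# on a domain the Default Domain Policy or a fine-grained password policy applies.

# Current policy. "Lockout threshold: Never" means password guessing is
# unthrottled and only the audit log will ever reveal it.
net accounts

# Lock after 10 bad passwords, unlock automatically after 15 minutes, and reset
# the bad-password counter 15 minutes after the last failure. This still stops
# online guessing, is hard to trip with a few typos, and a short duration limits
# the damage if an attacker locks accounts on purpose with a low threshold.
net accounts /lockoutthreshold:10 /lockoutduration:15 /lockoutwindow:15

# Confirm: the three "Lockout" lines should show the new values.
net accounts
```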
Frequently asked questions:
- What is Event ID 4625?
  Event ID 4625 in the Security log of Event Viewer records a failed logon attempt on the machine where the logon was tried.
- How can I track failed logon attempts on a domain controller?
  Enable auditing for logon events and credential validation on the domain controller and analyze the Security log in Event Viewer or with PowerShell. Note that a failed network logon with a domain account shows up on the DC as 4776 (NTLM) or 4771 (Kerberos pre-authentication failure), while the 4625 is written on the server the user was trying to reach.
- Can I block IPs causing repeated failed logons?
  Yes, you can block them with firewall rules or an intrusion prevention system, although for sources inside your own network the better fix is to find and correct the stale credential.
- What tools can help analyze failed logons?
  Microsoft's Account Lockout and Management Tools (LockoutStatus.exe, EventCombMT), SIEM solutions and PowerShell (Get-WinEvent) are effective for analyzing failed logons.
- Why do I see failed logon attempts without user intervention?
  These usually come from automated processes such as scheduled tasks, services or mapped drives that still hold an old password, or from malicious password guessing; the Logon Type and source address in the event tell the two apart.