2006/04/03

Resource Edition


This extra monthly edition of Security UPDATE lets you know about resources and events that can help you keep your security knowledge and skills up to date and keep your Windows and other systems secure.

====================

==== Security Q&A ====

by Randy Franklin Smith, rsmith@ultimatewindowssecurity.com

Q: How can I distinguish between logon failures caused by disabled accounts, expired accounts, and locked-out accounts?

A: If your users' workstations use Kerberos to authenticate to your domain controller (DC), you won't be able to distinguish between the three logon-failure reasons you mention. The Account Logon Security log category logs Kerberos authentication failures with Request for Comments (RFC) 1510's standard Kerberos failure codes, which lack that kind of granularity. On Windows 2000 Server, event ID 676 records all three types of authentication failures under the same failure code: 18. On Windows Server 2003, failure-type event ID 672 replaces event ID 676.

The Logon/Logoff Security log category isn't really any help either. Although the category does log a specific error code for each type of failure, Windows logs Logon/Logoff events where the logon occurs, not where the authentication takes place. Logon occurs on the workstation, which means that to find the logon failure reason, you'd have to track each Kerberos event ID 676 (Win2K) or failure-type event ID 672 (Windows 2003) with failure code 18 to the appropriate workstation and find the corresponding Logon/Logoff event on that workstation.

If your user workstations are Win2K or later, they're authenticating via Kerberos. But pre-Win2K workstations authenticate via NT LAN Manager. NTLM authentication failures provide a different error code for each reason a logon might fail. Look for event ID 681 on Win2K DCs and for failure-type event ID 680 on Windows 2003 DCs, then check the error code in the event's description. For disabled accounts, the error code will be 3221225586; for expired accounts, 3221225875; and for locked-out accounts, 3221226036.

(This Security Q&A originally appeared in the Windows IT Security newsletter's Access Denied column.)
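
The lookup described in the answer above, as an added Python example that is not part of the newsletter: it classifies DC Security log events by the event IDs and codes the answer gives. The event descriptions are constructed samples, the "code: value" field layout is an assumption, and the function names are hypothetical.

```python
import re
from collections import Counter

# NTLM error codes as the answer gives them (decimal); hex form noted alongside.
NTLM_REASONS = {
    3221225586: "account disabled",    # 0xC0000072
    3221225875: "account expired",     # 0xC0000193
    3221226036: "account locked out",  # 0xC0000234
}
NTLM_EVENT_IDS = {681, 680}      # Win2K DC / Windows 2003 DC (failure type)
KERBEROS_EVENT_IDS = {676, 672}  # Win2K DC / Windows 2003 DC (failure type)
KERBEROS_AMBIGUOUS = 18          # one Kerberos code for all three reasons

# Assumed layout: a "... code ...: <value>" field, value in decimal or 0x-hex.
CODE_RE = re.compile(r"\bcode\b[^:]*:\s*(0x[0-9a-f]+|\d+)", re.IGNORECASE)

def parse_code(description):
    """Return the numeric code in an event description, or None if absent."""
    m = CODE_RE.search(description)
    if m is None:
        return None
    return int(m.group(1), 16 if m.group(1).lower().startswith("0x") else 10)

def classify(event_id, is_failure, description):
    """Map one DC Security log event to a logon-failure reason, or None."""
    code = parse_code(description) if is_failure else None
    if code is None:
        return None
    if event_id in NTLM_EVENT_IDS:
        return NTLM_REASONS.get(code, "other NTLM failure (code %d)" % code)
    if event_id in KERBEROS_EVENT_IDS and code == KERBEROS_AMBIGUOUS:
        return "disabled, expired or locked out (see workstation log)"
    return None

# Constructed sample events: (event ID, is failure type, description).
SAMPLE_EVENTS = [
    (681, True, "The logon to account: jdoe failed. The error code was: 3221225586"),
    (680, True, "Logon account: asmith Error Code: 0xC0000193"),
    (680, True, "Logon account: bwong Error Code: 0xC0000234"),
    (680, False, "Logon account: bwong Error Code: 0x0"),
    (676, True, "User Name: jdoe Failure Code: 0x12"),
]

def tally(events):
    reasons = (classify(*event) for event in events)
    return Counter(r for r in reasons if r is not None)

if __name__ == "__main__":
    print(dict(tally(SAMPLE_EVENTS)))
```

The Kerberos branch can only report the ambiguous result; resolving it still means finding the matching Logon/Logoff event on the workstation, as the answer explains.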

==== Security Resources ====

The following Security-related resources are brought to you by Windows IT Pro. For additional resources and information, visit http://list.windowsitpro.com/t?ctl=25B57:610453

Understand and Leverage SSL-TLS for Secure Communications
Get all you need to know about today's most popular security protocols for secure Web-based communications.
http://list.windowsitpro.com/t?ctl=25B52:610453

How much are you spending on IT compliance?
Streamline and automate the compliance life cycle with this FREE white paper, and reduce your costs today!
http://list.windowsitpro.com/t?ctl=25B51:610453

====================

==== Contact Us ====

About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=25B56:610453
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today. http://list.windowsitpro.com/t?ctl=25B53:610453

View the Windows IT Pro Privacy policy at http://list.windowsitpro.com/t?ctl=25B55:610453

Windows IT Pro is a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538, Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All Rights Reserved.
