How to Configure Authentication-Related Audit Policies in Windows Server 2016

What is Authentication Auditing?

Auditing is an important security component. Windows Server 2016 domain controllers and other servers log security-related events to the Security log, where you can monitor for and identify issues that might warrant further investigation. Auditing can log successful activities to provide documentation of changes, and it can log failed and potentially malicious attempts to access enterprise resources. For domain accounts, the Account Logon events (credential validation and Kerberos ticket requests) are written to the Security log of the domain controller that validated the credentials, not to the client the user signed in on.

Infrastructure Requirements:

  • 1 DC SERVER (DC-CLOUD) 
  • 1 Client PC running Windows 10 (CLIENT-10)

Let's get started.

01 – Configuring Authentication-related Audit Policies

1 – Open Server Manager, click Tools, and then click Group Policy Management.


2 – In the Group Policy Management Console, in the navigation pane, expand Forest: Windows.ae > Domains > Windows.ae > Group Policy Objects, right-click the Default Domain Controllers Policy, and then click Edit.


3 – In the Group Policy Management Editor window, in the navigation pane, expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies, and then click Audit Policy.


4 – In the details pane, double-click Audit account logon events, and then review the following configuration options:
• If you select the Define these policy settings check box, the policy is applied.
• If you select Success, successful logon attempts are logged.
• If you select Failure, failed logon attempts are logged.
• Select both check boxes to log both outcomes.

Click Cancel to close the Audit account logon events Properties dialog box.

If multiple policies contain the setting and define it differently, the Success and Failure options apply based on the last applied policy that defined those settings. Audit settings do not merge: if one policy defines success audits and another defines failure audits, only the setting from the last applied policy takes effect.

5 – In the Group Policy Management Editor window, in the navigation pane, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration, and then click Audit Policies.


6 – Under Audit Policies, note the ten main categories, and then click Account Logon.


7 – Note the four subcategories, and then double-click Audit Kerberos Authentication Service.

This subcategory has the same Success and Failure settings as the legacy Audit account logon events policy, but at a more detailed level, which allows more selective auditing. Once any advanced subcategory is configured, the subcategory settings take precedence over the legacy category settings (controlled by the Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings", which is enabled by default on Windows Server 2016).

8 – Select Configure the following audit events, select Success, select Failure, click Apply, and then click OK to close the Audit Kerberos Authentication Service Properties dialog box.

9 – On DC-CLOUD, right-click Start, and then click Command Prompt.

10 – Type gpupdate /force, press Enter, and then wait until the policy has been updated.
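The same Account Logon configuration, read back and verified from the command line on DC-CLOUD. This is an added example and not part of the original walkthrough; it uses auditpol.exe and the LSA registry value that backs the "force subcategory settings" Security Option. auditpol only edits the local audit policy, so the GPO configured above still wins at the next policy refresh; the local /set is shown for a server that is not covered by that GPO.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session on DC-CLOUD.

# 1. Effective state of all four Account Logon subcategories: this is what the DC will actually log,
#    whichever GPO or local setting produced it.
auditpol /get /category:"Account Logon"

# 2. Advanced subcategory settings only take precedence over the legacy "Audit account logon events"
#    category while SCENoApplyLegacyAuditPolicy is 1. If the value is absent the default applies,
#    which on Windows Server 2016 is enabled.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
if ($null -eq $lsa) {
    'SCENoApplyLegacyAuditPolicy not set (default: subcategory settings override legacy categories)'
} else {
    "SCENoApplyLegacyAuditPolicy = $($lsa.SCENoApplyLegacyAuditPolicy)"
}

# 3. Equivalent of step 8 for a server that is not covered by the Default Domain Controllers Policy.
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable

# 4. Refresh Group Policy (step 10) and re-read the single subcategory to confirm the result.
gpupdate /force /target:computer
auditpol /get /subcategory:"Kerberos Authentication Service"
```

If step 4 shows "Success and Failure" after the refresh, the GPO edit above has applied; if it reverts to "No Auditing", another GPO linked closer to the Domain Controllers OU is overriding it, which is the last-writer-wins behaviour described earlier.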

02 – Verify CLIENT Logon

1 – On CLIENT-10, attempt to sign in as Windows\Sifad with the password sifad@123.


2 – You will get a message that the user name or password is incorrect. Click OK.


3 – Sign in as Windows\Sifad with the password asd@123. Wait until the logon has finished and the CLIENT-10 desktop has loaded.

03 – Viewing logon events

1 – On DC-CLOUD (the domain controller that processed the Kerberos requests), open Server Manager, click Tools, and then click Event Viewer.


2 – In Event Viewer, in the navigation pane, expand Windows Logs, and then click Security.


3 – In the details pane, locate Event ID 4771 (Kerberos pre-authentication failed). Note that this is an Audit Failure event, logged when Windows\Sifad tried to sign in with the wrong password; the event's Status field of 0x18 (KDC_ERR_PREAUTH_FAILED) is the failure code for a bad password. Click Close.


4 – Locate Event ID 4768 (a Kerberos authentication ticket (TGT) was requested). Note that this is an Audit Success event, logged when Windows\Sifad signed in successfully. Click Close.

Close Event Viewer.
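The same two events pulled from the Security log with PowerShell, so the check can be repeated or scripted instead of scrolling through Event Viewer. This is an added example and not part of the original post; it assumes it is run on DC-CLOUD and that the account name Sifad from the walkthrough is the one of interest. It parses the EventData fields (TargetUserName, IpAddress, Status, PreAuthType) that 4768 and 4771 carry, and finishes with a per-client count of 4771 failures, which is the shape a password-guessing attempt leaves in this log.

```powershell
# Added example (not from the original post). Run on the domain controller that logged the events.
$User = 'Sifad'   # assumption: the test account used in the walkthrough

# 4768 = TGT requested (Audit Success on a good password), 4771 = pre-authentication failed.
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4768, 4771
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

# The typed EventData fields are easiest to read from the event's XML form.
$Rows = foreach ($e in $Events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Id       = $e.Id
        Outcome  = ($e.KeywordsDisplayNames -join ',')   # 'Audit Success' or 'Audit Failure'
        User     = $data['TargetUserName']
        ClientIP = $data['IpAddress']                     # often IPv4-mapped, e.g. ::ffff:10.0.0.5
        Status   = $data['Status']                        # 0x0 on 4768; 0x18 on 4771 = bad password
        PreAuth  = $data['PreAuthType']
    }
}

# The wrong-password attempt (4771) followed by the successful sign-in (4768) for the test user.
$Rows | Where-Object User -eq $User | Sort-Object Time | Format-Table -AutoSize

# Which clients are generating pre-authentication failures, most first.
$Rows | Where-Object { $_.Id -eq 4771 } |
    Group-Object ClientIP | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Status 0x18 on a 4771 is a bad password; other values such as 0x12 (account disabled or locked) or 0x17 (password expired) also appear as 4771 failures, so filter on Status when you only want guessing attempts. Because 4768/4771 are written by the KDC, run this on each domain controller (or forward the Security logs centrally) to see the whole domain.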
