When credentials are submitted for a user account logon request, the operating system generates audit events; the Audit Credential Validation policy setting determines whether those events are recorded.
The events occur on the computer that is authoritative for the credentials:
- For Domain Accounts, the Domain Controller is authoritative
- For Local Accounts, the Local Computer is authoritative
In an enterprise environment, domain accounts are used more often than local accounts, so most user logon requests are made in the Domain Environment, for which Domain Controllers are authoritative. As a result, the event volume is high on Domain Controllers and low on member servers and workstations.
Events for Audit Credential Validation are listed below:
| Event | State | Description |
|-------|-------|-------------|
| 4774 | Success, Failure | An account was mapped for logon |
| 4775 | Failure | An account could not be mapped for logon |
| 4776 | Success, Failure | A computer attempted to validate the credentials for an account |
| 4777 | Failure | Domain Controller failed to validate the credentials for an account |
Most account logon events occur in the Security log of the Domain Controllers; these events can also occur on local computers when logon requests for local accounts are received. This policy is used for NTLM authentication in the domain. Enabling this group policy (audit setting) makes it possible to monitor unsuccessful attempts and to find brute-force attacks, account enumeration, and potential account compromise events on DCs.
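The following sketch shows how event 4776 records can be triaged for the three patterns named above. It is an added example, not part of the original page: the record layout, the five-minute window, the threshold and the sample events are all assumptions, and the status values are the NTSTATUS codes that event 4776 reports in its Error Code field.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# NTSTATUS values found in the 4776 "Error Code" field
OK, NO_SUCH_USER, WRONG_PASSWORD = 0x0, 0xC0000064, 0xC000006A
# Assumed tuning values: look-back window and hits needed to raise a finding
WINDOW = timedelta(minutes=5)
MIN_HITS = 5

BASE = datetime(2024, 1, 1, 9, 0, 0)
# Constructed sample: (time, logon account, source workstation, error code)
EVENTS = (
    # WS-A submits six account names that do not exist
    [(BASE + timedelta(seconds=10 * i), f"user{i}", "WS-A", NO_SUCH_USER) for i in range(6)]
    # WS-B gets svc_backup's password wrong six times, then validates successfully
    + [(BASE + timedelta(seconds=20 * i), "svc_backup", "WS-B", WRONG_PASSWORD) for i in range(6)]
    + [(BASE + timedelta(seconds=130), "SVC_BACKUP", "WS-B", OK)]
    # Ordinary user: one mistyped password, then a success
    + [(BASE + timedelta(seconds=5), "alice", "WS-C", WRONG_PASSWORD),
       (BASE + timedelta(seconds=15), "alice", "WS-C", OK)]
)


def analyze(events):
    """Return sorted (finding, subject) pairs for a list of 4776 records."""
    findings = set()
    unknown = defaultdict(list)   # workstation -> [(time, account)]
    wrong = defaultdict(list)     # account -> [time of each wrong password]
    for when, account, workstation, status in sorted(events):
        account = account.lower()  # Windows account names are case-insensitive
        if status == NO_SUCH_USER:
            unknown[workstation].append((when, account))
            recent = {a for t, a in unknown[workstation] if when - t <= WINDOW}
            if len(recent) >= MIN_HITS:     # many distinct unknown names, one source
                findings.add(("account_enumeration", workstation))
        elif status == WRONG_PASSWORD:
            wrong[account].append(when)
            recent = [t for t in wrong[account] if when - t <= WINDOW]
            if len(recent) >= MIN_HITS:     # many bad passwords for one account
                findings.add(("brute_force", account))
        elif status == OK:
            recent = [t for t in wrong[account] if when - t <= WINDOW]
            if len(recent) >= MIN_HITS:     # success right after a failure burst
                findings.add(("possible_compromise", account))
    return sorted(findings)
```

None of these findings is possible under the default Success-only setting, because the failure records they depend on are never written.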
Vulnerability:
Forensic analysts might not be able to detect a security incident, or gather enough evidence of one, if audit settings are not configured or are too lenient on the computers in your organization. If the audit settings are too severe, critically important entries in the Security log can be obscured by meaningless entries, and the performance of the computer and the available data storage can be seriously affected. Companies that operate in certain regulated industries are obligated to log certain events and activities.
Security Recommendations:
The recommended configuration can be applied through Group Policy. To do so, confirm that the UI path below is set as prescribed.
Policy Path:
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Logon\Audit Credential Validation
Set the above-mentioned UI path to Success and Failure to establish the recommended configuration via Group Policy.
Default Value:
By default, the policy is set to Success.
Automate audit policy implementation:
By using hardening automation tools, you'll be able to easily implement your audit policies across your entire production environment. Hardening automation tools will help you implement the right policy on the right machine and will eliminate the risk of production downtime.