User machines, servers, network storage devices, and data center systems hold huge volumes of data, much of it business critical. Who should and should not have access to a resource is decided by organizational policy and, in most organizations, enforced with Microsoft Active Directory. Active Directory (AD) lets system administrators centrally manage every object in the network and its attributes. With AD in place, setting up access rules and permissions without disrupting users is straightforward. But your job as a system administrator does not end with setting up Active Directory. You also have to monitor it and make sure everything is operational. Some of the parameters usually monitored in an AD environment are:
• Server statistics, to keep a check on the performance of the Active Directory server.
• LDAP (Lightweight Directory Access Protocol) activity, which helps detect whether hardware or network problems are slowing down client requests.
• Processor Queue Length, the number of threads waiting for CPU time; a persistently high value indicates the server is not keeping up with requests.
• Active Directory Domain Services (AD DS), which is responsible for authentication, user logon, and so on. If this service is stopped, users cannot log on to the domain.
But there is another essential metric that should be monitored: the number of failed logons on a Domain Controller. Before we go into why monitoring failed logons matters, let us look at the basic AD authentication mechanism.
Authentication involves a client and a Domain Controller (DC). A Domain Controller is a server that answers authentication requests from clients in the network. How AD handles the authentication process differs depending on whether it succeeds or fails.
Successful authentication: When a user enters a username and password at a workstation, the workstation submits the credentials to a domain controller, which validates them against the directory. If they match, the user is authenticated and access to the resource is granted.
Failed authentication: When a user's logon fails at the domain controller, the DC forwards the attempt to the Primary Domain Controller (PDC) emulator operations master before returning an error (wrong password, password expired, account locked out, and so on). This avoids spurious failures when the password was just changed and regular DC replication has not yet carried the change to the DC that received the logon. If the authentication fails at the PDC emulator as well, the attempt counts as a bad password: the PDC emulator increments the user's badPwdCount (the counter used for account lockout), the original DC increments its own copy, and the user is sent access denied. Each failed attempt increments badPwdCount. Note that badPwdCount is not replicated between DCs, so each DC holds its own value and the PDC emulator's value is the authoritative one.
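Because badPwdCount is held per DC and never replicated, the only way to see an account's real failure count is to ask each DC, with the PDC emulator's value as the authoritative one. The following PowerShell is an added example, not code from the original article. It assumes the RSAT ActiveDirectory module on a domain-joined host with rights to read user attributes; the function name and the account name jdoe are placeholders.

```powershell
# Added example (not from the original article): read the non-replicated
# badPwdCount attribute from every DC and flag the PDC emulator, whose count
# is authoritative. Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Get-BadPwdCountPerDC {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )
    $pdc = (Get-ADDomain).PDCEmulator
    # Default domain policy; a fine-grained password policy on the account
    # would override this threshold. 0 means lockout is disabled.
    $lockoutThreshold = (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                 -Properties badPwdCount, LastBadPasswordAttempt, LockedOut
            [pscustomobject]@{
                DC                     = $dc.HostName
                IsPdcEmulator          = ($dc.HostName -eq $pdc)
                BadPwdCount            = $u.badPwdCount
                LastBadPasswordAttempt = $u.LastBadPasswordAttempt
                LockedOut              = $u.LockedOut
                NearLockout            = ($lockoutThreshold -gt 0 -and
                                          $u.badPwdCount -ge ($lockoutThreshold - 1))
            }
        } catch {
            # An unreachable DC should not hide the results from the others.
            Write-Warning "Could not query $($dc.HostName): $_"
        }
    }
}

# 'jdoe' is a placeholder account name.
Get-BadPwdCountPerDC -SamAccountName 'jdoe' |
    Sort-Object IsPdcEmulator -Descending |
    Format-Table -AutoSize
```

Run it when a user reports unexpected lockouts: the DC with the most recent LastBadPasswordAttempt is the one that received the bad credentials, and its Security log is where to look for the source address.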
Observing failed logons on a Domain Controller lets you proactively monitor security in an organization:
• You never know when a rogue user will try to break into a resource by trying different username and password combinations. So when you see a run of failed logons with incorrect credentials (Event ID 529 on Windows Server 2003; 4625 on Windows Server 2008 and later) or detect a replay of a user's credentials (Event ID 553; 4649 on Windows Server 2008 and later), you can spot an attack. Keeping records of failed logons and account lockouts also lets you review their trend over time.
• Most banks and finance organizations restrict employee logons to set hours. If you see logon attempts or account lockouts outside the permitted hours, investigate as soon as possible. Activity outside working hours may be an intruder, and without immediate attention the intruder may find a way into the resources that hold your business-critical information.
• Failed logons also help track security violations such as a user attempting to run a process or access a program they are not authorized for. Examples include a user trying to map a drive to a server, shut down the anti-virus on their machine, or open a restricted program on a shared server. Such actions require administrative privileges, and the user may try various username and password combinations to obtain them. Monitoring failed logons tells you when users attempt to reach what they are not allowed to.
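The three checks above (a burst of bad credentials for one account, activity outside permitted hours, and lockouts) can be run against the DC's Security log directly. The PowerShell below is an added example, not code from the original article. It assumes a Windows Server 2008 or later DC, where the failed-logon events are 4625 (failed logon), 4771 (Kerberos pre-authentication failed) and 4740 (account locked out), and rights to read the Security log; the function names, the threshold, the business hours and the sample events are constructed assumptions.

```powershell
# Added example (not from the original article): turn failed-logon events on a DC
# into alerts. Assumes Windows Server 2008+ event IDs (4625/4771/4740).

function ConvertFrom-SecurityEvent {
    # Extract the named EventData fields from a Get-WinEvent record.
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time   = $Event.TimeCreated
            Id     = $Event.Id
            User   = $data['TargetUserName']
            # 4740 carries the caller computer name in TargetDomainName, not an IP.
            Source = if ($Event.Id -eq 4740) { $data['TargetDomainName'] }
                     else { $data['IpAddress'] -replace '^::ffff:', '' }
        }
    }
}

function Find-SuspiciousLogonFailures {
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # objects with Time, Id, User, Source
        [int] $Threshold     = 5,   # failures per user+source within the window
        [int] $WindowMinutes = 10,
        [int] $WorkStart     = 8,   # permitted hours, local time: 08:00-18:00 weekdays
        [int] $WorkEnd       = 18
    )
    $alerts = New-Object System.Collections.Generic.List[string]

    # Lockouts always deserve a ticket.
    foreach ($e in $Events | Where-Object Id -eq 4740) {
        $alerts.Add("LOCKOUT $($e.Time.ToString('u')) user=$($e.User) caller=$($e.Source)")
    }

    # Burst of failures for one account from one source: guessing or spraying.
    $failures = @($Events | Where-Object { $_.Id -in 4625, 4771 })
    foreach ($g in $failures | Group-Object User, Source) {
        $times = @($g.Group.Time | Sort-Object)
        for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
            $span = $times[$i + $Threshold - 1] - $times[$i]
            if ($span.TotalMinutes -le $WindowMinutes) {
                $alerts.Add("BURST $($g.Name): $Threshold failures within $([int]$span.TotalMinutes) min from $($times[$i].ToString('u'))")
                break
            }
        }
    }

    # Any failure outside the permitted hours or on a weekend.
    foreach ($e in $failures) {
        $h = $e.Time.Hour
        $weekend = $e.Time.DayOfWeek -in 'Saturday', 'Sunday'
        if ($weekend -or $h -lt $WorkStart -or $h -ge $WorkEnd) {
            $alerts.Add("OFFHOURS $($e.Time.ToString('u')) user=$($e.User) from=$($e.Source) id=$($e.Id)")
        }
    }
    return $alerts
}

# Live use on a DC (last 24 hours):
# $events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625,4771,4740;
#               StartTime=(Get-Date).AddHours(-24)} | ConvertFrom-SecurityEvent

# Constructed sample so the logic can be exercised without a DC:
$t0 = Get-Date '2024-03-12 02:10:00'   # a Tuesday, 02:10 local time
$events = @(
    0..5 | ForEach-Object { [pscustomobject]@{ Time=$t0.AddSeconds(20*$_); Id=4625; User='svc-backup'; Source='10.0.5.23' } }
    [pscustomobject]@{ Time=$t0.AddMinutes(3); Id=4740; User='svc-backup'; Source='WS-0412' }
    [pscustomobject]@{ Time=(Get-Date '2024-03-12 09:30:00'); Id=4771; User='jdoe'; Source='10.0.7.8' }
)
Find-SuspiciousLogonFailures -Events $events | ForEach-Object { Write-Output $_ }
```

With the sample above the output is one LOCKOUT line, one BURST line for svc-backup from 10.0.5.23, and six OFFHOURS lines for the 02:10 attempts; the 09:30 failure for jdoe is a single daytime typo and raises nothing. Scheduling this as a task that forwards the alerts to a ticketing system or SIEM gives the proactive response that reading the log by hand cannot.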
While it is possible to monitor failed logons by reading the event logs by hand, this does not allow the IT team to respond proactively. Worse, it is tedious and therefore hard to keep up. Fortunately, a number of solutions can monitor failed logons, report on them over time, and, best of all, raise real-time alerts that keep sharp administrators ahead of security disasters. Server and Application Monitors collect system statistics and alert when thresholds are exceeded. User Device Trackers monitor Active Directory events in real time and map users to physical or logical ports. Log and Event Monitors examine user activity events across the organization and its applications, looking for that one critical needle in a haystack of activity. There has never been a better time to consider a monitoring solution that helps with failed logon monitoring and keeps your Active Directory forest in top shape.