Audit Status - Logon auditing is disabled

6 replies to this topic

#1 ddockter

    Newbie

  • Members
  • 4 posts

Posted 19 April 2018 - 04:08 PM

ALE is showing an audit status of "Logon auditing is disabled, some functionality will be unavailable for this DC. Please turn on auditing of invalid logons in audit policy settings for this DC.".  This has been working properly for quite some time.  I suspect it has something to do with installing a trial of Netwrix Auditor. That product is showing when an account gets locked out, but ALE is not. 


#2 AndreyK

    Member

  • Members
  • 14 posts

Posted 23 April 2018 - 09:51 AM

Hello,


Did you check this article: https://www.netwrix.com/kb/1571 ?


This might have to do with Advanced Audit Policy settings vs Basic ones. ALE is checking Basic settings while Netwrix Auditor by default configures Advanced: https://helpcenter.n.../AD_Manual.html


The best way to check if auditing is configured on the DC is running an elevated command prompt and executing the following command: auditpol /get /category:*

Note that your DC must be 2008 or newer to run this command.


However, I still find it strange that ALE has stopped showing lockouts since it shouldn't really matter which policies are configured - the most important thing is that events are logged. Please check if Security Event logs on your DCs are logging the following event IDs: https://www.netwrix.com/kb/1348


Hope this helps.


AndreyK



#3 ddockter

    Newbie

  • Members
  • 4 posts

Posted 24 April 2018 - 04:24 PM

Below are the results of auditpol /get /category:*.  


F:\>auditpol /get /category:*
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        No Auditing
  IPsec Driver                            No Auditing
  Other System Events                     No Auditing
  Security State Change                   Success and Failure
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success and Failure
  Account Lockout                         No Auditing
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           No Auditing
  Other Logon/Logoff Events               Success and Failure
  Network Policy Server                   No Auditing
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           Failure
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
Privilege Use
  Sensitive Privilege Use                 No Auditing
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
Detailed Tracking
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Process Creation                        No Auditing
Policy Change
  Audit Policy Change                     No Auditing
  Authentication Policy Change            No Auditing
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              No Auditing
Account Management
  User Account Management                 No Auditing
  Computer Account Management             No Auditing
  Security Group Management               No Auditing
  Distribution Group Management           No Auditing
  Application Group Management            No Auditing
  Other Account Management Events         No Auditing
DS Access
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                No Auditing
Account Logon
  Kerberos Service Ticket Operations      Success and Failure
  Other Account Logon Events              No Auditing
  Kerberos Authentication Service         Success and Failure
  Credential Validation                   Success and Failure


#4 AndreyK

    Member

  • Members
  • 14 posts

Posted 24 April 2018 - 04:34 PM

ALE relies on events from the Account Management / User Account Management subcategory which is set to 'No Auditing' as per auditpol.

Please enable that subcategory (or the whole Account Management category) for Success on all DCs and see if it helps.


AndreyK
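A way to check the advice in this reply on every domain controller at once, as an added example that is not part of the thread and not Netwrix's own code: the script below runs `auditpol /get /category:*` remotely, parses the plain-text output (the same layout pasted earlier in this thread) and reports any subcategory that does not satisfy the required setting. The required set is an assumption: 'User Account Management' = Success is what this reply asks for, and the two failed-logon entries are inferred from the "auditing of invalid logons" wording of the ALE status message. It also assumes the RSAT ActiveDirectory module is installed and WinRM is enabled on the DCs.

```powershell
# Added example, not from the thread. Checks the audit subcategories ALE depends on
# across all DCs by parsing the text output of `auditpol /get /category:*`.

# Subcategory -> settings that satisfy it. 'User Account Management'/Success is what
# post #4 requires; 'Logon' and 'Credential Validation' failure auditing is an
# assumption drawn from the "invalid logons" wording of the ALE status message.
$Required = @{
    'User Account Management' = @('Success', 'Success and Failure')
    'Logon'                   = @('Failure', 'Success and Failure')
    'Credential Validation'   = @('Failure', 'Success and Failure')
}

function Get-AuditPolicyTable {
    # Turn auditpol's indented "  <Subcategory>   <Setting>" lines into a hashtable.
    # Category header lines (no indent) and the column header are skipped.
    param([string[]]$AuditpolLines)
    $table = @{}
    foreach ($line in $AuditpolLines) {
        if ($line -match '^\s{2}(\S.*?)\s{2,}(No Auditing|Success and Failure|Success|Failure)\s*$') {
            $table[$matches[1]] = $matches[2]
        }
    }
    return $table
}

function Test-AleAuditPolicy {
    # Return one line per required subcategory whose current setting is not acceptable.
    param([hashtable]$Policy, [hashtable]$Required)
    $problems = @()
    foreach ($sub in $Required.Keys) {
        $actual = $Policy[$sub]
        if (-not $actual) { $actual = 'missing from output' }
        if ($Required[$sub] -notcontains $actual) {
            $problems += "$sub is '$actual'; need one of: $($Required[$sub] -join ', ')"
        }
    }
    return $problems
}

# Query every DC in the domain. auditpol must run elevated on the DC; a remoting
# session created by a domain admin satisfies that.
$dcs = (Get-ADDomainController -Filter *).HostName
foreach ($dc in $dcs) {
    $lines    = Invoke-Command -ComputerName $dc -ScriptBlock { auditpol /get /category:* }
    $problems = Test-AleAuditPolicy -Policy (Get-AuditPolicyTable $lines) -Required $Required
    if ($problems.Count -eq 0) {
        "$dc : OK"
    } else {
        "$dc :"
        $problems | ForEach-Object { "    $_" }
    }
}
```

Run it from a management host as a domain admin. Two caveats that follow from earlier replies in this thread: a subcategory switched on locally with `auditpol /set` is overwritten at the next policy refresh if a GPO governs that category, so the lasting fix is the GPO change followed by `gpupdate /force`, as shown later in the thread; and when a GPO applies Advanced Audit Policy settings (the Netwrix Auditor default mentioned in post #2), the basic category settings are ignored, so `auditpol /get` is the output to trust rather than the legacy "Audit Policy" node.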



#5 ddockter

    Newbie

  • Members
  • 4 posts

Posted 24 April 2018 - 06:14 PM

Below is the audit policy now.  ALE is still showing the "Logon auditing is disabled" message.


Microsoft Windows [Version 6.1.7601]
Copyright © 2009 Microsoft Corporation.  All rights reserved.
 
F:\>gpupate /force
'gpupate' is not recognized as an internal or external command,
operable program or batch file.
 
F:\>gpupdate /force
Updating Policy...
 
User Policy update has completed successfully.
Computer Policy update has completed successfully.
 
 
F:\> auditpol /get /category:*
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        No Auditing
  IPsec Driver                            No Auditing
  Other System Events                     No Auditing
  Security State Change                   Success and Failure
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success and Failure
  Account Lockout                         No Auditing
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           No Auditing
  Other Logon/Logoff Events               Success and Failure
  Network Policy Server                   No Auditing
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           Failure
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
Privilege Use
  Sensitive Privilege Use                 No Auditing
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
Detailed Tracking
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Process Creation                        No Auditing
Policy Change
  Audit Policy Change                     No Auditing
  Authentication Policy Change            No Auditing
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              No Auditing
Account Management
  User Account Management                 Success
  Computer Account Management             Success
  Security Group Management               Success
  Distribution Group Management           Success
  Application Group Management            Success
  Other Account Management Events         Success
DS Access
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                No Auditing
Account Logon
  Kerberos Service Ticket Operations      Success and Failure
  Other Account Logon Events              No Auditing
  Kerberos Authentication Service         Success and Failure
  Credential Validation                   Success and Failure
 
F:\> auditpol /get /category:*
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        No Auditing
  IPsec Driver                            No Auditing
  Other System Events                     No Auditing
  Security State Change                   Success and Failure
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success and Failure
  Account Lockout                         No Auditing
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           No Auditing
  Other Logon/Logoff Events               Success and Failure
  Network Policy Server                   No Auditing
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           Failure
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
Privilege Use
  Sensitive Privilege Use                 No Auditing
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
Detailed Tracking
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Process Creation                        No Auditing
Policy Change
  Audit Policy Change                     No Auditing
  Authentication Policy Change            No Auditing
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              No Auditing
Account Management
  User Account Management                 Success
  Computer Account Management             Success
  Security Group Management               Success
  Distribution Group Management           Success
  Application Group Management            Success
  Other Account Management Events         Success
DS Access
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                No Auditing
Account Logon
  Kerberos Service Ticket Operations      Success and Failure
  Other Account Logon Events              No Auditing
  Kerberos Authentication Service         Success and Failure
  Credential Validation                   Success and Failure
 
F:\>


#6 ddockter

    Newbie

  • Members
  • 4 posts

Posted 24 April 2018 - 08:28 PM

I just got an Account Lockout email from ALE so this appears to be working despite the "Logon auditing is disabled" message still being present.



#7 AndreyK

    Member

  • Members
  • 14 posts

Posted 26 April 2018 - 12:18 PM

If you are confident that auditing is properly configured on your DCs (and your auditpol looks correct), you can disable audit checks in ALE which should remove the error message from the status bar. Please see the last section of https://www.netwrix.com/kb/1571
