
What is Audit Credential Validation?

Audit Credential Validation is an Advanced Security Audit Policy setting that enables the operating system to generate audit events on credentials submitted for a user logon request. It records events related to validation tests on user logon credentials.

Audit Credential Validation helps in monitoring account logon authentication events. It is particularly useful for identifying failed logon attempts that may indicate a brute-force attack or potential account compromise. The logs generated by this audit policy serve as an audit trail and aid forensic analysis if an incident occurs.

How to enable Audit Credential Validation?

  • Launch Server Manager in your Windows Server instance.
  • Under Manage, select Group Policy Management and launch the Group Policy Management console.
  • Navigate to Forest ➔ Domain ➔ Your domain ➔ Domain Controllers.
  • Create a new GPO and link it to the domain containing the file to be monitored, or edit any existing GPO that is linked to the domain to open the Group Policy Management Editor.
  • Navigate to Computer Configuration ➔ Windows Settings ➔ Security Settings ➔ Advanced Audit Policy Configuration ➔ System Audit Policies - Local Group Policy ➔ Account Logon.
  • The Account Logon lists all of its sub-policies in the right panel, as shown in the figure below.
  • Select Audit Credential Validation and enable auditing for Success and Failure events.
  • Click Apply and OK to close the Properties window.

View Credential Validation events in Event Viewer

  • In the Event Viewer window, go to Windows Logs ➔ Security logs.
  • Click Filter current log under Action in the right panel.
  • Search for the following Event IDs:
    • 4774 - An account was mapped for logon.
    • 4775 - An account could not be mapped for logon.
    • 4776 - The computer attempted to validate the credentials for an account.
    • 4777 - The domain controller failed to validate the credentials for an account.
  • You can double-click on the events to view Event Properties.

These steps need to be repeated for all domain controllers and workstations to audit credential validation for domain accounts and local accounts respectively. Manually checking every event is time-consuming, inefficient and practically impossible for large organizations.
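The same check can be scripted with built-in Windows tooling. The following PowerShell is an added example, not part of the original page or of ADAudit Plus: it confirms the subcategory is audited, then summarizes failed 4776 validations per account and source workstation. The look-back window, the threshold and the computer list are assumptions to adjust.

```powershell
# Added example. Run from an elevated PowerShell session.
# Assumptions: 24-hour look-back, 10 failures as the flagging threshold.
$since     = (Get-Date).AddHours(-24)
$threshold = 10
# Add the names of your domain controllers or workstations to this list.
$computers = @($env:COMPUTERNAME)

# Confirm on the local machine that Success and Failure auditing is active.
auditpol /get /subcategory:"Credential Validation"

$failures = foreach ($computer in $computers) {
    $events = Get-WinEvent -ComputerName $computer -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4776
        StartTime = $since
    } -ErrorAction SilentlyContinue   # no matching events is not an error here

    foreach ($e in $events) {
        # Read fields by name from the event XML instead of by position.
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }

        # Status 0x0 means the credentials validated successfully.
        if ($data['Status'] -ne '0x0') {
            [pscustomobject]@{
                LoggedOn    = $computer
                TimeCreated = $e.TimeCreated
                Account     = $data['TargetUserName']
                Workstation = $data['Workstation']
                # e.g. 0xc000006a = wrong password, 0xc0000064 = unknown user,
                #      0xc0000234 = account locked out
                Status      = $data['Status']
            }
        }
    }
}

# Account/workstation pairs with repeated failures are brute-force candidates.
$failures |
    Group-Object Account, Workstation |
    Where-Object Count -ge $threshold |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Many failures with status 0xc0000064 spread across different account names from one workstation point to username guessing, while repeated 0xc000006a against a single account points to password guessing.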

Native auditing becoming a little too much?

Simplify Credential Validation auditing and reporting with ADAudit Plus.

ADAudit Plus simplifies credential validation monitoring by offering predefined Credential Validation reports along with graphical representations of the same data for easier comprehension. ADAudit Plus also lets you generate custom reports and export them in your preferred format (PDF, XLS, HTML, and CSV).

Steps to Audit Credential Validation with ADAudit Plus

Once ADAudit Plus has been installed, it can automatically configure audit policies required for Active Directory auditing. To enable automatic configuration: Log in to the ADAudit Plus web console → Domain Settings → Audit Policy: Configure.

Credential Validation events can be monitored by following the steps below:
  • Log in to ADAudit Plus.
  • Select the required Domain from the dropdown list.
  • Go to the Server Audit tab.
  • Navigate to Local Logon-Logoff.
  • Select the Credential Validation report.

This report helps in monitoring credential validations that take place during domain and local logons. You can use this report to ascertain if secure authentication protocols like Kerberos or NTLMv2 are being used.

About ADAudit Plus

ADAudit Plus comes bundled with more than 200 predefined reports that make AD auditing easier. The solution also sends real-time alerts for critical events, helping you secure your network from threats and strengthen your IT security posture.
