Event ID 4776 is logged whenever a domain controller (DC) attempts to validate the credentials of an account using NTLM rather than Kerberos. This event is also logged for logon attempts with a local SAM account on workstations and Windows servers, because NTLM is the default authentication mechanism for local logon.
If the credentials were successfully validated, the authenticating computer logs this event ID with the Result Code field equal to “0x0”.
If the authenticating computer fails to validate the credentials, the same event ID 4776 is logged, but with a Result Code field not equal to “0x0”. (The result codes are listed in the table below.)
In the case of domain account logon attempts, the DC validates the credentials. That means event ID 4776 is recorded on the DC.
In the case of logon attempts with a local SAM account, the workstation or the member server validates the credentials. That means event ID 4776 is recorded on the local machine.
For Kerberos authentication, see event IDs 4768, 4769, and 4771.
Although Kerberos authentication is the preferred authentication method for Active Directory environments, some applications might still use NTLM.
Here are a few common cases where NTLM is used instead of Kerberos in a Windows environment:
Authentication Package: This is always "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0".
Logon Account: The name of the account that attempted a logon. The account can either be a user account, a computer account, or a well-known security principal (e.g. Everyone or Local System).
Source Workstation: The name of the computer the logon attempt originated from.
| Error code | Description |
|---|---|
| C0000064 | The username does not exist |
| C000006A | The username is correct but the password is wrong |
| C0000234 | The user is currently locked out |
| C0000072 | The account is currently disabled |
| C000006F | The user tried to log on outside their day-of-the-week or time-of-day restrictions |
| C0000070 | The user attempted to log on from a restricted workstation |
| C0000193 | The user tried to log on with an expired account |
| C0000071 | The user tried to log on with a stale password |
| C0000224 | The user is required to change their password at the next logon |
| C0000225 | Evidently a bug in Windows and not a risk |
NTLM and NTLMv2 authentication are vulnerable to a variety of attacks. Reducing and eliminating NTLM authentication from your environment forces Windows to use more secure protocols, such as the Kerberos version 5 protocol. However, doing so abruptly can cause NTLM authentication requests within the domain to fail, decreasing productivity.
It’s recommended that you first audit your security log for instances of NTLM authentication and understand the NTLM traffic to your DCs, and then force Windows to restrict NTLM traffic and use more secure protocols.
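The following PowerShell script is an added example (not part of the original article and not ADAudit Plus code) that performs the audit step recommended above with nothing but the built-in Security log. It reads event ID 4776 from the machine it runs on (a DC for domain accounts, a workstation or member server for local SAM accounts), decodes the Result Code using the table above, and then answers the two questions an auditor wants before restricting NTLM: which source workstations still generate NTLM validation requests, and which failures are worth a closer look. It assumes PowerShell 5.1 or later, an elevated session (reading the Security log requires administrator rights), and the standard 4776 EventData field names PackageName, TargetUserName, Workstation and Status; the `$Hours` and `$FailureThreshold` parameters are choices made for this example.

```powershell
# Added example: summarise NTLM credential validation (event ID 4776) from the
# local Security log. Not the article's or ADAudit Plus's own code.
# Assumes: PowerShell 5.1+, elevated session, standard 4776 EventData fields.
param(
    [int]$Hours = 24,             # look-back window (example choice)
    [int]$FailureThreshold = 10   # failures per account/workstation pair to flag (example choice)
)

# Result codes from the table in the article, keyed without the 0x prefix.
$StatusText = @{
    '0'        = 'Success'
    'C0000064' = 'The username does not exist'
    'C000006A' = 'The username is correct but the password is wrong'
    'C0000234' = 'The user is currently locked out'
    'C0000072' = 'The account is currently disabled'
    'C000006F' = 'Logon outside day-of-week or time-of-day restrictions'
    'C0000070' = 'Logon from a restricted workstation'
    'C0000193' = 'The account has expired'
    'C0000071' = 'The password has expired (stale password)'
    'C0000224' = 'Password must be changed at next logon'
    'C0000225' = 'Windows bug, not a risk'
}

function Get-Ntlm4776Event {
    param([datetime]$Since)
    $filter = @{ LogName = 'Security'; Id = 4776; StartTime = $Since }
    # -ErrorAction SilentlyContinue: Get-WinEvent reports "no events found" as an error.
    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # Normalise "0x0" / "0xc000006a" to the table's key form ("0" / "C000006A").
        $code = ($d['Status'] -replace '^0x', '').ToUpper().TrimStart('0')
        if ($code -eq '') { $code = '0' }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            Package     = $d['PackageName']      # always MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
            Account     = $d['TargetUserName']   # "Logon Account" in the event
            Workstation = $d['Workstation']      # "Source Workstation" in the event
            Status      = $d['Status']
            Meaning     = if ($StatusText.ContainsKey($code)) { $StatusText[$code] } else { "Unknown ($code)" }
            Success     = ($code -eq '0')
        }
    }
}

$events = @(Get-Ntlm4776Event -Since (Get-Date).AddHours(-$Hours))
Write-Host ("{0} NTLM validation requests in the last {1} h" -f $events.Count, $Hours)

# 1. Which source workstations still rely on NTLM, and how heavily.
Write-Host "`nNTLM validation requests per source workstation:"
$events | Group-Object Workstation | Sort-Object Count -Descending |
    Select-Object @{n = 'Workstation'; e = { $_.Name }}, Count | Format-Table -AutoSize

# 2. Failures broken down by decoded result code.
Write-Host "Failures by result code:"
$events | Where-Object { -not $_.Success } | Group-Object Status, Meaning |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

# 3. Repeated failures for one account from one workstation (lockout risk,
#    misconfigured service, or password guessing worth investigating).
Write-Host "Account/workstation pairs with at least $FailureThreshold failures:"
$events | Where-Object { -not $_.Success } |
    Group-Object Account, Workstation |
    Where-Object { $_.Count -ge $FailureThreshold } |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it on each DC to get the per-workstation view of domain NTLM traffic, and on individual servers to see local SAM logons; the per-workstation summary is the list of systems to check for NTLM-only applications before you enable the NTLM restriction policies, and the failure breakdown separates ordinary user mistakes (C000006A) from conditions such as lockouts and disabled-account attempts that deserve follow-up.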
Auditing solutions like ADAudit Plus offer real-time monitoring, user and entity behavior analytics, and reports; together these features help secure your AD environment.
Although you can attach a task to the security log and ask Windows to send you an email, you are limited to simply getting an email whenever event ID 4776 is generated. Windows also lacks the ability to apply more granular filters that are required to meet security recommendations.
With a tool like ADAudit Plus, not only can you apply granular filters to focus on real threats, you can get notified in real time via SMS, too.
Leverage advanced statistical analysis and machine learning techniques to detect anomalous behavior within your network.
Meet various compliance standards, such as SOX, HIPAA, PCI, FISMA, GLBA, and the GDPR, with out-of-the-box compliance reports.
Go from downloading ADAudit Plus to receiving real-time alerts in less than 30 minutes. With over 200 preconfigured reports and alerts, ADAudit Plus ensures that your Active Directory stays secure and compliant.