Windows event ID 4740 - A user account was locked out.

Introduction

Windows lets you set an account lockout threshold to define the number of times a user can attempt to log on with an invalid password before their account is locked. You can also define the amount of time an account stays locked out with the account lockout duration setting. These account lockout policies help defend your network against password guessing attempts and potential brute-force attacks. However, strict policies could mean that users have fewer attempts to recall passwords, leading them to get locked out of their accounts more often.

Windows generates two types of events related to account lockouts. Event ID 4740 is generated on domain controllers, Windows servers, and workstations every time an account gets locked out. Event ID 4767 is generated every time an account is unlocked. In this guide, we're going to focus on event ID 4740.

Fig. 1: Event ID 4740 - Event properties (General tab)

Fig. 2: Event ID 4740 - Details tab

Event fields and reasons to monitor them

Let's break this event's properties down by Subject, Account That Was Locked Out, and Additional Information, as shown on the General tab (Fig. 1).

Subject:

Security ID: The SID of the account that performed the lockout operation.

Because event ID 4740 is usually triggered by the SYSTEM account, we recommend that you monitor this event and report it whenever Subject\Security ID is not "SYSTEM."

Account Name: The name of the account that performed the lockout operation.

Account Domain: The domain or computer name. The format varies: it may be the NetBIOS name, the lowercase full domain name, or the uppercase full domain name.

For well-known security principals this field is "NT AUTHORITY," and for local user accounts it contains the name of the computer that the account belongs to.

Logon ID: The logon ID helps you correlate this event with recent events that might contain the same logon ID (e.g. event ID 4625).

Account That Was Locked Out:

Security ID: The SID of the account that was locked out. Windows tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Account Name: The name of the account that was locked out.

Monitor all 4740 events where Account Name matches a defined list of high-value accounts, such as CXOs and IT admins. Also audit this event for any account that is already monitored for every change.

Additional Information:

Caller Computer Name: The name of the computer account (e.g. JOHN-WS12R2) from which the logon attempt was generated.

Monitor Caller Computer Name for authentication attempts from user accounts that should not be used from specific endpoints, as well as computers that don't belong to your network.
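The three monitoring rules above (Subject\Security ID not SYSTEM, a high-value Account Name, an unknown Caller Computer Name) applied to 4740 event XML, as an added example that is not part of the original page or of ADAudit Plus. The sample events, account names, SIDs and host names are constructed for this example; the high-value list and computer inventory are assumed inputs.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSTEM_SID = "S-1-5-18"  # the Subject\Security ID 4740 normally carries

# Constructed sample events in the shape of Event Viewer's XML view
# (names, SIDs and hosts are invented for this example).
SAMPLE_EVENTS = [
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
     <System><EventID>4740</EventID><Computer>DC01.example.local</Computer></System>
     <EventData><Data Name="TargetUserName">jsmith</Data>
      <Data Name="TargetDomainName">JOHN-WS12R2</Data>
      <Data Name="SubjectUserSid">S-1-5-18</Data>
      <Data Name="SubjectUserName">DC01$</Data></EventData></Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
     <System><EventID>4740</EventID><Computer>DC01.example.local</Computer></System>
     <EventData><Data Name="TargetUserName">cfo.doe</Data>
      <Data Name="TargetDomainName">UNKNOWN-PC</Data>
      <Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-500</Data>
      <Data Name="SubjectUserName">admin</Data></EventData></Event>""",
]

def parse_4740(xml_text):
    # Pull the fields the page says to watch out of one 4740 event.
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return {
        "locked_account": data["TargetUserName"],
        "subject_sid": data["SubjectUserSid"],
        # Caveat: in 4740's XML the "Caller Computer Name" shown on the General
        # tab is carried in the TargetDomainName element, not a field of its own.
        "caller_computer": data["TargetDomainName"],
    }

def alert_reasons(ev, high_value, known_computers):
    """Apply the three monitoring rules from the field descriptions above."""
    reasons = []
    if ev["subject_sid"] != SYSTEM_SID:
        reasons.append("lockout performed by a non-SYSTEM subject")
    if ev["locked_account"].lower() in high_value:
        reasons.append("high-value account locked out")
    if ev["caller_computer"].upper() not in known_computers:
        reasons.append("caller computer not in inventory")
    return reasons

def triage(events_xml, high_value, known_computers):
    """Return {locked account: reasons} for the events that need attention."""
    parsed = [parse_4740(x) for x in events_xml]
    hits = {e["locked_account"]: alert_reasons(e, high_value, known_computers) for e in parsed}
    return {k: v for k, v in hits.items() if v}
```

A normal lockout (SYSTEM subject, ordinary user, known workstation) produces no reasons, so only the events worth an alert are returned.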

The need for a third-party tool

1. 24/7, real-time monitoring:

Although you can attach a task to the security log and ask Windows to send you an email, you are limited to getting an email when event ID 4740 is generated, and Windows lacks the ability to apply more granular filters.

For example, Windows can send you an email when event ID 4740 is generated, but it will not be able to only notify you when high-value accounts get locked out, or if a logon request comes from an unauthorized endpoint. Getting specific alerts reduces the chance of you missing out on critical notifications amongst a heap of false-positive alerts.

With a tool like ADAudit Plus, not only can you apply granular filters to focus on real threats, you can get notified in real time via SMS, too.

2. User and entity behavior analytics (UEBA):

Leverage advanced statistical analysis and machine learning techniques to detect anomalous behavior within your network.

3. Compliance-ready reports:

Meet various compliance standards, such as SOX, HIPAA, PCI, FISMA, GLBA, and the GDPR, with out-of-the-box compliance reports.

True turnkey - it doesn't get simpler than this

Go from downloading ADAudit Plus to receiving real-time alerts in less than 30 minutes. With over 200 preconfigured reports and alerts, ADAudit Plus ensures that your Active Directory stays secure and compliant.

Try it now for free!
