
Is there any reliable way to monitor failed logon attempts on-the-fly in Windows XP? (well, Vista too for that matter). I need to monitor failed logon attempts programmatically which is currently accomplished with a simple GINA Stub by subclassing the Login dialog from MSGINA.

However, my current solution is not waterproof if there are other GINAs in the chain.

So my question is: Is there any (other) API I can rely on? Or do I have to roll out an entire GINA replacement DLL?

Jonas Engström

4 Answers


Microsoft ACS does this very well. It is a component of System Center Configuration Manager. You can look at the logon failures from the DC perspective or from the client perspective depending on your specific needs.

There are MS Partner Solutions that also aid in this from the Management Pack side as well as the ACS reporting side.

Full Disclosure: I work for one of said MS Partners

Kevin Colby

For a central solution, use one of the Windows syslog providers to forward security log entries to a central syslog aggregator. Watch for the right events and then take whatever actions you want after that. Same deal as in the UNIX world. Back in my Windows days we used NTsyslog on each host to feed the event log into a server running SL4NT. SL4NT is actually a pretty powerful syslog daemon and more fully featured than a lot of the UNIX versions. Both SL4NT and NTsyslog are very easy to set up.

diq
  • You don't have to use syslog with an agent on each system, either. There are plenty of log aggregators that are agentless. The key is to have enough agents to cover your environment. A lot of providers use an agent per 50 hosts or some similar #. – K. Brian Kelley May 28 '09 at 18:58
  • You're definitely right and that's a perfectly accepted approach. Personally, I prefer the push vs poll method. Plus, if you set it up for your workstations and servers, you can easily integrate your routers, firewalls, switches, etc. Most IDS solutions are just syslog and SEC wrapped up in a pretty package. – diq May 28 '09 at 19:29
  • One thing I also just realized is that an attacker could wipe the security event logs and hide his tracks after breaking into a system if you used a polling approach. This could be mitigated by very frequent polling, but if you're doing that, you might as well just push the events. – diq May 28 '09 at 19:33

Sadly, you can't use GINA for Vista. Vista uses Credential Providers.

Have you looked at parsing the Security Event Log? It's not pretty but it avoids mucking with GINA.

Alan
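Alan's suggestion of parsing the Security Event Log, and diq's "watch for the right events, then take action" step, as an added example that is not from any of the posters: detection logic in Python run over a constructed sample of forwarded security-log lines. The line layout, host names and addresses are assumptions made up for this example (not NTsyslog's real output format); the event IDs 529 (Windows XP/2003 "Logon Failure") and 4625 (Vista and later) are the real audit event IDs.

```python
import re
from collections import defaultdict

# Failed-logon audit event IDs: 529 on XP/2003, 4625 on Vista and later.
FAILED_LOGON_IDS = {"529", "4625"}

# Constructed sample of forwarded security-log lines. The layout
# (timestamp, host, outcome, event id, key/value body) is an assumption
# for this example, not the real NTsyslog/SL4NT format.
SAMPLE_LINES = """\
May 28 18:58:01 ws01 Security[failure] 529 User Name: alice Workstation Name: WS01 Source: 10.0.0.5
May 28 18:58:03 ws01 Security[failure] 529 User Name: alice Workstation Name: WS01 Source: 10.0.0.5
May 28 18:58:04 ws01 Security[success] 528 User Name: bob Workstation Name: WS01 Source: 10.0.0.7
May 28 18:58:09 ws01 Security[failure] 529 User Name: alice Workstation Name: WS01 Source: 10.0.0.5
May 28 18:58:12 vista7 Security[failure] 4625 Account Name: carol Workstation Name: VISTA7 Source Network Address: 10.0.0.9
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) Security\[(?P<outcome>\w+)\] "
    r"(?P<event_id>\d+) (?P<body>.*)$"
)
# XP-era events say "User Name:", Vista-era events say "Account Name:".
ACCOUNT_RE = re.compile(r"(?:User Name|Account Name): (\S+)")


def parse_line(line):
    """Return (host, event_id, account) for one forwarded line, or None if it
    is not a security-log line in the expected layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    acct = ACCOUNT_RE.search(m.group("body"))
    return m.group("host"), m.group("event_id"), acct.group(1) if acct else "?"


def failed_logons(lines):
    """Yield (host, account) for every failed-logon event in the stream.
    Accepts any iterable, so a live feed can be passed line by line."""
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1] in FAILED_LOGON_IDS:
            yield parsed[0], parsed[2]


def count_failures(lines):
    """Count failed logons per (host, account)."""
    counts = defaultdict(int)
    for key in failed_logons(lines):
        counts[key] += 1
    return dict(counts)


def alert_on_threshold(lines, threshold=3):
    """The 'take action' step: (host, account) pairs at or above threshold."""
    return sorted(k for k, n in count_failures(lines).items() if n >= threshold)
```

For real-time use, feed `failed_logons` the lines as the syslog receiver delivers them instead of the embedded sample.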

@Jonas: When you say "monitor failed log on attempts on-the-fly", do you mean you want something that reacts in real time to a failed log on? Or do you want to be able to run something that will tell you how many failed logons there have been, say, for a machine over a specific time period?

Chris
  • I need to know this in real time as soon as I'm notified about the failed attempt. – Jonas Engström Jun 02 '09 at 10:44
  • So you are being notified by some other means? If so you can use the MS Log Parser tool via a script to check the server(s) logs remotely for the failure message(s). – Chris Jun 02 '09 at 12:00