RE: [logs] XP logon/logoff failure audit

From: Eric Fitzgerald (ericfat_private)
Date: Mon Apr 22 2002 - 16:53:49 PDT


    Hi Steve,
    
    There are no other workarounds - the Welcome Screen causes these audits,
    so if you don't want them you shouldn't use the Welcome Screen.
    
    This issue is improved in Service Pack 1 for Windows XP.  Instead of
    testing every account with a blank password when the welcome screen is
    invoked, an account is only tested with a blank password when it is
    selected.  This will still result in a single logon failure audit being
    generated whenever you select an account with a non-blank password.
    
    Service Pack 1 is due out in the next couple of months, but I don't have
    a specific schedule.
    
    Eric Fitzgerald
    Program Manager, Windows Auditing and Intrusion Detection
    Microsoft Corporation
    
    -----Original Message-----
    From: Steve Wray [mailto:steve.wrayat_private] 
    Sent: Friday, April 19, 2002 5:08 PM
    To: loganalysisat_private
    Subject: [logs] XP logon/logoff failure audit
    
    Interesting feature in Windows XP Pro.
    Maybe someone knows how I can control it?
    :)
    
    If you allow the "welcome" logon screen,
    and you audit logon failures,
    XP generates an ongoing stream of logon failures.
    
    As I understand it, this is because XP displays
    users with no passwords differently on the
    welcome screen. It therefore needs to test each
    account to see if it needs a password.
    It does this repeatedly and generates a stream
    of logon failures.
    
    This issue is detailed here:
    http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q305822
    
    Microsoft's suggested fix is surprising:
    turn off the welcome screen or turn off logon auditing.
    
    The welcome screen is highly desirable; for example, most
    NT sysadmins I have known have their own login in the
    Administrators group, so that they can perform admin
    functions without having to log off and log on as
    Administrator.
    
    The welcome screen (& user switching) allows one to
    operate with normal user privilege and switch to
    Administrator as needed.
    
    Auditing logon failures is also desirable.
    
    Has anyone come across any workarounds? Event viewer
    has a filter function that I've been fooling with
    but I'm unsure how to filter *just* these 'limited'
    logins. Suggestions would be a service to humanity!
    8-)
    
    
    
    
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    For additional commands, e-mail: loganalysis-helpat_private
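
A triage sketch for the pre-SP1 behaviour described in this thread, added here as an example and not code from either poster or from Microsoft: it tags a burst of logon failures that hits every Welcome Screen account exactly once as a probable Welcome Screen probe and leaves everything else for review. The record layout, the `tag_failures` name, the two-second window and the account list are assumptions, and the sample records are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: (timestamp, account) pairs for logon-failure audits
# already exported from the Security log. The layout is an assumption.
SAMPLE = [
    ("2002-04-19 17:00:00", "steve"),
    ("2002-04-19 17:00:00", "Administrator"),
    ("2002-04-19 17:00:01", "alice"),
    ("2002-04-19 17:05:10", "alice"),
    ("2002-04-19 17:05:12", "alice"),
    ("2002-04-19 17:05:15", "alice"),
    ("2002-04-19 17:30:00", "Administrator"),
    ("2002-04-19 17:30:00", "steve"),
    ("2002-04-19 17:30:00", "alice"),
]


def tag_failures(records, welcome_accounts, window_s=2):
    """Return (when, account, tag) for each failure, tagging, never dropping.

    welcome_accounts: accounts listed on the Welcome Screen that have a
    non-blank password (assumed to be known to the analyst).
    """
    events = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), acct) for ts, acct in records
    )
    # Group events into bursts: an event joins the current burst if it falls
    # within window_s seconds of that burst's first event.
    bursts = []
    for when, acct in events:
        if bursts and when - bursts[-1][0][0] <= timedelta(seconds=window_s):
            bursts[-1].append((when, acct))
        else:
            bursts.append([(when, acct)])
    expected = Counter(welcome_accounts)  # each account expected exactly once
    tagged = []
    for burst in bursts:
        seen = Counter(acct for _, acct in burst)
        # With a single account a probe looks like any lone failure, so
        # require at least two accounts before tagging anything as a probe.
        is_probe = len(expected) > 1 and seen == expected
        tag = "welcome-probe" if is_probe else "review"
        tagged.extend((when, acct, tag) for when, acct in burst)
    return tagged
```

After Service Pack 1 the single failure produced by selecting an account cannot be separated from a mistyped password by timing alone, so this heuristic leaves such events tagged `review`.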
    
    
    



    This archive was generated by hypermail 2b30 : Mon Apr 22 2002 - 17:02:25 PDT