Group policy-Ensure Audit Credential Validation

Glenn Maxwell
2022-11-01T16:02:40.907+00:00

Hi All

Experts, guide me in applying the below CIS benchmark policy. I am using a third-party vulnerability scanner.
Ensure 'Audit Credential Validation' --> I have set the policy to Success and Failure, and when I scan the VM I still don't see that it is remediated. The information below is provided by the scanner.

Solution
To establish the recommended configuration via GP, set the following UI path to Success and Failure:

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Logon\Audit Credential Validation

Default Value:

Success.

Information
This subcategory reports the results of validation tests on credentials submitted for a user account logon request.
These events occur on the computer that is authoritative for the credentials. For domain accounts, the Domain Controller is authoritative,
whereas for local accounts, the local computer is authoritative. In domain environments, most of the Account Logon events occur in the Security log of the
Domain Controllers that are authoritative for the domain accounts. However, these events can occur on other computers in the organization when local accounts
are used to log on. Events for this subcategory include:

4774: An account was mapped for logon.

4775: An account could not be mapped for logon.

4776: The Domain Controller attempted to validate the credentials for an account.

4777: The Domain Controller failed to validate the credentials for an account.

The recommended state for this setting is: Success and Failure.


Accepted answer
  1. Anonymous
    2022-11-11T04:11:06.827+00:00

    Hello GlennMaxwell-2309,

    Thank you for posting in our Q&A forum.

    Would you please tell us on which machine you are using the third-party vulnerability scanner?

    These events occur on the computer that is authoritative for the credentials. For domain accounts, the Domain Controller is authoritative,
    whereas for local accounts, the local computer is authoritative.

    If you are on the Domain Controller, you can check whether the setting is set as Success and Failure within Default Domain Controller Policy manually.

    Or you can run the command on the DC to check whether "Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Logon\Audit Credential Validation" is set as Success and Failure.

    auditpol /get /category:*

    If you are on a machine that is not a DC, you can check whether the setting is set as Success and Failure by opening local group policy manually.

    By default, this setting is "Not Configured"; this means that on a client it is "No Auditing" and on a server it is set to "Success".

    Hope the information above is helpful.

    Best Regards,
    Daisy Zhou

    ===============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
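
The check described in the answer, as an added example that is not part of the original thread: it reads the effective "Credential Validation" setting with `auditpol` on the machine the scanner inspected, reports whether that machine is a Domain Controller, and compares the result with the recommended state. It assumes an elevated PowerShell session and an English-language Windows install; the variable names are illustrative.

```powershell
# Added example: report the effective "Credential Validation" audit setting.
# Run in an elevated PowerShell session on the machine the scanner checked.
# Assumes English-language Windows (auditpol output text is localized).

$expected = 'Success and Failure'

# DomainRole 4 and 5 are backup and primary domain controllers.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDC = $role -ge 4

# /r prints the result as CSV; drop blank lines before parsing.
$csv = auditpol /get /subcategory:"Credential Validation" /r |
    Where-Object { $_.Trim() }
if ($LASTEXITCODE -ne 0) {
    throw "auditpol failed with exit code $LASTEXITCODE (is the session elevated?)"
}

$row = $csv | ConvertFrom-Csv |
    Where-Object { $_.Subcategory -eq 'Credential Validation' }
if (-not $row) {
    throw 'Credential Validation subcategory not found in auditpol output.'
}

# "Inclusion Setting" holds the effective value, for example
# "No Auditing", "Success", "Failure" or "Success and Failure".
$effective = $row.'Inclusion Setting'

[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    DomainController = $isDC
    Effective        = $effective
    Expected         = $expected
    Compliant        = ($effective -eq $expected)
}
```

If `Compliant` is false on the scanned VM, the policy that was edited is not the one reaching that machine; on a machine that is not a DC, the value comes from the policy applied to that computer rather than from the Default Domain Controller Policy.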
