![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 50%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERD%3C/text%3E%3C/svg%3E)
7,023 questions
Hi Rahul
If you are consistently receiving Event ID 4624 (Successful Logon) and Event ID 4625 (Failed Logon) in Active Directory, but you are only seeing Logon Type 3 (Network) and not Logon Type 2 (Interactive), it could indicate a few possible causes:
- Remote Desktop Services (RDP) or Terminal Services: Logon Type 3 (Network) is commonly associated with remote logons, such as using Remote Desktop or Terminal Services to access a machine. If your environment heavily relies on remote access, it is expected to see a high number of Logon Type 3 events. In this case, the absence of Logon Type 2 events may be because most logons are occurring remotely.
- Network-based authentication protocols: Certain authentication protocols, such as Kerberos, negotiate authentication using network-based methods. This can result in Logon Type 3 events. If your systems predominantly use network-based authentication protocols, you may see a higher occurrence of Logon Type 3 events.
- Service accounts and automated processes: Logon Type 3 events can also be generated by service accounts or automated processes that authenticate across the network. If you have services or scheduled tasks running under service accounts, they can contribute to the Logon Type 3 events.
To effectively track and identify failed login attempts and potential brute force attacks, consider the following approaches:
- Enable and analyze Security Event Log: Ensure that the Security Event Log is properly configured to capture relevant logon events. Monitor Event ID 4625 (Failed Logon) and review the associated Account Name, Source Network Address, and Failure Reason codes to identify potential brute force attempts.
- Implement an Intrusion Detection System (IDS): Deploying an IDS or SIEM (Security Information and Event Management) solution can provide advanced logging and analysis capabilities. These systems can help detect and alert on anomalous login activity, including potential brute force attempts.
- Enable Account Lockout Policies: Implement account lockout policies to automatically lock user accounts after a specified number of failed login attempts. This helps mitigate the impact of brute force attacks by limiting the number of consecutive login attempts.
- Monitor and analyze network traffic: Consider using network monitoring tools to analyze incoming network traffic and identify patterns of repeated login attempts originating from specific IP addresses. This can help detect potential brute force attacks.
By combining these strategies, you can enhance your ability to detect and respond to failed login attempts and potential brute force attacks effectively.