unable to see logon type 2 even for interactive logon

rahul dhiman 0 Reputation points
2023-05-30T04:48:08.4766667+00:00

I am getting event ID 4624 and 4625 both, but instead of seeing logon type 2 I am only seeing logon type 3.

I tried simulating it so many times but no luck so far.

Can someone suggest to me what the cause could be? My goal is to track failed logins from users so that I can find brute-force attempts, but logon type 3 events are so high, and as I cannot see logon type 2, I am not able to detect the actual logon event.


1 answer

  1. Khaled Elsayed Mohamed 1,260 Reputation points
    2023-05-30T08:34:01.9066667+00:00

    Hi Rahul

    If you are consistently receiving Event ID 4624 (Successful Logon) and Event ID 4625 (Failed Logon) in Active Directory, but you are only seeing Logon Type 3 (Network) and not Logon Type 2 (Interactive), it could indicate a few possible causes:

    1. Remote Desktop Services (RDP) or Terminal Services: Logon Type 3 (Network) is commonly associated with remote logons, such as using Remote Desktop or Terminal Services to access a machine. If your environment heavily relies on remote access, it is expected to see a high number of Logon Type 3 events. In this case, the absence of Logon Type 2 events may be because most logons are occurring remotely.
    2. Network-based authentication protocols: Certain authentication protocols, such as Kerberos, negotiate authentication using network-based methods. This can result in Logon Type 3 events. If your systems predominantly use network-based authentication protocols, you may see a higher occurrence of Logon Type 3 events.
    3. Service accounts and automated processes: Logon Type 3 events can also be generated by service accounts or automated processes that authenticate across the network. If you have services or scheduled tasks running under service accounts, they can contribute to the Logon Type 3 events.

    To effectively track and identify failed login attempts and potential brute force attacks, consider the following approaches:

    1. Enable and analyze Security Event Log: Ensure that the Security Event Log is properly configured to capture relevant logon events. Monitor Event ID 4625 (Failed Logon) and review the associated Account Name, Source Network Address, and Failure Reason codes to identify potential brute force attempts.
    2. Implement an Intrusion Detection System (IDS): Deploying an IDS or SIEM (Security Information and Event Management) solution can provide advanced logging and analysis capabilities. These systems can help detect and alert on anomalous login activity, including potential brute force attempts.
    3. Enable Account Lockout Policies: Implement account lockout policies to automatically lock user accounts after a specified number of failed login attempts. This helps mitigate the impact of brute force attacks by limiting the number of consecutive login attempts.
    4. Monitor and analyze network traffic: Consider using network monitoring tools to analyze incoming network traffic and identify patterns of repeated login attempts originating from specific IP addresses. This can help detect potential brute force attacks.

    By combining these strategies, you can enhance your ability to detect and respond to failed login attempts and potential brute force attacks effectively.
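The answer's first recommendation (monitor 4625 and review Account Name, Source Network Address and Failure Reason) can be turned into a small detection routine. The example below is added here and is not code from the question, the answer or Microsoft; it parses 4625 records in the XML layout that Event Viewer and wevtutil export, groups failures by source address, and flags any source that fails more than a threshold number of times inside a short window. The sample events it runs on are constructed. Two practical points it encodes: a password-guessing run against a domain controller arrives over the network and is logged as logon type 3, so the detection must not filter on type 2; and a failed console logon at a domain-joined workstation writes its type 2 4625 to that workstation's own Security log, while the domain controller records only the credential validation (Kerberos 4771 or NTLM 4776), so a collector that reads DC logs alone will not see type 2 at all.

```python
"""Flag brute-force bursts in Windows Security event 4625 (failed logon) records.

Added example, not code from the question or answer. Input is the XML form
exported by Event Viewer / wevtutil; the records under SAMPLE_EVENTS are
constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Logon type numbers as used in 4624/4625.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
    7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
    10: "RemoteInteractive", 11: "CachedInteractive",
}

# Common SubStatus (failure reason) codes carried by 4625.
SUBSTATUS = {
    "0xc000006a": "bad password",
    "0xc0000064": "user name does not exist",
    "0xc0000234": "account locked out",
    "0xc0000072": "account disabled",
}


def parse_time(system_time):
    """Parse the SystemTime attribute (7-digit fraction, trailing Z)."""
    base = system_time.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")


def parse_event(xml_text):
    """Pull the fields the answer names out of one exported Security event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return {
        "event_id": int(system.find("e:EventID", NS).text),
        "time": parse_time(system.find("e:TimeCreated", NS).get("SystemTime")),
        "user": data.get("TargetUserName", ""),
        "source_ip": data.get("IpAddress", "-"),
        "logon_type": int(data.get("LogonType", "0")),
        "substatus": data.get("SubStatus", "").lower(),
    }


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: summary} for sources with >= threshold 4625 events
    inside any single `window`. Logon type is reported, not filtered on,
    because guessing against a DC shows up as type 3 (Network)."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625:
            by_ip[ev["source_ip"]].append(ev)

    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        best, start = None, 0
        for end in range(len(evs)):          # sliding window over sorted times
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            size = end - start + 1
            if size >= threshold and (best is None or size > best[1] - best[0] + 1):
                best = (start, end)
        if best:
            chunk = evs[best[0]:best[1] + 1]
            hits[ip] = {
                "count": len(chunk),
                "users": sorted({e["user"] for e in chunk}),
                "logon_types": sorted({LOGON_TYPES.get(e["logon_type"], str(e["logon_type"])) for e in chunk}),
                "reasons": sorted({SUBSTATUS.get(e["substatus"], e["substatus"]) for e in chunk}),
            }
    return hits


def make_4625(system_time, user, ip, logon_type, substatus):
    """Build a constructed 4625 record in the exported XML layout."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4625</EventID>'
            f'<TimeCreated SystemTime="{system_time}"/></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data><Data Name="LogonType">{logon_type}</Data>'
            f'<Data Name="IpAddress">{ip}</Data><Data Name="SubStatus">{substatus}</Data>'
            f'</EventData></Event>')


# Constructed sample: one host spraying eight accounts over the network in
# 40 seconds (type 3), plus one genuine typo at a console (type 2).
SAMPLE_EVENTS = (
    [make_4625(f"2023-05-30T04:48:{s:02d}.4766667Z", u, "10.0.0.25", 3, "0xC000006A")
     for s, u in zip(range(0, 40, 5),
                     ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"])]
    + [make_4625("2023-05-30T05:10:00.0000000Z", "rahul", "-", 2, "0xC000006A")]
)


def run_sample():
    """Parse the constructed events and return the brute-force hits."""
    return detect_bruteforce(parse_event(x) for x in SAMPLE_EVENTS)


if __name__ == "__main__":
    for ip, summary in run_sample().items():
        print(ip, summary)
```

On a live system the same parser takes the output of `wevtutil qe Security /q:"*[System[EventID=4625]]" /f:xml`; the threshold and window are tuning knobs and should be set against the baseline of the log being watched, since a DC that also serves file shares will see many legitimate type 3 failures.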