Can you explain how to monitor failed logon attempts of Windows NT 4.0 domain accounts? Does NT 4.0 log events to the Security log? Will these events appear in the log of the workstation, the domain controller (DC), or both?
To monitor failed logon attempts, you must enable auditing for "logon and logoff" events in a domain's audit policy and in the local audit policy of every workstation or member server. An NT 4.0 workstation or member server that initiates the failed logon of a domain account will log a security event only to the workstation's or member server's event log—hence, the importance of auditing failed logons not only on the domain level but also on every workstation. This event-logging behavior exists because the workstation's or member server's security subsystem handles the logon process, passes the credentials to a DC for validation, and returns the response to the user.
Microsoft added event ID 644 (user account locked out) in NT 4.0 Service Pack 4 (SP4). This event lets NT record account lockouts on both the local workstation or member server and the DC. However, for this feature to work, the account must be locked out, meaning that the user must exceed the allowed number of failed logon attempts. For example, if you set the allowed number of failed logons to 4, a malicious user could still carry out a password guessing attack by trying to log on three times, waiting for the account lockout's "reset count" time period to expire, then trying three more times, and so on. Because the user never exceeds the lockout threshold, a lockout never occurs, and Windows never records event ID 644 on the DC. In other words, if you aren't checking the local workstation logs, you can't detect this type of attack. Note that to enable auditing of account lockouts, you must audit User and Group Management for success.
This scenario once more illustrates the need to collect event logs from multiple locations to perform advanced event analysis. Several third-party tools can help you do so. For an overview of some of these tools, see Randy Franklin Smith's Windows & .NET Magazine article "Archiving and Analyzing the NT Security Log," http://www.winnetmag.com, InstantDoc ID 9043.