Audit-Failed Logon Attempts by Undefined User Accounts

IP.com Disclosure Number: IPCOM000112626D
Original Publication Date: 1994-Jun-01
Included in the Prior Art Database: 2005-Mar-27
Document File: 2 page(s) / 38K

Publishing Venue

IBM

Related People

Lenharth, SA: AUTHOR [+2]

Abstract

Disclosed is a method for auditing unsuccessful logon attempts by undefined user accounts.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 76% of the total text.

      There is currently a security hole in some Network Operating
Systems.  The API for logging on to the network can be called
repeatedly by any user at a remote workstation until a valid account
name is determined, because the logon failures caused by undefined
user accounts are not audited.

      To solve this problem, the following code changes were made for
auditing logon failures caused by undefined user accounts:

      A new audit entry field was added to the existing "network
logon" record of the audit log file to keep track of logon attempts
by undefined user accounts.  The computername the request came from
and the userid for which a network logon was attempted are audited.

      During logon, the NetWkstaSetUID2 API needs to determine the
logon server that will validate the user being logged on.  The API
issues a broadcast message to the netlogon service running on the
domain controller, creates a mailslot, and waits to receive the logon
server name from the netlogon service.  The netlogon service calls
the API NetUserGetInfo to retrieve the logon server name from the
User Accounts Subsystem (UAS) database.  The netlogon service was
modified to log the new audit entry if the user account does not
exist in the UAS database.
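The flow described above, as an added example that is not the disclosure's own code: a small Python model of a netlogon-style lookup against a UAS-like account table, which now writes an audit entry (computername plus userid) for undefined accounts as well as for bad passwords, together with the kind of per-workstation summary a NET AUDIT report could show. The account names, workstation names (WS2, WS7), logon server names (LOGONSRV1, LOGONSRV2) and the logon attempts are all constructed for the example.

```python
"""Model of auditing failed network logons by undefined user accounts.
Added example, not the disclosure's code: the account table, workstation
names, logon server names and attempts below are all constructed."""
import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass, field


def _h(pw: str) -> str:
    # Stand-in for the password verifier stored in the UAS database.
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed UAS-like database: userid -> (logon server, password hash).
UAS_DB = {
    "alice": ("LOGONSRV1", _h("correct horse")),
    "bob": ("LOGONSRV2", _h("battery staple")),
}


@dataclass
class AuditEntry:
    computername: str  # workstation the logon request came from
    userid: str        # account name the network logon was attempted for
    outcome: str       # "success", "bad_password" or "undefined_account"


@dataclass
class NetlogonService:
    db: dict
    audit_log: list = field(default_factory=list)

    def find_logon_server(self, computername: str, userid: str):
        """Return the logon server for userid, or None if the account is
        undefined. The undefined case is audited, which is the change the
        disclosure describes; previously it left no trace."""
        rec = self.db.get(userid)
        if rec is None:
            self.audit_log.append(
                AuditEntry(computername, userid, "undefined_account"))
            return None
        return rec[0]

    def validate(self, computername: str, userid: str, password: str) -> bool:
        """Full logon check: locate the logon server, then verify the password."""
        if self.find_logon_server(computername, userid) is None:
            return False
        if not hmac.compare_digest(self.db[userid][1], _h(password)):
            self.audit_log.append(AuditEntry(computername, userid, "bad_password"))
            return False
        self.audit_log.append(AuditEntry(computername, userid, "success"))
        return True


def undefined_account_attempts_by_source(audit_log):
    """Per-workstation count of logon failures for undefined accounts,
    the summary a NET AUDIT-style report could display."""
    return Counter(e.computername for e in audit_log
                   if e.outcome == "undefined_account")


def flag_enumeration(audit_log, threshold: int = 3):
    """Workstations with at least `threshold` undefined-account failures:
    one client trying many nonexistent names is the pattern that was
    invisible while those failures went unaudited."""
    counts = undefined_account_attempts_by_source(audit_log)
    return sorted(c for c, n in counts.items() if n >= threshold)


def run_demo() -> NetlogonService:
    """Constructed attempts: WS7 tries several names, WS2 is a normal logon."""
    svc = NetlogonService(UAS_DB)
    for uid in ("admin", "root", "alice", "guest", "test"):
        svc.validate("WS7", uid, "password")
    svc.validate("WS2", "bob", "battery staple")
    return svc


if __name__ == "__main__":
    svc = run_demo()
    for e in svc.audit_log:
        print(f"{e.computername:4} {e.userid:6} {e.outcome}")
    print("flagged:", flag_enumeration(svc.audit_log))
```

Before the change, only the "alice" attempt from WS7 (a defined account with a wrong password) would have produced an audit record; with the undefined-account entries present, the summary shows four failures from one workstation and the source can be flagged.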

      The NET AUDIT command was modified to display the new auditin...