Windows failed login attempts and RSA Envision log server

Dear All,

I need your guidance for the following issue which I am facing.

I have 2 domain controllers to authenticate user login only. The account lockout policy is set to lock accounts after 5 login attempts.

Logs are sent from the workstations (90) and the domain controllers (2) to RSA Envision.

The parameters in the RSA Envision are:

1) Windows - Account Locked Out
2) Windows - Failed Logons in AE Domain
3) Windows - Account Changes Details (Create, Delete, Modify)

Issue / Problem:

The reports generated from the RSA Envision for #2 (Windows - Failed Logons in AE Domain) have the following:

1) Windows - Failed Logons in AE Domain ---Unsuccessful Login attempts----
EventTime :9/2/2015 20:20 ; UserName : chandy ; Count of Messages : 18   
EventTime :9/2/2015 20:23 ; UserName : chandy ; Count of Messages : 11   
EventTime :9/2/2015 20:08 ; UserName : chandy ; Count of Messages : 11   
EventTime : 6/2/2015 21:11 ; UserName : ruby ; Count of Messages : 10   
EventTime :9/2/2015 20:07 ; UserName : chandy ; Count of Messages : 10   
EventTime : 10/2/2015 5:37 ; UserName : dadhi ; Count of Messages : 10   
EventTime :9/2/2015 20:15 ; UserName : chandy ; Count of Messages : 9   
EventTime : 10/2/2015 5:40 ; UserName : dadhi ; Count of Messages : 8   
EventTime :9/2/2015 10:54 ; UserName :roomi ; Count of Messages : 7

I seek your advice:

1) What does count of messages mean?

2) If the count of messages is presumed to be failed login attempts, they are not getting locked out.

3) Is something wrong in the RSA Envision log server or the domain controller?

4) See this trend when a person changes password after expiry.

February 20th, 2015 9:14am

Hi,

As we know, there are account lockout events logged on the domain controller when someone is locked out, and failed logon events are also logged. But the event is not like what you posted here. It seems that RSA collects that information and formats it into this view.

For your issue regarding RSA Envision, it is suggested to post in the EMC RSA support forum.

https://community.emc.com/community/connect/rsaxchange/envision

If there is any misunderstanding, please feel free to let me know.

Regards,

February 21st, 2015 7:23am

Dear Yan,

Thank you for your reply. In continuation of my previous post, I seek your advice for the following scenario with reference to account lockout.

User A:

Logs on at 13.00 - 13.02 hrs but gives invalid credentials 2 times. Unsuccessful. He doesn't try logging into the workstation after that.

User A again tries logging into the account at 13.06 - 13.08 hrs and gives invalid credentials 2 times. Unsuccessful. He doesn't try logging into the workstation after that.

User A again tries logging into the account at 13.10 - 13.14 hrs and gives invalid credentials 3 times.

The total number of failed logon attempts is 7 but the account is not getting locked out. The policy for account lockout is set at 5 logon attempts.

User B: Tries to log in at 16.00 hrs to 16.03 hrs but gives invalid credentials continuously 5 times (within 3 mins). The account was locked out.

I seek your advice as to what's wrong here and how to remediate it.

J

February 25th, 2015 12:10pm

Hi,

Based on my research, bad logon attempts to a workstation against a password-protected screen saver do not increase the lockout threshold. Similarly, if a server or workstation is locked using Ctrl+Alt+Delete, bad logon attempts against the Unlock dialog box do not count.

The "Reset account lockout threshold after" setting determines how long the lockout threshold is maintained. You can check the policy setting to see if it is very short. If a user logs on successfully, the threshold is reset. If the waiting period for "Reset account lockout threshold after" has elapsed since the last bad logon attempt, the threshold is also reset.

Regards,

Yan Li

February 27th, 2015 3:12am
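The reset behaviour described in the reply above can be checked against the two scenarios from this thread with a small replay. This is an added example, not part of the original posts and not Microsoft's code; it is a simplified model of the counter, and the exact attempt times inside each reported range, the date, and the 1- and 30-minute windows are constructed for illustration.

```python
from datetime import datetime, timedelta

def simulate_lockout(events, threshold, reset_after_minutes):
    """Replay one account's logon events; return the lockout time or None.

    events: iterable of (datetime, "fail" | "success").
    """
    window = timedelta(minutes=reset_after_minutes)
    bad_count = 0
    last_bad = None
    for when, outcome in sorted(events):
        if outcome == "success":
            bad_count, last_bad = 0, None  # a good logon clears the counter
            continue
        # Waiting period elapsed since the last bad attempt: counter starts over.
        if last_bad is not None and when - last_bad > window:
            bad_count = 0
        bad_count += 1
        last_bad = when
        if bad_count >= threshold:
            return when
    return None

def fails(day, *times):
    """Build failed-logon events from HH:MM:SS strings (constructed sample data)."""
    return [(datetime.strptime(f"{day} {t}", "%Y-%m-%d %H:%M:%S"), "fail")
            for t in times]

DAY = "2015-02-25"  # constructed date; the thread gives only times of day
# User A: 2 + 2 + 3 failures spread over 13:00-13:14, as described in the thread.
USER_A = fails(DAY, "13:00:00", "13:02:00", "13:06:00", "13:08:00",
               "13:10:00", "13:12:00", "13:14:00")
# User B: 5 failures within 3 minutes.
USER_B = fails(DAY, "16:00:00", "16:00:45", "16:01:30", "16:02:15", "16:03:00")

def compare(threshold=5, windows=(1, 30)):
    """Lockout time per (user, reset window in minutes)."""
    users = (("A", USER_A), ("B", USER_B))
    return {(name, w): simulate_lockout(ev, threshold, w)
            for name, ev in users for w in windows}

if __name__ == "__main__":
    for (user, window), locked in compare().items():
        state = f"locked at {locked:%H:%M:%S}" if locked else "never locked"
        print(f"User {user}, reset after {window:>2} min: {state}")
```

With a reset window shorter than the gaps between User A's attempts the counter never reaches 5, while User B's rapid attempts still lock the account; with a 30-minute window both accounts lock on the fifth failure.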

Hi Yan,

Thanks.

The scenario is that User A is logging on to the workstation and there is no screen saver password.

User B: when he gives invalid credentials continuously (with no time gap) 5 times, User B's account is getting locked out (the administrator has to release the lock). The reset time period is set at 98765 mins. Whereas User A is not getting locked out even though he gives invalid credentials, but with a time gap of 2 mins to 5 mins between different attempts, and there are no successful logins between these attempts.

Thanks

J

March 2nd, 2015 12:19pm

Hi,

I set my account lockout policy as below:

I tested it on one of my servers, and the account got locked out after 5 wrong passwords (3 wrong passwords, then after 5 minutes, 3 wrong passwords).

You may create a new account and test it on both your server and client computer.

Regards,

Yan Li

March 3rd, 2015 4:18am

This topic is archived. No further replies will be accepted.
