Audit Credential Validation determines whether the operating system generates audit events on credentials that are submitted for a user account logon request.
These events occur on the computer that is authoritative for the credentials, as follows:

- For ___domain accounts, the ___domain controller is authoritative.
- For local accounts, the local computer is authoritative.

Event volume:

- High on ___domain controllers.
- Low on member servers and workstations.
Because ___domain accounts are used much more frequently than local accounts in enterprise environments, most of the Account Logon events in a ___domain environment occur on the ___domain controllers that are authoritative for the ___domain accounts. However, these events can occur on any computer, and they may occur in conjunction with or on separate computers from Logon and Logoff events.
The main reason to enable this auditing subcategory is to capture authentication attempts against local accounts and, for ___domain accounts, NTLM authentication in the ___domain. It is especially useful for monitoring unsuccessful attempts, to find brute-force attacks, account enumeration, and potential account compromise events on ___domain controllers.
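The following script is an added example, not part of the Microsoft page, showing how a defender can summarise failed credential-validation events to spot the password-guessing and account-enumeration patterns the paragraph describes. It assumes the subcategory is enabled for Failure on the computer being queried, that the script runs elevated so the Security log is readable, and that Event ID 4776 (the NTLM credential-validation event in this subcategory) carries the `TargetUserName`, `Workstation` and `Status` fields; the lookback window and threshold values are illustrative.

```powershell
# Added example (not from the original page): flag bursts of failed credential
# validation. Assumes Failure auditing is on and the script runs elevated.
param(
    [int]$LookbackMinutes = 60,   # illustrative window
    [int]$FailureThreshold = 10   # illustrative threshold
)

$since = (Get-Date).AddMinutes(-$LookbackMinutes)

# Event 4776 is raised on the authoritative computer for every NTLM validation.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4776
    StartTime = $since
} -ErrorAction SilentlyContinue

# Pull the EventData fields out of each record's XML.
$records = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = $d['TargetUserName']
        Workstation = $d['Workstation']
        Status      = $d['Status']      # '0x0' on success, an NTSTATUS code on failure
    }
}

$failures = $records | Where-Object { $_.Status -ne '0x0' }

# Password guessing: many failures against a single account.
Write-Host "Accounts with $FailureThreshold+ failed validations since $since"
$failures | Group-Object Account |
    Where-Object Count -ge $FailureThreshold |
    Select-Object @{n = 'Account'; e = { $_.Name }}, Count |
    Format-Table -AutoSize

# Account enumeration: one source trying many distinct accounts. Failures with
# STATUS_NO_SUCH_USER (0xC0000064) are a strong hint that names are being probed.
Write-Host "Sources that failed against $FailureThreshold+ distinct accounts"
$failures | Group-Object Workstation | ForEach-Object {
    $distinct   = ($_.Group.Account | Sort-Object -Unique).Count
    $noSuchUser = ($_.Group | Where-Object Status -eq '0xC0000064').Count
    if ($distinct -ge $FailureThreshold) {
        [pscustomobject]@{
            Workstation      = $_.Name
            DistinctAccounts = $distinct
            NoSuchUser       = $noSuchUser
            Failures         = $_.Count
        }
    }
} | Format-Table -AutoSize
```

Run it on a ___domain controller to cover NTLM authentication with ___domain accounts, and on member servers or workstations to cover their local accounts; the two groupings separate a single account being hammered from a single source walking through many account names.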
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|---|---|---|---|---|---|
| Domain Controller | IF | Yes | Yes | Yes | Expected volume of events is high for ___domain controllers, because this subcategory will generate events when an authentication attempt is made using any ___domain account and NTLM authentication. IF – We recommend Success auditing to keep track of ___domain-account authentication events using the NTLM protocol. Expect a high volume of events. For recommendations for using and analyzing the collected information, see the Security Monitoring Recommendations sections. Just collecting Success auditing events in this subcategory for future use in case of a security incident is not very useful, because events in this subcategory are not always informative. We recommend Failure auditing, to collect information about failed authentication attempts using ___domain accounts and the NTLM authentication protocol. |
| Member Server | Yes | Yes | Yes | Yes | Expected volume of events is low for member servers, because this subcategory will generate events when an authentication attempt is made using a local account, which should not happen too often. We recommend Success auditing, to keep track of authentication events by local accounts. We recommend Failure auditing, to collect information about failed authentication attempts by local accounts. |
| Workstation | Yes | Yes | Yes | Yes | Expected volume of events is low for workstations, because this subcategory will generate events when an authentication attempt is made using a local account, which should not happen too often. We recommend Success auditing, to keep track of authentication events by local accounts. We recommend Failure auditing, to collect information about failed authentication attempts by local accounts. |
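As an added example that is not part of the original page, the script below applies the table's recommendation for this subcategory with `auditpol` and then reads the effective setting back. It assumes an elevated prompt, an English-locale subcategory name, and that the caller chooses the computer role; the `-TrackNtlmSuccess` switch is a hypothetical name for the table's "IF" condition on ___domain controllers.

```powershell
# Added example (not from the original page): set Audit Credential Validation
# per the recommendation table. Run from an elevated prompt.
param(
    [Parameter(Mandatory)]
    [ValidateSet('DomainController', 'MemberServer', 'Workstation')]
    [string]$Role,

    # Hypothetical switch: on a ___domain controller the table marks Success as
    # "IF", i.e. enable it only when NTLM ___domain-account logons must be tracked.
    [switch]$TrackNtlmSuccess
)

$subcategory = 'Credential Validation'

switch ($Role) {
    'DomainController' {
        $success = if ($TrackNtlmSuccess) { 'enable' } else { 'disable' }
        $failure = 'enable'   # Failure: Yes
    }
    default {
        $success = 'enable'   # Success: Yes (local-account volume is low)
        $failure = 'enable'   # Failure: Yes
    }
}

# Apply the setting, then show what is now in effect.
auditpol /set "/subcategory:$subcategory" "/success:$success" "/failure:$failure"
if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed with exit code $LASTEXITCODE" }

auditpol /get "/subcategory:$subcategory"
```

If the advanced audit policy is managed through Group Policy, the GPO value will overwrite a local `auditpol` change at the next policy refresh, so the same Success/Failure choice should be made in the GPO rather than only on the host.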
Events List: