SOP 28 Failed User logins DWS Batch NGA Program
- 1. WIPRO NGA Program – DWS Batch Capstone Project Presentation – 12 May 2024 www.rpsconsulting.in Presented by – Anjali Sharma Failed User logins: Investigating repeated failed user login attempts
- 2. Failed User logins: Investigating repeated failed user login attempts. 2024 - RPS Consulting all rights reserved 2 TITLE: Failed User logins: Investigating repeated failed user login attempts. PURPOSE: This SOP outlines the steps to be taken when investigating repeated failed user login attempts in order to maintain the security of the system or platform. SCOPE: This SOP is applicable for all the personnel who are authorized to manage servers in the window server environment.
- 3. PROCEDURE-: • Investigating user failure attempts using event viewer requires a systematic approach to identify potential security threats and take appropriate actions. •Step 1: You can use Event Viewer to see the logs and investigate events. •Open Event Viewer in Active Directory and navigate to Windows Logs>Security.
- 4. The pane in the center lists all the events that have been setup forauditing. You will have to go through events registered to look for failedlogon attempts. Once you find them, you can right click on the event and select Event Properties for more details. In the window that opens, you can find the IP address of the device from which the logon was attempted. •STEP 2: Identifying Root cause : Identify the source of the failed login attempts using available information from the alert. Check the IP address associated with the failed attempts for any signs of suspicious activity or known malicious behavior. Determine if there are any patterns in the login attempts, such as sequential usernames or common passwords. Resolution for forgotten password: • When user forgotten their password, follow these steps:- Login to the domain as an administrator.
- 5. Open to the server manager > navigate tools. In the tools> select Active Directory users and Computers.
- 6. •Step 2: In the domain (abc.local) Right click on the user account that requires reset password. Select reset password.
- 7. •Step 3: Set a new password for the user •Step 4: Confirm the password change and Click OK. •Step 5: Notify the user of the new password.
- 8. 3. Monitor Logs: Regularly monitor logs related to user login attempts across all relevant systems and platforms. Logs may include authentication logs, access logs, and event logs depending on the type of system. 4. Temporary Lockouts: If deemed necessary based on the investigation, implement temporary lockouts for the user account or IP address associated with the failed login attempts. Document the duration of the lockout and ensure it complies with security policies. 5. Enhanced Security Measures: Evaluate whether additional security measures such as multi- factor authentication (MFA) or password complexity requirements are needed to mitigate future risks. Implement any necessary changes to strengthen security controls. 6. User Notification: If a user account is affected by the investigation, notify the user about the failed login attempts and any temporary lockouts imposed on their account. Provide guidance on best practices for maintaining account security and offer assistance if needed.
- 9. 7. Documentation and Reporting: Document the details of the investigation, including findings, actions taken, and any recommendations for improving security. Generate reports summarizing the investigation results and submit them to relevant stakeholders, such as IT management or compliance teams. 8. Review and Continuous Improvement: Regularly review the effectiveness of the investigation process and make adjustments as necessary based on emerging threats and lessons learned. Continuously improve security measures to enhance the resilience of the system against unauthorized access attempts. VALIDATION: By the following sop the server administrator can be able to Investigate and repeated failed user login attempts.