Audit logon events & Logon type

Table 1: Logon type

| Logon type | Logon title | Description |
| --- | --- | --- |
| 2 | Interactive | A user logged on to this computer. |
| 3 | Network | A user or computer logged on to this computer from the network. |
| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
| 5 | Service | A service was started by the Service Control Manager. |
| 7 | Unlock | This workstation was unlocked. |
| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |


Table 2: Audit logon events

| Logon event | Description |
| --- | --- |
| 528 | A user successfully logged on to a computer. For information about the type of logon, see the Logon type table above. |
| 529 | Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password. |
| 530 | Logon failure. A logon attempt was made by a user account outside of the allowed time. |
| 531 | Logon failure. A logon attempt was made using a disabled account. |
| 532 | Logon failure. A logon attempt was made using an expired account. |
| 533 | Logon failure. A logon attempt was made by a user who is not allowed to log on at this computer. |
| 534 | Logon failure. The user attempted to log on with a type that is not allowed. |
| 535 | Logon failure. The password for the specified account has expired. |
| 536 | Logon failure. The Net Logon service is not active. |
| 537 | Logon failure. The logon attempt failed for other reasons. Note: in some cases, the reason for the logon failure may not be known. |
| 538 | The logoff process was completed for a user. |
| 539 | Logon failure. The account was locked out at the time the logon attempt was made. |
| 540 | A user successfully logged on to a network. |
| 541 | Main mode Internet Key Exchange (IKE) authentication was completed between the local computer and the listed peer identity (establishing a security association), or quick mode has established a data channel. |
| 542 | A data channel was terminated. |
| 543 | Main mode was terminated. Note: this might occur as a result of the time limit on the security association expiring (the default is eight hours), policy changes, or peer termination. |
| 544 | Main mode authentication failed because the peer did not provide a valid certificate or the signature was not validated. |
| 545 | Main mode authentication failed because of a Kerberos failure or a password that is not valid. |
| 546 | IKE security association establishment failed because the peer sent a proposal that is not valid. A packet was received that contained data that is not valid. |
| 547 | A failure occurred during an IKE handshake. |
| 548 | Logon failure. The security ID (SID) from a trusted domain does not match the account domain SID of the client. |
| 549 | Logon failure. All SIDs corresponding to untrusted namespaces were filtered out during an authentication across forests. |
| 550 | Notification message that could indicate a possible denial-of-service attack. |
| 551 | A user initiated the logoff process. |
| 552 | A user successfully logged on to a computer using explicit credentials while already logged on as a different user. |
| 682 | A user has reconnected to a disconnected terminal server session. |
| 683 | A user disconnected a terminal server session without logging off. Note: this event is generated when a user is connected to a terminal server session over the network. It appears on the terminal server. |

Table 3: Logon type details

Logon type 2: Interactive. A user logged on to this computer.

An event with logon type = 2 occurs whenever a user logs on (or attempts to log on) to a computer locally, e.g. by typing a user name and password at the Windows logon prompt. Events with logon type = 2 occur when a user logs on with either a local or a domain account. However, if a user logs on with a domain account, this logon type appears only when the user was actually authenticated in the domain (by a domain controller). If the DC is not available but the user provided valid domain credentials that are cached on the local PC, Windows logs an event with logon type = 11 instead.


Logon type 3: Network. A user or computer logged on to this computer from the network.

The description of this logon type clearly states that the event is logged when somebody accesses a computer from the network. Commonly it appears when connecting to shared resources (shared folders, printers etc.). As we learned in the previous post, a connection with logon type = 3 can be established even from the local computer.


Logon type 4: Batch. Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.

This event type appears when a scheduled task is about to be started. E.g. if you use Windows Task Scheduler and it is time to start a task, Windows may create a new logon session to execute this task and register logon events (4648, 4624/4625). If a task is scheduled to run only when a "designated" user is logged on, a new logon session will not be opened and no logon events will be logged.


Logon type 5: Service. A service was started by the Service Control Manager.

When Windows starts a service that is configured to log on as a user, Windows creates a new logon session for this service. This happens only if the service uses a "common" user account. If it uses a special account, e.g. "Local System", "NT AUTHORITY\LocalService" or "NT AUTHORITY\NetworkService", Windows does not create a new logon session. The logon session is closed when the service stops, and a logoff event (4634) is registered.

Note that the event description does not contain any information about the service name; the process information lists only the name of the Service Control Manager (services.exe). When an Audit Failure logon event (4625) is registered with logon type = 5, this commonly means that the "designated" user has changed their password, and you should update the service's logon details.


Logon type 7: Unlock. This workstation was unlocked.

An event with logon type = 7 occurs when a user unlocks (or attempts to unlock) a previously locked workstation. Note that when a user unlocks the computer, Windows creates a new logon session (or two logon sessions, depending on the elevation conditions) and immediately closes it (with event 4634). When you switch between logged-on user accounts with the Fast User Switching feature, you might expect such switching to generate event 4624 with logon type = 7, because it looks like you lock and unlock the workstation. However, Windows generates event 4624 with logon type = 2 (interactive). When an Audit Failure logon event (4625) is registered with logon type = 7, this commonly means that either you made a typo when entering the password, or someone is trying to break into the computer.


Logon type 8: NetworkCleartext. A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).

I believe that you should never see logon events with logon type = 8. This event is generated when a password comes from the network as clear text. Such events may occur when a user logs on to IIS (Internet Information Services) with the basic access authentication method. Transferring passwords in plaintext is dangerous because they can be sniffed and revealed. So if basic authentication is the only option for you, you should protect the network connection (using encryption protocols such as SSL/TLS, creating a virtual private network, etc.).


Logon type 9: NewCredentials. A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.

This event occurs when using the RunAs command with the /netonly option. Let's say you need to run a program but grant it extra permissions for network computers. E.g. you may want to run Event Log Explorer and give it additional permissions for a specific computer or domain (this may be helpful e.g. if you want to use a specific computer as a description server in Event Log Explorer, but your current permissions are not enough to access admin resources on that server). In this case you can run Event Log Explorer normally (using your current credentials), but specify special credentials for network connections. Let's say your computer name is "WORK" and the description server name is "SERVER". On the WORK computer you type:

    runas.exe /netonly /user:server\Administrator "c:\program files\event log explorer\elex.exe"

and provide the administrator's password when prompted.

This will run Event Log Explorer even if you provided a wrong password. This happens because it uses cloned current credentials to run the program (a new logon session is opened), so the supplied password is not checked locally. Logon event 4624 will be logged with logon type = 9 (a logoff event will be logged when you quit the application). But what about SERVER? The server will register 4624 or 4625 events in its Security log with logon type = 3, but only when the application on the WORK computer tries to access a shared resource on the server, e.g. when Event Log Explorer tries to open the resource file with event descriptions.


Logon type 10: RemoteInteractive. A user logged on to this computer remotely using Terminal Services or Remote Desktop.

This logon type is similar to 2 (Interactive), but the user connects to the computer from a remote machine via RDP (using Remote Desktop, Terminal Services or Remote Assistance).


Logon type 11: CachedInteractive. A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.

When users log on to a domain, Windows caches their credentials locally so that they can log on later even if a logon server (domain controller) is unavailable. By default Windows caches the last 10 or 25 logon credentials (it depends on the operating system and can be increased up to 50). When a user attempts to log on with a domain account while the DC is not available, Windows checks the user's credentials against these stored hashes and logs security event 4624 or 4625 with logon type = 11.
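The per-type observations above translate into a small triage pass over exported 4624/4625 events: types 8, 9 and 11 are flagged wherever they appear, failures with types 5 and 7 get their own tags, and repeated unlock failures per account are counted. This is an added example, not code from the page or the referenced blog; the key=value export format, the tag names and the sample events are constructed assumptions.

```python
"""Triage exported Windows Security logon events (4624 success, 4625 failure) by
logon type, using the per-type observations above. Added example; input is constructed."""
from collections import Counter

# Tags for any event with the given logon type (types 8, 9, 11) and for 4625 only (types 5, 7).
TYPE_TAGS = {8: "CLEARTEXT", 9: "NETONLY", 11: "CACHED_LOGON"}
FAILURE_TAGS = {5: "SERVICE_FAILURE", 7: "UNLOCK_FAILURE"}
RULES = {
    "CLEARTEXT": "type 8: password arrived unhashed (e.g. IIS basic auth); should never occur",
    "NETONLY": "type 9: runas /netonly, password not verified locally; expect type 3 on the peer",
    "CACHED_LOGON": "type 11: cached domain credentials used, the DC was not contacted",
    "SERVICE_FAILURE": "4625 with type 5: the service account password was probably changed",
    "UNLOCK_FAILURE": "4625 with type 7: a typo, or someone trying to break into the workstation",
}

def parse_events(text):
    """Parse one constructed 'key=value key=value' event per line into dicts."""
    events = []
    for line in text.strip().splitlines():
        ev = dict(field.split("=", 1) for field in line.split())
        ev["EventID"], ev["LogonType"] = int(ev["EventID"]), int(ev["LogonType"])
        events.append(ev)
    return events

def triage(ev):
    """Return the rule tags that apply to one event ([] when nothing is notable)."""
    eid, lt = ev["EventID"], ev["LogonType"]
    tags = [TYPE_TAGS[lt]] if lt in TYPE_TAGS else []
    if eid == 4625 and lt in FAILURE_TAGS:
        tags.append(FAILURE_TAGS[lt])
    return tags

def summarize(events, failure_threshold=3):
    """Tag every event and count repeated 4625 failures per (user, logon type)."""
    findings, failures = [], Counter()
    for ev in events:
        findings += [(ev["TargetUserName"], ev["LogonType"], t) for t in triage(ev)]
        if ev["EventID"] == 4625:
            failures[(ev["TargetUserName"], ev["LogonType"])] += 1
    repeated = {k: n for k, n in failures.items() if n >= failure_threshold}
    return {"findings": findings, "repeated_failures": repeated}

# Constructed sample export, not real log data.
SAMPLE = """EventID=4624 LogonType=2 TargetUserName=alice
EventID=4624 LogonType=8 TargetUserName=webuser
EventID=4624 LogonType=11 TargetUserName=alice
EventID=4625 LogonType=5 TargetUserName=svc_backup
EventID=4625 LogonType=7 TargetUserName=bob
EventID=4625 LogonType=7 TargetUserName=bob
EventID=4625 LogonType=7 TargetUserName=bob
EventID=4624 LogonType=9 TargetUserName=alice"""
```

Calling `summarize(parse_events(SAMPLE))` returns the tagged findings plus `{("bob", 7): 3}` as the one account that crossed the repeated-failure threshold; `RULES[tag]` gives the explanation for each finding.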

Microsoft documentation reference: <https://technet.microsoft.com/en-us/library/cc787567(v=ws.10).aspx>

Reference blog post: <http://eventlogxp.com/blog/logon-type-what-does-it-mean/>

Date: 2024-10-15 08:31:54
