auditing logons - someone please clear this #@#$! up.

djc

Well, in theory I understand the difference between logon/logoff and account
logon/logoff. I have read about it in books and have studied the subject
from practice test questions for MS certifications. I can honestly tell you
I can get every question right and still be completely confused when I look
at a security log!

account logons: these are 'domain accounts' and get logged on whatever DC
did the authentication. These occur when logging on interactively to any
computer in the domain.

logons: these are local account logons and get logged on the machine
where the logon took place, could be DC or any other server or workstation.
They occur when logging on interactively OR when connecting remotely via
resource share.

I am aware that during an interactive logon an account logon gets logged on
the DC, a logon gets logged on the DC (because scripts etc.. are accessed)
and a logon gets logged on whatever machine the interactive logon took
place.

just getting that out because when ANY question related to this gets asked
that's usually the answer you get, whether that's what you're asking or not.

based on what I read and stated above it's very simple. The security logs
tell another story though.

1) I DO see account logon events logged on non-DC computers?

2) when taking the simple rules as laid out in books and test questions you
would think it would be easy to get an answer to the fundamental question
that is the purpose of this whole thing to begin with: A LOGON
SUCCEEDED/FAILED. WHAT USERNAME? FROM WHERE? Now I can handle the fact that
one interactive logon triggers 3 event log entries because that makes sense.
But I see WAY more than 3 entries triggered by what I can only assume was 1
real event. But I don't know.

what does Pre-authentication failed: ID 675 mean?
what does Authentication Ticket Request Failed: ID 676 mean?
what does Service Ticket Request Failed: ID 677 mean?

and there are several more! yes, I know, kerberos. I understand the kerberos
process. But I don't know how to look at a security log and answer the
simple question of A LOGON SUCCEEDED/FAILED. WHAT USERNAME? FROM WHERE?

anyone care to take a stab at explaining this? I am really frustrated at the
fact that I can get every test question related to this right but still am
not able to do anything useful with it. I know I am making myself look bad
but that's where I'm at. Yep, I'm an MCSA 2000: Security! funny, huh.
 
djc

apparently I still don't have it all straight. I blame the resources I've
used so far... they have all been incomplete at best, and often just wrong.
Anyway here is a site that, so far, IS good. I have not read all the
articles yet but the quick reference guide is very helpful, along with the
kerberos error code listings and explanation of the event IDs. I have found
very good and helpful info:

http://www.ultimatewindowssecurity.com/
 
Steven L Umbach

Probably the best short explanation I have heard is that "account logon"
events are recorded on the computer that authenticates the account while
"logon" events are created where the account is used. For example, in a
domain, for a domain user "account logon" events will only be recorded on the
domain controller that authenticates the user while "logon" events will be
recorded on domain computers that the user uses. When a user logs onto a
domain computer interactively a type 2 "logon" event will be recorded in the
security log of the domain computer [assuming auditing of "logon" events is
enabled], and when a domain user accesses a share on a domain computer a type 3
"logon" event will be recorded in the security log of the computer that has the
share even though the computer that has the share did not authenticate the
user - a domain controller did. When you see type 3 "logon" events in the
security log of a domain controller that is usually showing not that the
user logged onto the domain controller interactively but most likely is
because the user/computer accessed the sysvol share for Group Policy. The
free Windows 2003 Server Security Guide has an explanation of many common
Event IDs that you will see in the security and other logs. --- Steve

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
--- Kerberos error troubleshooting
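As an added example (not code from the thread or from either poster), the script below applies the rule Steve gives above, "account logon" is recorded where the account was authenticated, "logon" where it was used, to the legacy Windows 2000/2003 event IDs djc asks about (528/529/540 for logon, 672/673/675/676/677/680 for account logon) and reduces each record to the three answers the first post wants: succeeded or failed, which user, from where. The records are constructed, simplified dictionaries with field names that only approximate the description fields of the real events; the host names, addresses and user names are made up for the illustration.

```python
"""Reduce Windows 2000/2003-era security-log records to: did the logon
succeed or fail, which user, and from where.

Added example, not code from the original thread.  SAMPLE holds
constructed, simplified records (not verbatim event text); the field
names only approximate the description fields of the real events."""

# "Account logon" events: written on the computer that authenticated the
# account (a DC for a domain account).  "From where" is the client address.
ACCOUNT_LOGON_IDS = {
    672: "authentication ticket (TGT) granted",
    673: "service ticket granted",
    675: "pre-authentication failed",
    676: "authentication ticket (TGT) request failed",
    677: "service ticket request failed",
    680: "NTLM authentication",
}
# "Logon" events: written on the computer where the account is used.
# "From where" is the workstation name carried in the event.
LOGON_IDS = {
    528: "logon",
    529: "logon failed: bad user name or password",
    538: "logoff",
    540: "network logon",
}
LOGON_TYPES = {2: "interactive", 3: "network", 4: "batch", 5: "service",
               7: "unlock", 10: "remote interactive"}
# Kerberos result codes commonly seen in the Failure Code field of 675/676/677.
KRB_CODES = {
    0x06: "client principal unknown (bad user name)",
    0x12: "client credentials revoked (disabled, locked-out or expired account)",
    0x17: "password expired",
    0x18: "pre-authentication failed (bad password)",
    0x25: "clock skew too great",
}


def summarize(rec):
    """Return one flat dict per record, or None for event IDs not handled here."""
    eid = rec["event_id"]
    if eid in ACCOUNT_LOGON_IDS:
        category, what = "account logon", ACCOUNT_LOGON_IDS[eid]
        source = rec.get("client_address", "?")
    elif eid in LOGON_IDS:
        category, what = "logon", LOGON_IDS[eid]
        source = rec.get("workstation", "?")
        ltype = rec.get("logon_type")
        if ltype is not None:
            what += " type %d (%s)" % (ltype, LOGON_TYPES.get(ltype, "other"))
    else:
        return None
    # Success vs failure comes from the audit type column, not the event ID:
    # 680, for instance, is logged as either a success or a failure audit.
    outcome = "FAILED" if rec["audit"] == "failure" else "SUCCEEDED"
    code = rec.get("failure_code")
    detail = KRB_CODES.get(code, "Kerberos code %#x" % code) if code is not None else ""
    return {"host": rec["host"], "category": category, "outcome": outcome,
            "user": rec["user"], "source": source, "what": what, "detail": detail}


def failed_attempts(records):
    """Index failures by user name as (host that logged it, source, reason)."""
    out = {}
    for rec in records:
        s = summarize(rec)
        if s and s["outcome"] == "FAILED":
            out.setdefault(s["user"], []).append(
                (s["host"], s["source"], s["detail"] or s["what"]))
    return out


SAMPLE = [  # constructed: one interactive logon by alice, then a few failures
    {"host": "DC01", "event_id": 672, "audit": "success", "user": "alice",
     "client_address": "10.0.0.15"},
    {"host": "DC01", "event_id": 673, "audit": "success", "user": "alice",
     "client_address": "10.0.0.15"},
    {"host": "WS01", "event_id": 528, "audit": "success", "user": "alice",
     "logon_type": 2, "workstation": "WS01"},
    {"host": "DC01", "event_id": 540, "audit": "success", "user": "alice",
     "logon_type": 3, "workstation": "WS01"},   # sysvol / Group Policy access
    {"host": "DC01", "event_id": 675, "audit": "failure", "user": "bob",
     "failure_code": 0x18, "client_address": "10.0.0.22"},
    {"host": "DC01", "event_id": 676, "audit": "failure", "user": "mallory",
     "failure_code": 0x06, "client_address": "10.0.0.22"},
    {"host": "FS01", "event_id": 529, "audit": "failure", "user": "bob",
     "logon_type": 3, "workstation": "WS02"},
]

if __name__ == "__main__":
    for s in filter(None, map(summarize, SAMPLE)):
        print("%-5s %-13s %-9s %-8s from %-10s %s %s" % (
            s["host"], s["category"], s["outcome"], s["user"],
            s["source"], s["what"], s["detail"]))
    for user, fails in failed_attempts(SAMPLE).items():
        print(user, "->", fails)
```

Run as a script it prints one line per record, which makes the "3 entries for 1 interactive logon" pattern visible: alice's TGT and service ticket on DC01 (account logon), her type 2 logon on WS01, and the type 3 logon on DC01 that is the sysvol access Steve describes. The failure index is the part that answers the question in the first post; note that a bad password shows up as a 675 with code 0x18 on the DC, while a typo in the user name is a 676 with code 0x06, so the Kerberos failure code, not the event ID alone, tells you why.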
 
djc

thanks Steven.
