logon and account logon audit events

[djc]

I just had a book tell me that Logon Events were users interactively logging
onto a computer or the domain (after hitting ctr+alt+del, for example) and
that Account Logon events were users connecting to remote machines for
resourse usage (connecting to a shared folder, for example)

isn't this backwards? isn't the opposite the truth?

 

[Steven L Umbach]

You are correct. Account logon events are recorded on the computer that
authenticates the user - domain controller for domain user and local
computer for local account. Logon events are recorded when a user accesses a
share or logs onto a domain computer. --- Steve

http://www.microsoft.com/technet/security/guidance/secmod144.mspx --
probably better source than your book.
http://www.amazon.com/exec/obidos/A...69239/sr=11-1/ref=sr_11_1/104-2211302-2359957
-- good book on Microsoft security.

 

[djc]

Hey Steven,
Thanks for the reply. Please see inline for a clarification questions. You
also replied to a different issue I had with regard to misinformation with
this same book. I don't know why I'm still reading it.

You are correct. Account logon events are recorded on the computer that
authenticates the user

(ok.. yep) - domain controller for domain user and local

computer for local account

(ok.. yep.. still with you). Logon events are recorded when a user accesses
a

share

(A: with you but with question; see below) or logs onto a domain computer
(B: this is where I need clarificaiton: what exactly do you mean by 'logs
onto a domain computer'?). --- Steve

A: where would this type be logged? in the security log of the system
running the server.exe service?
B: what constitutes logging on to a domain computer in this context? opening
up a mapped drive? navigating through network neighborhood to a server
share? using a UNC path to a server share? When I read your response I feel
like I'm with you all the way until this last part really, because 'logs
onto a domain computer' sounds like a ctr+alt+del interactive login to me.

I know, I'm hard headed... but I appreciated your help. I will read the
links you provided as well. Thanks.

 

[Steven L Umbach]

Assuming that the necessary events are enabled for auditing, when you logon
to a domain computer as a domain user an "account logon" event is recorded
in the security log on the domain controller that authenticated you and a
"logon" event is recorded in the security log of the domain computer you
logged onto.

If you map a share, or use Network Places to access a share on a domain
computer a "logon" event is recorded in the security log of the domain
computer itself. Few people seem to understand this correctly. --- Steve