Audit Logon Events vs. Audit Account Logon Events

H

HG

In a recent Windows 2K Svr checklist from Microsoft I noticed that Microsoft
recomends the admin to do a Sucess and Failure in "Audit Account Logon
Events" only.

see http://www.microsoft.com/technet/security/chklist/w2ksvrcl.mspx

Enable Security Event Auditing>Microsoft recommends enabling only Success
and Failure auditing for the Audit account logon events policy.

What's the difference between "Audit Account Logon Events" vs. "Audit Logon
Events"?

Thanks,

GX
 
S

Steven Umbach

All messages from thread
Message 1 in thread
From: Steven L Umbach ([email protected])
Subject: Re: Logon vs Acct logon auditing


View this article only
Newsgroups: microsoft.public.win2000.security
Date: 2004-03-18 12:10:51 PST


This a copy of a reply I made a short time back. I think it depends if the
server or the domain controller will be authenticating the users. ---
SteveThere is a subtle, but important to know, difference when it comes to
trying
to track down account lockouts or hack attempts. Account logon events are
used to record when a user logs onto a computer. The event is recorded on
the computer that authenticated the user - the actual computer [local sam]
if logging onto a local machine account or the domain controller that
validated a domain user logging into the domain. An account logon event will
not be recorded on the domain computer where a domain user logs onto the
domain but a logon event could be. Logon events are recorded where a user
uses their credentials such as accessing a domain file server in which case
a type 3 netwok logon would be recorded in the security log of the file
server showing the name and computer used by the domain user. See the links
below for more info including how to interpret the Event ID's. --- Steve
[bored at work]

http://www.microsoft.com/resources/...dowsServ/2003/standard/proddocs/en-us/515.asp
http://tinyurl.com/2zg73 -- shorter in case of wrap.

http://www.microsoft.com/resources/...dowsServ/2003/standard/proddocs/en-us/518.asp
http://tinyurl.com/34osj -- shorter link in case of wrap.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Audit Account Logon Events 3
Audit Logon (success an failure) 1
audit logon 2
SecPol Audit Policy: Diff between "Audit account logon events" and "Audit logon events" ? 2
Audit Policy 4
Auditing Logon Events 2
Tracking logon and logoff activity 1
Where this Audit Polciy comming from? 4

Top