
This question does not take Windows Server 2003 and older OSes into consideration.

I know that for local logons (event ID 4624) the logon type is also logged (interactive, remote, etc.). Is there a way I can also identify the logon type for domain authentications by collecting only the domain controller logs? I.e., can event IDs such as 4771 and 4768 be generated both by a user authenticating at his workstation (at the keyboard) and by a user or a service authenticating over the network, and if so, is there a way to tell this from the log (4771 or 4768)? Or is authentication over the network always covered by event ID 4769, thus leaving event IDs 4771 and 4768 only for local authentications?

treiman

1 Answer


No, 4624s are not just for local workstation logons. They also occur on domain controllers. Same rules apply to both local logon and domain logon.

The trick is to look at the Logon Type listed in the event 4624. If the event says

Logon Type: 3

then you know that it was a network logon. These events occur on domain controllers when users (or computers) log on to the AD domain, so yes, collecting the domain controllers is what you want to do.

•2: Interactive logon — This is used for a logon at the console of a computer. A type 2 logon is logged when you attempt to log on at a Windows computer’s local keyboard and screen.

•3: Network logon — This logon occurs when you access remote file shares or printers. Also, most logons to Internet Information Services (IIS) are classified as network logons, other than IIS logons that use the basic authentication protocol (those are logged as logon type 8).

•4: Batch logon — This is used for scheduled tasks. When the Windows Scheduler service starts a scheduled task, it first creates a new logon session for the task, so that it can run in the security context of the account that was specified when the task was created.

•5: Service logon — This is used for services and service accounts that log on to start a service. When a service starts, Windows first creates a logon session for the user account that is specified in the service configuration.

•7: Unlock—This is used whenever you unlock your Windows machine.

•8: Network clear text logon—This is used when you log on over a network and the password is sent in clear text. This happens, for example, when you use basic authentication to authenticate to an IIS server.

•9: New credentials-based logon—This is used when you run an application using the RunAs command and specify the /netonly switch. When you start a program with RunAs using /netonly, the program starts in a new logon session that has the same local identity (this is the identity of the user you are currently logged on with), but uses different credentials (the ones specified in the runas command) for other network connections. Without /netonly, Windows runs the program on the local computer and on the network as the user specified in the runas command, and logs the logon event with type 2.

•10: Remote Interactive logon—This is used for RDP-based applications like Terminal Services, Remote Desktop or Remote Assistance.

•11: Cached Interactive logon—This is logged when users log on using cached credentials, which basically means that in the absence of a domain controller, you can still log on to your local machine using your domain credentials. Windows supports logon using cached credentials to ease the life of mobile users and users who are often disconnected.

Ryan Ries
  • So a user with a successful logon with a domain account will always generate a 4768 with Audit Success and a 4624 on the domain controller, thus making me want to focus on the 4624s to get the "final word" so to speak? – treiman Apr 15 '15 at 13:15
  • Yes, if you want to track who logged on to the domain, from where, when, using which security package (Kerberos vs. NTLM) and in what manner, all you need are the 4624s from the domain controllers. Keep in mind that if you have a lot of domain controllers, you need to either check all of them, or set up event forwarding so that all logon events go to a centralized location for easy searching. – Ryan Ries Apr 15 '15 at 13:19
  • Following up on your answer, would I also see a 4624 on the workstation but with a logon type 2 instead of a logon type 3? What about if I want to track users connecting to other computers with e.g. RDP; would I see a 4678 or a 4679 on the domain controller and, on top of that, would I then see a 4624 with logon type 3 on the domain controller and a 4624 with logon type 10 on the server where the RDP session was established? I.e., if the logon type is always 3 on the domain controller, is 4679 the way to differentiate between an RDP logon session and a local logon session? – treiman Apr 15 '15 at 14:55
  • A 4624 will simultaneously be generated on both the domain member and the domain controller. The Logon Type will be the same in both events. – Ryan Ries Apr 15 '15 at 15:50
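As an added example (not part of the original question or answer), the script below does what the answer and comments describe: it reads 4624 events in the XML shape that Get-WinEvent's ToXml() produces, pulls out who logged on, from where, when, with which authentication package, and classifies each event by the Logon Type table above. It assumes the events have already been collected to one place (event forwarding, as the comment suggests) and handed over as XML strings; the sample events, host names, users and IP addresses are constructed for the demo and are not real log data. Computer accounts (names ending in $) are dropped, non-4624 events are skipped, and type 8 logons are listed separately because the answer notes that the password crossed the network in clear text for those.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Logon Type codes as listed in the answer above.
LOGON_TYPES: Dict[int, str] = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Namespace of Windows event XML (what Get-WinEvent's .ToXml() returns).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


@dataclass
class Logon:
    time: str
    computer: str       # host that logged the event
    user: str
    domain: str
    logon_type: int
    logon_type_name: str
    source_ip: str      # IpAddress field; "-" for console logons
    workstation: str    # WorkstationName field; often blank for Kerberos
    auth_package: str   # Kerberos / NTLM / Negotiate


def parse_4624(xml_text: str) -> Optional[Logon]:
    """Parse one event's XML; return None if it is not a 4624."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    lt = int(data.get("LogonType", "0"))
    return Logon(
        time=root.find("e:System/e:TimeCreated", NS).get("SystemTime", ""),
        computer=root.findtext("e:System/e:Computer", default="", namespaces=NS),
        user=data.get("TargetUserName", ""),
        domain=data.get("TargetDomainName", ""),
        logon_type=lt,
        logon_type_name=LOGON_TYPES.get(lt, f"Unknown({lt})"),
        source_ip=data.get("IpAddress", "-"),
        workstation=data.get("WorkstationName", ""),
        auth_package=data.get("AuthenticationPackageName", ""),
    )


def user_logons(xml_events: List[str]) -> List[Logon]:
    """4624s for user accounts only: drop non-4624s and computer accounts (name ends in $)."""
    parsed = (parse_4624(x) for x in xml_events)
    return [e for e in parsed if e is not None and not e.user.endswith("$")]


def count_by_type(events: List[Logon]) -> Dict[str, int]:
    return dict(Counter(e.logon_type_name for e in events))


def cleartext_logons(events: List[Logon]) -> List[Logon]:
    """Type 8: the password crossed the network in clear text (e.g. IIS basic auth)."""
    return [e for e in events if e.logon_type == 8]


def make_event(event_id: int, time: str, computer: str, **fields: str) -> str:
    """Build a minimal event XML string in the Windows schema (constructed test data)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time}"/><Computer>{computer}</Computer></System>'
            f"<EventData>{data}</EventData></Event>")


# Constructed sample events (hosts, users and IPs are made up for the demo).
SAMPLE_EVENTS = [
    # Kerberos network logon to the DC from a workstation
    make_event(4624, "2015-04-15T13:15:02Z", "DC01.corp.example", TargetUserName="jdoe",
               TargetDomainName="CORP", LogonType="3", AuthenticationPackageName="Kerberos",
               WorkstationName="", IpAddress="10.0.5.42"),
    # admin at the DC's own console
    make_event(4624, "2015-04-15T13:20:11Z", "DC01.corp.example", TargetUserName="admin",
               TargetDomainName="CORP", LogonType="2", AuthenticationPackageName="Negotiate",
               WorkstationName="DC01", IpAddress="-"),
    # RDP to the DC
    make_event(4624, "2015-04-15T13:31:45Z", "DC01.corp.example", TargetUserName="admin",
               TargetDomainName="CORP", LogonType="10", AuthenticationPackageName="Negotiate",
               WorkstationName="WS007", IpAddress="10.0.5.7"),
    # basic-auth logon recorded by an IIS server in the same forwarded collection
    make_event(4624, "2015-04-15T13:40:03Z", "WEB01.corp.example", TargetUserName="svc_web",
               TargetDomainName="CORP", LogonType="8", AuthenticationPackageName="NTLM",
               WorkstationName="WEB01", IpAddress="10.0.9.12"),
    # computer account logon, dropped by user_logons()
    make_event(4624, "2015-04-15T13:41:00Z", "DC01.corp.example", TargetUserName="WS042$",
               TargetDomainName="CORP", LogonType="3", AuthenticationPackageName="Kerberos",
               WorkstationName="", IpAddress="10.0.5.42"),
    # a 4768 (TGT request) mixed in: parse_4624() returns None for it
    make_event(4768, "2015-04-15T13:15:01Z", "DC01.corp.example", TargetUserName="jdoe",
               TargetDomainName="CORP.EXAMPLE"),
]

if __name__ == "__main__":
    logons = user_logons(SAMPLE_EVENTS)
    for e in logons:
        print(f"{e.time} {e.computer:18} {e.domain}\\{e.user:8} type {e.logon_type:>2} "
              f"({e.logon_type_name}) from {e.source_ip} via {e.auth_package}")
    print("by type:", count_by_type(logons))
    print("cleartext:", [e.user for e in cleartext_logons(logons)])
```

On a real collector you would replace SAMPLE_EVENTS with the XML of each event from the forwarded Security log; the parser only depends on the standard System and EventData fields.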