Webinar 72 Slides

  • 8/3/2019 Webinar 72 Slides

    2009 Monterey Technology Group Inc.

    What is the Difference Between Account Logon and Logon/Logoff Events?

    Commissioned by:

    Ultimate Windows Security.com

    Brought to you by

    Speaker Isaac Thompson

    Director of Engineering and Training

    Preview of key points

      • Authentication vs. Logon
      • Understanding
          • Account Logon Events
          • Logon/Logoff Events
      • Which should you use?

    Logons

      • 2 kinds of accounts
          • Local computer SAM
          • AD domain accounts

    2004-2006 Monterey Technology Group Inc.

    Logons

      • 2 kinds of logons
          • Interactive
          • Network (aka remote)
      • Credentials entered once
      • But separate logon for each computer accessed
      • [Diagram labels: drive mapping; network logon]
      • credentials for each computer accessed

    Specifying local or domain logons

      • [Figure labels: Domain; Local SAM]

    Specifying local or domain logons

      • [computer or domain name\]username

    Logon vs. Authentication

      • Separate and distinct
      • Logon
          • Computer where the account gains access to objects and can run programs
      • Authentication
          • Computer that checks the account's credentials

    Logon vs. Authentication

      • Same computer for both
          • Logging on with local SAM account
          • User is logging on to domain controller itself
      • Different computers
          • User logging onto workstation or member server with domain account

    2 Audit policy/security log categories

      • [Figure label: Authentication events]

    2 Audit policy/security log categories

      • Authentication vs. Logons
      • Logon/logoff events
          • Logged whenever an account logs onto the computer
          • Interactively, network, batch, service, terminal services
      • Account logon events
          • Logged only when local computer authenticates
          • Domain controllers - all domain account logons
          • Member servers and workstations - only local SAM accounts

    Tracking authentication activity

      • Domain accounts
          • Each domain controller
      • Local accounts
          • Each workstation and server
      • Enable "Audit account logon events" audit policy
      • Monitor security log for Account Logon category

    User logs on with a domain account

      • [Diagram labels: Logon/logoff events logged (shown twice); Account Logon events logged]

    User logs on with local SAM accounts

      • [Diagram labels: Logon/logoff & Account Logon events logged (shown twice)]

    Interesting point

      • Logon/Logoff category on domain controller does not log failed logons occurring on workstations or member servers even though user is a domain account

    Bottom Line

      • Which should you use? Domain Controllers
          • Enable Account Logon for success and failure to provide complete audit trail of all
              • Domain account authentication activity
              • Computers accessed by each domain account
      • What about Logon/Logoff on domain controllers?
          • Provides better audit trail of remote desktop and console
          • Generates lots of worthless network logon/logoff events every time each computer applies group policy
          • Consider enabling only for failed events to identify attempts to break into DC itself

    Bottom Line

      • Which should you use?
          • Enable Logon/Logoff for complete audit trail of every attempt to access that computer whether by a local or domain
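The rules from these slides, modelled as an added example (not part of the original webinar): given a logon attempt, it returns which computer can record it under which category, then filters that by each computer's audit policy to expose blind spots. The names CORP, DC1, WS1, alice and admin are constructed, and a single domain controller stands in for all of them.

```python
from dataclasses import dataclass

ACCOUNT_LOGON, LOGON_LOGOFF = "Account Logon", "Logon/Logoff"

@dataclass(frozen=True)
class Attempt:
    account: str   # written as computer-or-domain\username
    target: str    # computer being accessed
    success: bool

def expected_events(attempt, domain, dc):
    """Return the (computer, category) pairs that can record this attempt."""
    scope = attempt.account.rpartition("\\")[0]
    # Logon: the computer where the account gains access.
    events = {(attempt.target, LOGON_LOGOFF)}
    # Authentication: the computer that checks the credentials, i.e. a
    # domain controller for domain accounts, the target for local SAM ones.
    is_domain = scope.lower() == domain.lower()
    events.add((dc if is_domain else attempt.target, ACCOUNT_LOGON))
    return events

def recorded(attempt, policy, domain, dc):
    """Keep only the events that each computer's audit policy captures."""
    outcome = "success" if attempt.success else "failure"
    return {(host, cat) for host, cat in expected_events(attempt, domain, dc)
            if outcome in policy.get(host, {}).get(cat, ())}

# Constructed sample: policy following the Bottom Line slides.
BOTTOM_LINE = {
    "DC1": {ACCOUNT_LOGON: {"success", "failure"}, LOGON_LOGOFF: {"failure"}},
    "WS1": {ACCOUNT_LOGON: {"success", "failure"},
            LOGON_LOGOFF: {"success", "failure"}},
}
# Constructed sample: a DC that audits only Logon/Logoff.
DC_LOGON_ONLY = {"DC1": {LOGON_LOGOFF: {"success", "failure"}}}

failed_domain = Attempt("CORP\\alice", "WS1", success=False)
failed_local = Attempt("WS1\\admin", "WS1", success=False)

if __name__ == "__main__":
    for policy in (BOTTOM_LINE, DC_LOGON_ONLY):
        print(sorted(recorded(failed_domain, policy, "CORP", "DC1")))
```

With the second policy the failed domain logon at WS1 leaves no record anywhere, which is the case the "Interesting point" slide describes.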


    Want to Learn More?

      • EventTracker [email protected]
      • Windows Security Log
      • www.prismmicrosys.com/
      • Attend Security Log Secrets training, Los Angeles, January 2010
        www.ultimatewindowssecurity.com/redir.aspx?name=sls2010
      • Get the Windows Security Log Resource Kit
        ..com/grok