... while studying in MS SPTK 70-290 ch 3 lesson 4: Securing and Troubleshooting Authentication ...
One of the confusing things about auditing in Windows is understanding the difference between "Logon Events" vs. "Account Logon Events" [SW2kSch9AaI].
Logon Events
- Logon Events are created when the session and token are created or destroyed.
- Includes both users and computer events.
- When a user connects to a remote server a logon event is generated in the security log of the remote server.
Account Logon Events
- Account Logon Events are created when the authentication package validates a user's credentials.
- Includes both users and computer events.
- The authentication package could be Active Directory on a domain controller or the SAM on a member computer (server or workstation).
This leaves me with the question of at what point is an Object Access event created?
SW2kSch9AaI = Securing Windows 2000 Server, ch 9 Auditing and Intrusion [http://technet.microsoft.com/en-us/library/cc751219.aspx]
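The split described above can be checked against collected Security logs: the logon event sits on the machine where the session was created, and the account logon event sits on the machine that validated the credentials. The following is an added example, not code from the post or from Microsoft; the event IDs (Windows 2000/2003 and their later equivalents), host names, and accounts are assumptions of the example.

```python
from collections import defaultdict

# Event IDs are an assumption of this example (not from the post):
# Windows 2000/2003 IDs plus their Vista-and-later equivalents.
LOGON = {528, 540, 4624}                           # session/token created here
ACCOUNT_LOGON = {672, 673, 680, 4768, 4769, 4776}  # credentials validated here

# Constructed sample records: (host, event_id, account). All names hypothetical.
SAMPLE = [
    ("DC1", 4768, "CORP\\alice"),      # Kerberos ticket issued by the DC
    ("WS1", 4624, "CORP\\alice"),      # interactive session on the workstation
    ("DC1", 4769, "CORP\\alice"),      # service ticket for the file server
    ("FS1", 4624, "CORP\\alice"),      # network session on the remote server
    ("FS1", 4776, "FS1\\svc_backup"),  # local account validated by FS1's SAM
    ("FS1", 4624, "FS1\\svc_backup"),
    ("WS2", 4624, "CORP\\bob"),        # session with no validation record
]

def categorize(event_id):
    """Map an event ID to the audit category that produced it."""
    if event_id in LOGON:
        return "logon"
    if event_id in ACCOUNT_LOGON:
        return "account_logon"
    return None

def where_recorded(events):
    """Per account, the hosts whose Security log holds each category."""
    seen = defaultdict(lambda: {"logon": set(), "account_logon": set()})
    for host, event_id, account in events:
        category = categorize(event_id)
        if category:
            seen[account][category].add(host)
    return dict(seen)

def validator(account, host):
    """Local SAM if the account's authority is the recording host itself."""
    authority = account.split("\\", 1)[0]
    return "local SAM" if authority.upper() == host.upper() else "domain controller"

def sessions_without_validation(events):
    """Accounts with a session somewhere but no validation record collected."""
    return sorted(account for account, cats in where_recorded(events).items()
                  if cats["logon"] and not cats["account_logon"])

if __name__ == "__main__":
    for account, cats in where_recorded(SAMPLE).items():
        print(account, "sessions on", sorted(cats["logon"]),
              "validated on", sorted(cats["account_logon"]))
    print("no validation record:", sessions_without_validation(SAMPLE))
```

An account listed by `sessions_without_validation` usually means the validating machine's log was not collected or Account Logon auditing is not enabled there.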