2008-09-01

Auditing Logon Events

... while studying MS SPTK 70-290, ch 3 lesson 4: Securing and Troubleshooting Authentication ...


One of the confusing things about auditing in Windows is understanding the difference between "Logon Events" and "Account Logon Events" [SW2kSch9AaI]. The distinction is less about what happened than about which machine writes the record.


Logon Events


  • Logon Events are created when a logon session and its access token are created or destroyed, i.e. at logon and logoff.

  • Includes both user and computer accounts.

  • They are written on the machine where the session is created: when a user connects to a remote server, the logon event is generated in the Security log of that remote server, regardless of which machine validated the credentials.


Account Logon Events


  • Account Logon Events are created when the authentication package validates a user's (or computer's) credentials.
  • Includes both user and computer accounts.
  • The authentication package is Active Directory on a domain controller for domain accounts, or the local SAM on a member server or workstation for local accounts. The event is therefore written on the machine that holds the account database: a domain account logging on to a member server produces an Account Logon event on the domain controller, while the Logon event lands on the member server.
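The quickest way to see the split described above is to pull both families out of the Security log on a member server and on a domain controller and compare which host wrote which record. The script below is an added example, not part of the original post or the training kit. It assumes a Vista/2008 or later Security log (on Windows 2000/2003 the IDs are 4096 lower: 4624 corresponds to 528/540, 4634 to 538, 4768 to 672, 4769 to 673, 4776 to 680), an elevated session that can read the Security log, and that the relevant subcategories have been enabled with auditpol as shown in the comments.

```powershell
# Added example (not from the original post): list Logon vs Account Logon events
# from the local Security log and show which host wrote each record.
#
# Assumed audit policy (run elevated before collecting):
#   auditpol /set /subcategory:"Logon" /success:enable /failure:enable
#   auditpol /set /subcategory:"Logoff" /success:enable
#   auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
#   auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
#   auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable

# Event ID -> audit category (Vista/2008+ IDs; subtract 4096 for Windows 2000/2003).
$categoryOf = @{
    4624 = 'Logon'          # logon session + access token created on this host
    4634 = 'Logon'          # logon session destroyed on this host
    4768 = 'Account Logon'  # Kerberos TGT request validated by a domain controller
    4769 = 'Account Logon'  # Kerberos service ticket issued by a domain controller
    4776 = 'Account Logon'  # NTLM credential validation (domain controller or local SAM)
}
$ids = 4624, 4634, 4768, 4769, 4776

# Read a named <Data Name="..."> field from the record's XML instead of relying on
# positional Properties[] indexes, which differ per event ID.
function Get-EventDataValue {
    param(
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Record,
        [string]$Name
    )
    $xml = [xml]$Record.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids } -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $id = $_.Id
        # 4776 carries the calling computer in "Workstation"; the others carry "IpAddress".
        $source = if ($id -eq 4776) { Get-EventDataValue $_ 'Workstation' }
                  else              { Get-EventDataValue $_ 'IpAddress' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Id       = $id
            Category = $categoryOf[$id]
            Host     = $_.MachineName                        # machine that wrote the record
            User     = Get-EventDataValue $_ 'TargetUserName' # account being logged on / validated
            Source   = $source                               # where the attempt came from
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Run it on the member server and on the domain controller for the same domain-account logon: the member server shows only the 4624 (Logon) for that user, while the domain controller shows the 4768/4769 (Kerberos) or 4776 (NTLM) Account Logon record with the member server as the Source. A logon with a local account shows 4624 and 4776 on the same host, because the local SAM did the validation.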


This leaves me with the question of at what point an Object Access event is created. (Unlike the two categories above it is not tied to authentication at all: it is generated when a handle is opened on an object whose SACL requests auditing for that kind of access, so turning on the category alone produces nothing until objects carry a SACL.)


SW2kSch9AaI = Securing Windows 2000 Server, ch 9 Auditing and Intrusion [http://technet.microsoft.com/en-us/library/cc751219.aspx]

2 comments:

Jhon Drake said...
This comment has been removed by the author.
james marsh said...

Thanks, it's very helpful information regarding audit log events. I also found great information at https://www.netwrix.com/event_log_management.html which describes the process of auditing Active Directory logon events generated on a computer in the network.