
Logon Events

Logon events are recorded when someone logs on to the system, regardless of the account used. In other words, if you log on to a domain member using a domain account, you get a logon event recorded on the domain member. You would also get a logon event recorded if you log on with a local account.

Account Logon Events

Account logon events are recorded when someone authenticates using an account defined on this system. In other words, if you log on to a domain member using a domain account, the account logon event gets recorded on the domain controller, not on the client. If you log on to the domain member using a local account, the account logon event gets recorded on the client.

One of the authors once was in a situation of doing forensics on a system that had been hacked by a student in his lab. The student had logged on to the machine, shut it down, set a boot and BIOS password, and changed the system clock. The student had then booted the system to ensure everything worked, logged on again, shut down the system, and then left. The logon events on the system itself were incorrectly ordered due to the system clock change. However, by correlating those events with the account logon events on the domain controller, we were able to determine conclusively both who had performed the attack and when. This information was enough to take action against the student. Thus, logon events can be very useful on clients.

Other useful types of events include object access auditing. For any object access events to be recorded, however, you must first configure system access control lists (SACLs) on the objects you want audited, because none are configured by default.
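The correlation described in the forensics account above, as an added Python example that is not from the book: constructed client and domain controller records (the modern event IDs 4624 and 4768 stand in for the logon and account logon events) are matched by account and workstation in record order, which a clock change cannot reorder, so the domain controller's timestamp exposes the displaced client timestamp. Host names, accounts and times are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    host: str         # system whose event log holds the record
    event_id: int     # 4624 = logon; 4768 = Kerberos TGT request (account logon)
    time: datetime    # timestamp as written by that host's own clock
    account: str
    domain: str       # equals the host name for a local account
    workstation: str  # client on which the logon took place

# Constructed sample logs in record (write) order. The client's clock was set back
# between its two domain logons, so its timeline is out of order; the DC's clock is trusted.
CLIENT_LOG = [
    Event("LAB-PC7", 4624, datetime(2004, 3, 2, 10, 5), "jdoe", "LAB", "LAB-PC7"),
    Event("LAB-PC7", 4624, datetime(2004, 3, 1, 9, 0), "jdoe", "LAB", "LAB-PC7"),
    Event("LAB-PC7", 4624, datetime(2004, 3, 1, 9, 20), "labadmin", "LAB-PC7", "LAB-PC7"),
]
DC_LOG = [
    Event("DC1", 4768, datetime(2004, 3, 2, 10, 5), "jdoe", "LAB", "LAB-PC7"),
    Event("DC1", 4768, datetime(2004, 3, 2, 10, 40), "jdoe", "LAB", "LAB-PC7"),
]

def correlate(client_log, dc_log):
    """Pair each client domain-account logon (4624) with the DC account logon (4768) for
    the same account and workstation, in record order, and report the timestamp skew."""
    pending = {}
    for e in dc_log:
        if e.event_id == 4768:
            pending.setdefault((e.domain, e.account, e.workstation), []).append(e)
    rows = []
    for e in client_log:
        if e.event_id != 4624:
            continue
        row = {"account": e.account, "client_time": e.time, "dc_time": None, "skew": None}
        if e.domain.upper() == e.host.upper():
            row["status"] = "local"       # account logon event lives on the client itself
        elif queue := pending.get((e.domain, e.account, e.workstation)):
            m = queue.pop(0)
            row.update(status="matched", dc_time=m.time, skew=m.time - e.time)
        else:
            row["status"] = "unmatched"   # domain logon with no DC record: investigate
        rows.append(row)
    return rows

def clock_anomalies(rows, tolerance=timedelta(minutes=5)):
    """Matched logons whose client timestamp disagrees with the DC beyond tolerance."""
    return [r for r in rows if r["status"] == "matched" and abs(r["skew"]) > tolerance]
```

The local-account logon has no domain controller counterpart, exactly as the text describes, so its only timestamp is the untrusted client clock.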

We recommend configuring audit settings that are consistent with your security policy and audit needs.
