Audit User Logon and Logoff
What?
- We are Trying to get a list of users who Logged on/off/failed.
Why?
Now.. Why do we need this data ?
- Audit to start with.
- While on a Service Restoration call of an outage, to determine if any one logged in and made any changes to the system, which will pave path to remove other variables which involves guess work on “is there any one logged and made any changes?” from the troubleshooting and focus on important stuff.
- While planning on a migration, probably we found that there is this legacy server that we don’t have full detail on who owns it in the enterprise.. and before we decommission or schedule a migration, we need to definitely get to know who is using it.
How?
There is plethora of information in Windows Security Events and to successfully get a report or understanding, there are couple of things that needs to be understood. Main importantly
- Event IDs (pre/post) Vista/2008 [Which informs you the Base event i.e either a Logon. Logoff, or so on]
- Logon Types [Defines the actual type of activity that has been associated with that Logon Event ID]
EventIDs
All events are found in the Security event log.
- While dealing with pre-Vista OS, look for events that are 5xx with the Event Source ‘Security”
- 512 – STARTUP
- 513 – SHUTDOWN
- 528 – LOGON
- 538 – LOGOFF
- 551 – BEGIN_LOGOFF
- Post Vista/Windows 2008, look for events that are 4xxx and here the Event Source would be ‘Microsoft Windows security”
- 4608 – STARTUP
- 4609 – SHUTDOWN
- 4624 – LOGON
- 4634 – LOGOFF
- 4647 – BEGIN_LOGOFF
- 4778 – SESSION_RECONNECTED
- 4779 – SESSION_DISCONNECTED
- 4800 – WORKSTATION_LOCKED
- 4801 – WORKSTATION_UNLOCKED
- 4802 – SCREENSAVER_INVOKED
- 4803 – SCREENSAVER_DISMISSED
Logon Types:
- Type 0 = System Only
- Used only by the System account.
- Type 2 = Interactive Logon
- You’ll see type 2 logons when a user attempts to log on using local keyboard and monitor either with a domain account or a server local account. Its important to note that the logon’s through a KVM over IP , DRAC, ILO kind of technologies will also log the events as interactive logons.
- When you use the RunAs without /netonly switch, this type is registered.
- Type 3 = Network
- When the server is accessed over a network, a Type 3 is logged. Commonly accessing shared folders, printers,IIS fall into this category.
- Type 4 = Batch
- Windows Task scheduler will create a new session with this event before it starts to execute a Job with that Logon Session. Apart from Windows Task scheduler, a 3rd party application that wants to run a task in the background can start using this type.
- Type 5 = Service
- While starting a Service, Windows will first create a logon session with this event ID and will initiate the service using the same.
- Type 6 = Proxy
- Indicates a proxy-type logon.
- Type 7 = Unlock
- Like the description says, when a user unlocks the computer, this type of even it registered.
- Type 8 = Network Clear Text
- If a password was sent as a clear text, this type of event is registered. Its important to note that windows will not allow access to Printers or Files when you send the password in a clear text. So leaving this to ASP logins using ADVAPI or which uses IIS basic authentication mode.
- Type 9 = New Credentials
- If a RunAs command with /netonly switch or ran the program using the RunAs, this type of even is registered.
- Type 10 = Remote Interactive
- All connections with Terminal Services, Remote Desktop or Remote Assistance, this type of change is registered.
- Type 11 = Cached Interactive
- When a cached logon is used to login to the server, this event is logged.
- Windows will store the has of last 10 logons and you can use these to connect when there is no DC/ connection to a DC is present.
- Type 12 = Cached Remote Interactive
- These are the events that are logged when the system authenticates you with a cached logons while using RDP (Type 10 type requests)
- Type 13 = Cached Unlock
Gotchas & Additional Info:
