Active Directory only logs Logon Type=3

6 Posts
4 Users
0 Reactions
4,292 Views
(@theredmoose)
Active Member
Joined: 14 years ago
Posts: 17
Topic starter  

I am reviewing a set of AD security logs and the only 4624 logon types that I see are Type =3.

I know there are users logging in to their workstations during this period. Why would AD not record these events?

Would it be that the workstations are set up not to log success?

Any insights would be appreciated.

(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

I am reviewing a set of AD security logs and the only 4624 logon types that I see are Type =3.

I know there are users logging in to their workstations during this period. Why would AD not record these events?

Would it be that the workstations are set up not to log success?

Any insights would be appreciated.

theredmoose - not sure from your post what you have researched already (via Google etc) but does this help for starters?

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625

Description Fields in 4625

Subject:
Identifies the account that requested the logon - NOT the user who just attempted to log on. Subject is usually Null or one of the Service principals and not usually useful information. See New Logon for who just logged on to the system.
•Security ID
•Account Name
•Account Domain
•Logon ID

Failure Information:
The section explains why the logon failed.
•Failure Reason: textual explanation of logon failure.
•Status and Sub Status: hexadecimal codes explaining the logon failure reason. Sometimes Sub Status is filled in and sometimes not. Below are the codes we have observed.

0xC0000064 user name does not exist
0xC000006A user name is correct but the password is wrong
0xC0000234 user is currently locked out
0xC0000072 account is currently disabled
0xC000006F user tried to logon outside his day of week or time of day restrictions
0xC0000070 workstation restriction, or Authentication Policy Silo violation (look for event ID 4820 on domain controller)
0xC0000193 account expiration
0xC0000071 expired password
0xC0000133 clocks between DC and other computer too far out of sync
0xC0000224 user is required to change password at next logon
0xC0000225 evidently a bug in Windows and not a risk
0xC000015B The user has not been granted the requested logon type (aka logon right) at this machine

Forum
http://forum.ultimatewindowssecurity.com/Forum4-1.aspx

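The Status/Sub Status table above is what an analyst reaches for when triaging 4625 events. As an added example (mine, not from the post or the UltimateWindowsSecurity page), the Python below decodes the failure reason the way the fields actually behave, using Sub Status when it is populated and falling back to Status otherwise (real events carry the generic 0xC000006D in Status and the specific 0xC000006A/0xC0000064 in Sub Status), and then runs a simple password-spray check over a few constructed 4625 records. The records, account names and IP addresses are invented; they are shaped like the EventData fields you would get from Get-WinEvent or an EVTX export. Note that 4625 is written on the host that rejected the logon and only when its Logon subcategory audits Failure; a bad Kerberos password against a DC shows up there as 4771, not 4625.

```python
"""Decode 4625 failure codes and flag a password-spray pattern over constructed 4625 records."""
from collections import defaultdict

# Codes as listed in the thread, plus the two generic Status values that real 4625
# events carry when the specific reason is in Sub Status.
FAILURE_CODES = {
    "0xC000006D": "bad user name or password (specific reason is in Sub Status)",
    "0xC000006E": "account restriction (specific reason is in Sub Status)",
    "0xC0000064": "user name does not exist",
    "0xC000006A": "user name is correct but the password is wrong",
    "0xC0000234": "user is currently locked out",
    "0xC0000072": "account is currently disabled",
    "0xC000006F": "logon outside the permitted day/time restrictions",
    "0xC0000070": "workstation restriction or Authentication Policy Silo violation",
    "0xC0000193": "account expired",
    "0xC0000071": "expired password",
    "0xC0000133": "clocks between DC and client too far out of sync",
    "0xC0000224": "user must change password at next logon",
    "0xC000015B": "requested logon type (logon right) not granted at this machine",
}

# Constructed sample 4625 records (invented hosts, users and addresses).
SAMPLE_4625 = [
    {"TargetUserName": "alice", "IpAddress": "10.0.9.8",  "LogonType": "3", "Status": "0xC000006D", "SubStatus": "0xC000006A"},
    {"TargetUserName": "bob",   "IpAddress": "10.0.9.8",  "LogonType": "3", "Status": "0xC000006D", "SubStatus": "0xc000006a"},
    {"TargetUserName": "carol", "IpAddress": "10.0.9.8",  "LogonType": "3", "Status": "0xC000006D", "SubStatus": "0xC0000064"},
    {"TargetUserName": "dave",  "IpAddress": "10.0.9.8",  "LogonType": "3", "Status": "0xC000006D", "SubStatus": "0xC000006A"},
    {"TargetUserName": "jdoe",  "IpAddress": "10.0.5.42", "LogonType": "2", "Status": "0xC000006D", "SubStatus": "0xC000006A"},
    {"TargetUserName": "jdoe",  "IpAddress": "10.0.5.42", "LogonType": "2", "Status": "0xC0000234", "SubStatus": "0x0"},
]

GUESS_CODES = {"0xC000006A", "0xC0000064"}  # the two codes a guessing attack produces


def _norm(code):
    """Normalise hex case so 0xc000006a and 0xC000006A compare equal."""
    return "0x" + code[2:].upper() if code.lower().startswith("0x") else code


def failure_reason(event):
    """Return (code, description): Sub Status when populated, otherwise Status."""
    sub = _norm(event.get("SubStatus", "0x0"))
    code = sub if sub not in ("0x0", "0x00000000") else _norm(event["Status"])
    return code, FAILURE_CODES.get(code, "unknown code")


def detect_spray(events, min_accounts=3):
    """Source IPs that failed against >= min_accounts distinct accounts with guess-type codes."""
    per_ip = defaultdict(set)
    for ev in events:
        code, _ = failure_reason(ev)
        if code in GUESS_CODES:
            per_ip[ev["IpAddress"]].add(ev["TargetUserName"].lower())
    return {ip: len(users) for ip, users in per_ip.items() if len(users) >= min_accounts}


def lockouts(events):
    """Accounts whose failures include 0xC0000234 (locked out): a spray's collateral damage."""
    return sorted({ev["TargetUserName"] for ev in events if failure_reason(ev)[0] == "0xC0000234"})


if __name__ == "__main__":
    for ev in SAMPLE_4625:
        print(ev["IpAddress"], ev["TargetUserName"], *failure_reason(ev))
    print("possible spray:", detect_spray(SAMPLE_4625))
    print("locked out:", lockouts(SAMPLE_4625))
```

The spray heuristic keys on many distinct accounts from one source rather than many failures for one account; the latter is what lockout policy already catches, and a spray is tuned to stay under it.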
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

I am reviewing a set of AD security logs and the only 4624 logon types that I see are Type =3.

Not sure what 'AD security logs' refers to. Do you mean DC logs? (PDC? BDC?) or do you refer to some other logs, like file server logs?

I know there are users logging in to their workstations during this period.

Are those workstations part of a domain? The same domain as those logs you're looking at? And what are the log policies on the system whose logs you are examining? If you don't know what logging is enabled or disabled, you can't in general interpret the absence of some particular log entries. Same thing if you don't know if there is a BDC or not.

Would it be that the workstations are set up not to log success?

The server in question may be set up that way. Workstations may also log, but they log locally.

And then, of course, it may matter what system release you actually *are* looking at. I used to know the Windows 2003 and 2008 stuff, but I haven't really kept up with the latest developments in servers.

Any insights would be appreciated.

Only insight I have is that for a reasonable competence in Windows logs, the standard run-of-the-mill forensic training is not enough; you should probably go for Windows training, sysadmin training. There's a lot in each log record that needs such knowledge for correct interpretation, not to mention the infrastructure in general.

The already mentioned site (Ultimate Windows Security) is extremely useful, but it does assume you already know the basics. The author used to sell a book that provided some of that material, and which I found very useful – particularly in explaining Microsoft terminology: logon/logoff does not mean what most people think. The title was 'The Windows Server 2003 Security Log Revealed', but it seems it is only sold as part of those Resource Kits nowadays.

(@theredmoose)
Active Member
Joined: 14 years ago
Posts: 17
Topic starter  

Thanks for the replies. My first post obviously was ambiguous; let me clarify. I have been doing research and the best two sources I have found so far are

https://www.eventtracker.com/newsletters/following-a-users-logon-tracks-throughout-the-windows-domain/
https://www.sans.org/reading-room/whitepapers/forensics/windows-logon-forensics-34132

—————————

Goal: To monitor when a domain admin performs a login on a workstation.
Environment: Win2008R2 and Win7

I first assumed that a 4624 was logged to the PDC (or BDC) when a domain user logs into a workstation. (All I was seeing was logontype=3).

After another read I 'think' what happens is that the DCs log a Kerberos authentication (4768) and the local machine logs a session logon (4624).

If the above statement is true then I should be able to filter the DC logs (from both PDC and BDC) for all 4768 and then filter that down by the domain admin accounts.

Is there any easier way to track domain admin logons?

If you have good sources for me to read more it would be most appreciated.

Thx

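The reading in the post above is the right one: a DC's own 4624 events record sessions opened on the DC itself (the type 3 entries are workstations reading SYSVOL and group policy as a user logs on), the interactive type 2 or type 10 4624 is written to the workstation's local Security log, and the DC-side trace of that workstation logon is the 4768 TGT request, whose IpAddress field is the client that asked for the ticket. As an added example (mine, not the poster's), the Python below correlates the two sides for a list of domain admin accounts. The event records are constructed dicts shaped like the EventData fields of real 4768 and 4624 events; DC01, DC02, WS017, WS042 and the account da.smith are invented. In practice the DC records come from Get-WinEvent against each DC and the 4624 records from centrally collected workstation logs.

```python
"""Correlate DC-side 4768 TGT requests with workstation-side 4624 interactive logons
for a set of privileged accounts. All records below are constructed for the example."""
from datetime import datetime

INTERACTIVE_TYPES = {"2", "10", "11"}  # console, RDP (RemoteInteractive), cached console

# Constructed DC events. 4768 Status 0x0 = TGT issued; 0x12 = credentials revoked
# (disabled/locked account), which is a failed request and must not count as a logon.
DC_EVENTS = [
    {"host": "DC01", "id": 4768, "time": "2014-03-03T08:01:02", "TargetUserName": "da.smith",
     "TargetDomainName": "CORP", "IpAddress": "::ffff:10.0.5.17", "Status": "0x0"},
    {"host": "DC01", "id": 4624, "time": "2014-03-03T08:01:05", "TargetUserName": "da.smith",
     "TargetDomainName": "CORP", "LogonType": "3", "IpAddress": "10.0.5.17"},
    {"host": "DC01", "id": 4768, "time": "2014-03-03T08:07:40", "TargetUserName": "jdoe",
     "TargetDomainName": "CORP", "IpAddress": "::ffff:10.0.5.42", "Status": "0x0"},
    {"host": "DC02", "id": 4768, "time": "2014-03-03T09:15:00", "TargetUserName": "da.smith",
     "TargetDomainName": "CORP", "IpAddress": "::ffff:10.0.5.42", "Status": "0x12"},
]

# Constructed workstation events (local Security logs of WS017 and WS042).
WS_EVENTS = [
    {"host": "WS017", "id": 4624, "time": "2014-03-03T08:01:04", "TargetUserName": "da.smith",
     "TargetDomainName": "CORP", "LogonType": "2", "IpAddress": "-"},
    {"host": "WS042", "id": 4624, "time": "2014-03-03T08:07:41", "TargetUserName": "jdoe",
     "TargetDomainName": "CORP", "LogonType": "2", "IpAddress": "-"},
]


def tgt_requests(dc_events, admins):
    """(time, user, client_ip, dc) for successful 4768s by the watched accounts."""
    return [(e["time"], e["TargetUserName"], e["IpAddress"].replace("::ffff:", ""), e["host"])
            for e in dc_events
            if e["id"] == 4768 and e["Status"] == "0x0" and e["TargetUserName"].lower() in admins]


def interactive_logons(ws_events, admins):
    """(time, user, workstation, logon_type) for interactive 4624s by the watched accounts."""
    return [(e["time"], e["TargetUserName"], e["host"], e["LogonType"])
            for e in ws_events
            if e["id"] == 4624 and e["LogonType"] in INTERACTIVE_TYPES
            and e["TargetUserName"].lower() in admins]


def logons_to_dc(dc_events):
    """What a DC's own 4624 entries describe: sessions on the DC itself, not on workstations."""
    return [(e["time"], e["TargetUserName"], e["LogonType"]) for e in dc_events if e["id"] == 4624]


def correlate(dc_events, ws_events, admins, window_seconds=120):
    """Pair each admin interactive logon with the DC 4768 for the same user that preceded it."""
    tgts = tgt_requests(dc_events, admins)
    results = []
    for when, user, ws, ltype in interactive_logons(ws_events, admins):
        t = datetime.fromisoformat(when)
        match = [(ip, dc) for tt, u, ip, dc in tgts
                 if u == user and 0 <= (t - datetime.fromisoformat(tt)).total_seconds() <= window_seconds]
        results.append({"user": user, "workstation": ws, "logon_type": ltype, "time": when,
                        "tgt_from_ip": match[0][0] if match else None,
                        "dc": match[0][1] if match else None})
    return results


if __name__ == "__main__":
    admins = {"da.smith"}
    print("DC-side TGTs:", tgt_requests(DC_EVENTS, admins))
    print("DC's own 4624s:", logons_to_dc(DC_EVENTS))
    for row in correlate(DC_EVENTS, WS_EVENTS, admins):
        print(row)
```

Two points worth keeping in mind when you run this against real data: the 4768 tells you which client asked for the admin's ticket, but not whether the logon was interactive, so the workstation's 4624 is still needed for that; and on the workstation the Special Logon subcategory writes 4672 at logon for accounts holding admin-equivalent privileges, which is the usual shortcut for spotting privileged logons, but it only helps if those workstation logs are collected centrally.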
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

I am reviewing a set of AD security logs and the only 4624 logon types that I see are Type =3.

I know there are users logging in to their workstations during this period. Why would AD not record these events?

Would it be that the workstations are set up not to log success?

Any insights would be appreciated.

What is the audit configuration on the domain controller?

(@theredmoose)
Active Member
Joined: 14 years ago
Posts: 17
Topic starter  

Here are the auditpol results

System audit policy

Category/Subcategory Setting
System
Security System Extension Success
System Integrity Success
IPsec Driver Success
Other System Events Success
Security State Change Success

Logon/Logoff
Logon Success
Logoff Success
Account Lockout Success
IPsec Main Mode Success
IPsec Quick Mode Success
IPsec Extended Mode Success
Special Logon Success
Other Logon/Logoff Events Success
Network Policy Server Success

Object Access
File System No Auditing
Registry No Auditing
Kernel Object No Auditing
SAM No Auditing
Certification Services No Auditing
Application Generated No Auditing
Handle Manipulation No Auditing
File Share No Auditing
Filtering Platform Packet Drop No Auditing
Filtering Platform Connection No Auditing
Other Object Access Events No Auditing
Detailed File Share No Auditing

Privilege Use
Sensitive Privilege Use No Auditing
Non Sensitive Privilege Use No Auditing
Other Privilege Use Events No Auditing

Detailed Tracking
Process Termination No Auditing
DPAPI Activity No Auditing
RPC Events No Auditing
Process Creation No Auditing

Policy Change
Audit Policy Change Success
Authentication Policy Change Success
Authorization Policy Change Success
MPSSVC Rule-Level Policy Change Success
Filtering Platform Policy Change Success
Other Policy Change Events Success

Account Management
User Account Management Success
Computer Account Management Success
Security Group Management Success
Distribution Group Management Success
Application Group Management Success
Other Account Management Events Success

DS Access
Directory Service Changes Success
Directory Service Replication Success
Detailed Directory Service Replication Success
Directory Service Access Success

Account Logon
Kerberos Service Ticket Operations Success and Failure
Other Account Logon Events Success and Failure
Kerberos Authentication Service Success and Failure
Credential Validation Success and Failure

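The auditpol output above answers the question that was asked earlier in the thread. Logon is audited for Success only, so this DC writes 4624 but never 4625; Kerberos Authentication Service and Credential Validation audit Success and Failure, so failed domain authentications still surface as 4771/4776; and Process Creation and Sensitive Privilege Use are off entirely. As an added example (mine, not the poster's), the Python below parses the text form of auditpol /get /category:* and reports every subcategory that falls short of a baseline. The embedded sample is a constructed excerpt modelled on the posted output (with auditpol's normal two-space indentation restored), and the baseline is an assumption of mine for illustration, not a Microsoft or CIS benchmark.

```python
"""Parse auditpol /get output and report subcategories that audit less than a baseline requires."""

SETTINGS = ("Success and Failure", "No Auditing", "Success", "Failure")  # longest first

# Constructed excerpt in the shape of auditpol /get /category:* on a 2008 R2 DC.
SAMPLE_AUDITPOL = """\
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   Success
  Logoff                                  Success
  Special Logon                           Success
Privilege Use
  Sensitive Privilege Use                 No Auditing
Detailed Tracking
  Process Creation                        No Auditing
Account Logon
  Kerberos Authentication Service         Success and Failure
  Credential Validation                   Success and Failure
"""

# Illustrative baseline (assumption for this example, not a published benchmark).
BASELINE = {
    "Logon": "Success and Failure",                              # 4624 and 4625 on the audited host
    "Logoff": "Success",                                         # 4634/4647
    "Special Logon": "Success",                                  # 4672: admin-equivalent privileges at logon
    "Kerberos Authentication Service": "Success and Failure",    # 4768/4771 on DCs
    "Credential Validation": "Success and Failure",              # 4776 for NTLM
    "Sensitive Privilege Use": "Success and Failure",            # 4673/4674
    "Process Creation": "Success",                               # 4688
}


def parse_auditpol(text):
    """Return {subcategory: setting}. Category lines carry no setting and are skipped."""
    policy = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("System audit policy", "Category/Subcategory")):
            continue
        for setting in SETTINGS:  # "Success and Failure" is tried before "Success"
            if line.endswith(setting):
                name = line[: -len(setting)].rstrip()
                if name:
                    policy[name] = setting
                break
    return policy


def covers(actual, required):
    """True when the configured setting audits at least the outcomes the baseline requires."""
    have = set(actual.replace(" and ", " ").split()) - {"No", "Auditing"}
    need = set(required.replace(" and ", " ").split())
    return need <= have


def audit_gaps(text, baseline=BASELINE):
    """[(subcategory, configured, required)] for every baseline entry not met; unlisted = No Auditing."""
    policy = parse_auditpol(text)
    return [(sub, policy.get(sub, "No Auditing"), req)
            for sub, req in baseline.items()
            if not covers(policy.get(sub, "No Auditing"), req)]


if __name__ == "__main__":
    for sub, have, need in audit_gaps(SAMPLE_AUDITPOL):
        print(f"{sub}: configured '{have}', baseline wants '{need}'")
```

Against the sample this reports Logon, Sensitive Privilege Use and Process Creation. To run it on a live DC, redirect auditpol /get /category:* to a file and pass its contents to audit_gaps; the same parser works for workstation output, which is where the interactive logon events actually live.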