表一、Logon type

表二、Audit logon events

表三、Logon type details

Logon type

Logon title

Description

2

Interactive

A user logged on to this computer.

3

Network

A user or computer logged on to this computer from the network.

4

Batch

Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.

5

Service

A service was started by the Service Control Manager.

7

Unlock

This workstation was unlocked.

8

NetworkCleartext

A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).

9

NewCredentials

A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.

10

RemoteInteractive

A user logged on to this computer remotely using Terminal Services or Remote Desktop.

11

CachedInteractive

A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.

Logon Events

Description

528

A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below.

529

Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.

530

Logon failure. A logon attempt was made user account tried to log on outside of the allowed time.

531

Logon failure. A logon attempt was made using a disabled account.

532

Logon failure. A logon attempt was made using an expired account.

533

Logon failure. A logon attempt was made by a user who is not allowed to log on at this computer.

534

Logon failure. The user attempted to log on with a type that is not allowed.

535

Logon failure. The password for the specified account has expired.

536

Logon failure. The Net Logon service is not active.

537

Logon failure. The logon attempt failed for other reasons.

Note

  • In some cases, the reason for the logon failure may not be known.

538

The logoff process was completed for a user.

539

Logon failure. The account was locked out at the time the logon attempt was made.

540

A user successfully logged on to a network.

541

Main mode Internet Key Exchange (IKE) authentication was completed between the local computer and the listed peer identity (establishing a security association), or quick mode has established a data channel.

542

A data channel was terminated.

543

Main mode was terminated.

Note

  • This might occur as a result of the time limit on the security association expiring (the default is eight hours), policy changes, or peer termination.

544

Main mode authentication failed because the peer did not provide a valid certificate or the signature was not validated.

545

Main mode authentication failed because of a Kerberos failure or a password that is not valid.

546

IKE security association establishment failed because the peer sent a proposal that is not valid. A packet was received that contained data that is not valid.

547

A failure occurred during an IKE handshake.

548

Logon failure. The security ID (SID) from a trusted domain does not match the account domain SID of the client.

549

Logon failure. All SIDs corresponding to untrusted namespaces were filtered out during an authentication across forests.

550

Notification message that could indicate a possible denial-of-service attack.

551

A user initiated the logoff process.

552

A user successfully logged on to a computer using explicit credentials while already logged on as a different user.

682

A user has reconnected to a disconnected terminal server session.

683

A user disconnected a terminal server session without logging off.

Note

  • This event is generated when a user is connected to a terminal server session over the network. It appears on the terminal server.

Logon Type 2:

Interactive. A user logged on to this computer.

An event with logon type=2 occurs whenever a user logs on (or attempts to log on) a computer locally, e.g. by typing user name and password on Windows logon prompt. Events with logon type = 2 occur when a user logs on with a local or a domain account. However, if a user logs on with a domain account, this logon type will appear only when a user really authenticated in the domain (by a domain controller). In case if the DC not available, but the user provided valid domain credentials cached in the local PC, Windows will log an event with logon type = 11.

Logon type 3:

Network.  A user or computer logged on to this computer from the network.

The description of this logon type clearly states that the event logged when somebody accesses a computer from the network. Commonly it appears when connecting to shared resources (shared folders, printers etc.). As we learned in the previous post, the connection with logon type = 3 could be established even from a local computer.

Logon type 4:

Batch.  Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.

This event type appears when a scheduled task is about to be started. E.g. if you use Windows Task Scheduler and it’s time to start a task, Windows may create a new logon session to execute this task and register logon events (4648, 4624/4625). If a task is scheduled to run only when a “designated” user is logged on, a new logon session won’t be opened and logon events won’t be logged.

Logon type 5:

Service.  A service was started by the Service Control Manager.

When Windows starts a service which is configured to log on as a user, Windows will create a new logon session for this service. This happens only if the service uses a “common” user account. If it uses special accounts, e.g. “Local System”, “NT AUTHORITY\LocalService” or “NT AUTHORITY\NetworkService”, Windows won’t create new logon sessions. The opened logon session will be closed when the service stops and a logoff event (4634) will be registered.

Note that event description doesn’t contain any information about the service name, process information lists only name of the service control manager (services.exe).  When Audit Failure logon event (4625) is registered with logon type = 5, this commonly means that the “designated” user has changed password, and you should update service logon details.

Logon type 7:

Unlock. This workstation was unlocked.

An event with logon type = 7 occurs when a user unlocks (or attempts to unlock) a previously locked workstation. Note that when a user unlocks computer, Windows creates a new logon session (or 2 logon sessions depending on the elevation conditions) and immediately closes it (with event 4634). When you are switching between logged on user accounts with Fast User Switching feature, you may think that such switching generates event 4624 with logon type = 7 because it looks like you lock and unlock workstation. However Windows generates events 4624 with logon type = 2 (interactive). When Audit Failure logon event (4625) is registered with logon type = 7, this commonly means that either you made a typo when entering the password, or someone is trying to break into the computer.

Logon type 8:

NetworkCleartext. A user logged on to this computer from the network. The user’s password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).

I believe that you should never see logon events with logon type = 8. This event is generated when a password comes from the net as a clear text. Such events may occur when a user logs on IIS (Internet Information Services) with basic access authentication method. Transferring passwords in plaintext format is dangerous because the passwords could be sniffed and revealed. So if basic authentication is the only option for you, you should protect your network connection (using encryption protocols like SSL/TLS, creating virtual private network etc.).

Logon type 9:

NewCredentials. A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.

This event occurs when using RunAs command with /netonly option. Let’s say you need to run a program, but grant it extra permissions for network computers. E.g. you may want to run Event Log Explorer and give it additional permissions for a specific computer or a domain  (this may be helpful e.g. if you want to use a specific computer as a description server in Event Log Explorer, but your current permissions is not enough to access admin resources from this server). In this case you can run Event Log Explorer normally (using your current credentials), but specify special credentials for network connections. Let’s say your computer name is “WORK” and the description server name is “SERVER”. On WORK computer you type:

runas.exe /netonly /user:server\Administrator “c:\program files\event log explorer\elex.exe”

and provide administrator’s password when prompted.

This will run Event Log Explorer even if you provided a wrong password. This happens because it uses a cloned current credentials to run the program (a new logon session will be opened). And logon event 4624 will be logged with logon type = 9 (logoff event will be logged when you quit the application). But what about SERVER? The server will register 4624 or 4625 events in Security log with logon type = 3 but only when the application from WORK computer will try to access a shared resource on the server, e.g. Event Log Explorer will try to open resource file with event descriptions.

Logon type 10:

RemoteInteractive. A user logged on to this computer remotely using Terminal Services or Remote Desktop.

This logon type is similar to 2 (Interactive) but a user connects the computer from a remote machine via RDP (using Remote Desktop, Terminal Services or Remote Assistance).

Logon type 11:

CachedInteractive. A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.

When users logon a domain, Windows caches users’ credentials locally so that they can log on later even if a logon server (domain controller) is unavailable. By default Windows caches 10 or 25 last logon credentials (it depends on the operating system and can be increased up to 50). When a user attempts to logon with domain account while DC is not available, Windows checks the user’s credentials with these stored hashes and logs security events 4624 or 4625 with logon type = 11.

参考微软文档:<https://technet.microsoft.com/en-us/library/cc787567(v=ws.10).aspx>

Audit logon events&Logon type的更多相关文章

  1. jQuery1.9.1源码分析--Events模块

    var rformElems = /^(?:input|select|textarea)$/i, rkeyEvent = /^key/, rmouseEvent = /^(?:mouse|contex ...

  2. Streaming data from Oracle using Oracle GoldenGate and Kafka Connect

    This is a guest blog from Robin Moffatt. Robin Moffatt is Head of R&D (Europe) at Rittman Mead, ...

  3. Microsoft SQL Server Version List [sqlserver 7.0-------sql server 2016]

    http://sqlserverbuilds.blogspot.jp/   What version of SQL Server do I have? This unofficial build ch ...

  4. Microsoft SQL Server Version List(SQL Server 版本)

    原帖地址 What version of SQL Server do I have? This unofficial build chart lists all of the known Servic ...

  5. SqlServer 版本号

    RTM (no SP) SP1 SP2 SP3 SP4 SQL Server 2014      codename Hekaton  12.00.2000.8 SQL Server 2012      ...

  6. 【方法】如何限定IP访问Oracle数据库

    [方法]如何限定IP访问Oracle数据库 1.1  BLOG文档结构图 1.2  前言部分 1.2.1  导读和注意事项 各位技术爱好者,看完本文后,你可以掌握如下的技能,也可以学到一些其它你所不知 ...

  7. 用sc命令查询系统状态

    用sc命令查询系统状态 sc query 语法 sc query                - Enumerates status for active services & driver ...

  8. 10招步骤保护IIS服务器安全

    问题 IIS(Internet Information Server)是黑客特别喜欢的目标.因此,对于管理IIS网页服务器的管理员来说,确保服务器安全是一件至关重要的事.IIS 4.0和IIS 5.0 ...

  9. 如何检测Windows中的横向渗透攻击

    一.前言 横向渗透攻击技术是复杂网络攻击中广泛使用的一种技术,特别是在高级持续威胁(Advanced Persistent Threats,APT)中更加热衷于使用这种攻击方法.攻击者可以利用这些技术 ...

随机推荐

  1. intellij idea中修改代码生成的模板

    File -- Settings -- Editor -- Code Style -- File and Code Templates 主要是修改了注释 /** * ${DESCRIPTION} * ...

  2. unity, Destroy注意事项

    Destroy不是立即发生作用,而是推迟到帧末,所以下面代码是错误的: void OnTriggerEnter(Collider other){   if (other.gameObject.tag  ...

  3. SS不能在Win7中打开,出现停止运行

    一次,在Win7上不能打开SS,经过搜索,好像SS的win客户端使用.net frame4.6.2开发,但是Win7根本安装不了该版本的.net,所以...,重新安装Win10.

  4. Atiti. Php Laravel 5.1 环境搭建以及  error 排除

    Atiti. Php Laravel 5.1 环境搭建以及  error 排除 1. php_5.6.11_apache2.41 1.1. Httpd.Conf增加以下配置,添加php支持1 1.2. ...

  5. Source Insight 项目简单使用说明

    SI(Source Insight) 是我一直写代码的好伙伴, 相信这强大的软件也是广大程序猿编写软件的利器. 正所谓" 工欲善其事, 必先利其器", 我们要学会利用这款软件. 先 ...

  6. 新标准C++程序设计读书笔记_继承和多态

    简单继承的例子: #include <iostream> #include <string> using namespace std; class CStudent { pri ...

  7. 新标准C++程序设计读书笔记_类和对象

    面向对象的程序设计方法 抽象:将某类客观事物共同特点(属性)归纳出来,形成一个数据结构(可以用多个变量描述事物的属性):将这类事物所能进行的行为也归纳出来,形成一个个函数,这些函数可以用来操作数据结构 ...

  8. iOS开发之使用XMPPFramework实现即时通信

    iOS开发之使用XMPPFramework实现即时通信   关于XMPP的理论介绍在本篇博客中就不做赘述了,如何在我们之前的微信中加入XMPP协议来实现通信呢?下面将会介绍一下XMPP的基本的知识,让 ...

  9. [NM 状态机1] Application状态机详解

    概述 前面已经分析了RM的状态机,接下来将分析NM的状态机,NM状态机包括Container,Application,LocalizedResource三个.首先我们分析Application的状态机 ...

  10. 【未完成】junit简单使用

    参考资料: 一般使用:https://www.w3cschool.cn/junit/ 集成spring: https://www.cnblogs.com/faramita2016/p/7637086. ...