Windows 2008 Logon Log Explained

Posted on 2015-4-30 12:00:03
Source: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624#fields
4624: An account was successfully logged on

  

  This is a highly valuable event since it documents each and every successful attempt to logon to the local computer regardless of logon type, location of the user or type of account.
  

Description Fields in 4624

Subject:
  Identifies the account that requested the logon - NOT the user who just logged on.  Subject is usually Null or one of the Service principals and not usually useful information.  See New Logon for who just logged on to the system.
Logon Type:
  This is a valuable piece of information as it tells you HOW the user just logged on:

Logon Type   Description
2            Interactive (logon at keyboard and screen of system)
3            Network (i.e. connection to shared folder on this computer from elsewhere on network)
4            Batch (i.e. scheduled task)
5            Service (Service startup)
7            Unlock (i.e. unattended workstation with password protected screen saver)
8            NetworkCleartext (Logon with credentials sent in clear text. Most often indicates a logon to IIS with "basic authentication") See this article for more information.
9            NewCredentials such as with RunAs or mapping a network drive with alternate credentials.  This logon type does not seem to show up in any events.  If you want to track users attempting to logon with alternate credentials see 4648.
10           RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)
11           CachedInteractive (logon with cached domain credentials such as when logging on to a laptop when away from the network)
New Logon:
  The user who just logged on is identified by the Account Name and Account Domain.  You can determine whether the account is local or domain by comparing the Account Domain to the computer name.  If they match, the account is a local account on that system, otherwise a domain account.
  Security ID: the SID of the account
  Account Name: logon name of the account
  Account Domain: domain name of the account (pre-Win2k domain name)
  Logon ID: a semi-unique (unique between reboots) number that identifies the logon session just initiated.  Any events logged subsequently during this logon session will report the same Logon ID through to the logoff event 4647 or 4634.
  Logon GUID: Supposedly you should be able to correlate logon events on this computer with corresponding authentication events on the domain controller using this GUID, such as linking 4624 on the member computer to 4769 on the DC.  But the GUIDs do not match between logon events on member computers and the authentication events on the domain controller.
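The Logon ID described above is what ties a 4624 to every later event of the same session and to its 4634/4647 logoff. The script below is an added example (not from the original page or from Ultimate Windows Security) that reconstructs sessions from a constructed list of collected events; the 0x19f4c and 0x3e7 Logon IDs mirror the page's sample event, while 0x2a1b0, 0x1c2d3 and the svc_backup account are made up for the demonstration. It also shows the case the text warns about: a logoff whose Logon ID has no matching logon in the collected data, which happens when the logon predates collection or a reboot, since Logon IDs are only unique between reboots.

```python
"""Correlate 4624 logon events with their 4634/4647 logoff events by
Logon ID to reconstruct logon sessions (added example, not from the page)."""
from datetime import datetime

# Constructed sample records (not real log data): the handful of fields a
# collector would keep from 4624 (New Logon section) and from 4634/4647.
EVENTS = [
    {"time": "2015-04-30 11:58:00", "id": 4624, "logon_id": "0x19f4c",
     "account": "Administrator", "logon_type": 10},
    {"time": "2015-04-30 11:59:10", "id": 4624, "logon_id": "0x3e7",
     "account": "SYSTEM", "logon_type": 5},
    {"time": "2015-04-30 12:20:00", "id": 4647, "logon_id": "0x19f4c"},
    {"time": "2015-04-30 12:25:00", "id": 4624, "logon_id": "0x2a1b0",
     "account": "svc_backup", "logon_type": 3},
    {"time": "2015-04-30 12:26:00", "id": 4634, "logon_id": "0x2a1b0"},
    # A logoff whose logon was never seen: logged before collection started
    # or before a reboot (Logon IDs are only unique between reboots).
    {"time": "2015-04-30 12:30:00", "id": 4634, "logon_id": "0x1c2d3"},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def build_sessions(events):
    """Return ({logon_id: session}, orphan_logoff_ids).

    A session records who logged on, how (logon type), when, and when the
    matching logoff was seen (None while the session is still open).
    """
    sessions = {}
    orphans = []  # logoffs with no preceding 4624 for that Logon ID
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        lid = ev["logon_id"]
        if ev["id"] == 4624:
            sessions[lid] = {
                "account": ev["account"],
                "logon_type": ev["logon_type"],
                "start": parse_time(ev["time"]),
                "end": None,
            }
        elif ev["id"] in (4634, 4647):
            if lid in sessions and sessions[lid]["end"] is None:
                sessions[lid]["end"] = parse_time(ev["time"])
            else:
                orphans.append(lid)
    return sessions, orphans


def duration_minutes(session):
    """Minutes between logon and logoff, or None while the session is open."""
    if session["end"] is None:
        return None
    return (session["end"] - session["start"]).total_seconds() / 60


def open_sessions(sessions):
    """Logon IDs that have a 4624 but no 4634/4647 yet."""
    return sorted(lid for lid, s in sessions.items() if s["end"] is None)


if __name__ == "__main__":
    sessions, orphans = build_sessions(EVENTS)
    for lid, s in sessions.items():
        print(lid, s["account"], s["logon_type"], duration_minutes(s))
    print("open:", open_sessions(sessions), "orphan logoffs:", orphans)
```

Open sessions are the ones worth reviewing on a host that should have had everyone log off, and orphan logoffs are the signal that the collector's view of the session table is incomplete rather than that something is wrong.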
Process Information:
  The Process Name identifies the program executable that processed the logon.  This is one of the trusted logon processes identified by 4611. Process ID is the process ID specified when the executable started as logged in 4688.
Network Information:
  This section identifies WHERE the user was when he logged on.  Of course if the logon is initiated from the same computer this information will either be blank or reflect the local computer itself.
  Workstation Name: the computer name of the computer where the user is physically present in most cases, unless this logon was initiated by a server application acting on behalf of the user.  Workstation may also not be filled in for some Kerberos logons since the Kerberos protocol doesn't really care about the computer account in the case of user logons and therefore lacks any field for carrying the workstation name in the ticket request message.
  Source Network Address: the IP address of the computer where the user is physically present in most cases, unless this logon was initiated by a server application acting on behalf of the user.  If this logon is initiated locally the IP address will sometimes be 127.0.0.1 instead of the local computer's actual IP address.  This field is also blank sometimes because Microsoft says "Not every code path in Windows Server 2003 is instrumented for IP address, so it's not always filled out."
  Source Port: identifies the source TCP port of the logon request, which seems useless since with most protocols source ports are random.
Detailed Authentication Information:

  • Logon Process (see 4611)
  • CredPro indicates a logon initiated by User Account Control
  • Authentication Package (see 4610 or 4622)
  • Transited Services - This has to do with server applications that need to accept some other type of authentication from the client and then transition to Kerberos for accessing other resources on behalf of the client.  See http://msdn.microsoft.com/msdnmag/issues/03/04/SecurityBriefs/
  • Package name - If this logon was authenticated via the NTLM protocol (instead of Kerberos for instance) this field tells you which version of NTLM was used.  See security option "Network security: LAN Manager authentication level"
  • Key Length - Length of key protecting the "secure channel".  See security option "Domain Member: Require strong (Windows 2000 or later) session key".  If value is 0 this would indicate security option "Domain Member: Digitally encrypt secure channel data (when possible)" failed.
Examples of 4624

An account was successfully logged on.
Subject:
   Security ID:  SYSTEM
   Account Name:  WIN-R9H529RIO4Y$
   Account Domain:  WORKGROUP
   Logon ID:  0x3e7
Logon Type:10
New Logon:
   Security ID:  WIN-R9H529RIO4Y\Administrator
   Account Name:  Administrator
   Account Domain:  WIN-R9H529RIO4Y
   Logon ID:  0x19f4c
   Logon GUID:  {00000000-0000-0000-0000-000000000000}
Process Information:
   Process ID:  0x4c0
   Process Name:  C:\Windows\System32\winlogon.exe
Network Information:
   Workstation Name: WIN-R9H529RIO4Y
   Source Network Address: 10.42.42.211
   Source Port:  1181
Detailed Authentication Information:
   Logon Process:  User32
   Authentication Package: Negotiate
   Transited Services: -
   Package Name (NTLM only): -
   Key Length:  0
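Reading an event like the one above by hand means applying the rules from the Logon Type table, the New Logon section (compare Account Domain to the computer name to tell local from domain accounts) and the Network Information section (a blank or 127.0.0.1 source means a local logon). The script below is an added example, not code from the original page or from Ultimate Windows Security, that applies those rules to the page's own sample event text. The parser, the `computer_name` parameter the caller must supply, and the three review rules are assumptions of this example; the findings it reports are the ones the page itself calls out (type 8 cleartext logons, type 10 remote interactive logons, and a local account used over the network).

```python
"""Parse the message text of a Windows 4624 event and interpret its fields
(added example; the parser is not from the page or from Microsoft)."""
import re

# Logon type codes and names as listed in the page's Logon Type table.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}
SECTIONS = ("Subject", "New Logon", "Process Information",
            "Network Information", "Detailed Authentication Information")

# The page's own example event, reproduced verbatim as the parser's input.
SAMPLE_EVENT = r"""An account was successfully logged on.
Subject:
   Security ID:  SYSTEM
   Account Name:  WIN-R9H529RIO4Y$
   Account Domain:  WORKGROUP
   Logon ID:  0x3e7
Logon Type:10
New Logon:
   Security ID:  WIN-R9H529RIO4Y\Administrator
   Account Name:  Administrator
   Account Domain:  WIN-R9H529RIO4Y
   Logon ID:  0x19f4c
   Logon GUID:  {00000000-0000-0000-0000-000000000000}
Process Information:
   Process ID:  0x4c0
   Process Name:  C:\Windows\System32\winlogon.exe
Network Information:
   Workstation Name: WIN-R9H529RIO4Y
   Source Network Address: 10.42.42.211
   Source Port:  1181
Detailed Authentication Information:
   Logon Process:  User32
   Authentication Package: Negotiate
   Transited Services: -
   Package Name (NTLM only): -
   Key Length:  0
"""


def parse_4624(text):
    """Return {'Section/Field': value, ..., 'Logon Type': int}."""
    fields, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]          # e.g. "New Logon:"
            continue
        m = re.match(r"^([^:]+?):\s*(.*)$", line)
        if not m:
            continue                     # free-text first line
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Logon Type":          # top-level field, not in a section
            fields["Logon Type"], section = int(val), None
            continue
        fields[f"{section}/{key}" if section else key] = val
    return fields


def interpret(fields, computer_name):
    """Name the logon type and decide local vs. domain account by comparing
    Account Domain to the computer name (computer_name is an assumption
    supplied by the caller; it is not in the event itself)."""
    logon_type = fields.get("Logon Type")
    domain = fields.get("New Logon/Account Domain", "")
    return {
        "account": fields.get("New Logon/Account Name"),
        "logon_id": fields.get("New Logon/Logon ID"),
        "logon_type": logon_type,
        "logon_type_name": LOGON_TYPES.get(logon_type, "Unknown"),
        "account_scope": "local" if domain.upper() == computer_name.upper() else "domain",
        "source_address": fields.get("Network Information/Source Network Address", "-"),
    }


def review(info):
    """Findings a defender would want to look at for this logon."""
    findings, src = [], info["source_address"]
    remote = src not in ("-", "", "127.0.0.1", "::1")
    if info["logon_type"] == 8:
        findings.append("type 8: credentials sent in clear text (e.g. IIS basic auth)")
    if info["logon_type"] == 10 and remote:
        findings.append(f"type 10: remote interactive logon from {src}")
    if info["account_scope"] == "local" and info["account"] == "Administrator" and remote:
        findings.append("built-in local Administrator used over the network")
    return findings


if __name__ == "__main__":
    info = interpret(parse_4624(SAMPLE_EVENT), computer_name="WIN-R9H529RIO4Y")
    print(info)
    for f in review(info):
        print("-", f)
```

On the sample event the parser yields logon type 10 (RemoteInteractive), a local account because Account Domain equals the computer name, and a non-loopback source address, so both the remote interactive rule and the local Administrator rule fire; the same code run over a type 3 logon from 127.0.0.1 would report nothing.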
This event is generated when a logon session is created. It is generated on the computer that was accessed.
  The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  The authentication information fields provide detailed information about this specific logon request.

  • Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  • Transited services indicate which intermediate services have participated in this logon request.
  • Package name indicates which sub-protocol was used among the NTLM protocols.
  • Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Thread URL: https://www.yunweiku.com/thread-62255-1-1.html