Tuesday, August 7, 2018

Windows - Account Logon and Logon/Logoff Security Log

An audit log is a document that records an event in an information system. And two areas of audit log in windows environment that often cause confusion are Account Logon and Logon/Logoff events.

Account Logon: It is an authentication event. Whenever you access your computer, you must first authenticate yourself (it can be in domain controller or your local computer) before the login session begins. You need to prove "you are who you say you are". After successful authentication you will obtain a login session.
Logon/Logoff: It is a login session event.

First Scenario
You login to a computer which is not connected to any domain.
In this case you use local user account (SAMAccount) and both the authentication and logon events occur in same computer. To check this you can see event ids 4776 (authentication event) and 4624 (logon event) in event viewer.

Second Scenario
Your computer is connected to the domain
Here you have two choice: use local account or domain account. If you use local account the case is same as above. If you use domain account then your computer cannot generate authentication event as authentication is being carried out in you domain controller (the reason for this is the password and hash are not stored locally when in domain connected network. Domain controller has this information). Your computer will now request domain controller for authentication. Kerberos authentication protocol is used for this purpose. Thus, event id 4776 (authentication event) is generated in Domain Controller. Domain Controller then tells your computer that the user is authentic and your computer will now proceed on to create a logon session (4624 event is now generated in your computer).

When you logoff event ids 4647 and 4634 are generated by your computer.

No comments:

Post a Comment

Windows - Remote Kernel Crash Vulnerability

This kernel crash vulnerability was discovered by FortGuard Lab .  This vulnerability is identified as CVE-2018-1040 . Windows 10, Wind...