As a sysadmin, I spend some time looking at logs. To someone who doesn't look at logs, the amount and type of information provided by logs can look like a foreign language. It helps me to have more information, a running legend in my head so to speak, about logs I sift through.
Windows keeps track of who logs into the computer, but I found out that it also keeps track of how a user logs on (or off). There are, at least, 9 different methods to logging into a computer:
- Logon Type 2 - Interactive
- Logon Type 3 - Network
- Logon Type 4 - Batch (or scheduled tasks)
- Logon Type 5 - Service
- Logon Type 7 - Unlock
- Logon Type 8 - NetworkCleartext
- Logon Type 9 - NewCredentials (or RunAs...)
- Logon Type 10 - RemoteInteractive (RDP, TS)
- Logon Type 11 - CachedInteractive
Given the date of the article (first link below) where this information originated for me, I'm betting that there are more types now for more granular logging.
Looking at logs help to troubleshoot problems, but it also helps to keep an eye out for malicious activity. Hopefully, understanding the different Windows Logon Types will help me keep the environments I manage that much more secure too.
Looking at logs help to troubleshoot problems, but it also helps to keep an eye out for malicious activity. Hopefully, understanding the different Windows Logon Types will help me keep the environments I manage that much more secure too.
For additional information on the above Logon Types, see this site:
Here's a more recent article on the different logon types:
http://www.eventtracker.com/newsletters/following-a-users-logon-tracks-throughout-the-windows-domain/
Though I think the title of the article is misleading, there's some useful information on different logon/logoff events.
http://www.eventtracker.com/newsletters/following-a-users-logon-tracks-throughout-the-windows-domain/
Though I think the title of the article is misleading, there's some useful information on different logon/logoff events.
No comments:
Post a Comment