﻿<?xml version='1.0' encoding='UTF-8'?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>UltimateWindowsSecurity.com Forum / Ultimate Windows Security Forum / Security Log / 4624 - An account was successfully logged on  / Tracking interactive logons / Latest Posts</title><generator>InstantForum.NET v4.1.4</generator><description>UltimateWindowsSecurity.com Forum</description><link>http://forum.ultimatewindowssecurity.com/</link><webMaster>noreply@ultimatewindowssecurity.com</webMaster><lastBuildDate>Thu, 17 May 2012 08:41:59 GMT</lastBuildDate><ttl>20</ttl><item><title>RE: Tracking interactive logons</title><link>http://forum.ultimatewindowssecurity.com/Topic330-167-1.aspx</link><description>yes</description><pubDate>Mon, 14 Nov 2011 08:31:41 GMT</pubDate><dc:creator>RandyFranklinSmith</dc:creator></item><item><title>RE: Tracking interactive logons</title><link>http://forum.ultimatewindowssecurity.com/Topic330-167-1.aspx</link><description>Randy,  &lt;/P&gt;&lt;P&gt;Am I right in inferring from your earlier comments on this thread, that one should see NO type 2 logons on the DC unless they are someone logging in interactively onto the DC itself?&lt;/P&gt;&lt;P&gt;Thanks..</description><pubDate>Fri, 07 Oct 2011 18:36:41 GMT</pubDate><dc:creator>mpanico</dc:creator></item><item><title>RE: Tracking interactive logons</title><link>http://forum.ultimatewindowssecurity.com/Topic330-167-1.aspx</link><description>there's no definite way to do that because the DC doesn't know what kind of logon is taking place at the computer.  In Windows, logon and authentication are related but not the same thing.  Authentication is done by and logged at the DC, while the logon takes place and is logged at the computer being accessed.  &lt;/P&gt;&lt;P&gt;That being said, there is a pattern of events you can look for at the DC from which you can pretty dependably "infer" that an interactive logon took place.  
&lt;/P&gt;&lt;P&gt;672 - identifies the user and "client address" bears the IP address of user's workstation&lt;/P&gt;&lt;P&gt;673 - "service name" = workstation name, so should client IP address&lt;/P&gt;&lt;P&gt;673 - "service name" = name of the DC, client IP matches user's workstation IP&lt;/P&gt;&lt;P&gt;673 -  "service name" = krbtgt, client IP matches user's workstation IP&lt;/P&gt;&lt;P&gt;sequence not guaranteed but all 4 events will be very close in time  &amp;lt; 2 seconds should be good&lt;/P&gt;&lt;P&gt;this particular pattern of 4 events indicates an interactive logon because &lt;/P&gt;&lt;P&gt;you always have to get an Authentication Ticket (672) and a service ticket (673) to krbtgt.  To logon to any computer you have to get a service ticket to the computer (673) but if it is an interactive logon you have to also get a service ticket to the DC for the workstation to read group policy under your credentials.</description><pubDate>Tue, 04 May 2010 19:19:37 GMT</pubDate><dc:creator>RandyFranklinSmith</dc:creator></item><item><title>RE: Tracking interactive logons</title><link>http://forum.ultimatewindowssecurity.com/Topic330-167-1.aspx</link><description>For domain-joined workstations, we are trying to identify interactive domain logon failures. How would you identify in the logs on the DC, domain interactive logon failures?</description><pubDate>Fri, 30 Apr 2010 12:17:48 GMT</pubDate><dc:creator>mns</dc:creator></item><item><title>RE: Tracking interactive logons</title><link>http://forum.ultimatewindowssecurity.com/Topic330-167-1.aspx</link><description>Yes, I know.  
I am looking at the DC logs and do not see them.&lt;br&gt;Or do you mean that when a user on a workstation tries to login and mistypes their password, the workstation will not generate the 4771/4772 events?&lt;br&gt;Is there a way, by looking at the DC logs and kerberos related events, to tell which user did not authenticate properly and fail to login from a workstation?</description><pubDate>Fri, 16 Apr 2010 11:32:33 GMT</pubDate><dc:creator>mns</dc:creator></item><item><title>RE: Tracking interactive logons</title><link>http://forum.ultimatewindowssecurity.com/Topic330-167-1.aspx</link><description>You will only get these events from domain controllers</description><pubDate>Fri, 16 Apr 2010 09:26:27 GMT</pubDate><dc:creator>RandyFranklinSmith</dc:creator></item><item><title>RE: Tracking interactive logons</title><link>http://forum.ultimatewindowssecurity.com/Topic330-167-1.aspx</link><description>I also need to get the failed attempts with username, date, time, IP address, etc.&lt;br&gt;As I understand it from your site and screencast, this should be event IDs 4771 and/or 4772. However, I see none of these in my logs.&lt;br&gt;Is there an audit setting I need to enable to get these to show up?&lt;br&gt;</description><pubDate>Thu, 15 Apr 2010 17:45:57 GMT</pubDate><dc:creator>mns</dc:creator></item><item><title>RE: Tracking interactive logons</title><link>http://forum.ultimatewindowssecurity.com/Topic330-167-1.aspx</link><description>Perfect!  That is exactly what I was looking for.</description><pubDate>Fri, 09 Apr 2010 11:42:34 GMT</pubDate><dc:creator>mns</dc:creator></item><item><title>RE: Tracking interactive logons</title><link>http://forum.ultimatewindowssecurity.com/Topic330-167-1.aspx</link><description>By "when a machine logged onto the network" I take you to mean when a Windows workstation or server booted up and accessed AD for application of Group Policy and other AD services - right?  
Not when a user logged in to that computer.&lt;/P&gt;&lt;P&gt;For that scenario you need to use the Account Logon category, Kerberos Authentication Service subcategory, event ID 4768 where "Account Name:" is a computer name.  You can identify computer names because they end in a dollar sign.  Client address will give you the computer's IP.</description><pubDate>Mon, 05 Apr 2010 11:50:15 GMT</pubDate><dc:creator>RandyFranklinSmith</dc:creator></item><item><title>RE: Tracking interactive logons</title><link>http://forum.ultimatewindowssecurity.com/Topic330-167-1.aspx</link><description>As a follow-up question on what I believe to be the same event id, how do I determine when a machine logged on to the network?  I would like to gather a list of the computers and their IP addresses from these kerberos logs.  This should be possible if I could understand the logs correctly.</description><pubDate>Fri, 02 Apr 2010 12:25:37 GMT</pubDate><dc:creator>mns</dc:creator></item><item><title>RE: Tracking interactive logons</title><link>http://forum.ultimatewindowssecurity.com/Topic330-167-1.aspx</link><description>Interesting.  Perhaps the pattern has changed on Win2008. &lt;/P&gt;&lt;P&gt;Your generalization will not work because the pattern you described would also fit logons to applications like Exchange and SharePoint.  You need to see the authentication ticket (TGT/4768) event followed by a service ticket (4769) for the DC and then another for the computer.  Without the 4769 for the DC you are dealing with a direct logon to an application like Exchange.  The 4769 for the DC is triggered because the workstation has to look up group policy on behalf of the user which tells you it is an interactive logon.&lt;/P&gt;&lt;P&gt;For most events there's no good way to just look at the event and determine if it's a DC or not. 
Of course these Kerberos events are only logged on DCs.</description><pubDate>Tue, 16 Mar 2010 21:06:59 GMT</pubDate><dc:creator>RandyFranklinSmith</dc:creator></item><item><title>RE: Tracking interactive logons</title><link>http://forum.ultimatewindowssecurity.com/Topic330-167-1.aspx</link><description>Just to clarify, I do see 4769 events but I do not see 3 of them.  Normally I see 2 of them, one for the workstation and one for the DC.  I do not see the matching 4769 krbtgt service name event.&lt;br&gt;&lt;br&gt;Is it safe to say that if a 4769 event for krbtgt service name follows a 4768 request from a non-computer account (no $ on end) then it is an interactive logon?&lt;br&gt;&lt;br&gt;If I were to generalize this for multiple domains, I am presuming that there is no way, from the logs, to know what is a DC, what is a File Server, what is an Exchange server, etc. without knowing these names ahead of time.  Is that right?&lt;br&gt;&lt;br&gt;</description><pubDate>Tue, 16 Mar 2010 17:54:34 GMT</pubDate><dc:creator>mns</dc:creator></item><item><title>RE: Tracking interactive logons</title><link>http://forum.ultimatewindowssecurity.com/Topic330-167-1.aspx</link><description>It sounds like you don't have the &lt;A href="http://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Kerberos-Service-Ticket-Operations"&gt;Kerberos Service Ticket Operations&lt;/A&gt; sub-category turned on.  You'll need to use the &lt;A href="http://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Auditpol"&gt;auditpol command&lt;/A&gt; to turn this on on each DC unless you have Win2008 R2 domain controllers which provide a new folder in group policy for configuring audit subcategories. 
</description><pubDate>Mon, 15 Mar 2010 15:01:27 GMT</pubDate><dc:creator>RandyFranklinSmith</dc:creator></item><item><title>RE: Tracking interactive logons</title><link>http://forum.ultimatewindowssecurity.com/Topic330-167-1.aspx</link><description>I am seeing 4768 events but am not seeing the following 3 4769 events per your webcast "Understanding Authentication Events in the Windows 2003 and 2008 Security Logs".&lt;br&gt;&lt;br&gt;Is there additional auditing that needs to be enabled in order to save this or is this on by default in Windows 2008?</description><pubDate>Mon, 15 Mar 2010 12:16:04 GMT</pubDate><dc:creator>mns</dc:creator></item><item><title>RE: Tracking interactive logons</title><link>http://forum.ultimatewindowssecurity.com/Topic330-167-1.aspx</link><description>Interactive logons (event ID 4624/528 with logon type 2) are recorded on the workstation where the user logs on - not on the domain controller.  So you either collect all your workstation logs or try to correlate the Kerberos event pattern to which you refer.  Neither way is optimal I realize but that's all there is unless you buy 3rd party software.</description><pubDate>Thu, 11 Mar 2010 07:38:22 GMT</pubDate><dc:creator>RandyFranklinSmith</dc:creator></item><item><title>Tracking interactive logons</title><link>http://forum.ultimatewindowssecurity.com/Topic330-167-1.aspx</link><description>I am trying to track interactive logons and am looking for the right mix.  I did not really see that many of these log entries in the Windows 2008 DC that I have been looking through.  Watched your webinar about the kerberos events and that looks promising but takes multiple events to process a logon.  Not very easy with syslog parsing.  What is the best way to go about determining the interactive logons in a Windows 2008 domain?  Is it 4624?  
or is  it 4768+4769?&lt;br&gt;&lt;br&gt;Thanks,&lt;br&gt;Ed&lt;br&gt;</description><pubDate>Wed, 10 Mar 2010 17:47:43 GMT</pubDate><dc:creator>mns</dc:creator></item></channel></rss>
