528 and audit settings
Posted 6/22/2009 9:10:09 AM
Forum Newbie


Group: Forum Members
Last Login: 6/22/2009 8:32:25 AM
Posts: 1, Visits: 0
What audit settings on the DC control whether 528 records are recorded?

Our system is flooded with 540 events, but the only 528 events seem to be when an ADMIN logs on to the DC directly. 

We want to trap workstation logon events only.  

Are the audit settings that will accomplish this as well as retaining the other AD events recommended on your website?

Thanks,

John 

Post #113
Posted 6/22/2009 9:54:54 PM
Expert


Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
540 and 528 are both part of Logon/Logoff events which only track logons to the local computer itself.  When you see a 540 on a Domain Controller it means some user or other computer on the network accessed a resource on the DC such as a file or LDAP query - these events are normal and happen all the time.  528s track all other logons such as to the local console, etc.  Please carefully read the difference between these 2 events in my free Security Log Encyclopedia on this site.

To really track logons to workstations you have to either:

  1. collect workstation logs and look for event ID 528s where logon type is 2, or:
  2. enable auditing of Account Logon events on domain controllers and then watch your 672s.  672s also get logged for other situations besides users logging on at their workstation.  For that level of detail I suggest my Security Log Resource kit also available on this site.
Post #114
Posted 8/25/2009 6:47:20 AM
Forum Newbie


Group: Forum Members
Last Login: 8/25/2009 6:43:25 AM
Posts: 2, Visits: 0
I am also having trouble singling out actual interactive logons to workstations by trapping events on domain controllers. I've written a service that attaches to the Security event log, and looks for event 672 (and 4768 on 2008 servers), which seemed to work well, however on some Windows networks I'm seeing lots of 672 events for an administrator account. This is confusing my custom auditing service, which then assumes the admin user has logged onto the workstation, when they have not.

You mention that things other than interactive logons can trigger event 672, and I'm wondering what these are, or if there is any reliable way to discriminate between these spurious 672 events and real interactive logins.

Any help much appreciated, regards, Dan...
Post #184
Posted 8/25/2009 10:39:09 AM
Forum Newbie


Group: Forum Members
Last Login: 8/25/2009 6:43:25 AM
Posts: 2, Visits: 0
I have found a solution, or work-around to filter out real logons from the spurious 672 events. Basically, with a proper interactive logon a successful 672 event is followed almost immediately by a 673 event, with the same user credentials from the same Client IP address (computer workstation).

So I've changed the audit service I've written so that 672 events are placed in a temporary hash table, then if the event is followed by a 673 event from the same IP address using the same user credentials, then I trigger a logon event.

Seems to work well.
Post #185
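The 672-then-673 pairing that Dan describes above, written out as an added example (this is not Dan's service and not code from this site). It correlates Kerberos TGT requests (672) with service ticket requests (673) keyed on user and client address, and only reports a workstation logon when the 673 arrives within a short window after the 672. The event records are constructed samples with just the fields the post mentions; the 10-second window, the field layout, and the assumption that only successful events are fed in are mine, not something the thread states.

```python
"""Correlate 672 (TGT request) with a following 673 (service ticket request)
from the same user and client address, treating the pair as an interactive
workstation logon. Unpaired 672s are kept separately so they can be reviewed
instead of being counted as logons.

Added example; assumptions: events are already filtered to successful ones,
timestamps are "YYYY-MM-DD HH:MM:SS", and a 673 within WINDOW of the 672
is the pairing signal described in the thread.
"""
from datetime import datetime, timedelta

# Constructed sample stream (not real log data): (timestamp, event id, user, client IP)
SAMPLE_EVENTS = [
    ("2009-08-25 06:40:01", 672, "jdoe", "10.0.0.15"),
    ("2009-08-25 06:40:02", 673, "jdoe", "10.0.0.15"),    # pair -> real logon
    ("2009-08-25 06:41:10", 672, "Admin", "10.0.0.5"),    # 672 with no 673
    ("2009-08-25 06:41:11", 672, "admin", "10.0.0.5"),    # repeated, still no 673
    ("2009-08-25 06:45:00", 672, "asmith", "10.0.0.22"),
    ("2009-08-25 06:46:00", 673, "bjones", "10.0.0.30"),  # 673 with no prior 672
    ("2009-08-25 06:50:30", 673, "asmith", "10.0.0.22"),  # 673 too late after 672
]

WINDOW = timedelta(seconds=10)   # assumed pairing window, not from the thread


def _parse_ts(ts_str):
    return datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")


def correlate(events, window=WINDOW):
    """Return (logons, unpaired) where logons is a list of
    (user, client_ip, 673 timestamp) and unpaired is a list of
    (user, client_ip, 672 timestamp) for 672s never followed by a 673."""
    pending = {}      # (user, ip) -> timestamp of the most recent unmatched 672
    logons = []
    unpaired = []

    def expire(now):
        # Move 672s older than the window out of the hash table so it
        # cannot grow without bound on a busy DC.
        for key in [k for k, t in pending.items() if now - t > window]:
            unpaired.append((key[0], key[1], pending.pop(key).strftime("%Y-%m-%d %H:%M:%S")))

    for ts_str, event_id, user, ip in sorted(events, key=lambda e: e[0]):
        ts = _parse_ts(ts_str)
        expire(ts)
        key = (user.lower(), ip)   # account names are case-insensitive
        if event_id == 672:
            # A newer 672 for the same user/IP replaces the older one; the
            # older one was never confirmed by a 673, so record it as unpaired.
            if key in pending:
                unpaired.append((key[0], key[1], pending[key].strftime("%Y-%m-%d %H:%M:%S")))
            pending[key] = ts
        elif event_id == 673:
            tgt_ts = pending.pop(key, None)
            if tgt_ts is not None and ts - tgt_ts <= window:
                logons.append((key[0], key[1], ts_str))
            # a 673 with no matching 672 is ignored: nothing to confirm
    # flush whatever is still waiting at end of stream
    for (user, ip), t in pending.items():
        unpaired.append((user, ip, t.strftime("%Y-%m-%d %H:%M:%S")))
    return logons, sorted(unpaired)


if __name__ == "__main__":
    found, leftover = correlate(SAMPLE_EVENTS)
    for user, ip, when in found:
        print(f"workstation logon: {user} from {ip} at {when}")
    for user, ip, when in leftover:
        print(f"672 without 673 (not counted as logon): {user} from {ip} at {when}")
```

Keying on the lower-cased account name avoids splitting one user into two entries when the DC logs the name with different capitalisation, and expiring stale 672s keeps the table small on a domain controller that sees thousands of ticket requests an hour. The unpaired list is what you would inspect to see which accounts (in the sample, the admin account) are requesting TGTs for reasons other than a console logon.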
Posted 8/26/2009 1:13:42 PM
Expert


Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
That is a fairly safe assumption to make about that 2 event pattern.  The other 672s aren't really spurious - just triggered by other activity that requires authentication.
Post #186