Forum Newbie (Forum Members, 4 posts):
Hello,
What would be the best practice in truly capturing the logons/logoffs of a physical being? With over 50 to 100 of these types of event codes (538s, 528s and 540s) it's hard determining what is what in our logs, so it's difficult to say when the user is actually "physically" logging on or off of their machine. What would be the best practice to interpret these entries if doing an audit on a user? Should we also obtain their SecEvent.EVT file from their local system as well? Thanks for your help.

Expert (Administrators, 329 posts):
You really need to monitor each local workstation for 528 (logon type 2) and 538/551. Not what you want to hear, but that is really the only way.

Forum Newbie (Forum Members, 4 posts):
Hi Randy, thanks for responding. So just to confirm what you have said, you literally have to pull the SecEvent.EVT file from each system to truly get the most accurate logon/logoff results for a user?

Expert (Administrators, 329 posts):
Yes, because it's only the workstation that really has knowledge of the user's logon session. We can do a pretty good job of picking out initial workstation logons from domain controllers if you have multi-event correlation capabilities, but it's not 100% correct and it only tells you about the initial logon, not the logoff at all. Forget file servers.

Forum Newbie (Forum Members, 4 posts):
Hi Randy, appreciate ya sticking with me on this, one last question. For what we've discussed here, I assume you already know I'm speaking about best practices for capturing logons/logoffs in a domain environment; would this discussion still apply to that scenario?

Expert (Administrators, 329 posts):
Yes, a domain environment was already assumed. You see, there's really no such thing as "logging onto the domain". When you log on to your workstation with a domain account, your workstation checks with the domain controller to authenticate you, but your logon session is to the workstation itself. The domain controller doesn't keep track of the fact that you are logged on; it doesn't even know how you logged on in terms of interactive, network, remote desktop, scheduled task, service, etc.
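The two answers above (monitor each workstation for 528 logon type 2 paired with 538/551, and the point that the logon session belongs to the workstation, not the domain controller) come down to one correlation rule: a 528 with Logon Type 2 starts a console session, and the first 538 or 551 carrying the same Logon ID ends it, while 540 network logons and service or batch logons are noise for a "physical presence" audit. The script below is an added example written for this thread, not code from the original posters; it runs over a small constructed export of workstation Security log records (the pipe-delimited format, the usernames and the Logon IDs are all made up for the example) and builds the session timeline an auditor would want.

```python
"""Correlate pre-Vista Windows Security log events into logon sessions.

Added example for the thread above (not the posters' code). Event IDs and
Logon Type numbers are the Windows-defined ones; the sample export format
and all sample values are constructed for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Logon Type values as recorded in event 528 (standard Windows meanings).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 10: "RemoteInteractive", 11: "CachedInteractive"}
# A person at the console: type 2, or type 11 (interactive with cached
# credentials when no DC is reachable). RDP (10) and network (3) are not.
PHYSICAL_LOGON_TYPES = {2, 11}
LOGON_EVENTS = {528, 540}    # 528 successful logon, 540 successful network logon
LOGOFF_EVENTS = {538, 551}   # 538 user logoff, 551 user-initiated logoff

# Constructed sample export: time|event id|user|logon type|logon id.
# 551 has no Logon Type field, so that column is empty for it.
SAMPLE_LOG = """\
2009-04-20 08:01:12|528|jsmith|2|(0x0,0x3E7A1)
2009-04-20 08:03:40|540|jsmith|3|(0x0,0x3F002)
2009-04-20 08:03:41|538|jsmith|3|(0x0,0x3F002)
2009-04-20 09:15:05|528|svc-backup|5|(0x0,0x41100)
2009-04-20 12:30:00|551|jsmith||(0x0,0x3E7A1)
2009-04-20 12:30:02|538|jsmith|2|(0x0,0x3E7A1)
2009-04-20 13:00:10|528|jsmith|10|(0x0,0x52A00)
2009-04-20 14:00:00|528|mlee|2|(0x0,0x60001)
"""


@dataclass
class Event:
    time: datetime
    event_id: int
    user: str
    logon_type: Optional[int]
    logon_id: str


@dataclass
class Session:
    user: str
    logon_type: int
    logon_id: str
    start: datetime
    end: Optional[datetime] = None   # None means still open at end of log

    @property
    def is_physical(self) -> bool:
        return self.logon_type in PHYSICAL_LOGON_TYPES


def parse_events(text: str) -> List[Event]:
    """Parse the constructed pipe-delimited export into Event records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, eid, user, ltype, logon_id = line.split("|")
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                            int(eid), user, int(ltype) if ltype else None,
                            logon_id))
    return events


def correlate_sessions(events: List[Event]) -> List[Session]:
    """Pair each logon with the first later logoff sharing its Logon ID."""
    open_by_id: Dict[str, Session] = {}
    sessions: List[Session] = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_id in LOGON_EVENTS and ev.logon_type is not None:
            sess = Session(ev.user, ev.logon_type, ev.logon_id, ev.time)
            open_by_id[ev.logon_id] = sess
            sessions.append(sess)
        elif ev.event_id in LOGOFF_EVENTS:
            sess = open_by_id.pop(ev.logon_id, None)
            if sess is not None:          # a 538 after a 551 is simply ignored
                sess.end = ev.time
    return sessions


def physical_sessions(events: List[Event]) -> List[Session]:
    """Only the sessions where someone was actually at the console."""
    return [s for s in correlate_sessions(events) if s.is_physical]


if __name__ == "__main__":
    for s in physical_sessions(parse_events(SAMPLE_LOG)):
        end = s.end.strftime("%H:%M:%S") if s.end else "still logged on"
        print(f"{s.user:12} {LOGON_TYPES[s.logon_type]:12} "
              f"{s.start:%Y-%m-%d %H:%M:%S} -> {end}")
```

Run against the sample, only the two type-2 sessions survive: jsmith from 08:01:12 to 12:30:00 (closed by the 551, with the trailing 538 ignored) and mlee's still-open session. The 540/538 pair on the same host, the service logon, and the RDP logon are all real sessions but not physical presence, which is why counting raw 528/538/540 events across servers gives the muddled picture the original question describes.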

Forum Newbie (Forum Members, 4 posts):
Thanks for your help Randy, you are the man!