EID - 540 Expand / Collapse
Author
Message
Posted 8/14/2009 3:18:41 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 8/14/2009 3:02:10 AM
Posts: 1, Visits: 0
Hi,

I am doing audit review for my company. In a server I can see in the log for EID - 540 from which workstation the access is made.

Here I is the see log details:

"Successful Network Logon: User Name: $nrddu Domain: sdap Logon ID: (0x0,0x5F637364) Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation NameHtf1

Here I can not see the same in the server :

"Successful Network Logon: User Name: $nrddu Domain: sdap Logon ID: (0x0,0x5F669D39) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name:

Is there any differnace in this  NtLmSsp Authentication Package and Kerberos Authentication Package in capturing the logs...

Kishore

 

Post #175
Posted 8/14/2009 7:39:28 AM
Expert

ExpertExpertExpertExpertExpertExpertExpertExpert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
I can't test it right now but my memory and knowledge of the difference between the 2 protocols says you may be right.  However there should be a field in the 540 event that specifies the workstation IP address.
Post #176
« Prev Topic | Next Topic »


Permissions Expand / Collapse

All times are GMT -5:00, Time now is 4:59pm