Forum

Ultimate Windows Security Forum » Security Log » 540 - Successful Network Logon » EID - 540

EID - 540

Rate Topic

Display Mode

Topic Options

Author

Message

kitchu25

Posted 8/14/2009 3:18:41 AM

Forum Newbie

Group: Forum Members
Last Login: 8/14/2009 3:02:10 AM
Posts: 1, Visits: 0

Hi,

I am doing audit review for my company. In a server I can see in the log for EID - 540 from which workstation the access is made.

Here I is the see log details:

"Successful Network Logon: User Name: $nrddu Domain: sdap Logon ID: (0x0,0x5F637364) Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: Htf1

Here I can not see the same in the server :

"Successful Network Logon: User Name: $nrddu Domain: sdap Logon ID: (0x0,0x5F669D39) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name:

Is there any differnace in this NtLmSsp Authentication Package and Kerberos Authentication Package in capturing the logs...

Kishore

Post #175

RandyFranklinSmith

Posted 8/14/2009 7:39:28 AM

Expert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0

I can't test it right now but my memory and knowledge of the difference between the 2 protocols says you may be right. However there should be a field in the 540 event that specifies the workstation IP address.

Post #176

« Prev Topic | Next Topic »

Permissions

All times are GMT -5:00, Time now is 4:59pm

Upcoming Webinars

Beyond IP/Hash/Domain: Leveraging Threat Feed Metadata for Better Context and Accuracy

Additional Resources

Home

Forum

User name:
Password:
	/ Forgot?
	Register

Home

About | Contact

Ultimate Windows Security is a division of Monterey Technology Group, Inc. ©2006-2008 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk.