Account Logon and Logon Events
This lesson examines two specific policy settings: Audit Account Logon Events and Audit Logon Events. It is important that you understand the difference between these two similarly named policy settings.

When a user logs on to any computer in the domain using a domain user account, a domain controller authenticates the attempt to log on to the domain account. This generates an account logon event on the domain controller.

The computer to which the user logs on—for example, the user’s laptop—generates a logon event. The computer did not authenticate the user against his or her account—it passed the account to a domain controller for validation. The computer did, however, allow the user to log on interactively to the computer. Therefore, the event is a logon event.

When the user connects to a folder on a server in the domain, that server authorizes the user for a type of logon called a network logon. Again, the server does not authenticate the user—it relies on the ticket given to the user by the domain controller. However, the connection by the user generates a logon event on the server.

Tip
Be certain that you can distinguish between account logon events and logon events. The simplest way to remember the difference is that an account logon event occurs where the account lives: on the domain controller that authenticates the user. A logon event occurs on the computer to which the user logs on interactively. It also occurs on the file server to which the user connects using a network logon.
Configuring Authentication-Related Audit Policies
Account logon and logon events can be audited by Windows Server 2008 R2. The settings that manage auditing are located in a GPO in the Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy node. The Audit Policy node and the two settings detailed in the previous section are shown in Figure 1.

To configure an audit policy, double-click the policy, and its properties dialog box appears. The Audit Account Logon Events Properties dialog box is shown in Figure 2.

The policy setting can be configured to one of the following four states:
- Not defined: If the Define These Policy Settings check box is cleared, the policy setting is not defined. In this case, the server audits events based on its default settings or on the settings specified in another GPO.
- Defined for no auditing: If the Define These Policy Settings check box is selected, but the Success and Failure check boxes are cleared, the server will not audit these events.
- Audit successful events: If the Define These Policy Settings check box is selected, and the Success check box is selected, the server will log successful events in its Security log.
- Audit failed events: If the Define These Policy Settings check box is selected, and the Failure check box is selected, the server will log unsuccessful events in its Security log.
A server’s audit behavior is determined by the settings that are applied as the resultant set of policy. In Windows Server 2008 R2, the default setting is to audit successful account logon events and successful logon events. So both types of events are, if successful, entered in the server’s Security log. If you want to audit failures or turn off auditing, you must define the appropriate setting in the audit policy.
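Because the behavior that matters is the resultant set of policy, the practical check is to read the effective audit policy on the server itself rather than the settings in any one GPO. The following PowerShell script is an added example, not part of the original lesson; it wraps auditpol.exe, which reports the policy actually in force after Group Policy has applied. Note that auditpol lists the advanced audit subcategories: the legacy Audit Account Logon Events and Audit Logon Events settings correspond to the Account Logon and Logon/Logoff categories respectively. The function name and its default category list are my own choices.

```powershell
# Added example (not from the original lesson): read the effective audit policy
# on the local server for the two categories this lesson covers. auditpol.exe
# reports what is in force after Group Policy has applied, which is what you
# need to confirm after gpupdate, not what a single GPO says.
function Get-EffectiveLogonAuditPolicy {
    param(
        # Legacy "Audit Account Logon Events" -> Account Logon category,
        # legacy "Audit Logon Events"         -> Logon/Logoff category
        [string[]]$Category = @('Account Logon', 'Logon/Logoff')
    )
    foreach ($c in $Category) {
        $categoryArg = "/category:$c"          # one argument; PowerShell quotes the space
        # /r emits CSV (Machine Name, Policy Target, Subcategory, Subcategory GUID,
        # Inclusion Setting, Exclusion Setting); drop blank lines before parsing
        $rows = auditpol.exe /get $categoryArg /r |
            Where-Object { $_.Trim() -ne '' } |
            ConvertFrom-Csv
        foreach ($row in $rows) {
            $setting = $row.'Inclusion Setting'   # No Auditing | Success | Failure | Success and Failure
            New-Object PSObject -Property @{
                Category      = $c
                Subcategory   = $row.Subcategory
                Setting       = $setting
                # The lesson's four states collapse to these two flags
                AuditsSuccess = ($setting -match 'Success')
                AuditsFailure = ($setting -match 'Failure')
            }
        }
    }
}

# Usage: run from an elevated PowerShell prompt on the server you are checking
Get-EffectiveLogonAuditPolicy |
    Format-Table Category, Subcategory, Setting, AuditsSuccess, AuditsFailure -AutoSize
```

auditpol requires an elevated prompt. Running this before and after gpupdate.exe /force on a domain controller shows the subcategories switching from the default (success only) to Success and Failure once the GPO change from the practice below has applied.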
As with all policy settings, you should scope settings so that they affect the correct systems. For example, if you want to audit attempts by users to connect to remote desktop servers in your enterprise, you can configure logon event auditing in a GPO linked to the OU that contains your remote desktop servers. If, on the other hand, you want to audit logons by users to desktops in your human resources department, you can configure logon event auditing in a GPO linked to the OU containing human resources computer objects. Remember that domain users logging on to a client computer or connecting to a server will generate a logon event—not an account logon event—on that system.

Only domain controllers generate account logon events for domain users. Remember that an account logon event occurs on the domain controller that authenticates a domain user, regardless of where that user logs on. If you want to audit logons to domain accounts, you should scope account logon event auditing to affect only domain controllers. In fact, the Default Domain Controllers GPO that is created when you install your first domain controller is an ideal GPO in which to configure account logon audit policies.

Account logon and logon events, if audited, appear in the Security log of the system that generated the event. Figure 3 shows an example. So if you are auditing logons to computers in the human resources department, the events are entered in each computer’s Security log. Similarly, if you are auditing unsuccessful account logons to identify potential intrusion attempts, the events are entered in each domain controller’s Security log. This means, by default, that you will need to examine the Security logs of all domain controllers to get a complete picture of account logon events in your domain.

As you can imagine, in a complex environment with multiple domain controllers and many users, auditing account logons or logons can generate a tremendous number of events. If there are too many events, it can be difficult to identify problematic events worthy of closer investigation. You should balance the amount of logging you perform with the security requirements of your business and the resources you have available to analyze logged events.
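The two points above, that account logon events are spread across every domain controller and that the raw volume is too high to read by hand, suggest the shape of a first-pass review: pull only failures from every DC and summarize them per account. The script below is an added example rather than the lesson's own material. It enumerates the domain controllers of the current domain with System.DirectoryServices (so it does not need the Active Directory module), reads the Account Logon events of the last 24 hours from each, and counts failures per target account. The event IDs are the standard Windows Server 2008 R2 Security log IDs for this category: 4768 (Kerberos TGT request), 4771 (Kerberos pre-authentication failed) and 4776 (NTLM credential validation). The function name, the 24-hour window and the column layout are my assumptions.

```powershell
# Added example (not from the original lesson): collect failed account logon
# events from every domain controller and summarize them per account. Each DC
# only holds the authentications it performed, so one log never gives the whole
# picture. Security event IDs (Account Logon category, Server 2008 R2):
#   4768 Kerberos TGT requested, 4771 Kerberos pre-auth failed,
#   4776 NTLM credential validation (keyword Audit Failure when it fails)
function Get-FailedAccountLogonSummary {
    param(
        [int]$Hours = 24,
        # Default: all DCs of the current domain, found without the AD module
        [string[]]$DomainController = (
            [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
                ForEach-Object { $_.Name })
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4768, 4771, 4776
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $failures = foreach ($dc in $DomainController) {
        # Get-WinEvent throws when nothing matches; treat that as "no events on this DC"
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            if ($e.KeywordsDisplayNames -notcontains 'Audit Failure') { continue }
            # Read named EventData fields from the XML so one code path serves all three IDs
            $field = @{}
            foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
            # Kerberos events carry IpAddress; 4776 carries the Workstation name instead
            $source = $field['IpAddress']
            if (-not $source) { $source = $field['Workstation'] }
            New-Object PSObject -Property @{
                DomainController = $dc
                TimeCreated      = $e.TimeCreated
                EventId          = $e.Id
                Account          = $field['TargetUserName']
                Source           = $source
                Status           = $field['Status']   # failure code, e.g. bad password vs. unknown user
            }
        }
    }
    # Accounts with the most failures first, with the DCs that saw them
    $failures | Group-Object Account | Sort-Object Count -Descending |
        Select-Object Count, Name,
            @{ n = 'DomainControllers'; e = { ($_.Group | Select-Object -ExpandProperty DomainController -Unique) -join ',' } }
}

# Usage: run as a user with administrative rights on the domain controllers
Get-FailedAccountLogonSummary | Format-Table -AutoSize
```

Remote reads of the Security log need administrative rights on each DC and the Remote Event Log Management firewall rule enabled there. Grouping by account is deliberate: an account with many failures across several DCs stands out immediately, which is exactly the kind of triage the paragraph above says becomes impossible when you read the raw logs one DC at a time.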
Practice Auditing Authentication
In this practice, you use Group Policy to enable auditing of logon activity by users in the contoso.com domain. You then generate logon events and view the resulting entries in the event logs.
EXERCISE 1 Configure Auditing of Account Logon Events
In this exercise, you modify the Default Domain Controllers Policy GPO to implement auditing of both successful and failed logons by users in the domain.
- Open Group Policy Management from the Administrative Tools program group.
- Expand Forest, Domains, Contoso.com, and Domain Controllers.
- Right-click Default Domain Controllers Policy and choose Edit.
  Group Policy Management Editor appears.
- Expand Computer Configuration, Policies, Windows Settings, Security Settings, and Local Policies, and then click Audit Policy.
- Double-click Audit Account Logon Events.
- Select the Define These Policy Settings check box.
- Select both the Success and Failure check boxes. Click OK.
- Double-click Audit Logon Events.
- Select the Define These Policy Settings check box.
- Select both the Success and Failure check boxes. Click OK.
- Close Group Policy Management Editor.
- Open Command Prompt and type gpupdate.exe /force.
  This command causes SERVER01 to update its policies, at which time the new auditing settings take effect.
EXERCISE 2 Generate Account Logon Events
In this exercise, you generate account logon events by logging on with both incorrect and correct passwords.
- Log off of SERVER01.
- Attempt to log on as Administrator with an incorrect password. Repeat this step once or twice.
- Log on to SERVER01 with the correct password.

EXERCISE 3 Examine Account Logon Events
In this exercise, you view the events generated by the logon activities in Exercise 2.
- Open Event Viewer from the Administrative Tools program group.
- Expand Windows Logs, and then click Security.
- Identify the failed and successful events.
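Event Viewer shows the entries, but it does not tell you which of the lesson's two categories each one belongs to. The script below is an added example, not part of the exercise, to run on SERVER01 after Exercise 2. Because SERVER01 is a domain controller, its Security log holds both kinds of event from the same logons: the account logon events (it authenticated the Administrator account) and the logon events (you logged on to it interactively). The script labels each event with its category, its outcome and, for logon events, the Logon Type, so the interactive logons from the console are distinguishable from network logons. It assumes the standard Server 2008 R2 event IDs (4624/4625 for logon success/failure; 4768/4771/4776 for account logon) and a one-hour window; the function name and the output columns are mine.

```powershell
# Added example (not from the original lesson): list the Security events from
# the practice logons on SERVER01 and label each with the lesson's two
# categories. Assumed window: the last hour.

# Well-known Security event IDs on Windows Server 2008 R2
$AccountLogonIds = @{ 4768 = 'Kerberos TGT requested'; 4771 = 'Kerberos pre-auth failed'; 4776 = 'Credential validation (NTLM)' }
$LogonIds        = @{ 4624 = 'Logon succeeded'; 4625 = 'Logon failed' }
# Logon Type values recorded in 4624/4625 events
$LogonTypeName   = @{ 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock';
                      8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

function Get-LogonEventSummary {
    param([datetime]$StartTime = (Get-Date).AddHours(-1))

    $ids = @($AccountLogonIds.Keys) + @($LogonIds.Keys)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $StartTime } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Named EventData fields (TargetUserName, LogonType, ...) from the event XML
        $field = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }

        if ($AccountLogonIds.ContainsKey($e.Id)) {
            # Generated because this DC authenticated the account
            $category = 'Account logon'
            $desc     = $AccountLogonIds[$e.Id]
            $type     = ''
        } else {
            # Generated because a session was (or was not) created on this computer
            $category = 'Logon'
            $desc     = $LogonIds[$e.Id]
            $type     = $LogonTypeName[[int]$field['LogonType']]
        }
        $outcome = if ($e.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }

        New-Object PSObject -Property @{
            Time        = $e.TimeCreated
            Id          = $e.Id
            Category    = $category
            Outcome     = $outcome
            LogonType   = $type
            Account     = $field['TargetUserName']
            Description = $desc
        }
    }
}

# Usage: run in an elevated PowerShell prompt on SERVER01 after completing Exercise 2
Get-LogonEventSummary | Sort-Object Time |
    Format-Table Time, Id, Category, Outcome, LogonType, Account, Description -AutoSize
```

For the wrong-password attempts you should see Failure rows in both categories: a 4771 or 4776 account logon failure and a 4625 logon failure with LogonType Interactive. The final correct logon produces the matching Success rows. Run the same script on a member server rather than a DC and only the Logon category rows appear, which is the scoping point the lesson makes about where each event type is recorded.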