The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). The new logon session has the same local identity, but uses different credentials for other network connections. Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the authentication or the calling application did not provide sufficient information to use Kerberos.
Transmitted services are populated if the logon was a result of an S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user — most commonly done by a front-end website to access an internal resource on behalf of a user.
Possible values are: Typically, it has a length of bits or 56 bits. For this event, also see Appendix A: Security monitoring recommendations for many audit events. To monitor for a mismatch between the logon type and the account that uses it (for example, if Logon Type 4-Batch or 5-Service is used by a member of a domain administrative group), monitor Logon Type in this event.
We recommend monitoring all events for local accounts, because these accounts typically should not be locked out. Monitoring is especially relevant for critical servers, administrative workstations, and other high-value assets. We recommend monitoring all events for service accounts, because these accounts should not be locked out or prevented from functioning. Monitoring is especially relevant for critical servers, administrative workstations, and other high-value assets.
If your organization restricts logons in the following ways, you can use this event to monitor accordingly: If a specific account, such as a service account, should only be used from your internal IP address list or some other list of IP addresses.
If a particular version of NTLM is always used in your organization. In this case, monitor for Key Length not equal to , because all Windows operating systems starting with Windows support bit Key Length.
Note: For recommendations, see Security Monitoring Recommendations for this event. Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal).
Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form.
The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. A user logged on to this computer with network credentials that were stored locally on the computer.
The domain controller was not contacted to verify the credentials. High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action.
Logon Type 2 — Interactive: This is what occurs to you first when you think of logons, that is, a logon at the console of a computer.
Logon Type 3 — Network: Windows logs logon type 3 in most cases when you access a computer from elsewhere on the network.
Logon Type 4 — Batch: When Windows executes a scheduled task, the Scheduled Task service first creates a new logon session for the task so that it can run under the authority of the user account specified when the task was created.
Logon Type 5 — Service: Similar to Scheduled Tasks, each service is configured to run as a specified user account.