Explanation of Security Logs

Hello,

I'm curious: to truly log a person's logons and logoffs, what event ID codes would one need to monitor? Throughout the day, I know it is not abnormal to have 50, 60, 70 logons and logoffs in a day's time, i.e. Event ID: 528, 540 and 538, but not all of these are from the user alone; some of these entries are caused by the network, system etc.

How can you truly tell, though, through user logon/logoff intervention, that a person is logging in or logging off of their system, something that would prove without a shadow of a doubt electronically that they are in the building physically logging on and logging off their system? What event ID codes would signify this?

Also, would doing a Control + Alt + Delete and locking the system generate a logout event ID, i.e. 538? I'm assuming if it did log it as a 538 that logging back into that machine from a lock would generate an event ID of 528 or 540.

itsmevic asked:

Rich Rumble (Security Samurai) commented:
On XP, locking the desktop does create a logoff event, and so does fast user switching (not available in domain-joined PCs). This is an interactive lock then logon event stream (in order):
538 Logon type 7 (logoff - type 7 means screen lock, Windows+L or Ctrl+Alt+Delete or screen saver lock)
576 (Special privileges assigned to new logon)
528 Logon type 7 (logon - type 7 means unlock)
552 (logon using explicit credentials)
680 (Account used for logon)
http://www.windowsecurity.com/articles/Logon-Types.html
That is just one type of login; from a Remote Desktop session it changes, but only slightly.
Google the codes: http://www.google.com/search?hl=en&q=site%3Amicrosoft.com+event+id+540
http://kbase.gfi.com/showarticle.asp?id=KBID002974
-rich

jakosysadmin commented:
The user can set up automatic processes (in the Tasks special folder) which also use the user credentials to authenticate/login. I guess if you notice the pattern in the logins in periodic/matching intervals you can safely assume these to be automatic and filter these out. What's left should be interactive logins, and from there you can assume something. BUT if, for instance, the user would be using crypto-tunnelled VNC to access the computer and log in from remote, there would be no way for you to differentiate this login from the one when he/she is actually in the building.

To be 100% sure that they are in the building physically logging in, you would need to go and shake his/her hand daily :D
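The two answers above describe, between them, which (event ID, logon type) pairs reflect a person at the console and how to weed out scheduled-task logons by their regular spacing. The following is an added example (not code from either poster) that applies both ideas to a constructed sample of pre-Vista security events; the record layout, account name and timestamps are assumed for illustration.

```python
"""Classify Windows XP/2003-era security events (528/538/540 plus logon type)
into console-presence signals vs. noise. Added example; sample data is constructed."""
from datetime import datetime, timedelta

# (event_id, logon_type) -> meaning for the console user, as described in the thread.
# Type 2 = interactive (console), type 7 = lock/unlock. Type 3 (network),
# type 4 (batch/scheduled task) and type 10 (Remote Desktop) are not presence signals.
PRESENCE = {
    (528, 2): "console logon",
    (538, 2): "console logoff",
    (538, 7): "screen lock",
    (528, 7): "unlock",
}

# Constructed sample export: (timestamp, event id, logon type, account)
SAMPLE = [
    ("2009-03-02 08:01:10", 528, 2, "jdoe"),
    ("2009-03-02 08:01:11", 576, None, "jdoe"),  # privileges assigned, ancillary
    ("2009-03-02 09:00:00", 540, 3, "jdoe"),     # hourly file-share access, not presence
    ("2009-03-02 10:00:00", 540, 3, "jdoe"),
    ("2009-03-02 11:00:00", 540, 3, "jdoe"),
    ("2009-03-02 12:05:30", 538, 7, "jdoe"),     # Ctrl+Alt+Del -> Lock
    ("2009-03-02 12:58:02", 528, 7, "jdoe"),     # unlock
    ("2009-03-02 17:30:45", 538, 2, "jdoe"),
    ("2009-03-02 19:00:00", 528, 10, "jdoe"),    # RDP from elsewhere, not presence
]

def classify(records):
    """Return (timestamp, account, label) for presence-relevant events only."""
    out = []
    for ts, eid, ltype, acct in records:
        label = PRESENCE.get((eid, ltype))
        if label:
            out.append((ts, acct, label))
    return out

def periodic_logons(records, tolerance=timedelta(seconds=5)):
    """Flag (account, logon_type) streams whose logons recur at a constant interval,
    the pattern jakosysadmin suggests filtering out as automated. Returns the interval."""
    by_key = {}
    for ts, eid, ltype, acct in records:
        if eid in (528, 540):
            by_key.setdefault((acct, ltype), []).append(datetime.fromisoformat(ts))
    flagged = {}
    for key, times in by_key.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) >= 2 and all(abs(g - gaps[0]) <= tolerance for g in gaps):
            flagged[key] = gaps[0]
    return flagged
```

Even after both filters, an unlock reached over a tunnelled remote-control session looks identical to one typed at the keyboard, which is the limitation jakosysadmin points out.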
itsmevic (author) commented:
Thank you