?
Solved

Explaination of Security Logs

Posted on 2009-07-02
3
Medium Priority
?
230 Views
Last Modified: 2013-12-04
Hello,

    I'm curious to truely log a person's logon's and logoff's what event ID codes would one need to monitor?  Throughout the day, I know it is not abnormal to have 50, 60, 70 logon and logoff's in a days time i.e. Event ID: 528, 540 and 538, but not all of these are from the user alone, some of these entries are caused by the network, system ect....  

    How can you truely tell though if through user logon/logoff intervention that person is logging in or logging off of their system, something that would prove without a shadow of a doubt electronically that they are in the building physically logging and logging off their system.   What event ID codes would signify this?  

     Also, would doing a Control + Alt + Delete and locking the system generate a logout event ID i.e. 538 ? I'm assuming if it did log it as a 538 that logging back into that machine from a lock would generate  an event ID of 528 or 540.
0
Comment
Question by:itsmevic
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 1000 total points
ID: 24769270
On XP, locking the desktop does create a logoff event, so does fastuser switching(not available in domain joined pc's).This is an interactive lock then logon event stream (in order)
538 Logon type 7 (logoff-type 7 means screen lock, windows+L or ctrl+alt+delete or screen saver lcok)
576 (Special privileges assigned to new logon)
528 Logon type 7(logon - type 7 means unlock)
552 (logon using explicit credentials)
680 (Account used for logon)
http://www.windowsecurity.com/articles/Logon-Types.html
That is just one type of login, from a RemoteDesktop session it changes, but only slightly.
Google the codes: http://www.google.com/search?hl=en&q=site%3Amicrosoft.com+event+id+540
http://kbase.gfi.com/showarticle.asp?id=KBID002974
-rich





0
 
LVL 8

Assisted Solution

by:jako
jako earned 1000 total points
ID: 24778457
the user can set up automatic processes (in Tasks special folder) which also use the user credentials to authenticate/login. I guess if you notice the pattern in the logins in periodic|matching intervals you can safely assume these to be automatic and filter these out. what's left should be interactive logins and from there you can assume something. BUT if, for instance, the user would be using cryptotunnelled VNC to access the computer and log in from remote there would be no way for you to differentiate this login from the one when he/she is actually in the building.

To be 100% sure that they are in the building physically logging in, you would need to go and shake his/her hand daily :D
0
 

Author Closing Comment

by:itsmevic
ID: 31599338
Thank you
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let's recap what we learned from yesterday's Skyport Systems webinar.
This article is written by John Gates, CISSP. Gates, the SNUG President-Elect, currently holds the position of Manager of Information Systems at Lake Park High School in Roselle, Illinois.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question