Windows Security and Kerberos Question

Posted on 2009-07-02
Last Modified: 2013-12-04

I'm reviewing the authentication logs on our network. Would it be safe to assume that if Kerberos is listed as the protocol used, the user was physically sitting at their desk when logging in? I notice that in some of the log entries Kerberos isn't listed; it's just blank. I'm trying to get a better understanding of the logon/logoff events, i.e. event IDs 528 and 540.

If you go to your event log, you'll see that it is normal to have 50 to 100 logon/logoff events in one day's time easily. However, I know these are not all from the user; some of these events are a result of the network. How does one tell an actual user from a system/network event?

Question by: itsmevic

Accepted Solution

Chris Gralike earned 500 total points
ID: 24772602
Logon processes:

Triggered by a call to LogonUser; LogonUser calls LsaLogonUser, and one of the arguments to LsaLogonUser, OriginName, identifies the origin of the logon attempt

Normal Windows 2000 logon using WinLogon, usually also logged with Windows Update reboots.

Service Control Manager started a service

Network connections to the SMB server, for example, when you use a NET USE command

The Kerberos Security Support Provider [SSP] can be utilized by applications to access remote or local resources using the session provided KDC keys.

The NTLM SSP (NT LanManager Security Support Provider), used for instance with NTLM web / CIFS authentication.

Secondary Logon, that is, the RunAs command

IIS: IIS performed the logon; generated when logging on the IUSR_machinename account or when using Digest or Basic authentication

Additional reading
I think this resource is a bit out-dated, but based on this one you might be able to find a newer one ;-)

Hope this is what you were looking for ;)
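An added example, not part of the original question or answer: one way to separate console logons from network and machine-account logons is to read the Logon Type and User Name fields of each 528/540 event description rather than the authentication package. The sample descriptions are constructed, and the field names and Logon Type values assume the pre-Vista Security log format.

```python
# Logon Type values recorded in Security log events 528 and 540.
LOGON_TYPES = {2: "interactive", 3: "network", 4: "batch", 5: "service",
               7: "unlock", 8: "network-cleartext", 9: "new-credentials",
               10: "remote-interactive", 11: "cached-interactive"}
CONSOLE_TYPES = {2, 7, 11}  # credentials entered at the machine itself

def parse_fields(description):
    """Turn the 'Name: value' lines of an event description into a dict."""
    fields = {}
    for line in description.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def classify(description):
    """Return (user, logon type, auth package, origin) for one event."""
    f = parse_fields(description)
    raw = f.get("Logon Type", "")
    ltype = int(raw) if raw.isdigit() else 0
    user = f.get("User Name", "")
    if user.endswith("$"):
        origin = "machine account"   # computer account, not a person
    elif ltype in CONSOLE_TYPES:
        origin = "console"           # a hint, not proof of physical presence
    elif ltype == 10:
        origin = "remote desktop"
    else:
        origin = "network/system"
    package = f.get("Authentication Package", "")
    return user, LOGON_TYPES.get(ltype, "unknown"), package, origin
# Constructed sample descriptions, not taken from a real log.
SAMPLES = ["""Successful Logon:
    User Name: jdoe
    Logon Type: 2
    Logon Process: User32
    Authentication Package: Negotiate""",
           """Successful Network Logon:
    User Name: jdoe
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos""",
           """Successful Network Logon:
    User Name: WS01$
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos"""]
if __name__ == "__main__":
    for text in SAMPLES:
        print(classify(text))
```

In the constructed samples, the two events that list Kerberos as the authentication package are both network logons, one of them by a computer account.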

