Windows Security and Kerberos Question

Posted on 2009-07-02
Last Modified: 2013-12-04
Hello,

    I'm reviewing the authentication logs on our network. Would it be safe to assume that if Kerberos is listed as the protocol used, the user was physically sitting at their desk when logging in?  I notice that in some of the log entries Kerberos isn't listed; it's just blank.  I'm trying to get a better understanding of the logon/logoff events, i.e. event IDs 528 and 540.

   If you go to your event log, you'll see that it is normal to have 50 to 100 logon/logoff events in one day's time easily. However, I know these are not all on the user; some of these events are a result of the network.  How does one tell an actual user from a system/network event?
Question by:itsmevic
Accepted Solution

by: Chris Gralike
Logon processes:

Advapi
Triggered by a call to LogonUser; LogonUser calls LsaLogonUser, and one of the arguments to LsaLogonUser, OriginName, identifies the origin of the logon attempt

User32
Normal Windows 2000 logon using WinLogon, usually also logged with Windows Update reboots.

SCMgr
Service Control Manager started a service

KsecDD
Network connections to the SMB server, for example, when you use a NET USE command

Kerberos
The Kerberos Security Support Provider [SSP], can be utilized by applications to access remote or local resources using the session provided KDC keys.

NtlmSsp
The NTLM SSP (NT LAN Manager Security Support Provider), used for instance with NTLM web / CIFS authentication. http://en.wikipedia.org/wiki/NTLMSSP

Seclogon
Secondary Logon, that is, the RunAs command

IIS
IIS performed the logon; generated when logging on the IUSR_machinename account or when using Digest or Basic authentication

Additional reading
I think this resource is a bit out-dated, but based on this one you might be able to find a newer one ;-)

http://technet.microsoft.com/en-us/library/cc751315.aspx

Hope this is what you were looking for ;)

Rgrds,
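
Added example, not part of the original answer: a small Python script that reads the description text of logon events, pulls out the "Logon Process" field, and counts events per user against the process list above, keeping blank and unlisted values visible. The function names, the "User Name:" / "Logon Process:" text layout, and the sample events are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Logon process names from the answer above, with its descriptions condensed.
LOGON_PROCESSES = {
    "advapi": "call to LogonUser",
    "user32": "normal Windows logon using WinLogon",
    "scmgr": "Service Control Manager started a service",
    "ksecdd": "network connection to the SMB server",
    "kerberos": "Kerberos SSP",
    "ntlmssp": "NTLM SSP",
    "seclogon": "secondary logon (RunAs)",
    "iis": "IIS performed the logon",
}

# [ \t]* instead of \s* so an empty value never swallows the following line.
FIELD_RE = re.compile(r"^[ \t]*(User Name|Logon Process):[ \t]*(.*?)[ \t]*$", re.M)

def parse_event(text):
    """Return (user name, logon process) from one event description."""
    fields = dict(FIELD_RE.findall(text))
    return fields.get("User Name", ""), fields.get("Logon Process", "")

def classify(process):
    """Map a Logon Process value to a label; blank and unlisted values stay visible."""
    if not process:
        return "(blank)"
    return LOGON_PROCESSES.get(process.lower(), "(not in list) " + process)

def summarize(events):
    """Count logon events per user, grouped by logon process label."""
    summary = defaultdict(Counter)
    for text in events:
        user, process = parse_event(text)
        summary[user][classify(process)] += 1
    return summary

# Constructed sample descriptions (assumed layout; user name "jdoe" is made up).
SAMPLE_EVENTS = [
    "Successful Logon:\n\tUser Name:\tjdoe\n\tLogon Process:\tUser32  \n",
    "Successful Network Logon:\n\tUser Name:\tjdoe\n\tLogon Process:\tKerberos\n",
    "Successful Network Logon:\n\tUser Name:\tjdoe\n\tLogon Process:\tNtLmSsp \n",
    "Successful Network Logon:\n\tUser Name:\tjdoe\n\tLogon Process:\t\n",
]

if __name__ == "__main__":
    for user, counts in summarize(SAMPLE_EVENTS).items():
        for label, n in counts.most_common():
            print(f"{user}: {n} x {label}")
```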