
Windows Security and Kerberos Question

Posted on 2009-07-02
Last Modified: 2013-12-04
Hello,

I'm reviewing the authentication logs on our network. Would it be safe to assume, if Kerberos is listed as the protocol used, that the user was physically sitting at their desk when logging in? I notice in some of the log entries Kerberos isn't listed, it's just blank. I'm trying to get a better understanding of the logon/logoff events, i.e. event IDs 528 and 540.

If you go to your event log, you'll see that it is normal to have 50 to 100 logon/logoff events in one day's time easily. However, I know these are not all on the user; some of these events are a result of the network. How does one tell an actual user from a system/network event?
Question by:itsmevic

Accepted Solution

by:
Chris_Gralike earned 500 total points
Logon processes:

Advapi
Triggered by a call to LogonUser; LogonUser calls LsaLogonUser, and one of the arguments to LsaLogonUser, OriginName, identifies the origin of the logon attempt

User32
Normal Windows 2000 logon using WinLogon, usually also logged with Windows Update reboots.

SCMgr
Service Control Manager started a service

KsecDD
Network connections to the SMB server, for example, when you use a NET USE command

Kerberos
The Kerberos Security Support Provider [SSP] can be utilized by applications to access remote or local resources using the session provided KDC keys.

NtlmSsp
The NTLM SSP (NT LanManager Security Support Provider), used for instance with NTLM web / CIFS authentication. http://en.wikipedia.org/wiki/NTLMSSP

Seclogon
Secondary Logon, that is, the RunAs command

IIS
IIS performed the logon; generated when logging on the IUSR_machinename account or when using Digest or Basic authentication

Additional reading
I think this resource is a bit outdated, but based on this one you might be able to find a newer one ;-)

http://technet.microsoft.com/en-us/library/cc751315.aspx

Hope this is what you were looking for ;)

Rgrds,
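
One way to apply the logon-process list above when triaging 528/540 events, as an added example that is not part of the original answer. The pipe-delimited record layout, the sample records, the logon-type fallback (2 interactive, 3 network, 5 service) for blank process fields, and the treatment of account names ending in `$` as computer accounts are assumptions of this example.

```python
from collections import Counter

# Logon process -> origin, following the list in the answer above.
PROCESS_ORIGIN = {
    "user32": "interactive",   # WinLogon at the console
    "advapi": "api",           # a program called LogonUser
    "scmgr": "service",        # Service Control Manager
    "ksecdd": "network",       # SMB connections such as NET USE
    "kerberos": "network",     # Kerberos SSP
    "ntlmssp": "network",      # NTLM SSP
    "seclogon": "secondary",   # RunAs
    "iis": "web",              # IIS performed the logon
}
# Assumption: fall back to the Logon Type field when the process is blank.
LOGON_TYPE = {2: "interactive", 3: "network", 5: "service"}

# Constructed sample records: event id | user | logon type | logon process
SAMPLE = """\
528|jdoe|2|User32
540|jdoe|3|Kerberos
540|jdoe|3|NtLmSsp
540|WS042$|3|Kerberos
528|svc_backup|5|SCMgr
528|jdoe|2|Seclogon
540|jdoe|3|
"""

def parse(line):
    """Split one exported record into its four fields."""
    event_id, user, logon_type, process = line.split("|")
    return {"event_id": int(event_id), "user": user,
            "logon_type": int(logon_type), "process": process.strip()}

def classify(rec):
    """Label a logon by origin: computer account, process, then logon type."""
    if rec["user"].endswith("$"):   # computer accounts end in '$'
        return "machine"
    origin = PROCESS_ORIGIN.get(rec["process"].lower())
    return origin or LOGON_TYPE.get(rec["logon_type"], "unknown")

def summarize(text):
    """Count logons per (user, origin) pair."""
    records = (parse(l) for l in text.splitlines() if l.strip())
    return Counter((r["user"], classify(r)) for r in records)

if __name__ == "__main__":
    for (user, origin), n in sorted(summarize(SAMPLE).items()):
        print(f"{user:12} {origin:12} {n}")
```

In the sample, only the User32 record counts as a console logon for jdoe; the Kerberos and NtLmSsp entries are network logons made on the user's behalf.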