The logon/logoff category of the Windows security log gives you the ability to monitor all attempts to access the local computer. In this article I’ll examine each logon type in greater detail and show you how some other fields in Logon/Logoff events can be helpful for understanding the nature of a given logon attempt.
Active Directory is one of the most important areas of Windows that should be monitored for intrusion prevention and the auditing required by legislation like HIPAA and Sarbanes-Oxley. I say that because Active Directory is home to objects most associated with user access: user accounts, groups, organizational units and group policy objects. This article deals with monitoring users and groups using the Windows Security Log.
On Windows 2000 and Windows Server 2003 you can track all the logon activity within your domain by going no futher than your domain controller security logs. But you must interpret Kerberos events correctly in order to to identify suspicious activity. This article explains how Kerberos works in the Windows environment and how to understand the cryptic codes your find in the security log.
Beginning with Windows 2000, Microsoft introduced a new audit policy called “Audit account logon events” which solved one of the biggest shortcomings with the Windows security log. Until this new category it was impossible to track logon activity for domain accounts using your domain controllers’ security logs. This article will explain how to decipher authentication event on your domain controllers.