The Art of Reading a Windows 2000 Logon Event


Because connections in Windows 2000 are authenticated, you need to understand how to read logon events. The purpose of this section is to explain the different variables that make up a logon event.

Logon/Logoff Audit Settings

Microsoft Windows NT includes only one audit category for logon and logoff. Windows 2000 introduces a second. The two categories—Logon/Logoff and Account Logon—are explained in the following sections.

Audit account logon events (Logon/Logoff category)

This event category, available in all versions of Windows NT and Windows 2000, indicates that an account logged on or off or made a network connection to the computer. In other words, the audit event is triggered on the computer where the logon occurs. The Logon/Logoff category is important because it provides the most information when using IIS, SQL Server, and COM+.

The most significant events in the Logon/Logoff category are

  • Logon/Logoff event 529 (logon failure)
  • Logon/Logoff event 528 (logon success)
  • Logon/Logoff event 540 (network logon success)

The following sections show these events, and Table 11-3 explains each of the fields in the events.

Logon/Logoff event 529 (logon failure)

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 529
    Date: 9/3/1999
    Time: 8:57:21 PM
    User: NT AUTHORITY\SYSTEM
    Computer: CHERYL-LAPTOP
    Description:
    Logon Failure:
      Reason: Unknown user name or bad password
      User Name: Administrator
      Domain: CHERYL-LAPTOP
      Logon Type: 2
      Logon Process: seclogon
      Authentication Package: Negotiate
      Workstation Name: CHERYL-LAPTOP

Logon/Logoff event 528 (logon success) and Logon/Logoff event 540 (network logon success)

    Event Type: Success Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 540
    Date: 1/23/2000
    Time: 5:41:39 PM
    User: EXAIR\Cheryl
    Computer: CHERYL-LAPTOP
    Description:
    Successful Network Logon:
      User Name: cheryl
      Domain: EXAIR
      Logon ID: (0x0,0x17872A8)
      Logon Type: 3
      Logon Process: Kerberos
      Authentication Package: Kerberos
      Workstation Name:

Table 11-3. Success and failure logon fields.

Field: Comments

Event Type, Source, Category, and ID; Date; and Time: All self-explanatory.

User: The user account performing the logon. For example, this might be NT AUTHORITY\SYSTEM, which is the LocalSystem account used to start many Windows 2000 services.

Computer: The computer on which the event occurred.

Reason: Applies to logon failures only; it's the reason the account failed to log on.

User Name: The name of the user account attempting to log on.

Domain: The domain of the user account attempting to log on.

Logon Type: A numeric value indicating the type of logon attempted. Possible values are

  • 2 - Interactive (interactively logged on)
  • 3 - Network (accessed system via network)
  • 4 - Batch (started as a batch job)
  • 5 - Service (a Windows service started by service controller)
  • 6 - Proxy (proxy logon; not used in Windows NT or Windows 2000)
  • 7 - Unlock (unlock workstation)
  • 8 - NetworkCleartext (network logon with cleartext credentials)
  • 9 - NewCredentials (used by RunAs when the /netonly option is used)

Logon Process: The process performing the logon. The following are some example logon processes:

  • Advapi (triggered by a call to LogonUser; LogonUser calls LsaLogonUser, and one of the arguments to LsaLogonUser, OriginName, identifies the origin of the logon attempt)
  • User32 (normal Windows 2000 logon using WinLogon)
  • SCMgr (Service Control Manager started a service)
  • KsecDD (network connections to the SMB server—for example, when you use a NET USE command)
  • Kerberos (the Kerberos Security Support Provider [SSP])
  • NtlmSsp (the NTLM SSP)
  • Seclogon (Secondary Logon—that is, the RunAs command)
  • IIS (IIS performed the logon; generated when logging on the IUSR_machinename account or when using Digest or Basic authentication)

Authentication Package: The security package called to attempt to log on the account. An authentication package is a dynamic-link library (DLL) that analyzes logon data and determines whether to authenticate an account. The most common examples are

  • Kerberos
  • Negotiate
  • NTLM
  • MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 (also called MSV1_0; authenticates users in the SAM database, supports pass-through authentication to accounts in trusted domains, and supports subauthentication packages)

Workstation Name: The workstation name, if known, used by the principal during logon.

Audit account logon events (Account Logon category)

This event category indicates that an account logged on or off and that the computer was used to validate the account. In this case, the audit event is triggered on the computer where the account resides. Many Kerberos-related events, such as ticket issuing, are logged when this audit category is enabled.

The following sections show two often-seen account logon failure events.

Account Logon event 676 (logon failure): Authentication Ticket Request Failed

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Account Logon
    Event ID: 676
    Date: 5/11/2000
    Time: 8:47:01 PM
    User: NT AUTHORITY\SYSTEM
    Computer: DBSERVER
    Description:
    Authentication Ticket Request Failed:
      User Name: Major
      Supplied Realm Name: EXPLORATIONAIR.COM
      Service Name: krbtgt/EXPLORATIONAIR.COM
      Ticket Options: 0x40810010
      Failure Code: 6
      Client Address: 172.100.100.12

NOTE
What is the NT AUTHORITY\SYSTEM account? This account is usually referred to as LocalSystem; it's the account under which most services run. You'll see many references to this account in the Security Event Log.

Event 676 signifies that Major could not get an initial ticket granting ticket (TGT) from the Key Distribution Center (KDC). The most important part of the event is the failure code. These codes are the same as the MIT Kerberos codes. Table 11-4 describes some of the most common failure codes; a full list can be found in the main Kerberos Request For Comments: RFC 1510.

Table 11-4. Some common Kerberos failure codes.

Failure Code - Comments

  • 6 - Client not found in the Kerberos database.
  • 7 - Server not found in the Kerberos database. This generally indicates a service principal name (SPN) has not been registered for the service.
  • 23 - Password has expired.
  • 32 - Ticket has expired.
  • 33 - Ticket not yet valid.
  • 34 - Request is a replay. Someone is trying to play back a Kerberos client's response; you are possibly being attacked.
  • 37 - Clock skew too great. Kerberos is time-critical; make sure all clocks are synchronized.

Account Logon event 681 (logon failure) with a large number for the error code

You might sometimes see an error like the following. The problem is that the error code is virtually useless.

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Account Logon
    Event ID: 681
    Date: 5/11/2000
    Time: 8:47:01 PM
    User: NT AUTHORITY\SYSTEM
    Computer: DBSERVER
    Description:
    The logon to account: Major
    by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    from workstation: WEBSERVER
    failed. The error code was: 3221225572

Table 11-5 describes some of the more common error codes.

Table 11-5. Example Account Logon error codes.

Error Code (Decimal) (Error Code (Hex)) - Comments

  • 3221225572 (0xC0000064) - The specified user does not exist.
  • 3221225570 (0xC0000062) - The name provided is not a properly formed account name.
  • 3221225569 (0xC0000061) - A required privilege is not held by the client.
  • 3221225578 (0xC000006A) - When trying to update a password, this return status indicates that the value provided as the current password is not correct.
  • 3221225580 (0xC000006C) - When trying to update a password, this status indicates that some password update rule has been violated. For example, the password might not meet length criteria.
  • 3221225585 (0xC0000071) - The user account's password has expired.
  • 3221225586 (0xC0000072) - The referenced account is currently disabled.

If you correlate the previous two security failure events—Major's request for an initial TGT failing with error 6 (Client not found in the Kerberos database) when he attempted to log on and a generic logon failure occurring with error 3221225572 (The specified user does not exist)—it's plain to see what the error is: Major isn't a valid account!
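The following Python script is an added example, not code from the book or from Microsoft. It parses the exported Security Event Log text shown in this chapter into fields, decodes the Logon Type values of Table 11-3 and the failure codes of Tables 11-4 and 11-5 (converting the unsigned decimal of event 681 to its NTSTATUS hex form), and then performs the 676/681 correlation just described: pairing a Kerberos ticket-request failure with an MSV1_0 logon failure for the same account within a short time window. The field labels, the five-minute window, and the function names are assumptions; the embedded sample events are the four printed on this page.

```python
"""Added example (not the book's code): parse exported Security Event Log text,
decode Table 11-3/11-4/11-5 values, and correlate Account Logon events 676 and 681.
Assumes the field labels of the exported text shown in this chapter."""
import re
from datetime import datetime, timedelta

# Field labels seen in the event text; longest first so "User Name" beats "User".
FIELD_LABELS = sorted([
    "Event Type", "Event Source", "Event Category", "Event ID", "Date", "Time",
    "User", "Computer", "Description", "Reason", "User Name", "Domain", "Logon ID",
    "Logon Type", "Logon Process", "Authentication Package", "Workstation Name",
    "Supplied Realm Name", "Service Name", "Ticket Options", "Failure Code",
    "Client Address"], key=len, reverse=True)
_LABEL_RE = re.compile(r"(?<![\w/])(" + "|".join(map(re.escape, FIELD_LABELS)) + r"):\s*")
# Event 681 packs account, package, workstation and code into the description text.
_EVENT_681_RE = re.compile(r"The logon to account:\s*(?P<account>\S+)\s+by:\s*(?P<package>\S+)"
                           r"\s+from workstation:\s*(?P<workstation>\S+)\s+failed\.\s*"
                           r"The error code was:\s*(?P<code>\d+)")

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 6: "Proxy",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials"}
KERBEROS_FAILURE_CODES = {6: "Client not found in the Kerberos database",
                          7: "Server not found in the Kerberos database",
                          23: "Password has expired", 32: "Ticket has expired",
                          33: "Ticket not yet valid", 34: "Request is a replay",
                          37: "Clock skew too great"}
NTSTATUS_CODES = {0xC0000064: "The specified user does not exist",
                  0xC0000062: "The name provided is not a properly formed account name",
                  0xC0000061: "A required privilege is not held by the client",
                  0xC000006A: "Current password is not correct",
                  0xC000006C: "Password update rule violated",
                  0xC0000071: "The user account's password has expired",
                  0xC0000072: "The referenced account is currently disabled"}


def parse_event(text):
    """Split flattened or multi-line event text into a {label: value} dict."""
    parts = _LABEL_RE.split(text.strip())   # [prefix, label, value, label, value, ...]
    return {label: value.strip().rstrip(":").strip()
            for label, value in zip(parts[1::2], parts[2::2])}


def logon_type_name(fields):
    """Decode the numeric Logon Type field of a Logon/Logoff event (Table 11-3)."""
    return LOGON_TYPES.get(int(fields["Logon Type"]), "unknown")


def ntstatus_hex(decimal_code):
    """Event 681 prints the NTSTATUS as an unsigned decimal; show it as hex."""
    return "0x%08X" % int(decimal_code)


def event_time(fields):
    return datetime.strptime(fields["Date"] + " " + fields["Time"], "%m/%d/%Y %I:%M:%S %p")


def correlate_account_logon_failures(events, window=timedelta(minutes=5)):
    """Pair each 676 (TGT request failed) with 681 events for the same account
    logged within `window`, explain both codes, and give a combined verdict."""
    parsed = [parse_event(e) for e in events]
    findings = []
    for k in (f for f in parsed if f.get("Event ID") == "676"):
        kcode = int(k["Failure Code"])
        for n in (f for f in parsed if f.get("Event ID") == "681"):
            m = _EVENT_681_RE.search(n.get("Description", ""))
            if not m or m["account"].lower() != k["User Name"].lower():
                continue
            if abs(event_time(k) - event_time(n)) > window:
                continue
            ncode = int(m["code"])
            findings.append({
                "account": k["User Name"],
                "client_address": k.get("Client Address"),
                "workstation": m["workstation"],
                "kerberos": (kcode, KERBEROS_FAILURE_CODES.get(kcode, "unknown")),
                "ntstatus": (ntstatus_hex(ncode), NTSTATUS_CODES.get(ncode, "unknown")),
                "verdict": ("account does not exist" if kcode == 6 and ncode == 0xC0000064
                            else "inspect both codes")})
    return findings


# Sample input: the four events printed on this page, in exported text form.
EVENT_529 = r"""Event Type: Failure Audit Event Source: Security Event Category: Logon/Logoff
Event ID: 529 Date: 9/3/1999 Time: 8:57:21 PM User: NT AUTHORITY\SYSTEM Computer: CHERYL-LAPTOP
Description: Logon Failure: Reason: Unknown user name or bad password User Name: Administrator
Domain: CHERYL-LAPTOP Logon Type: 2 Logon Process: seclogon Authentication Package: Negotiate
Workstation Name: CHERYL-LAPTOP"""
EVENT_540 = r"""Event Type: Success Audit Event Source: Security Event Category: Logon/Logoff
Event ID: 540 Date: 1/23/2000 Time: 5:41:39 PM User: EXAIR\Cheryl Computer: CHERYL-LAPTOP
Description: Successful Network Logon: User Name: cheryl Domain: EXAIR Logon ID: (0x0,0x17872A8)
Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name:"""
EVENT_676 = r"""Event Type: Failure Audit Event Source: Security Event Category: Account Logon
Event ID: 676 Date: 5/11/2000 Time: 8:47:01 PM User: NT AUTHORITY\SYSTEM Computer: DBSERVER
Description: Authentication Ticket Request Failed: User Name: Major Supplied Realm Name: EXPLORATIONAIR.COM
Service Name: krbtgt/EXPLORATIONAIR.COM Ticket Options: 0x40810010 Failure Code: 6 Client Address: 172.100.100.12"""
EVENT_681 = r"""Event Type: Failure Audit Event Source: Security Event Category: Account Logon
Event ID: 681 Date: 5/11/2000 Time: 8:47:01 PM User: NT AUTHORITY\SYSTEM Computer: DBSERVER
Description: The logon to account: Major by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: WEBSERVER failed. The error code was: 3221225572"""

if __name__ == "__main__":
    for e in (EVENT_529, EVENT_540):
        f = parse_event(e)
        print(f["Event ID"], f["User Name"], logon_type_name(f), f["Logon Process"])
    for finding in correlate_account_logon_failures([EVENT_529, EVENT_540, EVENT_676, EVENT_681]):
        print(finding)
```

Run against the four page events, the script reports event 529 as an Interactive logon through seclogon and event 540 as a Network logon through Kerberos, and the correlation returns one finding for Major: Kerberos code 6 paired with 0xC0000064, verdict "account does not exist". Real logs would be read from the exported Security Event Log rather than string literals, and the pairing window should be tuned to how closely a client's Kerberos and NTLM fallback attempts normally follow each other.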

Now let's look at the next most important log type: the IIS log.

Designing Secure Web-Based Applications for Microsoft Windows 2000 with CDROM
Year: 1999
Pages: 138