Security Basics mailing list archives

RE: Windows 2000 Audit Question


From: "Tiago Halm" <thalm () netcabo pt>
Date: Tue, 5 Aug 2003 03:09:13 +0100

After reading this MSDN statement:

.....
Audit logon events

Determines whether to audit each instance of a user logging on, logging off,
or making a network connection to this computer.
If you are auditing successful Audit account logon events on a domain
controller, then workstation logons do not generate logon audits. Only
interactive and network logons to the domain controller itself generate
logon events. In short, "account logon events" are generated where the
account lives. "Logon events" are generated where the logon occurs.
......

Seems that if it is a domain account, then "account logon events" are
generated in the domain controller and "logon events" are generated in the
workstation where the logon occurred.
If the account is local, and the logon occurs in that same machine, both
events are generated in that same machine.
Accessing a shared folder also implies a logon (authentication) which means
that the generation of events follows the same rule described in the MSDN
statement above.

Hope it helps,
Tiago Halm

-----Original Message-----
From: McGill, Lachlan [mailto:mcgilll1 () anz com] 
Sent: Monday, 4 August 2003 23:26
To: Michael Ungar; security-basics () securityfocus com
Subject: RE: Windows 2000 Audit Question


I'm fairly sure that 1 applies to domain logons and 2 applies to any other
connection that requires authentication, e.g. accessing a shared folder.

-----Original Message-----
From: Michael Ungar [mailto:m_ungar () yahoo com]
Sent: Sunday, 3 August 2003 3:42 PM
To: security-basics () securityfocus com
Subject: Windows 2000 Audit Question


Windows 2000 has 2 Audit Policy Settings:

1 - Audit account logon events &
2 - Audit logon events

I'm not totally clear on the difference. I know the
first one is used as a central repository for auditing
logons (e.g., domain account logons to multiple
servers can get recorded to the central domain
controller log file), but not sure as to second. Does
the second setting record successes / failures of
local authentication attempts?

Thanks...Mike Ungar
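
Added example, not part of the original thread: a Python sketch of the rule discussed above ("account logon events" where the account lives, "logon events" where the logon occurs), run over constructed records to show where each category lands and which logons have no matching account logon event on the validating host. The host names, the CORP domain and the DC inventory are constructed; the event IDs are the Windows 2000 Security log IDs for each category and are not quoted in the thread. Time correlation is left out.

```python
# Windows 2000 Security log event IDs (success events), by audit policy.
ACCOUNT_LOGON = {672, 673, 680}   # "Audit account logon events"
LOGON = {528, 540}                # "Audit logon events"

# Constructed records: (host that wrote the event, event ID, account domain, user)
EVENTS = [
    ("DC01", 672, "CORP", "alice"),  # Kerberos ticket granted by the DC
    ("WS07", 528, "CORP", "alice"),  # interactive logon at the workstation
    ("FS02", 540, "CORP", "alice"),  # network logon (shared folder access)
    ("WS09", 680, "WS09", "admin"),  # local account validated by WS09 itself
    ("WS09", 528, "WS09", "admin"),  # and logged on at WS09
    ("WS11", 528, "CORP", "bob"),    # logon with no account logon event collected
]
DOMAIN_CONTROLLERS = {"CORP": {"DC01"}}  # assumed inventory

def authority_hosts(account_domain):
    """Hosts where the account lives: the domain's DCs, or the machine
    itself when the 'domain' is a local machine name."""
    return DOMAIN_CONTROLLERS.get(account_domain, {account_domain})

def where_recorded(events, domain, user):
    """Map each audit category to the set of hosts that logged it."""
    out = {"account logon": set(), "logon": set()}
    for host, eid, dom, usr in events:
        if (dom, usr) != (domain, user):
            continue
        if eid in ACCOUNT_LOGON:
            out["account logon"].add(host)
        elif eid in LOGON:
            out["logon"].add(host)
    return out

def unmatched_logons(events):
    """Logon events whose account has no account logon event on the host
    that should have validated it (policy off there, or log not collected)."""
    validated = {(dom, usr) for host, eid, dom, usr in events
                 if eid in ACCOUNT_LOGON and host in authority_hosts(dom)}
    return [(host, dom, usr) for host, eid, dom, usr in events
            if eid in LOGON and (dom, usr) not in validated]

if __name__ == "__main__":
    print(where_recorded(EVENTS, "CORP", "alice"))
    print(where_recorded(EVENTS, "WS09", "admin"))
    print(unmatched_logons(EVENTS))
```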
