CHAPTER 3Auditing Subcategories and Recommendations
Advanced Auditing Policies functionality was introduced in Windows Vista/Windows Server 2008 and at the time this book was written contains 59 subcategories.
In this chapter you will find descriptions for each Advanced Auditing subcategory and recommended settings for domain controllers, member servers, and workstations.
Account Logon
This category contains subcategories for the LAN Manager family of protocols (LM, NTLM, NTLMv2) and Kerberos protocol auditing.
Audit Credential Validation
The following event is reported by this subcategory:
ID | NAME | SUCCESS | FAILURE | DESCRIPTION |
4776 | The computer attempted to validate the credentials for an account | Yes | Yes | Host performed validation of account's credentials, which were received by Lan Manager family protocol. |
This subcategory contains successful and failed Lan Manager family protocol credential validation events. Lan Manager family protocols include LM, NTLM, and NTLMv2 protocols. Events from this subcategory occur only on the host that stores the account's credentials.
There are two main scenarios for NTLM credentials validation: local account authentication and domain account authentication.
Domain computer accounts and user accounts both can be authenticated using the NTLM authentication protocol. Credential validation for domain accounts always occurs on a domain controller. ...
Get Windows Security Monitoring now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.