CHAPTER 4 Account Logon
User and computer account logon information is one of the most common sources of information about who accessed a specific host, when, and how. This chapter explains how the Windows authentication subsystem works and how to monitor different account logon scenarios.
Microsoft Windows operating systems have thirteen default logon types. One logon type is assigned to each logon request and each type is handled differently by the operating system. Table 4-1 contains all Windows logon types and their descriptions.
Table 4-1: Windows Logon Types
| CONSTANT | NAME | DESCRIPTION |
|---|---|---|
| 0 | System | Local System account logon. (See the “Interactive Logon” section in this chapter.) |
| 2 | Interactive | Regular local logon where the account logs on using an interactive logon method. (See the “Interactive Logon” section in this chapter.) |
| 3 | Network | Network logon from another computer. (See the “Network Logon” section in this chapter.) |
| 4 | Batch | Batch job logon. Commonly used by Windows scheduled tasks. (See the “Batch and Service Logon” section in this chapter.) |
| 5 | Service | Used by Windows services. (See the “Batch and Service Logon” section in this chapter.) |
| 6 | Proxy | Proxy logon. |
| 7 | Unlock | A specific logon type for operating system Interactive or RemoteInteractive session unlock operations. (See the “Interactive and RemoteInteractive Session Lock Operation and Unlock Logon Type” section in this chapter.) |
| 8 | NetworkCleartext | Similar to ... |