April 2018
648 pages
User and computer account logon information is one of the most common sources of information about who accessed a specific host, when, and how. In this chapter you will find information about how the Windows authentication subsystem works and how to monitor different account logon scenarios.
Microsoft Windows operating systems have thirteen default logon types. One logon type is assigned to each logon request, and the operating system handles each type differently. Table 4-1 contains all Windows logon types and their descriptions.
Table 4-1: Windows Logon Types
| CONSTANT | NAME | DESCRIPTION |
| --- | --- | --- |
| 0 | System | Local System account logon. (See the “Interactive Logon” section in this chapter.) |
| 2 | Interactive | Regular local logon where the account logs on using an interactive logon method. (See the “Interactive Logon” section in this chapter.) |
| 3 | Network | Network logon from another computer. (See the “Network Logon” section in this chapter.) |
| 4 | Batch | Batch job logon. Commonly used by Windows scheduled tasks. (See the “Batch and Service Logon” section in this chapter.) |
| 5 | Service | Used by Windows services. (See the “Batch and Service Logon” section in this chapter.) |
| 6 | Proxy | Proxy logon. |
| 7 | Unlock | A specific logon type for operating system Interactive or RemoteInteractive session unlock operations. (See the “Interactive and RemoteInteractive Session Lock Operation and Unlock Logon Type” section in this chapter.) |
| 8 | NetworkCleartext | Similar to ... |