OVERVIEW: Audit Account Logon Events

Microsoft should have named the Audit account logon events policy Audit authentication events. On DCs, the policy tracks all attempts to log on with a domain user account, regardless of where the attempt originates. If you enable this policy on a workstation or member server, it will record any attempts to log on by using a local account stored in that computer’s SAM.

The following is an excerpt from my book, The Windows Server Security Log Revealed:

Microsoft should have named this category Authentication instead of Account Logon to reduce confusion between it and the Logon/Logoff category. On DCs, these events allow you to track all attempts to log on with a domain user account, regardless of where the attempt originates. On a workstation or member server, these events document any attempts to log on by using a local account stored in that computer’s SAM.

For a list of Event IDs generated by this category, see the Security Log Encyclopedia.

Bottom Line

  • Windows XP, 2000 and 2003: I recommend enabling this policy for success and failure on all computers including workstations.
  • Windows Server 2008 and Vista: I don't recommend managing audit policy at this level because too much noise is generated. Use subcategories instead. See Audit Category: Account Logon (Windows Server 2008 and Vista).
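An added example (not from the article or the book) for checking where a given machine stands against the recommendation above: it reads the effective Account Logon settings with auditpol and reports, per subcategory, whether success and failure are both audited. It assumes Windows Vista / Server 2008 or later (where subcategories exist), an elevated prompt, and the "Inclusion Setting" column name of auditpol's CSV output; the success-and-failure check is the article's category-level recommendation applied to each subcategory, so adjust it to your own baseline.

```powershell
# Added example, not part of the original article. Requires auditpol.exe
# (Vista / Server 2008 or later) and an elevated PowerShell session.

function Get-AccountLogonAuditPolicy {
    # /r makes auditpol emit CSV; the columns include Subcategory and
    # "Inclusion Setting" (assumed column name), e.g. "Success and Failure".
    $csv = auditpol /get /category:"Account Logon" /r
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol failed with exit code $LASTEXITCODE (run elevated?)"
    }

    # Some builds print a leading blank line; drop empty lines before parsing.
    $rows = ($csv | Where-Object { $_ -and $_.Trim() }) | ConvertFrom-Csv

    foreach ($row in $rows) {
        $setting = $row.'Inclusion Setting'
        $success = $setting -match 'Success'
        $failure = $setting -match 'Failure'
        [pscustomobject]@{
            Subcategory      = $row.Subcategory
            InclusionSetting = $setting
            AuditsSuccess    = $success
            AuditsFailure    = $failure
            # Baseline assumed here: both success and failure audited.
            MeetsBaseline    = $success -and $failure
        }
    }
}

$policy = Get-AccountLogonAuditPolicy
$policy | Format-Table Subcategory, InclusionSetting, MeetsBaseline -AutoSize

# Call out the subcategories that would leave authentication gaps in the log.
$gaps = $policy | Where-Object { -not $_.MeetsBaseline }
if ($gaps) {
    $names = ($gaps | ForEach-Object { $_.Subcategory }) -join ', '
    Write-Warning "Account Logon subcategories below baseline: $names"
}
```

Run it on a domain controller to see domain-account authentication auditing, and on a workstation or member server to see the settings that govern local SAM account logons.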
