Windows Security Log Event ID 514

514: An authentication package has been loaded by the Local Security Authority

On this page

• Description of this event
• Field level details
• Examples
• Mini-seminars on this event

Event 514 is logged once at startup for each authentication package on the system.

An authentication package is a DLL that encapsulates a given form of authentication, such as NTLM or Kerberos. The Local Security Authority calls into the appropriate authentication package during the logon process to find out if the user is authentic.

Although a third party can develop an authentication package, few do so. The standard packages that come with Windows Server 2003 are as follows: 

• Microsoft Authentication Package V1_0
• Wdigest
• Microsoft Unified Security Protocol Provider
• Schannel
• NTLM
• Kerberos
• Negotiate

The security implication of event 514, realistically, is low. Although a rogue package could cause great harm by stealing credentials at the time of logon, the effort required in developing and installing a rogue authentication package is significant.

Free Security Log Resources by Randy

• Free Security Log Quick Reference Chart
• Windows Event Collection: Supercharger Free Edtion
• Free Active Directory Change Auditing Solution
• Free Course: Security Log Secrets

Description Fields in 514

• Authentication Package Name: The full path of the dll and the package name

Supercharger Free Edition

Your entire Windows Event Collection environment on a single pane of glass.

Free.

 

 

Upcoming Webinars Unpacking a Linux Supply Chain Compromise Using the Recently Published XZ Utils Backdoor as the Example Assessing the Security of Your Active Directory: User Accounts Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

•	Event IDs
•	All Event IDs
•	Audit Policy