How to do Logon Session Auditing with the Windows Security Log

Webinar Registration

How do you figure out when someone was actually logged onto their PC? The data is there in the security log but it’s so much harder than you’d think.

First of all, while I said it’s in the security log, I didn’t say which one. The bad news is that the actual events denoting the beginning and end of a logon session are not in the domain controller log. Domain controllers know when you logon but they don’t know when you logoff. This is because domain controllers just handle initial authentication to the domain and subsequent authentications to each computer on the network. These are reflected as Kerberos events for Ticket-Granting Tickets and Service Tickets respectively. But domain controllers are not contacted and have no knowledge when you logoff, lock your console, sleep or hibernate, or when your screen saver kicks in.

Logon session auditing isn’t just a curious technical challenge. At every tradeshow and conference I go to, people come to me with various security and compliance requirements where they need this capability. In fact, one of the cases where I’ve been consulted as an expert witness centered around the interpretation of logon events for session auditing.

In this webinar, I will show you 2 ways to track logon sessions:

  1. With workstation logs:
    • This method is less tricky in terms of analysis, but very heavy in terms of log collection since we’re talking about the most numerous class of systems on your network – not to mention the fact that workstations are up and down and in and out of your network constantly.
  2. With domain controller logs:
    • This requires much more sophisticated analysis capabilities but is much lighter in terms of log management, since we are talking about just your domain controllers at a minimum and any additional servers as bonus.

Logon Session Auditing with Workstation Logs

I’ll show how you need to enable 3 audit subcategories:

  • Logon
  • Logoff
  • Other Logon/Logoff

And then how to analyze logon/logoff, RDP session connection/disconnection/reconnection and lock/unlock events.

Logon Session Auditing with Domain Controller Logs

In this case, we’ll rely primarily on Account Logon events from just your domain controllers and the key events will be:

  • 4768 - A Kerberos authentication ticket (TGT) was requested
  • 4769 - A Kerberos service ticket was requested
  • 4770 - A Kerberos service ticket was renewed

Using these events requires a basic understanding of Kerberos and a deeper understanding of how Windows interacts with domain controllers via Kerberos when you login first thing in the morning or unlock your workstation after returning to it from lunch.

Moreover, we’ll discuss how to correlate these events, because that’s what it’s all about when it comes to figuring out logon sessions. It is by no means a cakewalk. Matching these events is like sequencing DNA but the information is there and I’ll show you how to tease it out.

And that’s where our sponsor, Exabeam comes in, who are experts in UEBA (user entity behavior analysis). Exabeam will show how they figure out logon session by correlating these events and others using some complex correlation capabilities and a deep understanding of Windows logon and authentication.

Don’t miss this educational and technical session. Please register now!

First Name:   
Last Name:   
Work Email:  
Job Title:  
Zip/Postal Code:  
Company Size:

Your information will be shared with the sponsor.



Additional Resources