[Windows Security Log] LogonType value reference

LogonType breakdown

The Logon/Logoff category of the Windows security log lets you monitor every attempt to access the local computer. In this article I examine each logon type in more detail and show how other fields in Logon/Logoff events help you understand the nature of a given logon attempt.

Event IDs 528 and 540 indicate a successful logon, event ID 538 indicates a logoff, and all other events in this category identify different reasons for a logon failure. However, merely knowing that a logon attempt succeeded or failed does not tell the whole story. Because of all the services Windows offers, you can log on to a computer in many different ways: interactively at the computer's local keyboard and screen, over the network through a drive mapping, through Terminal Services (also known as Remote Desktop), or through IIS. Fortunately, Logon/Logoff events specify a Logon Type code that shows which kind of logon prompted the event.

Logon Type 2: Interactive

This is the first thing that comes to mind when you think of logging on: a logon at the computer's console. You see a type 2 logon when a user attempts to log on using the local keyboard and screen, whether with a domain account or a local account from the computer's local SAM. To tell whether a local or a domain account was used, look for the domain or computer name preceding the user name in the event description. Don't forget that, from Windows' point of view, logons through a KVM-over-IP component or a server's proprietary "lights-out" remote KVM feature are still interactive logons and are logged as such.

Logon Type 3: Network

In most cases, Windows logs logon type 3 when you access a computer from elsewhere on the network. One of the most common sources of logon events with logon type 3 is connections to shared folders or printers. But other over-the-network logons are also classed as type 3, as are most logons to IIS. (The exception for Basic authentication is explained under logon type 8 below.)

Logon Type 4: Batch

When Windows runs a scheduled task, the Scheduled Task service first creates a new logon session for the task so that it can run under the authority of the user account specified when the task was created. Windows logs that logon attempt as logon type 4. Other job-scheduling systems, depending on their design, may also generate logon type 4 events when starting jobs. Type 4 events are usually just innocent scheduled task start-ups, but a malicious user could try to subvert security by guessing an account's password through scheduled tasks, and such attempts generate logon failure events with logon type 4. However, logon failures associated with scheduled tasks can also result from an administrator entering the wrong account password when creating the task, or from an account's password being changed without the scheduled task being updated to use the new one.

Logon Type 5: Service

Like scheduled tasks, each service is configured to run as a specified user account. When a service starts, Windows first creates a logon session for that account, which produces a Logon/Logoff event with logon type 5. A failed logon with type 5 usually means the account's password was changed without the service being updated, but it is always possible that a malicious user is at work. That is less likely, though, because creating a new service or editing an existing one requires, by default, membership in Administrators or Server Operators, and a user with that access, if malicious, probably already has enough authority to reach their goal.

Logon Type 7: Unlock

Hopefully the workstations on your network automatically start a password-protected screen saver when a user walks away, so that unattended workstations are protected from malicious use. When the user returns and unlocks the console, Windows treats it as a logon and records the corresponding Logon/Logoff event, but in this case the logon type is 7, identifying the event as a workstation unlock attempt. A failed logon with type 7 indicates either a user typing the wrong password or a malicious user trying to unlock the computer by guessing the password.

Logon Type 8: NetworkCleartext

This logon type indicates a network logon like type 3, but one where the password was sent over the network in clear text. Windows Server does not allow connections to shared files or printers with clear-text authentication. The only cases I know of are logons from an ASP script using ADVAPI, or a user logging on to IIS with IIS Basic authentication. In both cases the logon process in the event description is listed as advapi. Basic authentication is only dangerous when it is not wrapped in an SSL session (i.e. https). As for logons generated by ASP scripts, remember that embedding passwords in source code is bad practice from a maintenance standpoint and also carries the risk that a malicious user views the source code and obtains the password.

Logon Type 9: NewCredentials

If you use the RunAs command to start a program under another user account and specify the /netonly switch, Windows records a Logon/Logoff event with logon type 9. When you start a program with RunAs /netonly, the program runs on the local computer as the currently logged-on user, but for connections to other computers on the network Windows connects you using the account specified on the RunAs command. Without /netonly, Windows runs the program as the specified user both locally and on the network, and records the logon event with logon type 2.

Logon Type 10: RemoteInteractive

When you access a computer through Terminal Services, Remote Desktop or Remote Assistance, Windows logs the logon attempt with logon type 10, which makes it easy to distinguish true console logons from Remote Desktop sessions. Note, however, that Windows 2000, prior to XP, does not use logon type 10 and reports Terminal Services logons as logon type 2.

Logon Type 11: CachedInteractive

Windows supports a feature called cached logons for the convenience of mobile users. When you are not connected to your organization's network and try to log on to your laptop with a domain account, the laptop has no domain controller available to verify your identity. To solve this, Windows caches a hash of the credentials of the last 10 interactive domain logons. Later, when no domain controller is available and you try to log on with a domain account, Windows uses those hashes to verify your identity.

Conclusion

I hope this discussion of logon types and their meanings helps you keep watch on your Windows network and piece together the different ways users access your computers. Paying attention to the logon type matters because different logon types change how you interpret a logon event from a security perspective. For example, a failed network logon on a server may not be surprising, since users must always reach servers over the network. But a failed network logon attempt in a workstation's security log is different: why is anyone trying to reach someone else's workstation over the network? As you can see, it pays to understand the security log.

LogonType codes revealed

The log-on/log-off category of the Windows security log gives you the ability to monitor all attempts to access the local computer. In this article I’ll examine each log-on type in greater detail and show you how some other fields in Logon/Logoff events can be helpful for understanding the nature of a given log-on attempt.

Event IDs 528 and 540 signify a successful log-on, event ID 538 a log-off and all the other events in this category identify different reasons for a log-on failure. However, just knowing about a successful or failed log-on attempt doesn’t fill in the whole picture. Because of all the services Windows offers, there are many different ways you can log on to a computer, such as interactively at the computer’s local keyboard and screen, over the network through a drive mapping or through terminal services (aka remote desktop) or through IIS. Thankfully, log-on/log-off events specify the Logon Type code, which reveals the type of log-on that prompted the event.

Log-on Type 2: Interactive

This is what occurs to you first when you think of log-ons, that is, a log-on at the console of a computer. You’ll see these types of log-ons when a user attempts to log on at the local keyboard and screen whether with a domain account or a local account from the computer’s local SAM.

To tell the difference between an attempt to log on with a local or domain account, look for the domain or computer name preceding the user name in the event’s description. Don’t forget that log-ons through a KVM over IP component or a server’s proprietary “lights-out” remote KVM feature are still interactive log-ons from the standpoint of Windows and will be logged as such.

Log-on Type 3: Network

Windows logs log-on type 3 in most cases when you access a computer from elsewhere on the network. One of the most common sources of log-on events with log-on type 3 is connections to shared folders or printers. But other over-the-network log-ons are classed as log-on type 3 as well such as most log-ons to IIS. (The exception is basic authentication which is explained in Log-on Type 8 below.)

Log-on Type 4: Batch

When Windows executes a scheduled task, the Scheduled Task service first creates a new log-on session for the task so that it can run under the authority of the user account specified when the task was created. When this log-on attempt occurs, Windows logs it as log-on type 4. Other job scheduling systems, depending on their design, may also generate logon events with log-on type 4 when starting jobs.

Log-on type 4 events are usually just innocent scheduled tasks start-ups, but a malicious user could try to subvert security by trying to guess the password of an account through scheduled tasks. Such attempts would generate a log-on failure event where log-on type is 4. But log-on failures associated with scheduled tasks can also result from an administrator entering the wrong password for the account at the time of task creation or from the password of an account being changed without modifying the scheduled task to use the new password.

Log-on Type 5: Service

Similar to Scheduled Tasks, each service is configured to run as a specified user account. When a service starts, Windows first creates a log-on session for the specified user account, which results in a Logon/Logoff event with log-on type 5. Failed log-on events with log-on type 5 usually indicate the password of an account has been changed without updating the service, but there’s always the possibility of malicious users at work too. However, this is less likely because creating a new service or editing an existing service by default requires membership in Administrators or Server Operators, and such a user, if malicious, will likely already have enough authority to perpetrate his desired goal.

Log-on Type 7: Unlock

Hopefully, the workstations on your network automatically start a password-protected screen saver when a user leaves his or her computer so that unattended workstations are protected from malicious use. When a user returns to the workstation and unlocks the console, Windows treats this as a log-on and logs the appropriate Logon/Logoff event. But in this case the log-on type will be 7 – identifying the event as a workstation unlock attempt. Failed log-ons with log-on type 7 indicate either a user entering the wrong password or a malicious user trying to unlock the computer by guessing the password.

Log-on Type 8: NetworkCleartext

This log-on type indicates a network log-on like log-on type 3 but where the password was sent over the network in clear text. Windows Server doesn’t allow connections to shared files or printers with clear text authentication. The only situations I’m aware of are log-ons from within an ASP script using the ADVAPI or when a user logs on to IIS using IIS’s basic authentication mode. In both cases, the log-on process in the event’s description will list advapi. Basic authentication is only dangerous if it isn’t wrapped inside an SSL session (i.e. https). As far as log-ons generated by an ASP script, remember that embedding passwords in source code is a bad practice for maintenance purposes as well as the risk that someone malicious will view the source code and thereby gain the password.

Log-on Type 9: NewCredentials

If you use the RunAs command to start a program under a different user account and specify the /netonly switch, Windows records a Logon/Logoff event with log-on type 9. When you start a program with RunAs using /netonly, the program executes on your local computer as the user you are currently logged on as, but for any connections to other computers on the network, Windows connects you to those computers using the account specified on the RunAs command. Without /netonly Windows runs the program on the local computer and on the network as the specified user and records the log-on event with log-on type 2.

Log-on Type 10: RemoteInteractive

When you access a computer through Terminal Services, Remote Desktop or Remote Assistance, Windows logs the log-on attempt with log-on type 10 which makes it easy to distinguish true console log-ons from a remote desktop session. Note, however, that prior to XP, Windows 2000 doesn’t use log-on type 10 and terminal services log-ons are reported as log-on type 2.

Log-on Type 11: CachedInteractive

Windows supports a feature called Cached Logons, which facilitates mobile users. When you are not connected to your organization’s network and attempt to log on to your laptop with a domain account, there’s no domain controller available to the laptop with which to verify your identity. To solve this problem, Windows caches a hash of the credentials of the last 10 interactive domain logons. Later, when no domain controller is available, Windows uses these hashes to verify your identity when you attempt to log on with a domain account.

Conclusion

I hope this discussion of log-on types and their meanings helps you as you keep watch on your Windows network and try to piece together the different ways users are accessing your computers. Paying attention to log-on type is important because different log-on types can affect how you interpret log-on events from a security perspective.

For instance, a failed network log-on on a server might not be surprising since users must access servers over the network all the time. But a failed network log-on attempt in a workstation security log is different. Why is anyone trying to access someone else’s workstation from over the network? As you can see, it pays to understand the security log.
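As an added example (not part of the original article), a small Python triage routine that applies the article's per-type reasoning to Logon/Logoff event records: the event dicts, the `host_role` inventory tag and the sample records are constructed assumptions, not real log data.

```python
"""Triage of Windows Logon/Logoff events by Logon Type (added example).
Events are constructed dicts: event_id (528/540 = success, 538 = logoff, any
other ID in the category = a failure reason), logon_type, and an assumed
inventory tag host_role ('server' or 'workstation') used by the conclusion."""
from collections import Counter

LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}
SUCCESS_IDS = {528, 540}
LOGOFF_ID = 538

def outcome(event):
    """Classify an event ID as the article does: success, logoff, or failure."""
    eid = event["event_id"]
    if eid in SUCCESS_IDS:
        return "success"
    return "logoff" if eid == LOGOFF_ID else "failure"

def triage(event):
    """Return review notes for one event, following the article's per-type guidance."""
    lt, res, notes = event["logon_type"], outcome(event), []
    if res == "failure" and lt == 3 and event.get("host_role") == "workstation":
        notes.append("failed network logon to a workstation: unexpected, review the source")
    if res == "failure" and lt in (4, 5):
        notes.append("failed batch/service logon: stale stored password, or guessing via a task/service")
    if res == "failure" and lt == 7:
        notes.append("failed unlock: mistyped password, or guessing at a locked console")
    if lt == 8:
        notes.append("credentials crossed the network in clear text (Basic auth / ADVAPI): confirm HTTPS")
    if res == "success" and lt == 11:
        notes.append("cached-credential logon: no domain controller was reachable")
    return notes

def summarize(events):
    """Count (outcome, logon type name) pairs, e.g. {('failure', 'Network'): 1}."""
    return Counter((outcome(e), LOGON_TYPES.get(e["logon_type"], "Unknown")) for e in events)

# Constructed sample events, not real log data (529 is a logon-failure event ID).
SAMPLE = [
    {"event_id": 540, "logon_type": 3, "host_role": "server"},
    {"event_id": 529, "logon_type": 3, "host_role": "workstation"},
    {"event_id": 529, "logon_type": 4, "host_role": "server"},
    {"event_id": 528, "logon_type": 8, "host_role": "server"},
    {"event_id": 528, "logon_type": 11, "host_role": "workstation"},
    {"event_id": 538, "logon_type": 3, "host_role": "server"},
]
```

Call `triage(e)` on each record to get the review notes, and `summarize(SAMPLE)` for a per-type count of successes, failures and logoffs.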
