Thursday, 27 May 2010

Windows Login Type

Windows Logon Type

Work requires it; there is always a pile of things to memorize...

Logon type 2 Interactive: local logon. The most common logon method.
Logon type 3 Network: network logon. Most commonly seen when accessing a shared network folder or printer. IIS authentication is also Type 3.
Logon type 4 Batch: scheduled tasks.
Logon Type 5 Service: services.
Some services run under a domain account; a common cause of a Failure is that the administrator changed the domain account's password but forgot to reset the account password in the Service.
Logon Type 7 Unlock: unlocking the screen lock.
Many companies have this security setting: after the user has been away from the screen for a while, the screen saver locks the computer screen. Unlocking the screen requires entering the user name and password. The log type produced at that point is Type 7.
Logon Type 8 NetworkCleartext: network cleartext logon, usually from ASP logons on IIS. Not recommended.
Logon Type 9 NewCredentials: logon with new credentials, usually the logon verification when running a program via RunAs.
Logon Type 10 RemoteInteractive: remote logon, e.g. Terminal Services or RDP. Windows 2000 has no Type 10 and uses Type 2 instead; Type 10 exists from Windows XP/2003 on.
Logon Type 11 CachedInteractive: cached logon.
For the convenience of laptop users, Windows caches the last 10 successful logons.

The above was Simplified Chinese converted to Traditional, and I nearly fainted... luckily I found the original text below.

Original text attached:
The logon/logoff category of the Windows security log gives you the ability to monitor all attempts to access the local computer. In this article I’ll examine each logon type in greater detail and show you how some other fields in Logon/Logoff events can be helpful for understanding the nature of a given logon attempt.

Event IDs 528 and 540 signify a successful logon, event ID 538 a logoff and all the other events in this category identify different reasons for a logon failure. However, just knowing about a successful or failed logon attempt doesn’t fill in the whole picture. Because of all the services Windows offers, there are many different ways you can logon to a computer such as interactively at the computer’s local keyboard and screen, over the network through a drive mapping or through terminal services (aka remote desktop) or through IIS. Thankfully, logon/logoff events specify the Logon Type code which reveals the type of logon that prompted the event.

Logon Type 2 – Interactive
This is what occurs to you first when you think of logons, that is, a logon at the console of a computer. You’ll see type 2 logons when a user attempts to log on at the local keyboard and screen whether with a domain account or a local account from the computer’s local SAM. To tell the difference between an attempt to logon with a local or domain account look for the domain or computer name preceding the user name in the event’s description. Don’t forget that logons through a KVM over IP component or a server’s proprietary “lights-out” remote KVM feature are still interactive logons from the standpoint of Windows and will be logged as such.

Logon Type 3 – Network
Windows logs logon type 3 in most cases when you access a computer from elsewhere on the network. One of the most common sources of logon events with logon type 3 is connections to shared folders or printers. But other over-the-network logons are classed as logon type 3 as well such as most logons to IIS. (The exception is basic authentication which is explained in Logon Type 8 below.)

Logon Type 4 – Batch
When Windows executes a scheduled task, the Scheduled Task service first creates a new logon session for the task so that it can run under the authority of the user account specified when the task was created. When this logon attempt occurs, Windows logs it as logon type 4. Other job scheduling systems, depending on their design, may also generate logon events with logon type 4 when starting jobs. Logon type 4 events are usually just innocent scheduled task startups but a malicious user could try to subvert security by trying to guess the password of an account through scheduled tasks. Such attempts would generate a logon failure event where logon type is 4. But logon failures associated with scheduled tasks can also result from an administrator entering the wrong password for the account at the time of task creation or from the password of an account being changed without modifying the scheduled task to use the new password.

Logon Type 5 – Service
Similar to Scheduled Tasks, each service is configured to run as a specified user account. When a service starts, Windows first creates a logon session for the specified user account which results in a Logon/Logoff event with logon type 5. Failed logon events with logon type 5 usually indicate the password of an account has been changed without updating the service but there’s always the possibility of malicious users at work too. However this is less likely because creating a new service or editing an existing service by default requires membership in Administrators or Server Operators and such a user, if malicious, will likely already have enough authority to perpetrate his desired goal.

Logon Type 7 – Unlock
Hopefully the workstations on your network automatically start a password protected screen saver when a user leaves their computer so that unattended workstations are protected from malicious use. When a user returns to their workstation and unlocks the console, Windows treats this as a logon and logs the appropriate Logon/Logoff event but in this case the logon type will be 7 – identifying the event as a workstation unlock attempt. Failed logons with logon type 7 indicate either a user entering the wrong password or a malicious user trying to unlock the computer by guessing the password.

Logon Type 8 – NetworkCleartext
This logon type indicates a network logon like logon type 3 but where the password was sent over the network in clear text. Windows server doesn’t allow connections to shared files or printers with clear text authentication. The only situations I’m aware of are logons from within an ASP script using the ADVAPI or when a user logs on to IIS using IIS’s basic authentication mode. In both cases the logon process in the event’s description will list advapi. Basic authentication is only dangerous if it isn’t wrapped inside an SSL session (i.e. https). As far as logons generated by an ASP script, remember that embedding passwords in source code is a bad practice for maintenance purposes as well as the risk that someone malicious will view the source code and thereby gain the password.

Logon Type 9 – NewCredentials
If you use the RunAs command to start a program under a different user account and specify the /netonly switch, Windows records a logon/logoff event with logon type 9. When you start a program with RunAs using /netonly, the program executes on your local computer as the user you are currently logged on as but for any connections to other computers on the network, Windows connects you to those computers using the account specified on the RunAs command. Without /netonly Windows runs the program on the local computer and on the network as the specified user and records the logon event with logon type 2.

Logon Type 10 – RemoteInteractive
When you access a computer through Terminal Services, Remote Desktop or Remote Assistance, Windows logs the logon attempt with logon type 10 which makes it easy to distinguish true console logons from a remote desktop session. Note however that prior to XP, Windows 2000 doesn’t use logon type 10 and terminal services logons are reported as logon type 2.

Logon Type 11 – CachedInteractive
Windows supports a feature called Cached Logons which facilitates mobile users. When you are not connected to your organization’s network and attempt to logon to your laptop with a domain account there’s no domain controller available to the laptop with which to verify your identity. To solve this problem, Windows caches a hash of the credentials of the last 10 interactive domain logons. Later when no domain controller is available, Windows uses these hashes to verify your identity when you attempt to logon with a domain account.

Conclusion
I hope this discussion of logon types and their meanings helps you as you keep watch on your Windows network and try to piece together the different ways users are accessing your computers. Paying attention to logon type is important because different logon types can affect how you interpret logon events from a security perspective. For instance a failed network logon on a server might not be surprising since users must access servers over the network all the time. But a failed network logon attempt in a workstation security log is different. Why is anyone trying to access someone else’s workstation from over the network? As you can see, it pays to understand the security log.
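The following script is an added example, not part of this blog post or of the quoted article. It applies the per-type interpretation given above to a handful of constructed Security-log records: it tells local-SAM accounts from domain accounts by the name preceding the user name, flags type 8 cleartext logons, flags failed type 3 logons against a workstation (the conclusion's example), and counts repeated failures per account and logon type so that a single mistyped password is kept apart from sustained guessing. The event field names (event_id, logon_type, account, host, role) are this example's own assumptions about how an export was parsed.

```python
from collections import Counter

# Logon Type codes and meanings as listed in the article above.
LOGON_TYPES = {
    2: "Interactive",
    3: "Network",
    4: "Batch",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials",
    10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Event IDs from the article: 528/540 are successes, 538 is a logoff,
# the remaining IDs in the category are logon failures.
SUCCESS_IDS = {528, 540}
FAILURE_IDS = {529, 530, 531, 532, 533, 534, 535, 536, 537, 539}

# Constructed sample events (not real log data). The field names are this
# example's own assumptions about how a Security-log export was parsed.
SAMPLE_EVENTS = [
    {"event_id": 528, "logon_type": 2, "account": "CORP\\alice", "host": "WS01", "role": "workstation"},
    {"event_id": 529, "logon_type": 3, "account": "CORP\\bob", "host": "WS01", "role": "workstation"},
    {"event_id": 529, "logon_type": 3, "account": "CORP\\bob", "host": "WS01", "role": "workstation"},
    {"event_id": 529, "logon_type": 3, "account": "CORP\\bob", "host": "WS01", "role": "workstation"},
    {"event_id": 540, "logon_type": 3, "account": "CORP\\carol", "host": "FS01", "role": "server"},
    {"event_id": 528, "logon_type": 8, "account": "CORP\\webuser", "host": "WEB01", "role": "server"},
    {"event_id": 529, "logon_type": 5, "account": "CORP\\svc-backup", "host": "FS01", "role": "server"},
    {"event_id": 528, "logon_type": 10, "account": "WS01\\localadmin", "host": "WS01", "role": "workstation"},
]


def account_scope(account, host):
    """Local-SAM account or domain account: the article says to look at the
    domain or computer name that precedes the user name."""
    authority, sep, _user = account.partition("\\")
    if not sep:
        return "unknown"
    return "local" if authority.upper() == host.upper() else "domain"


def event_findings(event):
    """Findings for one event, following the article's per-type interpretation."""
    lt = event["logon_type"]
    failed = event["event_id"] in FAILURE_IDS
    name = LOGON_TYPES.get(lt)
    findings = []
    if name is None:
        findings.append(f"unrecognised logon type {lt}")
        return findings
    if lt == 8:
        findings.append("cleartext network logon (basic auth or ASP via advapi): verify it is wrapped in HTTPS")
    if lt == 10:
        findings.append("remote desktop / terminal services session, not a console logon")
    if failed and lt == 3 and event["role"] == "workstation":
        findings.append("failed network logon to a workstation: unexpected, check who is connecting")
    if failed and lt in (4, 5):
        findings.append(f"failed {name} logon: stale password in the task or service, or password guessing")
    if failed and lt == 7:
        findings.append("failed unlock: mistyped password or guessing at a locked console")
    return findings


def triage(events, repeat_threshold=3):
    """Per-event findings plus (account, host, logon type) keys whose failure
    count reaches the threshold, which separates one typo from sustained guessing."""
    failures = Counter(
        (e["account"], e["host"], e["logon_type"]) for e in events if e["event_id"] in FAILURE_IDS
    )
    repeated = {key: n for key, n in failures.items() if n >= repeat_threshold}
    per_event = [event_findings(e) for e in events]
    return {"per_event": per_event, "repeated_failures": repeated}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for event, findings in zip(SAMPLE_EVENTS, result["per_event"]):
        scope = account_scope(event["account"], event["host"])
        print(event["event_id"], LOGON_TYPES.get(event["logon_type"]), event["account"], scope, findings)
    print("repeated failures:", result["repeated_failures"])
```

Run as-is it prints one line per sample event; the role field (workstation or server) is what turns an ordinary failed network logon on a file server into a finding when the same event appears on a workstation.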

Monday, 24 May 2010

Teamviewer Block

Having some free time today, I captured the network packets of TeamViewer, that handy tool.

So I added this software's service port to the firewall block.

Its port is TCP 5938; just add it to the firewall's block list.

At first I wanted to block it by IP, but block one and the software hops to another. I got played completely...

Our company hasn't bought an App Filter either, so blocking by the port the software uses is the way to go.

Some juniors at my company recently need to remote back in, so this block combined with a firewall Schedule does the job.

The reason we use this tool is that... even a fool can use it, so there's no need for another round of training XD

Sunday, 23 May 2010

Windows Logon Event ID Log Type

Useful for system audit checks during server maintenance.

Event ID  Description
528       Successful logon.
529       Logon failure. Unknown user name or bad password.
530       Logon failure. Account logon time restriction violation.
531       Logon failure. The account is currently disabled.
532       Logon failure. The specified user account has expired.
533       Logon failure. The user is not allowed to log on at this computer.
534       Logon failure. The user has not been granted the requested logon type at this computer.
535       Logon failure. The specified account’s password has expired.
536       Logon failure. The NetLogon component is not active.
537       Logon failure. An unexpected error occurred during logon.
538       User logoff. This event is generated when the logoff process is complete. A logoff is considered complete when the associated logon session object is deleted, which occurs after all tokens associated with the logon session are closed. This can take an arbitrarily long time; this event should not be used to calculate the total logon duration. Instead, use event 551.
539       Logon failure. Account locked out.
540       Successful network logon.
541       IPSec security association established.
542       IPSec security association ended. Mode: Data Protection (Quick mode).
543       IPSec security association ended. Mode: Key Exchange (Main mode).
544       IPSec security association establishment failed because peer could not authenticate. The certificate trust could not be established.
545       IPSec peer authentication failed.
546       IPSec security association establishment failed because peer sent invalid proposal.
547       IPSec security association negotiation failed.
548       Logon failure. Domain security identifier (SID) is inconsistent. This event is generated when a user account from a trusted domain attempts to authenticate, but the domain SID does not match the SID stored in the Trusted Domain Object (TDO).
549       Logon failure. All SIDs were filtered out. During authentication across forests, SIDs corresponding to untrusted namespaces are filtered out. This event is generated when all SIDs are filtered. This event is generated on the Kerberos Key Distribution Center (KDC). This event is not generated on Windows Server 2003.
550       Notification message that can indicate a possible denial-of-service attack.
551       User-initiated logoff. This event is generated when the user initiates the logoff process. When the logoff process is complete, event 538 is logged.
552       Successful logon. This event is generated when a user logs on with explicit credentials while already logged on as another user. This event is logged when using the RunAs tool.
553       Logon failure. This event is generated when an authentication package detects a replay attack.
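The following script is an added example (not part of this post, and not Microsoft's code) showing two things a maintainer would do with the Event IDs in the table above. First, it groups the failure IDs into credential, policy-restriction, account-state and logon-infrastructure buckets (the grouping is this example's own choice) and counts them per account, so a run of 529s ending in a 539 lockout stands out. Second, it computes logon duration by pairing 528/540/552 with the user-initiated logoff 551 that shares the Logon ID, and deliberately ignores 538, because the table itself warns that 538 can arrive arbitrarily late. The pipe-separated sample log is constructed for the example and is not the real Security-log layout.

```python
from datetime import datetime

# Logon-related Event IDs from the table above. The grouping of the failure
# IDs is this example's own, so that a credential problem, a policy
# restriction, an account-state problem and a broken logon infrastructure
# are counted separately.
LOGON_IDS = {528, 540, 552}
USER_LOGOFF = 551          # logoff started by the user: usable for duration
FAILURE_GROUPS = {
    "bad credentials": {529},
    "policy restriction": {530, 533, 534},
    "account state": {531, 532, 535, 539},
    "logon infrastructure": {536, 537, 548, 549},
}

# Constructed sample log, one record per line: timestamp|Event ID|Logon ID|account.
# Event 538 (logoff complete) appears 45 minutes after alice's 551 and must not
# be used for the duration; carol never logs off interactively, only a 538 is seen.
SAMPLE_LOG = """\
2010-05-23 08:00:00|528|0x1A2B|CORP\\alice
2010-05-23 08:00:05|529|-|CORP\\bob
2010-05-23 08:00:09|529|-|CORP\\bob
2010-05-23 08:00:15|539|-|CORP\\bob
2010-05-23 09:30:00|540|0x3C4D|CORP\\carol
2010-05-23 10:30:00|538|0x3C4D|CORP\\carol
2010-05-23 17:00:00|551|0x1A2B|CORP\\alice
2010-05-23 17:45:00|538|0x1A2B|CORP\\alice
"""


def parse_log(text):
    """Parse the constructed pipe-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_id, account = line.split("|")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "logon_id": logon_id,
            "account": account,
        })
    return events


def failure_group(event_id):
    """Name of the failure bucket an Event ID belongs to, or None for non-failures."""
    for group, ids in FAILURE_GROUPS.items():
        if event_id in ids:
            return group
    return None


def failure_summary(events):
    """Failure counts per account and bucket; several 529s followed by a 539
    show a bad-password run that ended in lockout."""
    summary = {}
    for e in events:
        group = failure_group(e["event_id"])
        if group:
            per_account = summary.setdefault(e["account"], {})
            per_account[group] = per_account.get(group, 0) + 1
    return summary


def session_durations(events):
    """Pair each logon with the user-initiated logoff (551) sharing its Logon ID.
    538 is ignored on purpose: the table notes it may fire arbitrarily late.
    Returns (closed sessions as logon_id -> (account, seconds), sessions still open)."""
    open_sessions = {}
    durations = {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["event_id"] in LOGON_IDS and e["logon_id"] != "-":
            open_sessions[e["logon_id"]] = e
        elif e["event_id"] == USER_LOGOFF and e["logon_id"] in open_sessions:
            start = open_sessions.pop(e["logon_id"])
            seconds = int((e["time"] - start["time"]).total_seconds())
            durations[e["logon_id"]] = (start["account"], seconds)
    return durations, open_sessions


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("failures:", failure_summary(evts))
    closed, still_open = session_durations(evts)
    print("durations (seconds):", closed)
    print("no 551 seen for logon IDs:", sorted(still_open))
```

With the sample data alice's session is reported as 9 hours from her 528 to her 551, and carol's Logon ID stays in the open list even though a 538 was logged for it, which is exactly the distinction the 538 row of the table asks for.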