Windows logon types and security log analysis
1. Windows logon types
If you pay attention to the Windows security log, you will notice that the "logon type" given in the event descriptions is not always the same. Apart from the interactive logon at the keyboard (logon type 1), what are the other types?
Windows splits logons into many types so that you can get more valuable information out of the log: you can tell exactly whether a logon came from the local console, from the network, and so on. Knowing these logon methods will help you spot suspicious intruders in the event log and work out how they got in. Let's take a closer look at the Windows logon types.
Logon type 2: interactive logon (Interactive)
This is probably the first kind of logon that comes to mind. An interactive logon means the user logs on at the computer's console, that is, locally at the keyboard. Don't forget, though, that a logon through a KVM switch still counts as an interactive logon even though it travels over the network.
Logon type 3: network logon (Network)
When you access a computer over the network, Windows records it as type 3 in most cases; the most common example is connecting to a shared folder or a shared printer. Most logons to IIS over the network are also recorded as this type, with one exception: an IIS logon using Basic authentication is recorded as type 8, which is described below.
Logon type 4: batch logon (Batch)
When Windows runs a scheduled task, the Task Scheduler service first creates a new logon session for the task so that it can run under the user account configured for it. When this happens, Windows records the logon as type 4. Other job systems built on the same design also produce type 4 logon events when their work starts. Type 4 usually means a scheduled task has started, but it can also be a malicious user using the Task Scheduler to guess a user's password; such attempts show up as type 4 logon failures. A type 4 failure may equally be a logon that failed because the password stored with the scheduled task was not kept in sync, for example when the user changed the password and forgot to update the scheduled task.
Logon type 5: service logon (Service)
Similar to scheduled tasks, each service is configured to run under a specific user account. When a service starts, Windows first creates a logon session for that user, and this is recorded as type 5. A type 5 failure usually means the user's password was changed but the service was not updated. It could also be caused by a malicious user guessing passwords, but that is unlikely: creating a new service or editing an existing one requires Administrator or Server Operator rights by default, and a malicious user who already has that identity has enough power to do what he wants without bothering to guess a service's password.
Logon type 7: unlock (Unlock)
You may have noticed that when a user leaves the computer, the workstation automatically starts a password-protected screen saver; when the user comes back and unlocks it, Windows records the unlock as type 7. A type 7 logon failure means someone typed the wrong password, or someone is trying to unlock the computer.
Logon type 8: network cleartext (NetworkCleartext)
This type is a network logon like type 3, but the logon password was sent across the network in cleartext. The Windows Server service does not allow cleartext authentication for connections to shared folders or printers; as far as I know, this logon type occurs only when Advapi is called from an ASP script, or when a user logs on to IIS with Basic authentication. The Logon Process column lists Advapi.
Logon type 9: new credentials (NewCredentials)
When you use the RUNAS command with the /netonly parameter to run a program, RUNAS runs it as the current local user; but if the program needs to connect to other computers on the network, those connections use the user you specified in the RUNAS command, and Windows records this as type 9. If RUNAS is used without /netonly, the program runs as the specified user and the logon is recorded in the log as type 2.
Logon type 10: remote interactive (RemoteInteractive)
When you access a computer through Terminal Services, Remote Desktop or Remote Assistance, Windows records it as type 10 to distinguish it from a real console logon. Note that versions before XP do not support this logon type; Windows 2000, for example, still records a Terminal Services logon as type 2.
Logon type 11: cached interactive (CachedInteractive)
Windows supports a feature called cached logon, which is especially useful for mobile users. For example, when you log on as a domain user on your own network, the logon to the domain controller uses this feature: by default Windows caches the hashes of the last 10 interactive domain logon credentials, and if you later log on as a domain user when no domain controller is available, Windows uses the cached hash to verify your identity.
Those are the Windows logon types. Note that Windows 2000 does not log security events by default; you must first enable "Audit logon events" under Computer Configuration / Windows Settings / Security Settings / Local Policies / Audit Policy in Group Policy before the records described above appear. I hope this detailed information helps you understand the system better and keep the network stable.
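The logon-type table above applied to log entries, as an added example that is not part of the original document: a small Python parser for records written in a one-line form of the section 2 layout, which counts logons per type and flags the cases the text says deserve a closer look (type 8 cleartext passwords, failed type 4 scheduled-task logons, type 10 remote sessions). The sample lines, the account names and the use of event 529 for a logon failure are constructed for this example, not records from any real machine.

```python
import re
from collections import Counter

# Logon type numbers and names as described in the section above.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# Constructed sample lines (made up for this example) in a one-line form of the
# section 2 layout: time, source, audit result, category, event id, account, fields.
SAMPLE_LOG = """\
2006-5-9 8:24:01 Security Success Audit Logon/Logoff 528 COMPUTERNAME\\alice Logon Type: 2 Logon Process: User32
2006-5-9 7:00:34 Security Success Audit Logon/Logoff 540 COMPUTERNAME\\IUSR_COMPUTERNAME Logon Type: 3 Logon Process: IIS
2006-5-9 1:00:00 Security Success Audit Logon/Logoff 528 COMPUTERNAME\\alice Logon Type: 4 Logon Process: Advapi
2006-5-9 2:15:10 Security Failure Audit Logon/Logoff 529 COMPUTERNAME\\alice Logon Type: 4 Logon Process: Advapi
2006-5-9 3:10:00 Security Success Audit Logon/Logoff 528 COMPUTERNAME\\bob Logon Type: 8 Logon Process: Advapi
2006-5-9 9:30:00 Security Success Audit Logon/Logoff 528 COMPUTERNAME\\alice Logon Type: 10 Logon Process: User32
"""

RECORD = re.compile(r"^(?P<when>\S+ \S+) Security (?P<result>Success|Failure) Audit \S+ "
                    r"(?P<event_id>\d+) (?P<account>\S+) Logon Type: (?P<logon_type>\d+) "
                    r"Logon Process: (?P<process>\S+)$")

def parse_records(text):
    """Parse each matching line into a dict; lines that do not match are skipped."""
    records = []
    for m in (RECORD.match(line) for line in text.splitlines()):
        if m:
            rec = m.groupdict()
            rec["logon_type"], rec["event_id"] = int(rec["logon_type"]), int(rec["event_id"])
            records.append(rec)
    return records

def count_by_type(records):
    """Count logons per logon type name, e.g. Counter({'Batch': 2, 'Interactive': 1, ...})."""
    return Counter(LOGON_TYPES.get(r["logon_type"], "Unknown") for r in records)

def review_findings(records):
    """Flag the conditions the text above singles out for a closer look."""
    findings = []
    for r in records:
        t, acct = r["logon_type"], r["account"]
        if t == 8:
            findings.append(f"{acct}: type 8, password crossed the network in cleartext")
        elif t == 4 and r["result"] == "Failure":
            findings.append(f"{acct}: failed type 4, task password out of sync or being guessed")
        elif t == 10:
            findings.append(f"{acct}: type 10, remote desktop/terminal services session")
    return findings
```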
2. Log records
'*************************************************************************
' Logon to the server via Terminal Services (administrator account logon)
'*************************************************************************
2006-5-9 8:24:01 Security Success Audit Logon/Logoff 528 COMPUTERNAME\clientUserName COMPUTERNAME "Successful Logon:
  User Name: clientUserName
  Domain: COMPUTERNAME
  Logon ID: (0x0,0x17F4C31B)
  Logon Type: 2
  Logon Process: User32
  Authentication Package: Negotiate
  Workstation Name: COMPUTERNAME"
2006-5-9 8:24:01 Security Success Audit Account Logon 680 NT AUTHORITY\SYSTEM COMPUTERNAME "Account Used for Logon by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  Account Name: ClientUserName
  Workstation: COMPUTERNAME"
2006-5-9 8:23:44 Security Success Audit System Event 515 NT AUTHORITY\SYSTEM COMPUTERNAME "A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.
  Logon Process Name: Winlogon\MSGina"
'*************************************************************************
' AT scheduled job: IIS service restart (script), security log (IUSR_COMPUTERNAME)
'*************************************************************************
2006-5-9 7:00:34 Security Success Audit Logon/Logoff 540 COMPUTERNAME\IUSR_COMPUTERNAME COMPUTERNAME "Successful Network Logon:
  User Name: IUSR_COMPUTERNAME
  Domain: COMPUTERNAME
  Logon ID: (0x0,0x17BF45CB)
  Logon Type: 3
  Logon Process: IIS
  Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  Workstation Name: COMPUTERNAME"
2006-5-9 7:00:34 Security Success Audit Account Logon 680 NT AUTHORITY\SYSTEM COMPUTERNAME "Account Used for Logon by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  Account Name: IUSR_COMPUTERNAME
  Workstation: COMPUTERNAME"
2006-5-9 7:00:34 Security Success Audit System Event 515 NT AUTHORITY\SYSTEM COMPUTERNAME "A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.
  Logon Process Name: \inetinfo.exe"
2006-5-9 7:00:16 Security Success Audit Logon/Logoff 538 COMPUTERNAME\IUSR_COMPUTERNAME COMPUTERNAME "User Logoff:
  User Name: IUSR_COMPUTERNAME
  Domain: COMPUTERNAME
  Logon ID: (0x0,0x158DFFBF)
  Logon Type: 3"
'*************************************************************************
' Scheduled task running a program (admin account)
'*************************************************************************
2006-5-9 1:08:04 Security Success Audit Logon/Logoff 538 COMPUTERNAME\clientUserName COMPUTERNAME "User Logoff:
  User Name: clientUserName
  Domain: COMPUTERNAME
  Logon ID: (0x0,0x167C8DC4)
  Logon Type: 4"
2006-5-9 1:00:00 Security Success Audit Logon/Logoff 528 COMPUTERNAME\clientUserName COMPUTERNAME "Successful Logon:
  User Name: clientUserName
  Domain: COMPUTERNAME
  Logon ID: (0x0,0x167C8DC4)
  Logon Type: 4
  Logon Process: Advapi
  Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  Workstation Name: COMPUTERNAME"
2006-5-9 1:00:00 Security Success Audit Account Logon 680 NT AUTHORITY\SYSTEM COMPUTERNAME "Account Used for Logon by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  Account Name: ClientUserName
  Workstation: COMPUTERNAME"
'*************************************************************************
' Reconnect to the server after disconnecting from it
'*************************************************************************
2006-5-4 19:24:24 Security Success Audit Logon/Logoff 682 COMPUTERNAME\clientUserName COMPUTERNAME "Session reconnected to winstation:
  User Name: clientUserName
  Domain: COMPUTERNAME
  Logon ID: (0x0,0x37A9068)
  Session Name: RDP-Tcp#3
  Client Name: clientname (computer name)
  Client Address: clientaddress (IP)"
2006-5-4 19:24:23 Security Success Audit Logon/Logoff 683 COMPUTERNAME\clientUserName COMPUTERNAME "Session disconnected from winstation:
  User Name: clientUserName
  Domain: COMPUTERNAME
  Logon ID: (0x0,0xA28751E)
  Session Name: Unknown
  Client Name: clientname (computer name)
  Client Address: clientaddress (IP)"
2006-5-4 19:24:20 Security Successfu