Audit account logon events

Acronyms

  • None

Preferred Term

  • None

Non-standard Terms

  • None

Definitions

Type Definition Sources
Configurable Item This policy setting determines whether to audit each instance of a user who logs on to or off from another computer that validates the account. Authentication of a domain user account on a domain controller generates an account logon event that is logged in the domain controller's Security log. Authentication of a local user on a local computer generates a logon event that is logged in the local Security log. No account logoff events are logged. The following table includes the important security events that this policy setting logs in the Security log. These event IDs can be useful when you want to create custom alerts to monitor any software suite, such as Microsoft Operations Manager (MOM). Table 4.3 Account Logon Events Event ID Event description 672 An authentication service (AS) ticket was successfully issued and validated. In Windows Server 2003 with SP1, the type of this event will be Success Audit for successful requests or Failure Audit for failed requests. 673 A ticket granting service (TGS) ticket was granted. A TGS is a ticket that is issued by the Kerberos version 5 TGS that allows a user to authenticate to a specific service in the domain. Windows Server 2003 with SP1 will log successes and failures for this event type. 674 A security principal renewed an AS ticket or a TGS ticket. 675 Pre-authentication failed. This event is generated on a Key Distribution Center (KDC) when a user enters an incorrect password. 676 Authentication ticket request failed. This event is not generated by Windows Server 2003 with SP1. Other Windows versions use this event to indicate an authentication failure that was not due to incorrect credentials. 677 A TGS ticket was not granted. This event is not generated by Windows Server 2003 with SP1, which uses a failure audit event with ID 672 for this case. 678 An account was successfully mapped to a domain account. 681 Logon failure. A domain account logon was attempted. This event is only generated by domain controllers. 682 A user has reconnected to a disconnected Terminal Server session. 683 A user disconnected a Terminal Server session but did not log off. (used 0 times in citations and controls)
  • Per ISO 704:2009 methodology
Configurable Item Within the Windows server environment relates to the ability to track local logon events on a server or workstation. This captures logon events on the local system on which the logons occur, because tracking a large network's logon activity one system at a time is impractical. (used 0 times in citations and controls)
  • Per ISO 704:2009 methodology
Configurable Item The prescribed GPOs from Microsoft include settings that configure the audit categories present in previous versions of Windows. If you use the script and the GPOs included with this security guidance, these settings will not apply to computers running Windows Vista. The GPOs intended for use in enterprise environments have been designed to work with Windows XP based computers. Settings for audit categories are included in these GPOs so that computers running Windows XP in your environment receive the recommended audit policy settings for Windows XP–based computers. You can configure the Audit policy settings in Windows Vista at the following location in the Group Policy Object Editor: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy (used 0 times in citations and controls)
  • Per ISO 704:2009 methodology

Other Forms

Type Other Form
Plural Audit logon events
Plural Audit account logon events
Plural Possessive Audit logon events'
Plural Possessive Audit account logon events'
Possessive Audit logon events'
Possessive Audit account logon events'

Relationships

Loading...

Common Controls

Displaying Controls in which this term is tagged – Show all Controls containing this term regardless of tagging
Displaying Controls containing this term – Show only Controls in which this term is tagged
Loading...
ID Control
{{ control.id }} {{ control.name }}
None

Citations

Displaying Citations in which this term is tagged – Show all Citations containing this term regardless of tagging
Displaying Citations containing this term – Show only Citations in which this term is tagged
Loading...
AD ID Authority Document CT ID Reference Guidance CC ID
{{ citation.authority_document.id }} {{ citation.authority_document.common_name }} {{ citation.id }} {{ citation.reference }} {{ citation.guidance_as_tagged || citation.guidance }} {{ citation.control.id }} None
None