류짱:Beyond MySelf
Auditing Logon Events
Auditing logon security events lets you record each instance of a domain or local user logging on to, or off from, a machine.
By configuring security auditing on that machine you can also audit batch logons, network logons, and users connecting through Terminal Server.
[Local security audit policy settings]
See the tables below for the main events and logon types.
To set this value to No auditing, select the Define these policy settings check box in the Properties dialog box for this policy setting and clear the Success and Failure check boxes. Default: Success.
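The dialog above is the Windows 2000/2003 way of turning on logon auditing. The block below is an added example, not part of the original post, that does the same from the command line on Windows Vista / Server 2008 and later, where auditpol.exe is built in and audit settings are split into subcategories. The subcategory names are the real ones used by auditpol; the choice to enable all four is this example's assumption.

```powershell
# Added example (not from the original post): check and enable logon/logoff
# auditing with auditpol.exe (built in from Windows Vista / Server 2008 onward).
# On Windows 2000 / 2003 the same setting lives in secpol.msc under
# Local Policies > Audit Policy > "Audit logon events".
# Run from an elevated PowerShell prompt.

# 1. Show the current state of the whole Logon/Logoff category
auditpol /get /category:"Logon/Logoff"

# 2. Enable Success and Failure auditing for the subcategories that generate
#    the logon, logoff, lockout and session events listed on this page.
#    (Which subcategories to enable is this example's assumption.)
$subcategories = @("Logon", "Logoff", "Account Lockout", "Other Logon/Logoff Events")
foreach ($sub in $subcategories) {
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "auditpol /set failed for subcategory '$sub' (exit code $LASTEXITCODE)"
    }
}

# 3. Verify: each subcategory should now report "Success and Failure"
foreach ($sub in $subcategories) {
    auditpol /get /subcategory:"$sub"
}
```

Two caveats worth checking before relying on the output: auditpol settings are per machine, so a domain Group Policy that defines the legacy "Audit logon events" setting can overwrite them at the next policy refresh unless the "Audit: Force audit policy subcategory settings to override audit policy category settings" option is enabled; and enabling Failure auditing on a busy domain controller noticeably increases Security log volume, so size the log accordingly.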
[Security event sample]
The event properties above show that the user logged on over the network (logon type 3) and then logged off normally (event 538).
The Logon Event and Logon Type lists below let you determine the form of a user's logon in more detail. Note that these event IDs are the ones used by Windows 2000, XP and Server 2003. From Windows Vista and Server 2008 onward the Security log uses four-digit IDs that are the legacy ID plus 4096 (528 and 540 become 4624, 529 to 537 and 539 become 4625, 538 becomes 4634, 552 becomes 4648, 682 and 683 become 4778 and 4779); the logon type numbers are unchanged.
[Logon Events]
Logon Event | Description |
---|---|
528 | A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below. |
529 | Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password. |
530 | Logon failure. A logon attempt was made outside the account's allowed logon hours. |
531 | Logon failure. A logon attempt was made using a disabled account. |
532 | Logon failure. A logon attempt was made using an expired account. |
533 | Logon failure. A logon attempt was made by a user who is not allowed to log on at this computer. |
534 | Logon failure. The user attempted to log on with a logon type that is not allowed. |
535 | Logon failure. The password for the specified account has expired. |
536 | Logon failure. The Net Logon service is not active. |
537 | Logon failure. The logon attempt failed for other reasons. Note: in some cases the reason for the logon failure may not be known. |
538 | The logoff process was completed for a user. |
539 | Logon failure. The account was locked out at the time the logon attempt was made. |
540 | A user successfully logged on to a network. |
541 | Main mode Internet Key Exchange (IKE) authentication was completed between the local computer and the listed peer identity (establishing a security association), or quick mode has established a data channel. |
542 | A data channel was terminated. |
543 | Main mode was terminated. Note: this might occur as a result of the time limit on the security association expiring (the default is eight hours), policy changes, or peer termination. |
544 | Main mode authentication failed because the peer did not provide a valid certificate or the signature was not validated. |
545 | Main mode authentication failed because of a Kerberos failure or a password that is not valid. |
546 | IKE security association establishment failed because the peer sent a proposal that is not valid. A packet was received that contained data that is not valid. |
547 | A failure occurred during an IKE handshake. |
548 | Logon failure. The security ID (SID) from a trusted domain does not match the account domain SID of the client. |
549 | Logon failure. All SIDs corresponding to untrusted namespaces were filtered out during an authentication across forests. |
550 | Notification message that could indicate a possible denial-of-service attack. |
551 | A user initiated the logoff process. |
552 | A user successfully logged on to a computer using explicit credentials while already logged on as a different user. |
682 | A user has reconnected to a disconnected terminal server session. |
683 | A user disconnected a terminal server session without logging off. Note: this event is generated when a user is connected to a terminal server session over the network. It appears on the terminal server. |
[Logon Types]
Logon type | Logon title | Description |
---|---|---|
2 | Interactive | A user logged on to this computer. |
3 | Network | A user or computer logged on to this computer from the network. |
4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
5 | Service | A service was started by the Service Control Manager. |
7 | Unlock | This workstation was unlocked. |
8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
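The two tables are only useful once they are applied to real log entries. The block below is an added example, not code from the original post: it encodes the Logon Event and Logon Type tables above, parses the "Label: Value" lines of a legacy Security event message to pick out the user, logon type and source, and then groups failures per account so that a burst of 529 events from one source stands out. The sample events are constructed to mimic the Windows 2000/2003 message layout (the real messages are longer); the function and variable names are this example's own. The last line shows how to feed real events from Get-EventLog instead.

```powershell
# Added example (not from the original post). Classifies Security-log events
# using the Logon Event and Logon Type tables on this page.

$LogonEvents = @{
    528 = 'Successful logon';                     529 = 'Failure: unknown user or bad password'
    530 = 'Failure: outside logon hours';         531 = 'Failure: account disabled'
    532 = 'Failure: account expired';             533 = 'Failure: not allowed at this computer'
    534 = 'Failure: logon type not allowed';      535 = 'Failure: password expired'
    536 = 'Failure: Net Logon service inactive';  537 = 'Failure: other reason'
    538 = 'Logoff completed';                     539 = 'Failure: account locked out'
    540 = 'Successful network logon';             551 = 'User-initiated logoff'
    552 = 'Logon with explicit credentials';      682 = 'TS session reconnected'
    683 = 'TS session disconnected'
}
$LogonTypes = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function Get-LogonEventSummary {
    # Accepts objects with TimeGenerated, EventID and Message (as Get-EventLog returns them)
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $fields = @{}
        # Legacy messages are lines of "Label:<tab>Value"; keep only the labels we need
        foreach ($line in ($Event.Message -split "`r?`n")) {
            if ($line -match '^\s*(User Name|Domain|Logon Type|Source Network Address|Workstation Name):\s*(.*?)\s*$') {
                $fields[$matches[1]] = $matches[2]
            }
        }
        $type = $null
        if ($fields['Logon Type'] -match '^\d+$') { $type = [int]$fields['Logon Type'] }
        $typeName = if ($type -ne $null -and $LogonTypes.ContainsKey($type)) { $LogonTypes[$type] } else { 'Unknown' }
        $outcome = switch ($Event.EventID) {
            528 { 'Success' } 540 { 'Success' } 552 { 'Success' } 682 { 'Success' }
            538 { 'Logoff' }  551 { 'Logoff' }  683 { 'Logoff' }
            default { if ($LogonEvents.ContainsKey($Event.EventID)) { 'Failure' } else { 'Other' } }
        }
        [pscustomobject]@{
            Time      = $Event.TimeGenerated
            EventID   = $Event.EventID
            Meaning   = if ($LogonEvents.ContainsKey($Event.EventID)) { $LogonEvents[$Event.EventID] } else { 'Not in table' }
            Outcome   = $outcome
            User      = "$($fields['Domain'])\$($fields['User Name'])"
            LogonType = $type
            TypeName  = $typeName
            Source    = if ($fields['Source Network Address']) { $fields['Source Network Address'] } else { $fields['Workstation Name'] }
        }
    }
}

# Constructed sample events (this example's own data, in the legacy message layout)
function New-SampleEvent($time, $id, $header, $user, $type, $src) {
    [pscustomobject]@{
        TimeGenerated = [datetime]$time; EventID = $id
        Message = "${header}:`r`n`tUser Name:`t$user`r`n`tDomain:`tCONTOSO`r`n`tLogon Type:`t$type`r`n`tSource Network Address:`t$src"
    }
}
$sample = @(
    New-SampleEvent '2009-05-12 09:01:10' 528 'Successful Logon' 'jdoe'  2 '-'
    New-SampleEvent '2009-05-12 09:02:30' 540 'Successful Logon' 'jdoe'  3 '10.0.0.25'
    New-SampleEvent '2009-05-12 09:05:00' 538 'User Logoff'      'jdoe'  3 '10.0.0.25'
    New-SampleEvent '2009-05-12 23:10:01' 529 'Logon Failure'    'admin' 3 '10.0.0.99'
    New-SampleEvent '2009-05-12 23:10:02' 529 'Logon Failure'    'admin' 3 '10.0.0.99'
    New-SampleEvent '2009-05-12 23:10:03' 529 'Logon Failure'    'admin' 3 '10.0.0.99'
    New-SampleEvent '2009-05-12 23:10:04' 539 'Logon Failure'    'admin' 3 '10.0.0.99'
)

$summary = $sample | Get-LogonEventSummary
$summary | Format-Table Time, EventID, Outcome, User, LogonType, TypeName, Source, Meaning -AutoSize

# Accounts with three or more failures: the 529/529/529/539 run above shows up here
$summary | Where-Object { $_.Outcome -eq 'Failure' } |
    Group-Object User, Source | Where-Object { $_.Count -ge 3 } |
    Select-Object Name, Count

# Same classification against the live log on a Windows 2000/2003-era machine:
# Get-EventLog -LogName Security -Newest 1000 | Where-Object { $LogonEvents.ContainsKey($_.EventID) } | Get-LogonEventSummary
```

On Windows Vista / Server 2008 and later the same approach works with Get-WinEvent and the four-digit IDs (4624, 4625, 4634, ...), but the message labels change ("Account Name" instead of "User Name"), so the regular expression and the ID table both need adjusting before pointing this at a modern log.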