Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mastering Windows Network Forensics and Investigation Chapter 13: Logon and Account Logon Events.

Published byAugustine Ward Modified over 9 years ago

Similar presentations

Presentation on theme: "Mastering Windows Network Forensics and Investigation Chapter 13: Logon and Account Logon Events."— Presentation transcript:

1 Mastering Windows Network Forensics and Investigation Chapter 13: Logon and Account Logon Events

2 Chapter Topics: Logon vs. Account Logon Events Authentication in a Domain Environment Logging within a Domain Environment

3 Logon vs. Account Logon Logon Events –Event ID 5xx (Windows XP) –Event ID 46xx (Windows Vista +) –Log Access to a resource Account Logon Event –Event ID 6xx (Windows XP) –Event ID 47xx (Windows Vista +) –Log Authentication of credentials

4 Common Windows XP Logon Events 528 – Local logon 540 – Network Logon 538 – Logoff 529 – Failed Logon

5 Common Windows Vista + Logon Events 4624 – Local logon 4624 – Network Logon 4634 – Logoff 4625 – Failed Logon

6 Common Logon Events (WinXP)

7

8 Common Logon Events (Win Vista +)

9

10 Authentication Domain accounts are authenticated by DCs Local Accounts authenticated by local computer’s SAM Kerberos is default authentication method in a domain NTLM is default authentication method for local accounts

11 Kerberos Domain Authentication Key Distribution Center (Domain Controller) Client 1. Authentication request based on username and password 2. KDC issues a TGT to client 3. Client presents TGT to KDC with request to access client computer 4. KDC issues service ticket to client valid for file server 5. Based on the properly issued service ticket, the client computer grants the logon request

12 Common Account Logon Events (Win XP) 672 – TGT issued 673 – Service Ticket issued 675 – Failed Kerberos Authentication 680 – NTLM authentication event

13 Common Account Logon Events (Win Vista +) 4768 – TGT issued 4769 – Service Ticket issued 4771 – Failed Kerberos Pre- Authentication 4776 – NTLM authentication event

14 Common Account Logon Events

15

16

17

18

19

20 Domain Logging of a Client being used to Access a File Server 672 673 (Client) 673 (DC) 673 (krbtgt) 540 538 673 (File Server) 4768 4769 (Client) 4769 (DC) 4769 (krbtgt) 4624 4634 4769 (File Server) Domain Controller 4624 528 4624 4634 540 538 Client Computer File Server Vista +Win XP Vista +Win XP Vista +Win XP

Download ppt "Mastering Windows Network Forensics and Investigation Chapter 13: Logon and Account Logon Events."

Similar presentations

Kerberos Authentication. Kerberos Requires shared secret with KDC ( perhaps not for PKINIT) Shared session key established Time synchronization needed.

Kerberos Authentication. Kerberos Requires shared secret with KDC ( perhaps not for PKINIT) Shared session key established Time synchronization needed.
CS5204 – Operating Systems 1 A Private Key System KERBEROS.

CS5204 – Operating Systems 1 A Private Key System KERBEROS.
Chapter 10 Real world security protocols

Chapter 10 Real world security protocols
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Active Directory and NT Kerberos Rooster JD Glaser.

Active Directory and NT Kerberos Rooster JD Glaser.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Technical Services & Operations WINDOWS 2008 R2 AD / DC UPGRADE PROJECT.

Technical Services & Operations WINDOWS 2008 R2 AD / DC UPGRADE PROJECT.
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
James Johnson. What is it?  A system of authenticating securely over open networks  Developed by MIT in 1983  Based on Needham-Schroeder Extended to.

James Johnson. What is it?  A system of authenticating securely over open networks  Developed by MIT in 1983  Based on Needham-Schroeder Extended to.
Windows Server 2003 建立網域間之信任關係

Windows Server 2003 建立網域間之信任關係
Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
Kerberos Authentication for Multi-organization Cross-Realm Kerberos Authentication User sent request to local Authentication Server Local AS shares cross-realm.

Kerberos Authentication for Multi-organization Cross-Realm Kerberos Authentication User sent request to local Authentication Server Local AS shares cross-realm.
1 Audit-Enhanced Authentication in Kerberos Shuo Chen, Daniel R. Simon (mentor) (Shuo’s Internship Project in Microsoft Research) 9/15/2003 CRHC UIUC.

1 Audit-Enhanced Authentication in Kerberos Shuo Chen, Daniel R. Simon (mentor) (Shuo’s Internship Project in Microsoft Research) 9/15/2003 CRHC UIUC.
12.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

12.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 3: Creating and Managing User Accounts.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 3: Creating and Managing User Accounts.
KerberSim CMPT 495 Fall 2004 Jerry Frederick. Project Goals Become familiar with Kerberos flow Create a simple Kerberos simulation.

KerberSim CMPT 495 Fall 2004 Jerry Frederick. Project Goals Become familiar with Kerberos flow Create a simple Kerberos simulation.
Chapter 5: Configuring Users and Groups. Windows Vista User Accounts User accounts are the primary means of authentication Built-in Accounts –Administrator:

Chapter 5: Configuring Users and Groups. Windows Vista User Accounts User accounts are the primary means of authentication Built-in Accounts –Administrator:
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 3: Creating and Managing User Accounts.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 3: Creating and Managing User Accounts.

Similar presentations

Ads by Google