Re: auditing question
From: Marin Marinov (mlmarinov_at_askme.ca)
Date: 05/18/04
- In reply to: djc: "auditing question"
Date: Tue, 18 May 2004 17:43:37 -0400
<snip>
You're pretty much on the right track ;)
1)
"Account logon" events are generated in the Security log of the machine
performing the authentication, i.e. the one that has access to the
accounts (thus "account" logon). For domain accounts this would be the
authenticating DC, for local - the local machine:
"Logon" events are generated in the Security log of the machine which
you access to consume resources, regardless of where your account
resides:
<boring technical details>
A so-called "access token" is built when you access a resource. Every
access to a resource on another machine (share, printer, etc.) results in
you being authenticated before this machine so it knows who you are and
what security to apply. For it to successfully control your access, the
machine builds an access token containing you and all the groups you
belong to. This token is then used when the machine "impersonates" you
when you request access to resources. "Audit logon events" monitors the
creation of the *access token*, "Audit account logon" monitors the
*authentication* of the user account.
</boring technical details>
2) In your case, yes, you have to use it in combination with "Audit
object access". Remember that authentication against the server
succeeded - it has created an access token for you, impersonated you
trying to access the share, and received access denied due to
insufficient permissions. But "logon" succeeded.
For example, if you deny logon locally on a machine to a domain user and
try to log on with that user you'll end up with:
- "Audit account logon" - resulting success event in the DC's Security log
- "Audit logon" - resulting failure event in the machine's Security log.
And if you've read this far I hope this cleared the matter ;) Let me
know if I got too carried away and blurred the essence.
HTH
-- Cheers, Marin Marinov MCT, MCSE 2003/2000/NT4.0, MCSE:Security 2003/2000, MCP+I - This posting is provided "AS IS" with no warranties, and confers no rights.
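The scenario in the post above (account logon success on the DC, logon failure on the target machine), as an added example that is not part of the original post: Python that correlates records from the two Security logs to tell "authenticated but refused at the target" apart from "authentication failed". The event IDs (4768, 4776, 4625, as used on Windows Vista/Server 2008 and later), the record layout and the host and user names are assumptions; the sample records are constructed.

```python
from datetime import datetime, timedelta

# Assumed event IDs (Windows Vista / Server 2008 and later; not given in the post).
ACCOUNT_LOGON_IDS = {4768, 4776}  # "Audit account logon": Kerberos TGT request, NTLM validation
LOGON_FAILED_ID = 4625            # "Audit logon": an account failed to log on

# Constructed sample records: (time, host, event_id, user, success)
SAMPLE = [
    ("2024-05-18 17:40:01", "DC01", 4768, "alice", True),   # authenticated by the DC
    ("2024-05-18 17:40:02", "WS07", 4625, "Alice", False),  # refused at the workstation
    ("2024-05-18 17:41:10", "DC01", 4776, "bob", False),    # bad credentials at the DC
    ("2024-05-18 17:41:11", "FS02", 4625, "bob", False),
    ("2024-05-18 17:45:00", "DC01", 4768, "carol", True),
    ("2024-05-18 17:45:01", "FS02", 4624, "carol", True),   # normal successful logon
]

def parse(rows):
    """Turn the tuples into dicts with a real timestamp and a normalised user name."""
    return [
        {"time": datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), "host": host,
         "event_id": eid, "user": user.lower(), "success": ok}
        for t, host, eid, user, ok in rows
    ]

def classify_failed_logons(events, window_seconds=30):
    """For each failed logon, say whether the account had been authenticated."""
    window = timedelta(seconds=window_seconds)
    auth_ok = [e for e in events
               if e["event_id"] in ACCOUNT_LOGON_IDS and e["success"]]
    findings = []
    for ev in events:
        if ev["event_id"] != LOGON_FAILED_ID:
            continue
        # A matching account logon success means the credentials were good and
        # the refusal came from the target machine (logon right, restriction).
        authenticated = any(a["user"] == ev["user"]
                            and abs(a["time"] - ev["time"]) <= window
                            for a in auth_ok)
        verdict = ("authenticated, logon refused by target" if authenticated
                   else "authentication failed")
        findings.append((ev["user"], ev["host"], verdict))
    return findings

if __name__ == "__main__":
    for finding in classify_failed_logons(parse(SAMPLE)):
        print(finding)
```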