일 | 월 | 화 | 수 | 목 | 금 | 토 |
---|---|---|---|---|---|---|
1 | 2 | 3 | 4 | 5 | 6 | 7 |
8 | 9 | 10 | 11 | 12 | 13 | 14 |
15 | 16 | 17 | 18 | 19 | 20 | 21 |
22 | 23 | 24 | 25 | 26 | 27 | 28 |
29 | 30 | 31 |
- 작업관리자
- dsquery
- Windows Server 2016
- LiveKD
- 터키여행
- Nested VM
- iSCSI target
- failover cluster
- paged pool
- Hyper-V
- windbg
- SQL Server 2012R2 FCI
- windows debugging tool
- nonpaged pool
- MSCS on VMWare
- windows update
- Session space
- cluster node as Domain controller
- Local TempDB
- 인문고전
- 클러스터
- 프로세스 CPU 사용량
- Windows Server 2008
- Windows Server 2016 Hyper-v Cluster
- Xperf
- ftp7.5 장애조치 클러스터
- windows media service
- FTP7.5
- SQL Server 2008
- 안철수
- Today
- Total
류짱:Beyond MySelf
로그온 이벤트 감사 본문
로그온 보안 이벤트 감사를 통해 도메인 혹은 로컬 사용자 로그온 또는 로그오프의 각 인스턴스를 감사할 수 있습니다.
해당 머신에 대한 보안 감사를 설정 함으로서 배치 로그온이나 네트워크 로그온 그리고 터미널 서버로 접근하는 사용 자들에 대한 감사를 할 수 있습니다.
[로컬 보안 감사 정책 설정]
주요 이벤트와 로그온 타입은 아래의 표를 참조 하시기 바랍니다.
이 값을 감사 안 함으로 설정하려면 이 정책 설정의 속성 대화 상자에서 이 정책 설정 정의 확인란을 선택하고 성공 및 실패 확인란 선택을 취소합니다. 기본값: 성공
[보안 이벤트 샘플]
위의 이벤트 등록 정보에서는 사용자가 네트워크를 통해 로그온(로그온 유형 3)을 하였고 정상적으로 로그 오프(538)가 되었음을 확인 할 수 있습니다.
아래의 보안 이벤트의 Logon Event 와 Logon Type리스트를 통해 사용자의 로그온 형태를 더욱 자세하게 파악 할 수 있습니다. Logon Events Description 528 A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below. 529 Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password. 530 Logon failure. A logon attempt was made user account tried to log on outside of the allowed time. 531 Logon failure. A logon attempt was made using a disabled account. 532 Logon failure. A logon attempt was made using an expired account. 533 Logon failure. A logon attempt was made by a user who is not allowed to log on at this computer. 534 Logon failure. The user attempted to log on with a type that is not allowed. 535 Logon failure. The password for the specified account has expired. 536 Logon failure. The Net Logon service is not active. 537 Logon failure. The logon attempt failed for other reasons. Note · In some cases, the reason for the logon failure may not be known. 538 The logoff process was completed for a user. 539 Logon failure. The account was locked out at the time the logon attempt was made. 540 A user successfully logged on to a network. 541 Main mode Internet Key Exchange (IKE) authentication was completed between the local computer and the listed peer identity (establishing a security association), or quick mode has established a data channel. 542 A data channel was terminated. 543 Main mode was terminated. Note · This might occur as a result of the time limit on the security association expiring (the default is eight hours), policy changes, or peer termination. 544 Main mode authentication failed because the peer did not provide a valid certificate or the signature was not validated. 545 Main mode authentication failed because of a Kerberos failure or a password that is not valid. 546 IKE security association establishment failed because the peer sent a proposal that is not valid. A packet was received that contained data that is not valid. 547 A failure occurred during an IKE handshake. 548 Logon failure. The security ID (SID) from a trusted domain does not match the account domain SID of the client. 549 Logon failure. All SIDs corresponding to untrusted namespaces were filtered out during an authentication across forests. 550 Notification message that could indicate a possible denial-of-service attack. 551 A user initiated the logoff process. 552 A user successfully logged on to a computer using explicit credentials while already logged on as a different user. 682 A user has reconnected to a disconnected terminal server session. 683 A user disconnected a terminal server session without logging off. Note · This event is generated when a user is connected to a terminal server session over the network. It appears on the terminal server.
[Logon Event]
Logon type |
Logon title |
Description |
2 |
Interactive |
A user logged on to this computer. |
3 |
Network |
A user or computer logged on to this computer from the network. |
4 |
Batch |
Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
5 |
Service |
A service was started by the Service Control Manager. |
7 |
Unlock |
This workstation was unlocked. |
8 |
NetworkCleartext |
A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
9 |
NewCredentials |
A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
10 |
RemoteInteractive |
A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
11 |
CachedInteractive |
A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |