Windows domain controller authentication logon logging and forensics

This question does not consider Windows Server 2003 and older operating systems.

I know that for local logons (event ID 4624), the logon type (interactive, remote, etc.) is also recorded. Is there a way to identify the logon type, along with the domain authentication, by collecting only the domain controller logs? That is, can a user authenticating at his workstation (via the keyboard) and a user or service authenticating over the network both generate event IDs such as 4771 and 4768, and if so, is there a way to tell this from the log (4771 or 4768)? Or does network authentication always fall under event ID 4769, leaving event IDs 4771 and 4768 only for local authentication?

No, 4624 is not only for local workstation logons. They also appear on domain controllers. The same rules apply to local logons and domain logons.

The trick is to look at the Logon Type listed in event 4624. If the event shows

Logon Type: 3

then you know it was a network logon. These events occur on the domain controller when a user (or computer) logs on to the AD domain, so yes, collecting the domain controllers is what you want to do.

•2: Interactive logon — This is used for a logon at the console of a computer. A type 2 logon is logged when you attempt to log on at a Windows computer’s local keyboard and screen.

•3: Network logon — This logon occurs when you access remote file shares or printers. Also, most logons to Internet Information Services (IIS) are classified as network logons, other than IIS logons that use the basic authentication protocol (those are logged as logon type 8).

•4: Batch logon — This is used for scheduled tasks. When the Windows Scheduler service starts a scheduled task, it first creates a new logon session for the task, so that it can run in the security context of the account that was specified when the task was created.

•5: Service logon — This is used for services and service accounts that log on to start a service. When a service starts, Windows first creates a logon session for the user account that is specified in the service configuration.

•7: Unlock — This is used whenever you unlock your Windows machine.

•8: Network clear text logon — This is used when you log on over a network and the password is sent in clear text. This happens, for example, when you use basic authentication to authenticate to an IIS server.

•9: New credentials-based logon — This is used when you run an application using the RunAs command and specify the /netonly switch. When you start a program with RunAs using /netonly, the program starts in a new logon session that has the same local identity (this is the identity of the user you are currently logged on with), but uses different credentials (the ones specified in the runas command) for other network connections. Without /netonly, Windows runs the program on the local computer and on the network as the user specified in the runas command, and logs the logon event with type 2.

•10: Remote Interactive logon — This is used for RDP-based applications like Terminal Services, Remote Desktop or Remote Assistance.

•11: Cached Interactive logon — This is logged when users log on using cached credentials, which basically means that in the absence of a domain controller, you can still log on to your local machine using your domain credentials. Windows supports logon using cached credentials to ease the life of mobile users and users who are often disconnected.
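The answer above boils down to one forensic step: read the Logon Type field of each 4624 record on the domain controller and classify it with the table above, keeping the Kerberos events (4768/4769/4771) as a separate view of the same authentications. The script below is an added example, not code from the original post or from Microsoft: it parses records in the Windows Event XML schema (the format `Get-WinEvent` or `wevtutil /f:xml` exports), groups 4624 events by logon type, lists the Kerberos events, and flags any interactive or RDP logon whose target is the DC itself, which a defender normally wants to know about. The sample records, account names, addresses and the helper names (`summarize`, `interactive_on_dc`) are constructed for this example.

```python
"""Classify exported domain controller Security events by 4624 Logon Type.

Added example (not from the original Q&A). Input is Windows Event XML, as
exported by Get-WinEvent / wevtutil; the records below are constructed.
"""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Logon types as listed in the answer above.
LOGON_TYPES = {
    2: "Interactive",
    3: "Network",
    4: "Batch",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials",
    10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Logon types that mean someone is at the console or on an RDP session of the
# machine that logged the event; on a DC that deserves attention.
INTERACTIVE_TYPES = {2, 10}


def _event(event_id, **fields):
    """Build a constructed record in the Event XML schema (only fields used here)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f"<Event xmlns=\"{NS['e']}\"><System><EventID>{event_id}</EventID>"
            f"</System><EventData>{data}</EventData></Event>")


# Constructed sample export from a DC named DC01 (hypothetical names/addresses).
SAMPLE_RECORDS = [
    _event(4624, TargetUserName="alice", LogonType=2, WorkstationName="DC01", IpAddress="-"),
    _event(4624, TargetUserName="alice", LogonType=3, WorkstationName="WS17", IpAddress="10.0.0.17"),
    _event(4624, TargetUserName="svc-backup", LogonType=5, WorkstationName="DC01", IpAddress="-"),
    _event(4624, TargetUserName="bob", LogonType=10, WorkstationName="LAPTOP42", IpAddress="10.0.0.42"),
    _event(4768, TargetUserName="alice", ServiceName="krbtgt", IpAddress="::ffff:10.0.0.17"),
    # 0x18 is KDC_ERR_PREAUTH_FAILED: a wrong password at the Kerberos pre-auth step.
    _event(4771, TargetUserName="bob", Status="0x18", IpAddress="::ffff:10.0.0.42"),
]


def parse_event(xml_text):
    """Return (event_id, {data name: value}) for one Event XML record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def describe_logon_type(data):
    """Map the LogonType field of a 4624 record to the name from the table above."""
    ltype = int(data.get("LogonType", -1))
    return LOGON_TYPES.get(ltype, f"Unknown({ltype})")


def summarize(records):
    """Count 4624 events per logon type; collect Kerberos events (4768/4769/4771)."""
    by_type = Counter()
    kerberos = []
    for xml_text in records:
        event_id, data = parse_event(xml_text)
        if event_id == 4624:
            by_type[describe_logon_type(data)] += 1
        elif event_id in (4768, 4769, 4771):
            kerberos.append((event_id, data.get("TargetUserName"),
                             data.get("IpAddress"), data.get("Status", "")))
    return by_type, kerberos


def interactive_on_dc(records):
    """Return (user, type name) for console/RDP logons recorded on the DC."""
    hits = []
    for xml_text in records:
        event_id, data = parse_event(xml_text)
        if event_id == 4624 and int(data.get("LogonType", -1)) in INTERACTIVE_TYPES:
            hits.append((data.get("TargetUserName"), describe_logon_type(data)))
    return hits


if __name__ == "__main__":
    counts, kerb = summarize(SAMPLE_RECORDS)
    for name, n in sorted(counts.items()):
        print(f"4624 {name}: {n}")
    for ev in kerb:
        print("Kerberos", ev)
    for user, kind in interactive_on_dc(SAMPLE_RECORDS):
        print(f"review: {kind} logon on DC by {user}")
```

Because 4624 is recorded by the machine that created the logon session, a type 2 or type 10 entry in the DC's own Security log means the console or an RDP session of that DC, which is why `interactive_on_dc` only looks at those two types; workstation console logons show up on the DC as Kerberos events (4768/4769) rather than as 4624 type 2.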
