Dears,

    I am checking Audit logs in Event Viewer on my KSC Windows server. I have found some logon events (ID 4624) which are based on NTLM. Does this happen normally from clients to the KSC server, or can it be unauthorized access? Here are the event details:

An account was successfully logged on.

Subject:
    Security ID:        NULL SID
    Account Name:        -
    Account Domain:        -
    Logon ID:        0x0

Logon Information:
    Logon Type:        3
    Restricted Admin Mode:    -
    Virtual Account:        No
    Elevated Token:        No

Impersonation Level:        Impersonation

New Logon:
    Security ID:        "a user in our domain" (I have sealed it)
    Account Name:        "the username"
    Account Domain:        "our domain"
    Logon ID:        0x19565D21
    Linked Logon ID:        0x0
    Network Account Name:    -
    Network Account Domain:    -
    Logon GUID:        {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:        0x0
    Process Name:        -

Network Information:
    Workstation Name:    "client's computer name"
    Source Network Address:    "client's IP"
    Source Port:        63675

Detailed Authentication Information:
    Logon Process:        NtLmSsp 
    Authentication Package:    NTLM
    Transited Services:    -
    Package Name (NTLM only):    NTLM V2
    Key Length:        128

 

Thanks in advance
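A parser for the message text of an event like the one posted above, as an added example that is not part of the original post: it groups Type 3 NTLM logons by account, workstation and source address so they can be compared with the clients expected to connect to the server. The sample event and its values (jdoe, EXAMPLE, CLIENT01, 192.0.2.10) are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import Counter
# Constructed sample in the layout of the event above (placeholder values);
# KERBEROS_EVENT is the same event with the package swapped, to show filtering.
SAMPLE_EVENT = """An account was successfully logged on.
Subject:
    Account Name:        -
Logon Information:
    Logon Type:        3
Impersonation Level:        Impersonation
New Logon:
    Account Name:        jdoe
    Account Domain:        EXAMPLE
Network Information:
    Workstation Name:    CLIENT01
    Source Network Address:    192.0.2.10
Detailed Authentication Information:
    Authentication Package:    NTLM
    Package Name (NTLM only):    NTLM V2
"""
KERBEROS_EVENT = re.sub(r"(Authentication Package:\s*)NTLM", r"\1Kerberos", SAMPLE_EVENT)

def parse_4624(text):
    """Parse the event message into {section: {field: value}}."""
    sections, current = {}, ""
    for line in text.splitlines():
        m = re.match(r"^(\s*)([^:]+):\s*(.*?)\s*$", line)
        if not m:
            continue  # blank lines and the headline sentence
        indent, key, value = m.groups()
        if not value:  # "Subject:", "New Logon:" ... start a section
            current = key.strip()
            sections.setdefault(current, {})
        else:  # unindented fields (Impersonation Level) go to section ""
            sections.setdefault(current if indent else "", {})[key.strip()] = value
    return sections

def ntlm_network_logon(ev):
    """Return (account, workstation, source IP, NTLM version) for a Type 3 NTLM logon, else None."""
    auth = ev.get("Detailed Authentication Information", {})
    logon_type = ev.get("Logon Information", {}).get("Logon Type")
    if logon_type != "3" or auth.get("Authentication Package") != "NTLM":
        return None
    new, net = ev.get("New Logon", {}), ev.get("Network Information", {})
    return (f'{new.get("Account Domain")}\\{new.get("Account Name")}', net.get("Workstation Name"),
            net.get("Source Network Address"), auth.get("Package Name (NTLM only)"))

def summarize(events):
    """Count NTLM network logons per (account, workstation, source IP, NTLM version)."""
    return Counter(s for s in map(ntlm_network_logon, map(parse_4624, events)) if s)
```

Calling `summarize()` on a list of exported event messages returns a `Counter` keyed by account, workstation, source address and NTLM version.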
