Audit logs

    I am checking audit logs in Event Viewer on my KSC Windows server. I have found some logon events (ID 4624) which are based on NTLM. Does it happen normally from clients to the KSC server, or can it be unauthorized access? Here are the event details:

An account was successfully logged on.

    Security ID:        NULL SID
    Account Name:        -
    Account Domain:        -
    Logon ID:        0x0

Logon Information:
    Logon Type:        3
    Restricted Admin Mode:    -
    Virtual Account:        No
    Elevated Token:        No

Impersonation Level:        Impersonation

New Logon:
    Security ID:        "a user in our domain" (I have sealed it)
    Account Name:        "the username"
    Account Domain:        "our domain"
    Logon ID:        0x19565D21
    Linked Logon ID:        0x0
    Network Account Name:    -
    Network Account Domain:    -
    Logon GUID:        {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:        0x0
    Process Name:        -

Network Information:
    Workstation Name:    "client's computer name"
    Source Network Address:    "client's IP"
    Source Port:        63675

Detailed Authentication Information:
    Logon Process:        NtLmSsp 
    Authentication Package:    NTLM
    Transited Services:    -
    Package Name (NTLM only):    NTLM V2
    Key Length:        128


Thanks in advance

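Added example, not part of the original post: a parser for the 4624 message text in the layout Event Viewer displays, with checks a reviewer can apply to NTLM network logons (Logon Type 3) like the one posted above. The sample values, the `expected_sources` client list and the function names are assumptions made for illustration.

```python
# Constructed sample in Event Viewer's 4624 message layout (all values invented).
SAMPLE = """An account was successfully logged on.
Subject:
    Security ID:        NULL SID
    Account Name:       -
Logon Information:
    Logon Type:         3
New Logon:
    Account Name:       jdoe
    Account Domain:     EXAMPLE
Network Information:
    Workstation Name:   CLIENT-PC01
    Source Network Address:  192.0.2.15
Detailed Authentication Information:
    Authentication Package:  NTLM
    Package Name (NTLM only):  NTLM V2
"""

def parse_4624(text):
    """Return {section: {field: value}}; 'Account Name' occurs under both
    Subject and New Logon, so fields must be keyed by their section."""
    event, section = {}, "Subject"  # assumed default if the header was trimmed
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue  # blank line or the leading summary sentence
        key, value = key.strip(), value.strip()
        if value or raw[:1].isspace():
            event.setdefault(section, {})[key] = value
        else:
            section = key  # unindented "Name:" line opens a new section
    return event

def triage_ntlm(event, expected_sources):
    """Review points for an NTLM network logon; None for any other logon."""
    auth = event.get("Detailed Authentication Information", {})
    if (event.get("Logon Information", {}).get("Logon Type") != "3"
            or auth.get("Authentication Package") != "NTLM"):
        return None
    who, net = event.get("New Logon", {}), event.get("Network Information", {})
    notes = []
    if auth.get("Package Name (NTLM only)") != "NTLM V2":
        notes.append("pre-NTLMv2 protocol negotiated")
    if who.get("Account Name", "").upper() == "ANONYMOUS LOGON":
        notes.append("anonymous (null session) logon")
    if net.get("Source Network Address") not in expected_sources:
        notes.append("source address not in expected client list")
    return notes
```

An empty list means none of these checks fired, not that the logon is authorized.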
