Windows logon auditing is an important activity for diverse security and compliance needs. Businesses may require a full and accurate logon audit to:
- perform accurate forensics
- demonstrate they are protecting data from unauthorized access – for regulatory compliance
- verify the attendance / working hours of any employee
- monitor specific session types such as remote desktop sessions or VPN sessions
- quickly see who has last logged on to a particular machine
- easily identify failed logon attempts where access is not permitted
- view the complete logon history of any user or machine in the domain
Auditing Windows Logon Events
Logon session auditing however can be tricky. Native event logs are difficult to understand and too cumbersome to manually audit. Over 200 different event logs can be recorded – whether an informational event, a warning, an error or a security event. Windows generates these events not only when a user physically logons to the system, but when accessing a shared resource from a remote computer.
Event Viewer and its Shortcomings
From Windows Server 2008 these event logs were redesigned in an XML-based log format. For example, the event ID for a user logon event is 4624, an account failed to logon is 4625, and an attempted logon using explicit credentials is 4648.
The graphical user interface tool that most administrators are familiar with when it comes to event logs is Windows Event Viewer but It’s important to remember, Microsoft didn’t design Event Viewer to be an auditing solution; it was designed to simply provide IT pros a centralized application in which to view event data.
- Too much detail –The magnitude of the number of events, how quickly they come in, and how difficult it is to find anything in that haystack-like pile of log entries.
- Not enough help – Event logging is about consolidating the raw event data and making it available centrally. But to find out something as simple requires much more work than just skimming through the event log data; it requires meticulous research into specific field values within multiple log entries, all to “puzzle piece” your way to a potential answer. A single action in the file system can generate 5-10 log entries, each documenting a different aspect of what IT would consider a single activity.
- Way too manual – While event viewer does leverage some “automation”- such as WMI filtering or the leveraging of the Task Scheduler to send alerts, but by and large, Event Viewer requires manual work to obtain the needed audit data.
- Not audit-friendly – Auditors like to ask specific questions. Obtaining the answer to this seemingly simple question requires some complex filtering, consolidation of events, and digging into the event results to find the answer. In reality, Event Viewer isn’t designed to specifically meet the needs of auditors; there is no delegation of log access to given an external auditor the ability to run their own queries, there is no intelligent way to query the event data, and the data itself is presented at the operating system level and not at a level where an auditor can gain insight into what’s actually happening within your environment.
With an overwhelming amount of data being contained in so many individual logs on each of their servers, administrators have had to learn more efficient ways to retrieve the specific information they’re looking for.
Reporting on Windows Logon Events Far Beyond Native Auditing
UserLock offers extensive session auditing and reporting on all windows logon activity across the whole network — far beyond what Microsoft includes in Windows Server and Active Directory auditing. Agent deployment is a breeze and pricing makes it affordable for SMBs and enterprises alike.
- Record and report on all user connection events to provide a central audit across the whole network
- Detailed reports can be generated on any or all session types for select time periods, users and groups
- Filter and sort the audit to show only the most pertinent results for your business
- Achieve tamper-proof auditing as all administrator activity is itself stringently audited and securely archived
- Get scalable auditing that works whether you have 100 or 100,000 users
Two Factor Authentication & Access Management for Windows Logon
Of course, auditing alone isn’t enough for any businesses that are serious about protecting logon access. UserLock makes it easy to secure all Windows logon activity.
- Enable customized two-factor authentication on Windows logon, RDP and VPN connections
- Combine with restrictions based on login context
- Get real-time visibility into all user activity
- Interact remotely with any user session, direct from the console.
So if you are looking to better protect Windows logins beyond a simple password and native auditing, download now the fully functional free trial of UserLock.
The post Windows Logon Audit Far Beyond Native Windows Security appeared first on Enterprise Network Security Blog from IS Decisions.
*** This is a Security Bloggers Network syndicated blog from Enterprise Network Security Blog from IS Decisions authored by Chris Bunn. Read the original post at: https://www.isdecisions.com/blog/it-security/windows-logon-audit-far-beyond-native-windows-security/