MORE INFORMATION
Here is typical audit output showing a server startup logon pattern:
Username Type Date
--------------------------------------------------
1 *** Service 12-01-92 05:01pm
2 NETLOGON Installed
3 *** Service 12-01-92 05:02pm
4 ALERTER Installed
5 *** Service 12-01-92 05:02pm
6 REPLICATOR Installed
7 *** Service 12-01-92 05:02pm
8 SERVER Installed
9 *** Server 12-01-92 05:02pm
10 Server started
11 BILLG Session 12-01-92 05:02pm
12 Logon Admin
13 BILLG Log on to network 12-01-92 05:02pm
14 Logon Admin
15 BILLG Session 12-01-92 05:02pm
16 Logoff normal, Duration: Less than one second
17 BILLG Session 12-01-92 05:02pm
18 Logon Admin
The command completed successfully.
The 18 lines of this audit record were generated from a STARTUP.CMD
file containing the following lines:
net start server /auditing:yes
net logon billg password /y
Note: Lines have been inserted in the audit log (shown above) to
provide a logical grouping of transaction information with two
transaction lines per grouping.
The first command executed in the STARTUP.CMD (shown above) is "NET
START SERVER /AUDITING:YES". This generates lines 1-10 of the audit
log output.
As noted above, all entries may be logically paired to show:
- Who did an activity (at what time)
- What activity occurred
Example
1 *** Service 12-01-92 05:01pm <Who performed>
2 NETLOGON Installed <What activity>
The *** on lines 1, 3, 5, 7, and 9 above indicates that the server itself
performed the activity. After the services and the server start, the audit
log contains lines 1-10.
The second command executed in the STARTUP.CMD file is "net logon
billg password /y".
The "successful session logon" transaction is one that can be audited.
(See page 43 of the Microsoft LAN Manager "Installation and Configuration
Guide," version 2.2 for other auditing transactions).
A NET LOGON (even when executed at the server) first causes the
workstation service routines to broadcast to find the server. This
broadcast results in a session being established between the workstation
and the server so that the server can receive a request (in this case, a
NET LOGON request).
In the course of session establishment (similar to a NET USE), a user
validation occurs. This results in an audit entry for "successful session
logon" as shown below.
11 BILLG Session 12-01-92 05:02pm
12 Logon Admin
Note: At this point we have done nothing related to the NET LOGON service,
although the user account database is used for a user/password validation.
Next, the workstation sends a Server Message Block (SMB) request to the
server service to "logon to the network". This request is received by the
server and processed by the NET LOGON service. This includes validation by
the NET LOGON service of the user's username and password. This is the
"successful network logon".
13 BILLG Log on to network 12-01-92 05:02pm
14 Logon Admin
After this, the NET LOGON session is disconnected from the server.
This is displayed in the audit log as a logoff (actually, it is a
session disconnect). For NET LOGON, this pattern of broadcast, session
establishment, NET LOGON, and disconnect is normal because NET LOGON
is session based: once the NET LOGON completes, no permanent session is
required, so the session is disconnected.
15 BILLG Session 12-01-92 05:02pm
16 Logoff normal, Duration: Less than one second
This reveals the following pattern (*) for NET LOGON transactions:
* session connect -> [session logon]
11 BILLG Session 12-01-92 05:02pm
12 Logon Admin
* logon validation -> [network logon]
13 BILLG Log on to network 12-01-92 05:02pm
14 Logon Admin
* session disconnect -> [session disconnect]
15 BILLG Session 12-01-92 05:02pm
16 Logoff normal, Duration: Less than one second
Finally, if persistent connections are enabled (as in this case), a
NET USE may occur, resulting in the establishment of a more permanent
session logon (how long it lasts depends on the autodisconnect value).
17 BILLG Session 12-01-92 05:02pm
18 Logon Admin