Logon Type 3
Shawnda Regal
How can i configure that alert in such a way that there is only type 3 logon with no preceding logon type 10 because when i RDP in to the server i get results for both logon type 3 and preceding logon type 10.
Microsoft provides more detailed description of logon types at -us/library/cc787567(v=ws.10).aspx (Audit Logon Events).
This topic at the Microsoft site is about logon events auditing for pre-Vista operating systems, but it looks like Logon Type constants are valid for all Windows operating systems.
An event with logon type=2 occurs whenever a user logs on (or attempts to log on) a computer locally, e.g. by typing user name and password on Windows logon prompt. Events with logon type = 2 occur when a user logs on with a local or a domain account. However, if a user logs on with a domain account, this logon type will appear only when a user really authenticated in the domain (by a domain controller). In case if the DC not available, but the user provided valid domain credentials cached in the local PC, Windows will log an event with logon type = 11.
The description of this logon type clearly states that the event logged when somebody accesses a computer from the network. Commonly it appears when connecting to shared resources (shared folders, printers etc.). As we learned in the previous post, the connection with logon type = 3 could be established even from a local computer.
An event with logon type = 7 occurs when a user unlocks (or attempts to unlock) a previously locked workstation. Note that when a user unlocks computer, Windows creates a new logon session (or 2 logon sessions depending on the elevation conditions) and immediately closes it (with event 4634). When you are switching between logged on user accounts with Fast User Switching feature, you may think that such switching generates event 4624 with logon type = 7 because it looks like you lock and unlock workstation. However Windows generates events 4624 with logon type = 2 (interactive). When Audit Failure logon event (4625) is registered with logon type = 7, this commonly means that either you made a typo when entering the password, or someone is trying to break into the computer.
I believe that you should never see logon events with logon type = 8. This event is generated when a password comes from the net as a clear text. Such events may occur when a user logs on IIS (Internet Information Services) with basic access authentication method. Transferring passwords in plaintext format is dangerous because the passwords could be sniffed and revealed. So if basic authentication is the only option for you, you should protect your network connection (using encryption protocols like SSL/TLS, creating virtual private network etc.).
Logon type 9: NewCredentials. A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
This will run Event Log Explorer even if you provided a wrong password. This happens because it uses a cloned current credentials to run the program (a new logon session will be opened). And logon event 4624 will be logged with logon type = 9 (logoff event will be logged when you quit the application). But what about SERVER? The server will register 4624 or 4625 events in Security log with logon type = 3 but only when the application from WORK computer will try to access a shared resource on the server, e.g. Event Log Explorer will try to open resource file with event descriptions.
Logon type 11: CachedInteractive. A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.
Now I am trying to install it on a different machine through the .msi file, but I am having an issue, on the installation steps there is one step which asks me "Logon type" which gives me 2 choices as it can be seen on the image. I do not know the differences between them and also it only lets me choose run service as a local system(not recommended) adn this install jenkins on the windows/system32 folder. I have been loking to tutorials but it seems all of them skip this step. I have also search on here with no success. Does anyone know the difference and how to use the recommended one? I have tried to enter my windows and jenkins credentials and nothing. What user and password are to be entered on this window?
I am kind of stumped on this one. We have a ton of logon failures daily for one of our administrator accounts on a file share server. There are no services running under this account nor are there any scheduled tasks. I can't figure out what is trying to log in under the account. Here are the details of the failure in Event Viewer:
%uFEFFWe have observerd lots of logon failures for one of our administrator accounts on a our server. We are not able to figure out what is trying to log in under the account and what is this error.. Here are the details of the failure in Event Viewer:
Desktop flow execution or connection creation is failing with the error status code -1073741477 and message: A user has requested a type of logon (e.g., interactive or network) that has not been granted. An administrator has control over who may logon interactively and through the network.
Does anyone actually like scrolling through the Event Viewer? Well the filtering is nice, but why make yourself do all that work? Besides, what is login type 7 or how do you filter for specific users? Let me show you in PowerShell (no idea if that wink will actually show up or just be :wink:)
To be honest, I didn't know where to begin with this one. The error "the user has not been granted the requested logon type at this computer" presumably refers to the system account that docker runs under. No idea how to check those permissions or why they would change. I initially resorted to rebooting.
Windows recognizes different types of logon with subtly different securityimplications. Bitvise SSH Server can be configured, on a per-account or per-group basis, to use either of the following two logon types:
Network logon. By default, this logon type is configured in SSH Server Advanced settings for both Windows and virtual group settings entries. This logon type is therefore used, by default, for all accounts.
Use of the Network logon type allows the user to log in via SSH even if the underlying Windows account is not granted the Windows security privilege Log on locally. However, on Windows Server 2003, the default filesystem permissions normally block access to cmd.exe and other command line tools when a logon session does not have the Interactive logon type.
Interactive logon. Use of the Interactive logon type requires a Windows account to be granted the Windows security privilege to Log on locally. By default, this logon type is not used by the SSH Server because a significant number of Windows servers are configured in such a way that this privilege is not granted for non-Administrator accounts.
For some purposes, the Interactive logon type is required. For example, it is not possible to access server-side printers in an SSH terminal session unless the SSH user is either an administrator, or has the Interactive logon type. The Interactive logon type is also required on Windows Server 2003 for terminal shell access.
We recommend that users who require terminal shell access use the Interactive logon type. It will usually also make sense for them to log in via SSH as Windows users, not as virtual accounts.
On the other hand, we recommend that users who will use only file transfer and/or tunneling use the Network logon type. If this use is outside of a domain environment, it may also make sense (less overhead) to create for these users virtual accounts, which are internal to Bitvise SSH Server, instead of creating a separate account in Windows for each user.
Essential Windows security settings that affect logon types are configured in the Group Policy Editor. This can be opened using the Windows Run dialog (Windows key + R) and starting: gpedit.msc. The settings are located under:
Deny log on locally. For accounts that match this setting, login will be prohibited using the Interactive logon type, even if the account matches the setting Allow log on locally.
Allow log on locally. For accounts that match this setting, login will be permitted using the Interactive logon type, unless the account also matches the setting Deny log on locally.
Deny access to this computer from the network. For accounts that match this setting, login will be prohibited using the Network logon type, even if the account matches the setting Access this computer from the network.
Access this computer from the network. For accounts that match this setting, login will be permitted using the Network logon type, unless the account also matches the setting Deny access to this computer from the network.
Windows logon types are described by Microsoft as part of documentation for the LogonUser API. At the time of this writing, authoritative descriptions of logon types NETWORK and NETWORK_CLEARTEXT are as follows:
35fe9a5643