Auditing User Authentication

Last reviewed: March 19, 1998
Article ID: Q174073
The information in this article applies to:
  • Microsoft Windows NT Workstation versions 3.5, 3.51, and 4.0
  • Microsoft Windows NT Server versions 3.5, 3.51, and 4.0

SUMMARY

This article contains tips for interpreting security auditing events related to user authentication.

These events will all appear in the Security event log and will be logged with a source of Security.

MORE INFORMATION

EventID   Description
-------   -----------
   514     An authentication package has been loaded by the LSA
   515     A trusted logon process has registered with the LSA
   518     A notification package has been loaded by the Security
           Account Manager
   528     Successful Logon
   529     Logon Failure: Unknown user name or bad password
   530     Logon Failure: Account logon time restriction violation
   531     Logon Failure: Account currently disabled
   532     Logon Failure: The specified user account has expired
   533     Logon Failure: User not allowed to logon at this computer
   534     Logon Failure: The user has not been granted the requested
           logon type at this machine
   535     Logon Failure: The specified account's password has expired
   536     Logon Failure: The NetLogon component is not active
   537     Logon Failure: An unexpected error occurred during logon
   538     User Logoff
   539     Logon Failure: Account locked out

For more information on security events, please see the following article in the Microsoft Knowledge Base:

   ARTICLE-ID: 174074
   TITLE     : Security Event Descriptions

Security Identifiers (SIDs)

Some security events report SIDs instead of user names. In this case, it is often difficult to determine which user account is being referred to in the event.

It is possible to build a list of mappings of user names to SIDs by performing the following steps:

  1. Dump the user list to a text file with the NET USERS command or with Addusers.exe.

  2. Modify this text file to remove unwanted information (headers, and so forth).

  3. Modify the resulting list of user names into a batch file, using the GETSID resource kit utility to translate each user name into a SID. Redirect the output to a text file.

  4. When you encounter a SID, search the text file (created previously) for that SID. This will place you on the line with the user's name.

Logon Type

"Logon Type" will be one of the following:
   2  Interactive
   3  Network
   4  Batch
   5  Service
   6  Proxy
   7  Unlock Workstation
   (0 & 1 are invalid)
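
The following is an added example, not part of the original article: it decodes logon records using the event ID and logon type tables above and resolves SIDs through a name-to-SID list like the one built in steps 1-4. The "name SID" list layout, the comma-separated export layout (event ID, account or SID, logon type), and the sample accounts and SIDs are constructed assumptions.

```python
import csv
import io
from collections import Counter

LOGON_EVENTS = {  # event IDs and logon types as listed in the article's tables
    528: "Successful Logon",
    529: "Unknown user name or bad password",
    530: "Account logon time restriction violation",
    531: "Account currently disabled",
    532: "The specified user account has expired",
    533: "User not allowed to logon at this computer",
    534: "The user has not been granted the requested logon type at this machine",
    535: "The specified account's password has expired",
    536: "The NetLogon component is not active",
    537: "An unexpected error occurred during logon",
    538: "User Logoff",
    539: "Account locked out",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               6: "Proxy", 7: "Unlock Workstation"}
FAILURES = set(range(529, 538)) | {539}  # every "Logon Failure" ID above

# Constructed sample data: "name SID" list and "event id,account,logon type" export.
SID_LIST = """alice S-1-5-21-1111111111-2222222222-3333333333-1001
bob S-1-5-21-1111111111-2222222222-3333333333-1002"""
LOG_EXPORT = """528,alice,2
529,S-1-5-21-1111111111-2222222222-3333333333-1002,3
529,bob,3
539,bob,3
528,alice,1"""

def load_sid_map(text):
    """Return {SID: user name}; rsplit keeps user names that contain spaces."""
    return {sid: name for name, sid in (ln.rsplit(None, 1) for ln in text.splitlines())}

def decode(log_text, sid_map):
    """Yield (event id, description, account, logon type name) per record."""
    for event_id, account, ltype in csv.reader(io.StringIO(log_text)):
        eid = int(event_id)
        yield (eid, LOGON_EVENTS.get(eid, "not listed"),
               sid_map.get(account, account),  # resolve a SID when it is in the list
               LOGON_TYPES.get(int(ltype), "invalid or not listed"))

def failures_by_account(records):
    """Count logon-failure events per resolved account name."""
    return Counter(acct for eid, _, acct, _ in records if eid in FAILURES)

if __name__ == "__main__":
    print(*decode(LOG_EXPORT, load_sid_map(SID_LIST)), sep="\n")
```

Resolving SIDs before counting matters: the failure reported by SID and the two reported by name collapse into one account, so the lockout (539) is seen alongside the failures that preceded it.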

Logon Process

"Logon Process" will be one of the following:

  "msv1_0" or "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0":
     msv1_0.dll, the default authentication package

  "KSecDD":
     ksecdd.sys, the security device driver

  "User32" or "WinLogon\MSGina":
     winlogon.exe & msgina.dll, the authentication user interface

  "SCMgr":
     The Service Control Manager

  "LAN Manager Workstation Service"

  "advapi":
     API call to LogonUser

User Rights

For more detail on user rights, please see the following Microsoft Knowledge Base article:

   ARTICLE-ID: Q101366
   TITLE     : Definition and List of Windows NT Advanced User Right

For more information on auditing user right changes, please see the following Microsoft Knowledge Base article:

   ARTICLE-ID: Q163905
   TITLE     : Auditing User Right Assignment Changes

Supplemental Information

For more information on user authentication, please see the following Microsoft Knowledge Base article:

   ARTICLE-ID: Q102716
   TITLE     : User Authentication with Windows NT

For more information on authentication on networks, see:

   ARTICLE-ID: Q122422
   TITLE     : Example of Remote Logon with Windows NT Server




© 1998 Microsoft Corporation. All rights reserved.