Why not put the service accounts in a group and apply GPO that denies
logon type 2 (Logon Locally) via User Rights Assignment. 
1) The common logon types are the following.

a) Logon Type (2): Console logon - interactive from the computer console

b) Logon Type (3): Network logon - network mapping (net use/net view)

c) Logon Type (4): Batch logon - scheduler

d) Logon Type (5): Service logon - service uses an account

e) Logon Type (6): Proxy Logon

f) Logon Type (7): Unlock Workstation

g) Logon Type (8): NetworkClearText (Reserved for cleartext logons over the network)

h) Logon Type (9): NewCredentials (Initiated by using the runas command with /netonly)

i) Logon Type (10): Remote Interactive (Recorded for Terminal Service logons)

j) Logon Type (11): Cached Interactive (Recorded when cached credentials are used to logon locally to a computer)

k) Logon Type (13): CachedUnlock (Recorded when the computer was unlocked and the user's credentials were verified against previously cached credentials.)
Z
Edward Ziots

CISSP, Security +, Network +

Security Engineer

Lifespan Organization

ezi...@lifespan.org
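One way to confirm on a member server that the deny-logon policy Edward suggests has actually applied. This is an added example, not code from either poster: it parses the [Privilege Rights] section of a `secedit /export` file and reports whether a given group SID is present in "Deny log on locally" (SeDenyInteractiveLogonRight) and, as an extra check the thread does not raise, in "Deny log on through Remote Desktop Services" (SeDenyRemoteInteractiveLogonRight), because a type-10 logon is not stopped by the local deny alone. The export text and the group SID below are constructed.

```powershell
# Added example (not from the thread). Checks a secedit export for the
# deny-logon rights that should cover the service-account group.

function Get-UserRightsAssignment {
    param([Parameter(Mandatory)] [string] $ExportText)
    # secedit writes an INI-style file; user rights live under [Privilege Rights]
    # as  SeRight = *S-1-5-21-...,Name,...  (SIDs prefixed with *, names bare).
    $rights = @{}
    $inSection = $false
    foreach ($line in ($ExportText -split "`r?`n")) {
        if ($line -match '^\[(.+)\]') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection -or $line -notmatch '^\s*(Se\w+)\s*=\s*(.*)$') { continue }
        $rights[$Matches[1]] = @(
            $Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ }
        )
    }
    $rights
}

function Test-ServiceAccountsDeniedInteractive {
    param(
        [Parameter(Mandatory)] [string] $ExportText,
        [Parameter(Mandatory)] [string] $GroupSid   # SID of the group holding the service accounts
    )
    $rights = Get-UserRightsAssignment -ExportText $ExportText
    [pscustomobject]@{
        DeniedLocal  = ($rights['SeDenyInteractiveLogonRight']       -contains $GroupSid)
        DeniedRemote = ($rights['SeDenyRemoteInteractiveLogonRight'] -contains $GroupSid)
    }
}

# Constructed sample export with a made-up domain SID. On a real server produce
# the file with:  secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
# and read it with  (Get-Content "$env:TEMP\rights.inf") -join "`n"
$SampleExport = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105,Guest
SeDenyRemoteInteractiveLogonRight = Guest
[Version]
signature="$CHICAGO$"
Revision=1
'@

Test-ServiceAccountsDeniedInteractive -ExportText $SampleExport `
    -GroupSid 'S-1-5-21-1111111111-2222222222-3333333333-1105'
```

With the constructed export the result is DeniedLocal = True and DeniedRemote = False, which is exactly the gap to look for: the group is kept off the console but could still reach a server over Terminal Services until the remote-interactive deny is added to the same GPO.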

 

From: Christopher Bodnar [mailto:christopher_bod...@glic.com] 
Sent: Thursday, June 28, 2012 10:37 AM
To: NT System Admin Issues
Subject: Identifying service accounts that are logging in interactively

 

Is anyone else tasked with doing this? This is a new requirement from
audit. We have about 1,000 accounts that are being used to run services
in the environment. So audit is asking how we know these accounts aren't
being used to logon interactively. All security logs are being shipped
to our SIEM system. The question is how to identify this. My thought is
that it would have to be an event from the member servers' security log
with an event ID of 528 where the logon type is not 5. Environment is
FFL 2003.

Initially I thought we would be able to distinguish this from just the
domain controllers' security logs, but that does not seem to be the case.
Just looking at the domain controller logs, there doesn't seem to be any
differentiation between the logon types; that is captured at the machine
they are logging on from.



If anyone has recommendations on how to do this differently or if they
see a problem I'm missing, let me know. 

Thanks 

Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology: Enterprise
Architecture and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com

The Guardian Life Insurance Company of America

www.guardianlife.com


----------------------------------------- This message, and any
attachments to it, may contain information that is privileged,
confidential, and exempt from disclosure under applicable law. If the
reader of this message is not the intended recipient, you are notified
that any use, dissemination, distribution, copying, or communication of
this message is strictly prohibited. If you have received this message
in error, please notify the sender immediately by return e-mail and
delete the message and any attachments. Thank you. 
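Christopher's rule (a successful logon event on the member servers, for a known service account, where the logon type is not 5) as an added example that is not part of the original thread. The service-account list and the sample events are constructed, shaped like 528 (2003) or 4624 (2008+) records after a SIEM has split them into fields; the `Get-LiveLogonEvents` helper is an assumption showing how the same fields come out of a 2008+ Security log with `Get-WinEvent` (a 2003 host would need `Get-EventLog` and event 528 instead). The default allowed set adds types 4 and 3 to type 5 as an assumption, to cut noise from scheduled tasks and from the account touching remote shares; pass `-Expected 5` for the strict rule as stated.

```powershell
# Added example (not from the thread). Flags logons by service accounts whose
# logon type is not one a service is expected to produce. The logon type is
# recorded on the machine where the logon happens, so this runs over member
# server logs, not the domain controllers' logs.

# Logon type names as listed in Edward's reply.
$LogonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 6 = 'Proxy'
    7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials'
    10 = 'RemoteInteractive'; 11 = 'CachedInteractive'; 13 = 'CachedUnlock'
}

# Constructed list of service accounts. In practice pull it from the AD group
# the accounts live in, e.g. (Get-ADGroupMember 'SVC-Accounts').SamAccountName
$ServiceAccounts = @('svc_backup', 'svc_sql', 'svc_monitor')

# Constructed sample events (not real log data).
$SampleEvents = @(
    [pscustomobject]@{ Time='2012-06-28 09:01:12'; Computer='SRV01'; EventId=528;  Account='svc_sql';     LogonType=5 }
    [pscustomobject]@{ Time='2012-06-28 09:03:40'; Computer='SRV01'; EventId=528;  Account='svc_backup';  LogonType=4 }
    [pscustomobject]@{ Time='2012-06-28 09:15:07'; Computer='SRV02'; EventId=528;  Account='svc_sql';     LogonType=2 }
    [pscustomobject]@{ Time='2012-06-28 09:16:55'; Computer='SRV02'; EventId=4624; Account='svc_monitor'; LogonType=10 }
    [pscustomobject]@{ Time='2012-06-28 09:20:03'; Computer='SRV03'; EventId=4624; Account='jsmith';      LogonType=2 }
    [pscustomobject]@{ Time='2012-06-28 09:22:48'; Computer='SRV03'; EventId=4624; Account='svc_monitor'; LogonType=3 }
)

function Find-UnexpectedServiceAccountLogon {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [Parameter(Mandatory)] [string[]] $ServiceAccounts,
        # 5 = Service is the thread's rule; 4 (Batch) and 3 (Network) are an
        # assumption added here to reduce noise. Use -Expected 5 for the strict check.
        [int[]] $Expected = @(5, 4, 3)
    )
    foreach ($e in $Events) {
        # Only successful-logon events (528 on 2003, 4624 on 2008+) carry a logon type.
        if (@(528, 4624) -notcontains [int]$e.EventId) { continue }
        if ($ServiceAccounts -notcontains $e.Account) { continue }
        if ($Expected -contains [int]$e.LogonType) { continue }
        [pscustomobject]@{
            Time      = $e.Time
            Computer  = $e.Computer
            Account   = $e.Account
            LogonType = [int]$e.LogonType
            LogonName = $LogonTypeNames[[int]$e.LogonType]
        }
    }
}

# Assumed helper: same fields from a live 2008+ Security log (needs read
# rights on the log; 2003 hosts would use Get-EventLog and event 528).
function Get-LiveLogonEvents {
    param([string] $ComputerName = $env:COMPUTERNAME, [int] $MaxEvents = 5000)
    Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents `
        -FilterHashtable @{ LogName = 'Security'; Id = 4624 } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Computer  = $_.MachineName
            EventId   = $_.Id
            Account   = $d['TargetUserName']
            LogonType = [int]$d['LogonType']
        }
    }
}

Find-UnexpectedServiceAccountLogon -Events $SampleEvents -ServiceAccounts $ServiceAccounts |
    Format-Table -AutoSize
```

Over the constructed sample the default run flags two rows: svc_sql with a type 2 (Interactive) logon on SRV02 and svc_monitor with a type 10 (RemoteInteractive) logon on SRV02; jsmith is ignored because it is not in the service-account list. Re-running with `-Expected 5` also flags svc_backup's type 4 and svc_monitor's type 3 logon, which shows why the strict "not 5" rule needs a documented allow-list before it is handed to audit. To run it against a real host, replace `$SampleEvents` with the output of `Get-LiveLogonEvents -ComputerName SRV02`.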

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
